
SourceForge Installs Mac Malware

Believe It Or Not! SourceForge is pushing malware.

(Actually, test it yourself if you do not believe it.)

I recently installed FileZilla. During the installation process it asked me to install known malware: MacKeeper (known to corrupt OS X), PremierOpinion (former versions known to be spyware), and ZipCloud. I complained to FileZilla.

FileZilla said they could do nothing about it because SourceForge supplies the installation wrapper.

Since FileZilla is an open source application maintained on SourceForge, they use SourceForge’s installer package. FileZilla cannot avoid this evil practice since they are dependent on SourceForge’s installer. (They do have another download option that does not use an installer. I suggested they remove the SourceForge installer and use that more primitive method.)


I sent a note to security@sourceforge.net reporting that they are the scum of the earth for pushing malware. (I did not use those exact words.)


Try it yourself. (This is a safe experiment.) Download FileZilla (https://filezilla-project.org/download.php?show_all=1). Take care to answer “skip” to the malware installation requests. When you get to the real FileZilla installation page, you can quit.

MacBook Pro (13-inch Late 2011), OS X Yosemite (10.10.3)

Posted on Jun 15, 2015 9:33 PM


Jun 15, 2015 10:05 PM in response to Kappy

Potentially Unwanted Programs (PUP) are malware. While the SourceForge installer does ask if you want to install MacKeeper, they do it in a way that appears to be part of the FileZilla installation process. So, technically, it is not PUP, but I would say it barks.


You might consider MacKeeper malware in that people report its uninstaller leaves behind stubs that pester you to reinstall MacKeeper. At that point it is definitely PUP.


TheSafeMac reports that PremierOpinion is malware and potentially spyware.

http://www.thesafemac.com/arg-premier-opinion/


ZipCloud is PUP (often installed silently) but it appears to do no harm. ZipCloud does not provide an uninstaller and their instructions for uninstalling it leave behind files in the hidden folders.

And anyway, what on Earth was SourceForge thinking when they started pushing this onerous (if not harmful) software?

Jun 15, 2015 10:22 PM in response to hands4

Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.[1] Malware is defined by its malicious intent, acting against the requirements of the computer user, and does not include software that causes unintentional harm due to some deficiency. The term badware is sometimes used, and applied to both true (malicious) malware and unintentionally harmful software.[2]


Whether it's unwanted or not is hardly a qualification for true malware. Furthermore, calling a valid working piece of software malware is in itself a bit malicious because it is libel in the loosest sense.


In any event feel free to call it what you want, but it is not malware in the strictest sense. Whatever SourceForge is doing, these forums are not the proper venue for expressing your opinion about them. Read the Terms of Use for these forums and try to follow them. It will be appreciated.

Jun 16, 2015 5:28 AM in response to hands4

I went to the link you provided - https://filezilla-project.org/download.php?show_all=1


I then clicked on the first choice, which is for the Mac version of FileZilla, and this downloads a .bz2 compressed file. I then decompressed that file by double-clicking on it; this produced the FileZilla application. There was no installer program, no malware, no unwanted extra applications, it was just the FileZilla program.


Now what sometimes may be the case is that when you click on a link to go to a download site, e.g. the first entry on the FileZilla project page, which remember 'says' it is for a .bz2 compressed file, it takes you to an automated download page; this is what happens in this case. This download page, as is not uncommon, has on it lots of adverts, some of which are deliberately misleading by themselves having the word 'download' in their advert. If however you do nothing, i.e. click on nothing, then what should happen is that SourceForge will after a few seconds automatically send you the .bz2 file; if you look closely in the top left portion you will actually see the words "Your download will start in X seconds".


It sounds like you have been ignoring that message and clicking on one of the adverts below it, and that is triggering another different website - not SourceForge and not FileZilla - into sending you some foul malware-infested download.


I am not going to try clicking on all the adverts to try and find out which one you have mistakenly been clicking on.


As a general comment I have used SourceForge for many years and they do not add installer wrappers to any software hosted on their site. They only provide exactly the files uploaded by the authors.


The only other possibility that occurs to me is that maybe your browser has been previously attacked after visiting a different website and now it is doing the wrong thing; however, I feel the first possibility that you clicked on something you should not have rather than waiting.

Jun 16, 2015 7:04 AM in response to hands4

hands4 wrote:


SourceForge is pushing malware.

Yes. This is well-known, in some circles at least. To make matters worse, the software that SourceForge and other scam-ware sites deliver is often customized on a per-download basis. This means that you can go onto a forum like this one and warn people about malware. Then people will try it out and proclaim that there is no malware to be found at that link. They might even accuse you of clicking on ads instead of download buttons. (Which could easily be true if you have ever gone to a site like SourceForge without an ad-blocker.) How can that be?


The answer is that these are not static downloads. The scam-ware sites look at your browser settings and probably also cross-reference your IP address and other tracking cookies to Big Data advertiser information. If that split-second analysis indicates that you might be a patsy, then you might get adware. The installer that you download may do a similar kind of analysis. The end result is that one person will get loaded up with malware and another person who clicks the same link will not.


So yes, you are being scammed. And the people trying to help you and verify this report are being scammed as well. Don't fall for it. While ad-blockers are very useful, I advise disabling them before downloading anything. If the site you are downloading from is full of ads, then the software you would download will also be full of ads or worse. You can't even suggest downloading directly from a source website anymore since SourceForge is one of those. A new tactic is wrapping open source programs into adware and malware installers like MPlayerX does. Usually, the only real indicator you have is the presence of obnoxious ads on a website. If you see those, don't download any software. While open source software is safe by itself, its open source nature makes it very susceptible to this kind of trickery. These days, I don't think it is wise to download software from any source other than Apple's App Stores.

Jun 16, 2015 7:07 AM in response to hands4

SourceForge, once the bastion of free software repositories, has been pushing junk bloatware after it was acquired by Dice Holdings a while back. Coincidence or not, I'm not judging.


Don't download anything from SourceForge, unless you like unwanted junk.


Download.com appears to have gone the same way.

Jun 16, 2015 3:06 PM in response to Kappy

Kappy, I take your point. PUP is not necessarily malware.


I have seen sites that define it as so and others that do not. Some (such as The Safe Mac) define it as malware because it has the keys to your computer house (which you may have given it unknowingly) so it has access to your sensitive information. It simply chooses not to use that information to its advantage (as far as we know).


The Safe Mac notes a previous instantiation of PremierOpinion was malware. “It was widely identified as malware due to the data harvesting capabilities.” They noted PremierOpinion did indeed cross into malware territory. They also noted this behavior has not been observed in PremierOpinion's reïncarnation. Would you feel comfortable with a known criminal, supposedly reformed, having the keys to your house?


So one should avoid or be very careful with sites that use SourceForge-based installers and FileZilla in particular (where I discovered it).


FileZilla has chosen to push this adware during their installation process. They offer an alternate download process (not obvious to find) that bypasses the SourceForge problem. Thus they are complicit in duping people into installing adware. They could promote that alternative method to their primary method, dropping the SourceForge installer.
