
    Unofficial 7-zip.com website served up malware-laden downloads for over a week — infected PCs forced into a proxy botnet


    When setting up a new PC, installing a utility like 7-zip, PeaZip, or WinRAR is something we tend to do almost without thinking. But it’s easy to fall into the trap of downloading malicious executables from unofficial sources, which is what happened for about 10 days with the 7-zip.com website.

    To wit, the official website for the 7-Zip project is 7-zip.org. As usual, a popular free project attracts copycat websites, whose usual intent is simply to rank high enough in web searches to collect click-throughs and a little ad revenue. That appeared to be the case for 7-zip.com until the period of Jan. 12 – 22, when its download links started redirecting users to a malware-laden executable.


    The link redirection was mildly crafty. Upon loading 7-zip.com, you’d see the regular links pointing at the official executables on 7-zip.org. But after about 20 – 30 seconds, a script would trigger and rewrite those links to point at the infected files. The delay was designed so that basic automated website scanners, which typically fetch the page once and inspect the HTML as served, would see only clean links to 7-zip.org and not flag the site as malicious.

    We verified this ourselves by visiting the Wayback Machine, but we definitely do not advise others to do so. The malware in question doesn’t do much by itself, but it installs a proxy server, turning the victim’s PC into a node of a remote-controlled proxy botnet. From there, criminals can route their traffic through it to hide their origins. Malwarebytes has a detailed writeup of the trojan on its website, and cyber-security expert Luke Acha posted a technical deep dive.

    As for the website’s malicious intent, it’s hard to say. After all, one can hardly get ad revenue if their website is marked as delivering malware. This wouldn’t be the first (or millionth) time that an ad network served up a malicious script — though the fact that our NextDNS-enabled and ad-blocked test machines didn’t block the script in question is concerning.

    The issue was first spotted by SourceForge users in a forum thread, and the first technical outfit to spot it seems to have been the Japanese consortium IISJ-SECT. Widespread awareness came via a Reddit post in which a poor user described following a YouTube tutorial that led them to the malicious website — probably unintentionally, as it looked pretty official.

    The lesson here is clear, though: Always download software from official sources, and make sure you know what the official source actually is. It’s also worth going the extra mile to check the hashes of downloaded files, comparing them against a digest obtained from a trusted channel rather than from the same page that served the download. We suggest HashTools for Windows, and sha256sum or GtkHash/QuickHash for Linux.
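    As an added illustration of the hash check recommended above (example code written for this page, not a tool from Tom’s Hardware or the 7-Zip project), the POSIX shell function below compares a downloaded file’s SHA-256 against an expected digest. It assumes you already have the expected digest from a trusted source; the sample file and its digest are constructed inline so the script runs offline, and the `verify_sha256` name and the temporary file path are this example’s own.

```shell
#!/bin/sh
# verify_sha256 <file> <expected-hex-digest>
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.
# Uses sha256sum (GNU coreutils) or falls back to shasum -a 256 (macOS/BSD).
verify_sha256() {
    file="$1"
    # Normalise the expected digest to lowercase so copy-pasted uppercase hashes still match.
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"

    if [ ! -f "$file" ]; then
        echo "verify_sha256: no such file: $file" >&2
        return 2
    fi

    if command -v sha256sum >/dev/null 2>&1; then
        actual="$(sha256sum "$file" | cut -d' ' -f1)"
    else
        actual="$(shasum -a 256 "$file" | cut -d' ' -f1)"
    fi

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the expected SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Demo with a constructed stand-in for a downloaded installer.
# The digest below is SHA-256 of the six bytes "hello\n" (the file written here),
# standing in for a digest you would obtain from a trusted channel.
demo_verify() {
    tmpdir="$(mktemp -d)"
    printf 'hello\n' > "$tmpdir/7z-installer.exe"   # constructed sample, not a real installer
    good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    bad=0000000000000000000000000000000000000000000000000000000000000000

    if verify_sha256 "$tmpdir/7z-installer.exe" "$good"; then
        echo "demo: good digest accepted"
    fi
    if verify_sha256 "$tmpdir/7z-installer.exe" "$bad"; then
        echo "demo: this should not happen"
    else
        echo "demo: tampered/unknown digest rejected, do not run the file"
    fi
    rm -rf "$tmpdir"
}

demo_verify
```

    A mismatch is a signal to delete the file and fetch it again from the official site, not to proceed. Note that a hash only proves the file is the one the digest describes, so the digest itself has to come from somewhere you trust.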
