Stolen 7-zip bundled with adware?

Stolen 7-zip bundled with adware?

Recently, we found a popular free software called SevenZip (not to be confused with 7-Zip, a popular open source file archiver) was included in an adware bundler that I would have been very surprised to find it on the system after running the bundler on autopilot.

When checking the changes the bundled installer had made, I noticed a familiar icon in the list of installed programs on my virtual machine. Bundlers are installers that install more than one program on the machine they are run on. Usually several you didn’t want and, if you are lucky, one you were looking for.

warning4

Entry for the fake version

Running the SevenZip program did not immediately tell me that anything was wrong either. It functions exactly the same as the regular 7-Zip for as far as I could tell without trying every option the program has to offer.

I decided to run the bundler again and pay attention this time. And indeed I must have clicked “Next” here without noticing the name of the firm offering the software. AdFactory Technologies are renowned for “DocToPDFConverter” software which indeed was part of this bundle under the name “FromDocsToPdf”.

main

When looking at the official site of 7-Zip software we probably all know, the first thing I noticed on their site is that they discriminate between 32 and 64 bit versions. Obviously a bundler can’t be bothered to care, so my guess was that the bundle installed a 32-bit version of the program on my machine. And looking at the process in Windows Task Manager confirmed this.

taskmanager

After offering other components of the package the bundler starts a separate installer for SevenZip. But it’s not the official one.

installing

I tried installing the same version of 7-Zip to see if that would cause any conflicts. But the installer from the official source did not run into any conflicts.

In fact the two applications appeared almost side by side in my Start menu.

And as you can see below, the uninstall entries are similar but not the same.

uninstall

One notable difference is the sites they point to, and to my surprise the site where the fake SevenZip uninstall entry points to, actually exists.

You can reach their site, but as soon as I tried any of the download buttons Malwarebytes Anti-Malware Premium jumped into action and blocked the site I was re-directed to.

Sevenzip.info

When I went looking at the 7-Zip forums to check if this was a known issue, I did find no mention of sevenzip(dot)info but a post from few years back that mentioned sevenzip(dot)net which no longer resolves. So this is probably not the first time the good name of this software has been abused.

I contacted the author of 7-Zip (Igor Pavlov) via Sourceforge and he replied that

If they (sevenzip.info) use 7-Zip code with additional Malware code, I don’t like it.

The bundle also included MyStartSearch, Wajam, AnySend and OneSystemCare, but since they are geo-sensitive and change regularly you may get different results. The bundler was blocked by Malwarebytes Anti-Malware Premium as PUP.Optional.CheckOffer.

I will post about my findings at the 7-Zip forums, as Igor also suggested in his reply, shortly after this post is published, so their team can look if there are any grounds for legal action. Since we are not sure at this point if this is an (unauthorized) copy or a fake version, I will keep you posted here if anything comes of that.

Bundlers are known to offer all kinds of software, and maybe they are using 7-Zip as bait. In this case I certainly did not get the optimal version for my system. Either way, and we have said this many times before: Get your software from the publishers’ site or sites recommended by the publishers.

Pieter Arntz

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.