Secure download resources or a malware cesspool – How trustworthy are download portals nowadays?

  • March 6, 2012


The term “download wrapper” is still quite unknown, which of course does not make its basic technology any less harmful. The moment that hackers and malware authors start to specialize in download wrappers, if they haven’t done so already, the Internet community may have to face new waves of viruses. Learn more in this article on how to avoid potential risks – and what these actually look like.

If you thought of a filled wrap when you heard “download wrapper”, you are not far off. Wrappers are generally software wrapped around other software, just like dough covers up the filling in a wrap. Download portals use download wrappers more and more to fetch the desired target file. When you try to download a program from a provider’s site, you first receive the download wrapper. This little helper then downloads the desired program onto your PC. While it is downloading, you will be faced with annoying ad banners or even tricked into downloading other software or toolbars that you do not want at all.

What are download wrappers good for?

You have every right to wonder what the point of download wrappers is at all, as conventional downloads have been just as simple and well established for decades now. There are several reasons. The one mostly advertised is useful features such as pausing and resuming while downloading big files. Current browsers support pausing and resuming downloads, though, and you can also use a professional download manager instead of having a wrapper imposed on you. The argument is rather weak in any case, as download wrappers are also used for very small target files that are sometimes even smaller than the wrapper itself.

For download portals there is first and foremost a good reason for using download wrappers: the possibility of systematically putting in ads. Software you have designed yourself for that purpose is far more useful than a website is. Plus, this offers the advantage of collecting statistical data on the hardware in use, which enables the creation of detailed user profiles. One must not forget the commercial effect, either: when a user downloads software from a specific portal, they are highly likely to remember its name and use this portal for future downloads as well. Regular visits including unique user statistics result in more profits from advertising.

Current examples and threats

Example 1: download.com

If you click on the download button of a file that reads “CNET Installer enabled” in small print on the world’s biggest download portal, you will receive a wrapper of about half a megabyte instead of the desired file. Due to user complaints and threats of lawsuits from several software providers, the portal has refrained from using the wrapper for these and uses it only for programs whose providers have not made a complaint (or who do not even know that their software has been “wrapped up”).

Risk: Installing a browser toolbar and hijacking your browser’s homepage.

Attention! Never be tempted to just click on “Next Step”. If you do, you will miss the option “I do not accept” hidden in the lower right corner, which lets you skip installing the supplementary toolbar.


Images: Installation of CNET Download.com installer

Example 2: softonic.com

Even the multi-language portal “Softonic” has acquired the bad habit of giving out a wrapper before you receive the desired file. At little more than 300 KB, this is one of the smaller ones, but shows the most aggressive ads. The section “Options” shows nothing but an ad page for a third-party program from a pool of other programs. Installation is also enabled by default. If you uncheck the corresponding box, you will immediately see another ad page for another program. When the download is finally about to start, you will see another ad banner for another program that will be even more focused once the download is done. This ad penetration is worse than any other wrapper.

Risk: Installing undesired software, fraudulent ad banners.


Images: Installation of Softonic Download Wrapper

 

Example 3: softonic.de / RegNow

The German version of Softonic advertises the download that we tested with a direct vendor download link. This will not take you to the desired installation file, but to another wrapper offered by payment service RegNow. The wrapper of about 300 KB is also rather small, but immediately shows a special offer for third-party software once launched. One click on the falsely-named “Options” button, and you will see that RegNow have not even programmed the wrapper themselves, but relied on another third-party developer named GetRightToGo.com.

Risk: Unintentional redirection to unknown third-party providers, ad banners.


Images: Installation of RegNow Download Wrapper

 

Example 4: tucows.com

In our opinion, the veteran among the download portals has the sneakiest ways of all: The wrapper called “AVG CloudInstaller” first lets you choose between “Express” and “Custom” installation of the AVG toolbar. You can only skip this by clicking on the “Decline” button below. This suggests, though, that you are canceling the download and installation of the desired program. No matter whether it’s Express or Custom, by default your browser’s homepage will be hijacked, your default search engine altered and a toolbar installed.

Risk: Greatest risk due to accidentally installing third-party software and tampering with your browser.

Note: The technology by the company “OpenInstall Inc.” that the wrapper is based on is recognized as a potential risk through Emsisoft’s signature scans and behavior analysis as data is sent to the web once the download is done and even after closing the software, most likely for statistical reasons.


Images: Installation of Tucows Download Wrapper

Earnings through ads at any cost

The intention of funding themselves through ads is totally understandable for download portals, as traffic costs money. Download wrappers are a huge security risk, though. The user is being tricked from the very start of the attempt to download a certain program: they will not receive the target file, but the wrapper. This may confuse inexperienced Internet users in particular.

What is even worse in our opinion is the fact that the user does not see the provider’s code signature when running the downloaded file. This will open the floodgates for potential hackers, who merely have to infiltrate the download system and then distribute their own software. You, the user, will not see anything more than what you are downloading, the desired tool or a trojan – or maybe both.



ORIGINAL   –   WRAPPER

Even a badly programmed wrapper is enough as it enables others through its weaknesses to take control of your PC. Each and every installed and particularly active program is a security threat – reason enough to do without unnecessary software such as wrappers. The possibility of creating user profiles and installing other software such as a toolbar through a download wrapper is another negative point we would like to mention here.

 

Our recommendation: Avoid portals that use wrappers.

Given the lack of technical necessity for download wrappers and the security risks that go with them, we recommend that you simply avoid websites that use this kind of technology.

Pay attention when you are downloading a file – there should be no hint of the wrapper contained in the file name, and the file should be the size stated in the description. You can download Emsisoft Anti-Malware as EmsisoftAntiMalwareSetup.exe from our server; the setup file has the same name on several download sources. On Softonic, the file name SoftonicDownloader_for_emsisoft-emergency-kit.exe clearly shows that Softonic’s downloader will be downloaded onto your PC. Other portals have similar naming conventions, such as the following abbreviations at the beginning of the file name:

Another easy way of recognizing download wrappers: through their file icon as they always use the same one:


Different wrapper symbols
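
The file-name and file-size check recommended above can be scripted. The following is an added example, not code from Emsisoft: the only wrapper marker it knows is the Softonic prefix quoted in this article, while the expected name `EmsisoftEmergencyKit.exe`, the 10 % size tolerance and the sample file sizes are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# Marker taken from the article's Softonic example; extend with markers you observe.
WRAPPER_MARKERS = ("softonicdownloader_for_",)
UNITS = {"B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3}


def parse_size(text):
    """Convert a size as stated on a download page ('117 MB', '300 KB') to bytes."""
    m = re.fullmatch(r"\s*([\d.]+)\s*([KMG]?B)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2).upper()])


def check_download(path, expected_name, stated_size, tolerance=0.10):
    """Return a list of findings; an empty list means name and size both match."""
    findings = []
    name = os.path.basename(path)
    if any(marker in name.lower() for marker in WRAPPER_MARKERS):
        findings.append("wrapper marker in file name")
    if name.lower() != expected_name.lower():
        findings.append(f"name differs from vendor's: {name}")
    expected = parse_size(stated_size)
    actual = os.path.getsize(path)
    if abs(actual - expected) > expected * tolerance:
        findings.append(f"size {actual} B, description states about {expected} B")
    return findings


def demo():
    """Constructed sample: a 2 MB 'setup' file and a 300 KB 'wrapper' file."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "EmsisoftAntiMalwareSetup.exe")
        bad = os.path.join(d, "SoftonicDownloader_for_emsisoft-emergency-kit.exe")
        with open(good, "wb") as f:
            f.write(b"\0" * 2 * 1024**2)
        with open(bad, "wb") as f:
            f.write(b"\0" * 300 * 1024)
        # Expected name for the second file is hypothetical, chosen for the demo.
        return (check_download(good, "EmsisoftAntiMalwareSetup.exe", "2 MB"),
                check_download(bad, "EmsisoftEmergencyKit.exe", "2 MB"))


if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```

A file that is only a few hundred kilobytes when the description states megabytes is the strongest of the three signals, since the wrappers described in this article are between about 300 KB and half a megabyte.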

Remedy

If a download wrapper has already been installed onto your PC, we recommend that you simply uninstall it. Most toolbars and free add-ons that come along should be uninstalled like this. You can see a list of all programs installed on your PC in “Programs” in “Control Panel” on Windows 7 and Vista, or in “Add or Remove Programs” on Windows XP. Altered settings such as your browser’s homepage or default search engine need to be reset manually.

Emsisoft Anti-Malware recognizes suspicious download wrappers as Riskware. The behavior blocker will also display a spyware alert when a wrapper downloads or sends any data from or to the provider in the background.
Emsisoft Anti-Malware Alert

Have a nice (malware-free) day!

Your Emsisoft Team

www.emsisoft.com


Emsi

Emsisoft founder and managing director. In 1998 when I was 16, a so-called 'friend' sent me a file via ICQ that unexpectedly opened my CD-ROM drive, which gave me a big scare. It marked the start of my journey to fight trojans and other malware.
