Thursday, July 29, 2010 17:55

The Scumbags Hall of Shame (part 2) . Sothink confirmed on the list ? (Update 3: The debate continues ! - February 8)

    Friday, February 5, 2010
    This news item was posted in Reviews category and has 20 Comments so far.

Update 3

Our friends put us in the situation to … not be able to highlight in the main article their interesting replies !

Please go and read all the interesting comments !

( Just a word to Paul : We hope you have understood who that “Robert” is - attacking 4Free on an innocent thread about … Sothink.

… And thank you for ignoring “him”. Just another confirmation of the sick-childish clone-games on GOTD.

And yeah ! … All that while 1-2 clones of the same “guru” on 4Free are sending us peace-messages regarding their … “beloved child-prophet” LOL ! It seems that we should pretend not to see what’s so obvious to us.

Well … We cannot let a fraud happen when we see it ! A few hundred ( probably thousands - later ) 4Free’ers will know what this natural born crook is doing. We’ll take care of that !   )

After Alok and Franck, there are two other testimonials - from Paul and Alan Baxter - defending Sothink’s position.

Please read the Update added to the initial article

Hi friends !

Like many of you, we said something like ” it’s hard to believe Sothink is that kind of developer ” in our previous article, The Aimersoft Situation … Leading To … The Scumbags Hall of Shame.

(Un)Fortunately Alok has just notified us about a confirmation he read on ZDNet.com. So this time it’s an official vulnerability notification from Blog.Mozilla.com/addons.

Thank you Alok !

Again : the 4Free Team would never have thought a developer like Sothink is involved in this kind of activity !

This is the warning:

Security Issue on AMO

Issue

Two experimental add-ons, Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer were found to contain Trojan code aimed at Windows users. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose Trojan. Both add-ons have been disabled on AMO.

Impact to users

If a user installs one of these infected add-ons, the trojan would be executed when Firefox starts and the host computer would be infected by the trojan. Uninstalling these add-ons does not remove the trojan from a user’s system. Users with either of these add-ons should uninstall them immediately. Since uninstalling these extensions does not remove the trojan from a user’s system, an antivirus program should be used to scan and remove any infections.

Status

This vulnerability is known to affect Firefox on Windows only, if either Master Filer or Version 4.0 of Sothink Web Video Downloader are installed. Versions of Sothink Web Video Downloader greater than 4.0 are not infected. Master Filer was downloaded approximately 600 times between September 2009 and January 2010. Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008. Master Filer was removed from AMO on January 25, 2010 and Version 4.0 of Sothink Web Video Downloader was removed from AMO on February 2, 2010. AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader. No other instances of malware have been discovered.
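Added example, not part of this post or of Mozilla’s notice: a small Python checker for the uninstall advice above. It walks a Firefox profile’s extensions directory, reads each add-on’s install.rdf manifest (the Firefox 3.x-era layout; the directory structure, the add-on ids and the sample manifests are constructed assumptions) and flags Sothink Web Video Downloader only at version 4.0 and Master Filer at any version, exactly as the notice states.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Namespace used by <em:...> elements in a classic install.rdf manifest.
EM = "{http://www.mozilla.org/2004/em-rdf#}"

def version_key(version):
    """Normalise a Mozilla-style version string for equality checks only.

    Each dot-separated part becomes (number, suffix) and trailing '0' parts are
    dropped, so '4.0', '4.0.0' and '4' compare equal while '4.0b3' and '4.2' do
    not. Ordering is deliberately not implemented (it is not needed here)."""
    parts = []
    for part in version.strip().split("."):
        m = re.match(r"(\d*)(.*)", part)
        parts.append((int(m.group(1) or 0), m.group(2)))
    while len(parts) > 1 and parts[-1] == (0, ""):
        parts.pop()
    return tuple(parts)

# Advisory facts: Web Video Downloader is affected only at 4.0, Master Filer at
# every version. Names are compared case-insensitively.
AFFECTED = {
    "sothink web video downloader": lambda v: version_key(v) == version_key("4.0"),
    "master filer": lambda v: True,
}

def classify(name, version):
    """'affected', 'clean' (same add-on, unaffected version) or 'unrelated'."""
    check = AFFECTED.get(name.strip().lower())
    if check is None:
        return "unrelated"
    return "affected" if check(version) else "clean"

def parse_install_rdf(xml_text):
    """Return (name, version) from an install.rdf, or None if either is missing."""
    root = ET.fromstring(xml_text)
    name = root.find(".//" + EM + "name")
    version = root.find(".//" + EM + "version")
    if name is None or version is None or not name.text or not version.text:
        return None
    return name.text.strip(), version.text.strip()

def scan_profile(profile_dir):
    """List (add-on id, name, version, verdict) for every manifest in the profile."""
    findings = []
    ext_root = os.path.join(profile_dir, "extensions")
    if not os.path.isdir(ext_root):
        return findings
    for ext_id in sorted(os.listdir(ext_root)):
        manifest = os.path.join(ext_root, ext_id, "install.rdf")
        if not os.path.isfile(manifest):
            continue
        with open(manifest, encoding="utf-8") as fh:
            parsed = parse_install_rdf(fh.read())
        if parsed:
            name, version = parsed
            findings.append((ext_id, name, version, classify(name, version)))
    return findings

# Constructed sample manifests; the add-on ids are placeholders, not the real ones.
MANIFEST = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{id}</em:id>
    <em:name>{name}</em:name>
    <em:version>{version}</em:version>
  </Description>
</RDF>
"""
SAMPLES = [
    ("wvd-old@example.invalid", "Sothink Web Video Downloader", "4.0"),
    ("wvd-new@example.invalid", "Sothink Web Video Downloader", "4.2"),
    ("masterfiler@example.invalid", "Master Filer", "1.0"),
    ("other@example.invalid", "Some Other Add-on", "2.1"),
]

def scan_sample_profile():
    """Write the constructed profile into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, name, version in SAMPLES:
            d = os.path.join(tmp, "extensions", ext_id)
            os.makedirs(d)
            with open(os.path.join(d, "install.rdf"), "w", encoding="utf-8") as fh:
                fh.write(MANIFEST.format(id=ext_id, name=name, version=version))
        return scan_profile(tmp)

if __name__ == "__main__":
    for ext_id, name, version, verdict in scan_sample_profile():
        print(f"{verdict:9s} {name} {version} ({ext_id})")
```

Point scan_profile at a real profile directory to check an actual installation; a verdict of "affected" means the notice’s advice applies, and an antivirus scan is still needed afterwards because uninstalling does not remove the trojan.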

.

Update

It’s important to draw a conclusion in order to avoid misinterpretation of the 4Free community’s reaction in this case.

First Alok had a balanced comment, recommending patience and a mature reaction … And then Franck tried a deeper analysis of this situation.

Alok said:

It’s still hard to believe actually. This company did have a very good reputation at GAOTD. Let’s see if they stand up against the bad news about them.

Franck’s analysis:

Hum… the versions above 4 are not infected?
I almost never heard of a virus writer who cleans his “products” himself?
And I don’t really see why a quite well established software publisher (who explicitly claims he is Chinese) would deliberately put malware on his software.

As of today, the web video downloader standalone application setup file that was given away on gotd some months ago is still 100% clean on virustotal HERE .

I don’t remember if it comes bundled with the firefox addon…

Maybe their upgrade policy is too kind to be honest (except for the swf decompiler I was always able to upgrade for free from my free versions) and even on gotd, the serial was in the readme and worked with the trial from the editor site (and except for the swf decompiler) still works with the latest build…
Actually I can’t believe it…

There are obviously two parts in their catalog : the web dev tools and the video / multimedia tools.
I’m not necessarily fond of the latter, but to me the web dev tools are just great…
Maybe all sothink products don’t come from the same publisher, although it seems to me sothink is a brand owned by a publisher named SourceTec.
(and sourcetec wasn’t on the list was it ?)

Obviously the sothink website is NOT like the other brands on the list… no stupid domain names, products are all within two domains (sotink.com and sothinkmedia.com), so it’s not like they’re building a website network to trick search engine and gain traffic and spread their “scam”…

It really doesn’t look like.
Their products seem under regular development, with a consistent changelog.

I never snooped my IP packets while one of their products was running, but even for update checking it opens the browser…
(snooping should be an instructive experience, as there should be absolutely no traffic from and/or to it)

Lastly, why do all AVs persist in flagging sothink products as safe on virustotal if this is such an awful company ?
I think sothink still deserves more investigation before its reputation is ruined…

Obviously, scamware editors don’t try to do nice programs… (think of the other day GOTD to download youtube videos which was reported by gotd visitors as hijacking ie homepage and installing an adware toolbar…)
And obviously, the vast majority of sothink products are good quality… In my mind, there is something that doesn’t match here…

The Team’s answer:

We totally agree, Franck and Alok, but there can be many answers here.

Keeping one brand clean ( or “repairing” its image ) and using multiple cloned brands can be one answer.

Like you say : as long as the main brand - Sothink - looks serious ( see all your arguments ) AND the VirusTotal analysis is clean … I guess users can go ahead with using a Sothink app ( taking care every time they update ).

The situation is not so obvious … That’s why we have added a question mark in our title.
But we all must agree a serious developer should NEVER be listed as malicious code by Mozilla !
And a serious developer must absolutely explain what happened and clean his name.
Regards !

.

Update 2

Paul’s comment

About SourceTec (Sothink)

This is the easiest way to shoot down a rising company, just hint that a virus/trojan was in one of their offerings and people will flee it like the plague!

Since this was in the Add-ons @ Mozilla and NOT on the main Sothink site (my version (5.7) came from there directly) and since the Mozilla vigilance was very lax (from the meaning: lacking in rigor or strictness), who can really say if it came from SourceTec/Sothink?

You cannot blame SourceTec/Sothink for this Mozilla blunder!

Mozilla Add-ons site’s security/checking protocol looked (until this incident) more like an open barn door policy than a real secure site and that can lead to nightmares not just for users but also for decent companies and Mozilla itself.

I hope Mozilla gets its act together, stops being lax and does not take security for granted in the future. With the sheer number of contributors Mozilla has, their site is akin to an airport.

Well, an airport which is lax with its security protocol and that exhibits open barn door nonchalance does not bode well for safety.

Following this announcement, I made a “Full and deep” safety sweep/scan with my Antivirus that took twelve hours (I have two internal and three external Hard Drives) and it came up empty on the trojan front.

I also checked with VirusTotal and it too came up empty!

.

Alan Baxter’s comment

It looks like the report from AMO that the SoThink 4.0 addon contains a trojan may be a false positive. SoThink updated the addon to version 4.2 in May 2008 because of false positive reports in 4.0. Did AMO verify that 4.0 actually contained a trojan? I’ve asked in each of the two Mozilla blogs that announced this problem, but haven’t received a reply yet. I provide informal Firefox support, happened to run across this issue in the MozillaZine forums, and discovered this had been reported as a false positive almost two years ago. I wish SoThink would get on the ball and do their own damage control.

I found a couple of things:
1) A Google cache of the AMO versions page for the SoThink addon. SoThink mentioned the false positive report right there in the changelog for v4.2 posted in May 2008 right there on the AMO site. From HERE
Version 4.2 — May 16, 2008 — 685 KB
Works with:
* Firefox: 1.5 – 3.0b3
Fixed Bug
* Some of anti-virus softwares misreported that it contained virus.

2) This was discussed in the SoThink forums two years ago. From HERE
We would like to advise that this is a mis-report; however, to avoid the mis-report we release a new version — V4.2 Build 80516.

.




20 Responses to “The Scumbags Hall of Shame (part 2) . Sothink confirmed on the list ? (Update 3: The debate continues ! - February 8)”

  1. Alok
    5 February, 2010

    It’s still hard to believe actually. This company did have a very good reputation at GAOTD. Let’s see if they stand up against the bad news about them.

  2. Ricky
    5 February, 2010

    Just read the same info on theregister.co.uk
    The trojan is a password sniffer that collects passwords, email addresses and system configuration and sends them to the attacker. It is a real nasty!
    Sothink has gone down in my estimation and it will be the last time I will be putting any of their software on my computers

  3. Davidf
    5 February, 2010

    It goes to show you can never tell with these developers. They are getting better at looking legit.
    Thanks for the heads up.

  4. Z3roBy73
    5 February, 2010

    Hi there. I’m really concerned about this matter, since a short while ago I had installed Sothink web video downloader in Firefox. Fortunately, my antivirus did not detect any malware in it; however, I don’t know the exact version that was installed.
    Thank you for opening my eyes to this very disturbing situation…It’s really sad that it has come to this…you cannot put your trust into anything on the web anymore…

  5. Franck
    5 February, 2010

    Hum… the versions above 4 are not infected?
    I almost never heard of a virus writer who cleans his “products” himself?
    And I don’t really see why a quite well established software publisher (who explicitly claims he is Chinese) would deliberately put malware on his software.

    As of today, the web video downloader standalone application setup file that was given away on gotd some months ago is still 100% clean on virustotal.
    http://www.virustotal.com/fr/analisis/9094d209e776b91868021d3ef82286ef83cd7c7a87f32869102c518260ac7e53-1265412676

    I don’t remember if it comes bundled with the firefox addon…

    Maybe their upgrade policy is too kind to be honest (except for the swf decompiler I was always able to upgrade for free from my free versions) and even on gotd, the serial was in the readme and worked with the trial from the editor site (and except for the swf decompiler) still works with the latest build…
    Actually I can’t believe it…

    There are obviously two parts in their catalog : the web dev tools and the video / multimedia tools.
    I’m not necessarily fond of the latter, but to me the web dev tools are just great…
    Maybe all sothink products don’t come from the same publisher, although it seems to me sothink is a brand owned by a publisher named SourceTec.
    (and sourcetec wasn’t on the list was it ?)

    Obviously the sothink website is NOT like the other brands on the list… no stupid domain names, products are all within two domains (sotink.com and sothinkmedia.com), so it’s not like they’re building a website network to trick search engine and gain traffic and spread their “scam”…

    It really doesn’t look like.
    Their products seem under regular development, with a consistent changelog.

    I never snooped my IP packets while one of their products was running, but even for update checking it opens the browser…
    (snooping should be an instructive experience, as there should be absolutely no traffic from and/or to it)

    Lastly, why do all AVs persist in flagging sothink products as safe on virustotal if this is such an awful company ?
    I think sothink still deserves more investigation before its reputation is ruined…

    Obviously, scamware editors don’t try to do nice programs… (think of the other day GOTD to download youtube videos which was reported by gotd visitors as hijacking ie homepage and installing an adware toolbar…)
    And obviously, the vast majority of sothink products are good quality… In my mind, there is something that doesn’t match here…

  6. simon
    6 February, 2010

    Thanks to Alok for pointing out these issues.

    I’ve not been able to spend much time with 4Free in the last month or so but my time looks better now.

  7. Krongo
    6 February, 2010

    I uninstalled all Sothink products immediately, although DHTML-Menu is a really great program. This whole episode seems kind of weird to me: If Sothink was a malware spreading company, why would they put malware only in some products and some versions? Doing both “business models”, spreading malware and selling legitimate software, doesn’t work together. After the detection of one piece of malware, sales of other products will drop, even if they’re clean. Maybe an employee of Sothink wanted to make some extra money? If that was the case, it’s still Sothink’s fault not to check the Video Downloader thoroughly before publishing it.

  8. Quantum Dragon AKA Paul
    7 February, 2010

    About SourceTec (Sothink)

    This is the easiest way to shoot down a rising company, just hint that a virus/trojan was in one of their offerings and people will flee it like the plague!

    Since this was in the Add-ons @ Mozilla and NOT on the main Sothink site (my version (5.7) came from there directly) and since the Mozilla vigilance was very lax (from the meaning: lacking in rigor or strictness), who can really say if it came from SourceTec/Sothink?

    You cannot blame SourceTec/Sothink for this Mozilla blunder!

    Mozilla Add-ons site’s security/checking protocol looked (until this incident) more like an open barn door policy than a real secure site and that can lead to nightmares not just for users but also for decent companies and Mozilla itself.

    I hope Mozilla gets its act together, stops being lax and does not take security for granted in the future. With the sheer number of contributors Mozilla has, their site is akin to an airport.

    Well, an airport which is lax with its security protocol and that exhibits open barn door nonchalance does not bode well for safety.

    Following this announcement, I made a “Full and deep” safety sweep/scan with my Antivirus that took twelve hours (I have two internal and three external Hard Drives) and it came up empty on the trojan front.

    I also checked with VirusTotal and it too came up empty!

  9. Ishaan Rodrigues
    7 February, 2010

    Hmm this topic is all over….

    Hi Ishaan !
    Don’t know where else you have seen it - on serious sites or on pathetic copy-cats blogs ( really don’t have the time to surf the web these days )
    … But you must agree it was natural for us to publish the news, as a confirmation of our recent Scumbags Hall Of Shame article.
    ( which was an obvious genuine article - like all we do on 4Free )
    Regards !

  10. Alan Baxter
    7 February, 2010

    It looks like the report from AMO that the SoThink 4.0 addon contains a trojan may be a false positive. SoThink updated the addon to version 4.2 in May 2008 because of false positive reports in 4.0. Did AMO verify that 4.0 actually contained a trojan? I’ve asked in each of the two Mozilla blogs that announced this problem, but haven’t received a reply yet. I provide informal Firefox support, happened to run across this issue in the MozillaZine forums, and discovered this had been reported as a false positive almost two years ago. I wish SoThink would get on the ball and do their own damage control.

    I found a couple of things:
    1) A Google cache of the AMO versions page for the SoThink addon. SoThink mentioned the false positive report right there in the changelog for v4.2 posted in May 2008 right there on the AMO site. From http://74.125.47.132/search?q=cache:aou1K7snX3QJ:https://addons.mozilla.org/en-US/firefox/addons/versions/6541+site:addons.mozilla.org+sothink+%22version+history%22&cd=1&hl=en&ct=clnk&gl=us
    Version 4.2 — May 16, 2008 — 685 KB
    Works with:
    * Firefox: 1.5 – 3.0b3
    Fixed Bug
    * Some of anti-virus softwares misreported that it contained virus.

    2) This was discussed in the SoThink forums two years ago. From http://www.sothinkmedia.com/phpBB2/viewtopic.php?p=1367&highlight=trojan#1367
    We would like to advise that this is a mis-report; however, to avoid the mis-report we release a new version — V4.2 Build 80516.

  11. acr
    7 February, 2010

    @ Alan Baxter - that is a well written post you have. The thing that jumps out at me though is - why would SoThink need a change log (upgrade) because of some component of their program being a false positive with many antivirus products? Any legit AV company will correct false positives once reported. There would be no need to correct a release if it was truly a false positive. The more appropriate remedy would be to have the product submitted to these AV companies to have the false positive tag removed. Why wasn’t that path followed as opposed to removing (correcting) the component that caused the false positive flags?

  12. Quantum Dragon AKA Paul
    7 February, 2010

    Hello team, I also posted my views on GOTD ( in the SoThink Trojan in Firefox Add On topic ) on this subject, it’s essentially the same post I submitted here along with, shall we say, a wrapper designed to plug our 4Free community here.

    I feel that the views over there add to those over here so if members from here want to see it, they should go here: http://www.giveawayoftheday.com/forums/topic/7000

    @ acr - Like I said after your post in the GOTD thread, Chinese Companies should NOT be compared to the rest of the world when it comes to dealing with possible errors as they have their own code of honor regarding these and all their other dealings with foreigners.

    I will be quoting my second GOTD post on the subject here:

    I should know as I went to China to adopt in 1992 and stayed there 3 weeks absorbing all the culture I could so with this experience behind me, I can safely say NOTHING is the same in China as everywhere else in the world!

    And I can also add this tidbit that I have learned along the way: Some still call us Gwailo (AKA Gweilo) stemming from the Cantonese term Gwai Lo which means “ghost man” because the first foreigners were white.

    This modified term is also translated into English as foreign devil and arose when the first group of Europeans appeared in China as they were associated with barbarians due to their imperialistic and colonial reputation.

    Anyway, back on track, I still say all of this is due to Mozilla’s laxity, after all can’t they read over there or were they all so busy whizzing around like bees on a mission to address this corrected problem in May 2008 ?

    Another question I have is this one: Is it a coincidence that it happens just when Sothink is becoming known for good programs ?

    Someone must sure feel threatened enough to unearth this old skeleton!

  13. Franck
    7 February, 2010

    @acr : you should go and read Nir Sofer’s blog (nirsoft). You’ll discover there that many (most? all?) legit AV companies wouldn’t correct a false positive that was reported.

    Sometimes, a piece of code is falsely tagged as malware merely because of the way it has been compiled/packed/compressed… An editor updating his software because of a false AV detection is far from meaning he was caught red-handed…

    Obviously I’m not saying there wasn’t a virus there…. just that, to me, it doesn’t sound very logical that someone who put a virus in one of his program removes it as soon as his program is flagged as malicious…
    Unless… he updates his malware to make it undetectable… Oh, we’re getting really paranoid here…
    :)

  14. 8 February, 2010

    Guys, I may not use the products of this company but I know when someone is serious about their work. And these guys are. Firefox has had a lot of problems in the past years with vulnerabilities etc etc.. We only saw some serious moves when Safari and Chrome got into the game for good.. Don’t forget that MS was stuck with IE6 for a looong time.. This is one of the reasons Firefox was underdeveloped at that time.. and many addons were falsely reported to contain a virus because of some of FF’s vulnerabilities. I know that this team always tries to find the truth behind everything said and that’s one of the reasons I am active here.. (I may be registered in a lot of forums all these years to receive the freebies but I am active in a few only). I hope we will have an answer from Sourcetec soon. It’s too bad to take such a “hit” and do nothing..

  15. acr
    8 February, 2010

    I will check out nirsoft, thanks for the info. I think we can create a timeline here: LDpinch (some variant) was part of the SoThink release in February 2008 and detected in May 2008. A new release of the program came shortly after detection on virustotal and did not have the infected dll. The program developers claimed the antivirus alerts were “mis-reports”. Now the infection has been confirmed as malware by Mozilla.

    Kaspersky and Prevx were two of the antivirus companies that flagged the nsCatcher.dll as malicious. Both those companies still flag this dll. Kaspersky flagged the Armadillo packer and I am aware that sometimes Kaspersky flags Armadillo packers as false positives but they also correct these. Prevx will correct a false positive within 24 hours normally. Of the antivirus programs on virustotal that flagged the dll, Kaspersky was the cause of most - F-Secure and GData both used Kaspersky at the time and you can notice from the VT readout that Kaspersky was what caused the flags in both these programs. SoThink could have submitted the file to Kaspersky and Prevx for review but decided the better course of action would be to issue a new release without the infected dll and claim the VT readings were “mis-reports”.

    It is interesting that SoThink chose to word the change log of the new release as fixing the “mis-reports”. What info did SoThink possess to conclude the readings on VT were false positives?

    I realize that some malware writers will submit their malware to VT to see if it’s detected or not prior to release. Maybe that was the case here, maybe not. But the timeline of events certainly looks suspicious.

  16. Alan Baxter
    8 February, 2010

    It’s interesting that none of the 4000 users who downloaded that version of the addon reported a problem.

    acr: “Now the infection has been confirmed as malware by Mozilla.”

    For all we know, Mozilla only went by the virus scan reports rather than inspecting the actual code and behavior of the dll in question. I’ve queried AMO and Mozilla twice as to whether they were relying on just virus scan reports in their decision to pull the addon. No reply yet.

    acr: “What info did SoThink possess to conclude the readings on VT were false positives?”

    SoThink possessed the actual dll that triggered the virus scan report. That dll was available to them and anyone else who wanted to get it from AMO. AMO keeps versions of addons available indefinitely, and version 4.0 could have been downloaded and inspected by anyone up until it was pulled last week. As far as I know, hi-speed virus scanning isn’t a reliable way to determine if something is actually malware. It would be straightforward for SoThink or anyone else to analyze the dll’s behavior and code in detail. That should be necessary and sufficient.

  17. acr
    8 February, 2010

    Just a nitpick but in some of my google searches I have seen complaints by firefox users of the trojan prior to Mozilla pulling it. Some of those were in the comment section of the downloader IIRC.

    Mozilla’s security efforts have been lax to say the least. I would doubt they would pull the add on unless they actually confirmed the trojan existed. But the program is still flagged by Kaspersky and Prevx. I would think some of the 4000 users would have submitted the file for a second opinion. I believe Prevx is able to do this anyway with their cloud scanning. So I would think the dll is actual malware since it’s still flagged some 20 months after the initial warnings of KAV and Prevx. I cannot think of any false positive Prevx has continued to flag, they usually stay on top of things. If the .dll were flagged by A-squared or Bitdefender only I could see it still being in their system as a false positive. But not so much with Kaspersky and Prevx.

  18. Alan Baxter
    10 February, 2010

    False positive! Mozilla has confirmed that the trojan detection in Sothink Web Video Downloader for Firefox 4.0 is a false positive. http://blog.mozilla.com/addons/2010/02/09/update-on-the-amo-security-issue/
    Sothink Web Video Downloader for Firefox has been reinstated on AMO. https://addons.mozilla.org/en-US/firefox/addon/6541

  19. acr
    10 February, 2010

    Where is the version in question?

    https://addons.mozilla.org/en-US/firefox/addons/versions/6541

    From Mozilla-
    “The same investigation also confirmed that the Master Filer extension included a valid instance of a trojan.”

  20. acr
    11 February, 2010

    “From Mozilla-“The same investigation also confirmed that the Master Filer extension included a valid instance of a trojan.” ”
    should not be in the above post as it is not relevant to this topic.
    thanks
