Malicious Firefox Installer - Google & Anti-Virus Companies Non-responsive

[bitfreak!]

I was just working with a client and I instructed them to download Firefox because Internet Explorer was giving them problems. They did a Google search for "Firefox" and clicked on the first result without realizing that it was a paid advertisement. Consequently, a bunch of malicious software was installed onto their system, including those fake virus scanners which warn the user that they have hundreds of infections and that they must purchase the product to have them removed. The client had AVG installed so I told them to do a scan but it found nothing. So I started to look around for some more information about the malicious website (www.ez-download.com).

Besides this Mozilla bug report which is now a year old, one of the only articles I could find about this malicious website was a blog post on webroot:

Our sensors continue detecting rogue ads that expose users to bogus propositions in an attempt to install privacy-invading Potentially Unwanted Applications (PUAs) on their PCs. The most recent campaign consists of a successful brand-jacking abuse of Mozilla’s Firefox browser, supposedly offered for free, while in reality, the rogue download manager entices users into installing multiple rogue toolbars, most commonly known as InstallCore.

More details:

Sample screenshot of the landing page:


Rogue download URL:
hxxp://www.ez-download.com/mozilla-firefox

Based on what my client described to me I would say that "potentially unwanted" is a vast understatement. So I tried visiting the website myself and my WOT plugin gave me a warning that the website had a very bad rating. I took a look at the WOT user reviews and nearly every one of them were saying that the website gave them a virus/trojan. I also noticed that some of the reviews were posted near the very start of 2013, over 1 year ago. So I started to wonder how this site was still at the top of the Google search results for "firefox". Here is a screenshot I took showing the malicious website at the top (the little green and red circles are part of the WOT addon for Firefox):



So I did some more searching and to my surprise I found that WOT was essentially the only website which recognized the malicious nature of ez-download.com. This TrustPilot review page gives the website a rating of 9.2/10. Even this Norton Safe Web Report for ez-download.com lists 0 detected threats and gives it a big green "OK" and says it is "safe". One Norton user posted the following comment nearly a month ago:

"Norton Says Safe? They had a pretty nasty virus on their Foxfire download so I don't understand how Norton can consider this site safe. I will never use their site again. It was the sort of thing that should not have passed even basic scans."

Indeed, so how did it pass their scan and why has this website been freely operating for over a year now as we can clearly see by the Mozilla bug report and the WOT reviews? I started searching for a solution to the problem so that I could help my client remove the infections from their computer. There was nearly nothing written on this topic but I did find a Yahoo answer page related to this issue:

What can I do about the damage this site ( mozilla-firefox.ez-download.com ) caused to my computer?

I tell you do-not-download-this. I had Mozilla Firefox installed from this site and my entire computer crashed... The system is designed to have you blackmailed in order to save your computer from the damage they cause you. I had to buy a new computer.

BEST ANSWER:

There is nothing to be done unfortunately. In-fact the US government is sanctioning the use of new malware to be developed as a deterrent for downloading copyrighted material. (another confirmation politicians are in the pocket of big business and don't even bother hiding it).

Report website to virustotal.com. It may help others to avoid it in the future.

I would have dismissed this answer as a paranoid fantasy if not for what I had already learnt about this website. So based on his answer I took a look on virustotal.com to see if anyone submitted this malicious website to them. I found the virustotal scan report for ez-download.com and to my amazement only 2 out of the 53 scanners said the site was malicious (WOT and Dr.Web), the other 51 reported that the site was "clean". As I was looking through the Mozilla bug report and the WOT reviews and some of the other articles I have linked to in this post, I also came across some other virustotal links where people had submitted the Fake Firefox installer for scanning, such as these four:

Antivirus scan for firefox_setup.exe (1 year ago) - 2/46
Antivirus scan for Firefox_Setup_21.0.exe (8 months ago) - 4/46
Antivirus scan for Firefox_Setup.exe (3 months ago) - 1/46
Antivirus scan for firefox_downloader.exe (4 days ago) - 6/46

The one from 4 days ago is a scan of the installer which you can download from ez-download.com right now. At least the anti-virus software seems to be getting a little bit better with 6 out of 46 positive detection results, but that is still absolutely pathetic imo. It was missed by so many of the "top line" scanners including the ones made by Symantec, TrendMicro, Panda, McAfee, Microsoft, Kaspersky, F-Secure, Comodo, BitDefender, Avast, AVG, Ad-Aware, and the list goes on. All of them have consistently been unable to detect these fake Firefox installers, even though this malicious website has been disseminating them for over a year now. And even with such a long history of malicous activities, now Google has placed them at the top of the search results for the simple search phrase "firefox". Just what in the hell is going on here? I submitted a report to Google but so have many other people before me and they still haven't done anything about it. This is absolutely unbelievable...

[1715560683]

1715560683

[1715560683]

1715560683

[Lethn]

Good find, but this is precisely why you should very rarely click on sponsored links etc. this is old news but there was a similar type of incident where some kind of Winrar virus got out and because of how much it spread it became increasingly unsafe to download the free version from any mirror sites. What bothers me is that Mozilla Firefox has always been free and open source, have they said anything regarding this? I only ever go to the official website to download open source software, I don't think this is the U.S governments' work though we should probably be careful of this kind of thing in the future.

You may want to send a message to the developers so they can maybe issue a warning about this and see whether they know anything.

Oh and a fun thing to keep an eye on, if no one is using adblock there are sponsored 'Download' buttons all over websites now where if you click on them they try to get junk installed on your PC, this is precisely a reason to install adblock though because they're trying to take advantage of inattentive people, it's pretty sad that the only ones who can really survive on the internet are those who are borderline paranoid about what they click on.

[bitfreak!]

What bothers me is that Mozilla Firefox has always been free and open source, have they said anything regarding this?
---
You may want to send a message to the developers so they can maybe issue a warning about this and see whether they know anything.

They obviously know about it due to the bug report I linked to. The date on the bug report is listed as "2013-02-07", so it's essentially a year old and it still says that it's "under legal review". It amazes me that Mozilla isn't taking a stronger stance against this nonsense. It seems to me like Google is just doing this in order to boost downloads of the Chrome browser and make people avoid Firefox. The whole thing is very strange if you ask me.

[b!z]

What bothers me is that Mozilla Firefox has always been free and open source, have they said anything regarding this?
---
You may want to send a message to the developers so they can maybe issue a warning about this and see whether they know anything.

They obviously know about it due to the bug report I linked to. The date on the bug report is listed as "2013-02-07", so it's essentially a year old and it still says that it's "under legal review". It amazes me that Mozilla isn't taking a stronger stance against this nonsense. It seems to me like Google is just doing this in order to boost downloads of the Chrome browser and make people avoid Firefox. The whole thing is very strange if you ask me.

It's a paid ad. Report it.

[bitfreak!]

I did report it, like I said in my opening post.

[Kiki112]

try reporting it, I'm sure google will remove it as soon as they hear about such a scam..

[bitfreak!]

How many times do I have to repeat myself?

[Kiki112]

sory, try once more

never the less, I never usually click on the paid ads, I always use normal google results so this shouldn't concerne me
it would probably be for the best if everyone also used only legit google results too

[DarkHyudrA]

Crap, in my language it haves 2 paid ads to download Firefox.
One its the one you show in the topic, the other that shows to me is "mozilla-firefox.gol-app.com".
Ultimately dubious to download from there, probably another way of getting some sort of malware.

[bitfreak!]

Crap, in my language it haves 2 paid ads to download Firefox.
One its the one you show in the topic, the other that shows to me is "mozilla-firefox.gol-app.com".

Well that's obviously connected to the same group of people because it's a similar format URL and the IP of the domain is close to those listed in the webroot article (54.218.92.141). On a related note, I just noticed something interesting, it seems the ez-download.com website have changed to a Costa Rica server some time in the last few hours because just before I wrote this article they were using a US server like gol-app.com (I'm betting they'll change that soon as well). I guess they must have noticed this thread and it spooked them a bit. I should have copied the IP address but it's too late now.

Here's a virustotal scan report for the FirefoxSetup.exe file I downloaded from gol-app.com:

Antivirus scan for FirefoxSetup.exe 2/50

The scan results further confirm that both websites are connected. I also found a reddit post made 10 days ago which warns people not to download Firefox from gol-app.com and many of the comments say they have reported the website. Either Google is slow as hell to deal with these criminals or they are making a large profit from the adsense payments and they're delaying the review process on purpose.

[bitfreak!]

Still hasn't been removed from the top of the results... unbelievable.

[DarkHyudrA]

Yup, the gol-app still visible here.
There's something wrong to google not stopping their ad.

[Kiki112]

Yup, the gol-app still visible here.
There's something wrong to google not stopping their ad.

yeah..

I always thought google was a good and an honest service (except for spying their users),  this makes me doubt it o.O

how do they fail to notice that it's beneficial for them to remove bad adverts and thus gaining a good rep + people won't avoid clicking on paid adverts..

[bitfreak!]

OMG.... the same damn ad is STILL shown at the top when searching "firefox".

[meawleir21]

Every successful program has this kind of fakes, we might need to send URL Links now rather than names when recommending someone a program.

[DarkHyudrA]

Was taking a look...
There is a "Contact Us" button, almost hidden, but there is.
This is all the information they have avaiable:
"Gol Apps

R. Prof. Eurico Rabelo, Rio de Janeiro - RJ, 20271-150, Brazil
+55 21 8871-3950"

This address is not false ofc, but I wonder if this is truly a company, because this street is the one that haves the "Maracanã" Stadium, and the street is rather short to have any decent building.

[mprep]

Every successful program has this kind of fakes, we might need to send URL Links now rather than names when recommending someone a program.

Well except this one managed to get the first result.

[rjk]

This sort of shit pisses me off big time. I run AdBlockPlus so I never saw it, but when I disabled ABP in order to see what an unprotected user might see, I saw the same ads and they weren't even in a highlighted yellow box. Fuck you, Google. I submitted reports for both ads that I saw, by using this contact form: https://support.google.com/adwords/contact/feedback

[DarkHyudrA]

OMFG
Whenever someone complains of the ad, seens that those pieces of shit creates another one!
Here's the new one that is appearing to me(sadly, the gol-app still visible aswell)
mozilla-firefox.xtremedownload.com

In this site they pass themselves as part of another site(xtremedownload), when clicking in the "Contact Us" button.