Combofix: a cocktail of infective factors

In various blog posts, ESET experts have encouraged users to download applications from the official website of that application, as you never know what may have happened to the software when you fetch it from a mirror or a download site. Of course, even when downloading from the official website, users should pay close attention to what they are downloading. A mistake is easily made.

A good example of why we offer this advice could be found on the website of BleepingComputer, home of the official download of the ComboFix application, which had an “issue” on 29 January 2013. ComboFix is a respected application that scans your computer for certain types of malware and is able to remove them. Furthermore, it can generate reports that help experienced users remove malware not detected and/or removed by ComboFix. On 29 January 2013, ESET’s LiveGrid technology started showing detections of a Sality variant in the latest downloadable version of ComboFix.
Before anyone starts thinking this blog is a “Goliath versus David” piece in which we would like to behead the author of ComboFix, please read on, as this is as far from the truth as it can be. It would be too easy and really not fair to criticize “sUBs”, the author of ComboFix, who has been providing this useful application for free for many years. An error was made, but it was an accident.
BleepingComputer, upon notification, immediately pulled the infected executables, and shortly after that “sUBs” issued an apology and an explanation. In short, the combination of being overly busy working for a good cause and a faulty mouse issuing a double-click rather than a single click while looking at malware in an infected archive triggered the infection of his system. It is true but unhelpful to state that malware should never be examined or handled on a production system; it takes only a minor mistake like this one to infect production software. A quick lesson learned the hard way: an accident is always just around the corner.
For the record, all infectious applications have been removed and replaced by clean ones.
Now, if this can happen on the original website, imagine how easily it can happen on official and unofficial mirrors and download sites. And on those sites even more can go wrong. It is well known that sites offering free downloads may wrap the original software in a new installer that also installs other (unwanted) applications: adware, sponsor-ware, spyware, toolbars, in fact PUAs (Potentially Unwanted Applications) in general, which may leak personal information or data to third parties without you realizing it. If you want to read more about what a PUA is, please read this
In the above screenshots you can see an installer for NOD32 Anti-Virus which has been rewrapped. Besides installing our award-winning anti-virus program, there are checkboxes to install sponsor software. These checkboxes are preselected, so by default the wrapper installs the sponsor software, and the end user has to take specific action to stop it. A sensible default would not install sponsor toolbars automatically: users may choose to install additional software if they really want to. In other words, this ought to be an opt-in rather than an opt-out.
The majority of users do not want toolbars installed just like that, and they do not always pay much attention to installation screens (they simply click Next/Finish). But the most important issue here is that the software has been rewrapped without ESET’s consent and bundled with software that ESET deems inappropriate. The above example is not the only case where the popularity of ESET’s anti-virus software is misused by others to wrap their monetization shells around it, as the 6 examples below show (and there are many more).
Now, if – for whatever reason – users insist on downloading software from sites like these, they will be stopped by ESET’s PUA or URL detection. To download the wrapped installer at all, the user has to temporarily disable their protection. If the wrapped installer happens to contain an infection – either on purpose or by accident – the malware will be installed on the user’s system, because disabling protection was the only way to obtain the rewrapped software in the first place. As an example, see the screenshot below of an alternate download site offering ComboFix wrapped in a PUA.
If this version was originally mirrored from BleepingComputer and happens to be one of the W32/Sality-infected builds, then the moment the user temporarily disables protection to download and install ComboFix from this site, he will infect his system with Sality as well.
Downloading applications from anywhere other than the original application’s website always entails additional risk. These days, additional risk should be avoided, especially when taking it means you will have to (temporarily) deactivate your protection.
Even if you download from a mirror site and the software is not wrapped, as in the ComboFix case above, that does not mean you can safely download updates from the mirror site as well. As stated on BleepingComputer: “The minute we heard about this, we pulled the executable so that it is no longer available from : Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.” It is never certain that mirrors will act as promptly as the original site by removing the file and/or copying the new, non-infected file (and publishing a warning accordingly).
Therefore our emphatic recommendation is to go to the official application’s website and download the file from there. This poses the lowest risk. If you can opt in to news about the application, that may be useful, as most application vendors will inform you not only about new versions but also about errors like these.
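One check that follows from the mirror problem above: compare the file you actually downloaded against a hash taken from the vendor’s official page, so that a stale or rewrapped mirror copy is caught before it is run. The Python below is an added example for this post, not ESET’s or ComboFix’s own tooling; it assumes the vendor publishes a SHA-256 for each release (this post does not say ComboFix does) and that the expected hash is copied from the official site, never from the mirror that served the file. The “official” and “mirror” files it hashes are constructed in a temporary directory for the demonstration.

```python
"""Added example: verify a downloaded installer against a vendor-published
SHA-256 before running it. Not ESET's or ComboFix's code; the published
hash and both sample files are constructed for the demonstration."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_sha256):
    """Return True only if the file's SHA-256 equals the vendor-published value.

    The expected value must be 64 hex characters; whitespace and case are
    normalised because vendors publish hashes in both styles. compare_digest
    is the idiomatic way to compare digests, even if timing is irrelevant
    for a local file.
    """
    expected = expected_sha256.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected SHA-256 must be 64 hex characters")
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo():
    """Constructed scenario (hypothetical file names and contents):
    an official download and a mirror copy that was rewrapped by appending
    an installer wrapper. Returns (official_ok, mirror_ok)."""
    official_bytes = b"MZ" + b"\x00" * 62 + b"clean installer body (constructed)"
    mirror_bytes = official_bytes + b"sponsor toolbar wrapper (constructed)"
    with tempfile.TemporaryDirectory() as d:
        official = Path(d) / "ComboFix.exe"
        mirror = Path(d) / "ComboFix_from_mirror.exe"
        official.write_bytes(official_bytes)
        mirror.write_bytes(mirror_bytes)
        # In practice this value is copied from the vendor's official page;
        # here it is computed from the constructed clean file.
        published = hashlib.sha256(official_bytes).hexdigest().upper()
        return verify_download(official, published), verify_download(mirror, published)


if __name__ == "__main__":
    ok_official, ok_mirror = demo()
    print("official copy matches vendor hash:", ok_official)  # True
    print("mirror copy matches vendor hash:  ", ok_mirror)    # False
```

The check is only as good as the source of the expected hash: a hash published beside the file on the same mirror proves nothing, because whoever rewrapped the installer can publish a matching hash. Where a vendor signs its releases, verifying the signature is the stronger form of the same check.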
The problem of alternate download sites is not new. It has been mentioned many times before, for example by Brian Krebs. Sadly, the fact that people keep using these alternate download sites, perhaps because search engine results lead them there, keeps these sites going.

Author Righard Zwienenberg, ESET

Copyright © 2017 ESET, All Rights Reserved.