Hacker News

7zip.com Is Serving Malware

127 points, by Alifatisk, today at 2:58 PM, 62 comments

Comments

kevincloudsec, today at 7:22 PM

The buried lede here is the business model. This isn't ransomware or data theft. The malware turns your PC into a residential proxy node and sells your IP address to third parties for fraud, scraping, and ad abuse. That's why it's designed to be invisible and why it persisted for so long. Traditional malware wants to disrupt or extract. Proxyware wants to coexist quietly.

Your machine runs a little slower, your bandwidth gets a little thinner, and someone halfway around the world is routing traffic through your home IP. It's a fundamentally different threat model and most endpoint protection isn't looking for it because the behavioral signatures look like normal network activity.

Dwedit, today at 5:07 PM

7zip.com has never been the official website of the project. It's been 7-zip.org.

throwaway150, today at 5:50 PM

I tested with the 3 major browsers and all 3 block it as "Suspected Phishing". So looks like the system is working as designed.

Lookalike websites serving malware have always existed. So this isn't exactly news. But the browsers are blocking them like they should.

krypd0h, today at 7:04 PM

The links to the file downloads on 7zip.com all point to 7-zip.org. Example: https://www.7-zip.org/a/7z2501-x64.exe

Did they change it because of the negative publicity (Reddit) and will probably change back soon to the malware links?

bloaf, today at 6:39 PM

I've started using winget to install my apps for exactly this reason. I can't keep track of every URL for every piece of software.

tokyobreakfast, today at 5:06 PM

Does the 7-Zip author still refuse to digitally sign or even provide hashes of the official downloads? It's an extremely weird flex, he thinks it's a frivolous waste of time or something.

high_na_euv, today at 5:44 PM

It doesn't help that many services use a few different domain names; bonus points if some of them look like they came from a list of scam domain examples.

throawayonthe, today at 4:38 PM

I'm increasingly convinced nothing good ever comes from YouTube tutorials.

jas39, today at 5:57 PM

I would not trust any software from Russia. Could be a vector for the FSB. I'm sure they have thought about it.

Meneth, today at 5:41 PM

I compared https://7-zip.org/a/7z2600-x64.exe with https://7-zip.com/a/7z2600-x64.exe. They are byte-for-byte identical. If there's malware, it isn't obvious.

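Two comments above ask for checks a reader can run themselves: tokyobreakfast notes that the official downloads ship without signatures or published hashes, and Meneth compared the 7-zip.org and 7-zip.com installers byte for byte. The script below is an added example, not code from the page or from the 7-Zip project. It hashes two files, reports whether they are identical, and parses the PE optional header to see whether either one carries an Authenticode certificate table at all (presence only, no validation of the signature). The `build_fake_pe` helper is a constructed stand-in for an installer so the example runs offline; the file paths in the `__main__` block are placeholders for local copies you downloaded yourself. Keep in mind the caveat from krypd0h's comment: identical bytes only prove that both sites serve the same file at the moment you fetched them.

```python
import hashlib
import struct
import sys

# PE/COFF: the Certificate Table (Authenticode blob) is data directory entry 4
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of a blob; compare it against a hash obtained out of band."""
    return hashlib.sha256(data).hexdigest()


def authenticode_present(data: bytes) -> bool:
    """True if the PE image has a non-empty Certificate Table directory entry.

    This only detects that a signature blob is attached; it does not verify it.
    An unsigned installer returns False. An attacker can attach a bogus
    certificate, so True still needs real verification (e.g. signtool / WinVerifyTrust).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        count_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (n_dirs,) = struct.unpack_from("<I", data, opt + count_off)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    # For this directory the first field is a raw file offset, not an RVA.
    _offset, size = struct.unpack_from(
        "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return size != 0


def compare_downloads(a: bytes, b: bytes) -> dict:
    """Byte-for-byte equality, hashes and signature presence for two installers."""
    return {
        "identical": a == b,
        "sha256_a": sha256_bytes(a),
        "sha256_b": sha256_bytes(b),
        "signed_a": authenticode_present(a),
        "signed_b": authenticode_present(b),
    }


def build_fake_pe(with_certificate: bool) -> bytes:
    """Constructed test input: a bare PE32+ header with no sections.

    Exists only so the example runs offline; it is not the real 7-Zip binary.
    """
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # machine=x64, 0 sections, timestamp, symtab ptr, nsyms, opt header size 240, characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    if with_certificate:
        # Pretend a WIN_CERTIFICATE blob sits at file offset 0x1000, 0x800 bytes long
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Placeholder usage: python compare.py <copy from 7-zip.org> <copy from 7zip.com>
        with open(sys.argv[1], "rb") as fa, open(sys.argv[2], "rb") as fb:
            result = compare_downloads(fa.read(), fb.read())
    else:
        result = compare_downloads(build_fake_pe(False), build_fake_pe(True))
    for key, value in result.items():
        print(f"{key}: {value}")
```

With no arguments the script compares the two constructed headers, which differ only in the certificate table entry, so it reports them as not identical with `signed_a` False and `signed_b` True. Run it against two real downloads to reproduce Meneth's comparison, and treat `signed_* = False` as confirmation that you have nothing but the hash to pin the file to.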