Author Topic: Does www.official-drivers.com and DriverTuner serve malicious software?


Offline erlend_sh

  • Newbie
  • *
  • Posts: 2
I had just reinstalled Windows 7 on my computer and immediately opened a browser to download the latest graphics drivers. official-drivers.com got me with a sponsored link using an ati.official-drivers.com sub-domain. I downloaded something called DriverTuner (drivertuner.com) by LionSea software, installed it, and immediately realized my mistake when I recognized the "we'll find drivers for you" type of software. I promptly uninstalled it and found the official driver.

So now I'm feeling paranoid, wondering if they managed to insert a virus somewhere before I'd installed Avast.

Are there any known culprits among the sites and software mentioned here?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37132
Re: Does www.official-drivers.com and DriverTuner serve malicious software?
« Reply #1 on: December 22, 2013, 05:07:59 PM »
URL reputation can be tested here: www.urlvoid.com / www.virustotal.com .... Select URL scan just below the blue button.

Suspicious files can be tested here: www.virustotal.com / www.metascan-online.com / www.jotti.org


Quote
So now I'm feeling paranoid, wondering if they managed to insert a virus somewhere before I'd installed Avast.
If you want a check, follow the guide and attach logs.   http://forum.avast.com/index.php?topic=53253.0

And merry Christmas and a happy New Year.    ;)




« Last Edit: December 22, 2013, 05:15:53 PM by Pondus »
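The offline half of the check Pondus describes, as an added example in Python (not code from Pondus, the thread, or any of the tools it names): hash the download, check whether it is even a Windows executable rather than an HTML stub served as setup.exe, and build the VirusTotal report URL for that hash so the lookup can be done without uploading anything. The one entry in KNOWN_HASHES is the SHA-256 from the VirusTotal link in reply #3 below; the two sample blobs are constructed for the example, and the /gui/file/ URL form is assumed to be the current one (the thread's links use the older /en/file/.../analysis/ form).

```python
"""Offline pre-checks for a downloaded installer (added example, not thread code)."""
import hashlib

# SHA-256 quoted in reply #3's VirusTotal link. Anything beyond this would come
# from your own allow/deny list; it is the only hash the thread gives.
KNOWN_HASHES = {
    "4e09d9006a6b4d57933df47e3b586859b8b790e8cade3869e8ed1eee8ca40ce1":
        "official-drivers.com setup.exe (VirusTotal report linked in reply #3)",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory blob (fine for small downloads)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file on disk, streamed so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes are shaped like a Windows PE image: an 'MZ' DOS header
    and a 'PE\\0\\0' signature at the offset stored in e_lfanew (0x3C).
    A download site that hands back an HTML page or a redirect as 'setup.exe' fails this."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def virustotal_url(digest: str) -> str:
    """Report URL keyed by hash; visiting it uploads nothing (URL form assumed current)."""
    return f"https://www.virustotal.com/gui/file/{digest}"


def triage(data: bytes) -> dict:
    """Everything we can say about a download before anything is executed."""
    digest = sha256_hex(data)
    return {
        "sha256": digest,
        "is_pe": looks_like_pe(data),
        "known_as": KNOWN_HASHES.get(digest),
        "lookup": virustotal_url(digest),
    }


# Constructed samples, not real files from the site: a minimal PE-shaped stub
# (e_lfanew = 0x40, 'PE\0\0' placed there) and an HTML page posing as setup.exe.
SAMPLE_PE_STUB = (b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little")
                  + b"PE\0\0" + b"\0" * 20)
SAMPLE_HTML = b"<html><body>Download your driver here</body></html>"

if __name__ == "__main__":
    for name, blob in (("stub.exe", SAMPLE_PE_STUB), ("setup.exe", SAMPLE_HTML)):
        print(name, triage(blob))
```

Run `triage(open(path, "rb").read())` or `sha256_file(path)` on the actual download; a hit in KNOWN_HASHES or a False `is_pe` is reason enough not to run it, and an unknown hash is what you paste into the VirusTotal URL search rather than uploading the file.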

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2783
  • Volunteer
Re: Does www.official-drivers.com and DriverTuner serve malicious software?
« Reply #2 on: December 22, 2013, 08:00:36 PM »
Hi,

It doesn't appear malicious; however, I am suspicious. You will always be better off getting the drivers from the official homepage (Logitech, Dell etc.). I'd never trust these sites. The file I tried in Comodo isn't working, most likely due to it being corrupt.
SOC Tier II Analyst - Malware Analysis; Digital Forensics and Incident Response (DFIR); Fortinet Firewall Management; Pentest

Personal security is a mindset, not an application. Think before clicking.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2783
  • Volunteer
Re: Does www.official-drivers.com and DriverTuner serve malicious software?
« Reply #3 on: December 22, 2013, 08:04:11 PM »
Note: the file name should be something to the effect of "DriversForLogitech Headset XXXX", not setup.exe. I'll run these files inside my virtual machine and upload some results. However, don't download those files until they are deemed safe (which I doubt will happen).

Malwr Report: https://malwr.com/analysis/ZGM5YWU0NTI3NDcwNDk1OGJhNzQ1ZDhkY2YwYzcxMDc/#
VirusTotal: https://www.virustotal.com/en/file/4e09d9006a6b4d57933df47e3b586859b8b790e8cade3869e8ed1eee8ca40ce1/analysis/

(Signed by Norton/Symantec + VeriSign)

Looking into it further w/ my Virtual Machine.

Creates a .tmp (temp) folder called setup.tmp (.tmp being the file extension for temp files). No notable Startup keys to indicate malware being present.

Possible Adware: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{520C1D80-935C-42B9-9340-E883849D804F}_is1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{520C1D80-935C-42B9-9340-E883849D804F}_is1

Uninstall should not be present w/ Drivers.

Recommended not to download these file further on that site.
« Last Edit: December 22, 2013, 08:12:24 PM by alan1998 »
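The uninstall-key check in reply #3, as an added example in Python that is not alan1998's own tooling: it parses a .reg export of the Uninstall hives (what `reg export` or Regedit produces), lists every entry, and flags keys ending in `_is1`, the naming convention Inno Setup installers use for their uninstall entry, so the key quoted above identifies an Inno Setup-packaged application rather than a bare driver package. The sample export is constructed for the example: the DriverTuner key path is the one quoted in the thread, its values are placeholders, and the second entry's all-zero GUID is a dummy.

```python
"""List Uninstall entries from a .reg export and flag Inno Setup ones
(added example, not from the thread)."""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "name"=<value>; the name may contain escaped quotes and backslashes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg strings escape backslash as \\ and double quote as \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> list:
    """Parse a Regedit 5.00 export into [{'key': path, 'values': {name: value}}].
    Only REG_SZ values are decoded; dword:/hex: payloads are kept as raw text."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {"key": m.group(1), "values": {}}
            entries.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw_val = _unescape(m.group(1)), m.group(2)
            if raw_val.startswith('"') and raw_val.endswith('"'):
                raw_val = _unescape(raw_val[1:-1])
            current["values"][name] = raw_val
    return entries


def uninstall_entries(entries: list) -> list:
    """Entries under either hive's ...\\CurrentVersion\\Uninstall."""
    return [e for e in entries if "\\currentversion\\uninstall\\" in e["key"].lower()]


def inno_setup_entries(entries: list) -> list:
    """Inno Setup registers its uninstaller under '<AppId>_is1'."""
    return [e for e in uninstall_entries(entries) if e["key"].lower().endswith("_is1")]


def describe(entry: dict) -> str:
    """One-line summary: DisplayName by Publisher [leaf key name]."""
    v = entry["values"]
    leaf = entry["key"].rsplit("\\", 1)[-1]
    return f"{v.get('DisplayName', '?')} by {v.get('Publisher', '?')} [{leaf}]"


# Constructed export: the first key path is the one quoted in reply #3, its
# values are placeholders; the second entry is a dummy non-Inno entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{520C1D80-935C-42B9-9340-E883849D804F}_is1]
"DisplayName"="DriverTuner"
"Publisher"="LionSea Software"
"UninstallString"="\"C:\\Program Files\\DriverTuner\\unins000.exe\""
"InstallDate"="20131222"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00000000-0000-0000-0000-000000000001}]
"DisplayName"="Placeholder MSI Application"
"Publisher"="Example Publisher"
"WindowsInstaller"=dword:00000001
'''

if __name__ == "__main__":
    for e in inno_setup_entries(parse_reg(SAMPLE_REG)):
        print("Inno Setup uninstall entry:", describe(e))
```

On a real machine, export both hives first (`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall" hkcu.reg` and the same for HKLM) and feed the file contents to `parse_reg`; the InstallDate and UninstallString values are what tell you when the package arrived and which uninstaller it left behind.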

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3650
Re: Does www.official-drivers.com and DriverTuner serve malicious software?
« Reply #4 on: December 22, 2013, 08:18:54 PM »
Emsisoft is blocking the following link when i click on download: hxxp://www.official-drivers.com/setup.exe

Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2783
  • Volunteer
Re: Does www.official-drivers.com and DriverTuner serve malicious software?
« Reply #5 on: December 22, 2013, 08:19:13 PM »
Also,

In order to get drivers, you must register/pay at hxxp://xxx.drivertuner.com/register.php (don't go there).

I'll ask Polonus to do some Site Scans for you...

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2783
  • Volunteer
Re: Does www.official-drivers.com and DriverTuner serve malicious software?
« Reply #6 on: December 22, 2013, 08:19:47 PM »
Quote
Emsisoft is blocking the following link when i click on download: hxxp://www.official-drivers.com/setup.exe

Avast! does not block it. I'm going to fetch Polonus to do the Site scanning.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3650
Re: Does www.official-drivers.com and DriverTuner serve malicious software?
« Reply #7 on: December 22, 2013, 08:28:42 PM »
Setup.exe and Driver Tuner.exe are trusted by Kaspersky IS 2014.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33378
  • malware fighter
Re: Does www.official-drivers.com and DriverTuner serve malicious software?
« Reply #8 on: December 22, 2013, 11:12:47 PM »
Ad-driven site with malware according to the Quttera scan, and various instances of remote file inclusion shell malware now being closed:
http://support.clean-mx.de/clean-mx/viruses.php?ip=173.192.57.82&sort=firstseen%20desc
http://jsunpack.jeek.org/?report=9dc90b473abdc764cdb4ccc69dabae9653d0fc91
http://www.quttera.com/detailed_report/www.drivertuner.com
Site is not the "real McCoy" you searched for, look for better trustworthy alternatives.
IDS for: "ET RBN Known Russian Business Network IP group 27".
See: https://www.mywot.com/en/scorecard/official-drivers.com?utm_source=addon&utm_content=popup-donuts

polonus
« Last Edit: December 22, 2013, 11:14:36 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2783
  • Volunteer
Re: Does www.official-drivers.com and DriverTuner serve malicious software?
« Reply #9 on: December 22, 2013, 11:29:49 PM »
Quote
IDS for: "ET RBN Known Russian Business Network IP group 27".

polonus

=Bad News Bear!

http://en.wikipedia.org/wiki/Russian_Business_Network

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33378
  • malware fighter
Re: Does www.official-drivers.com and DriverTuner serve malicious software?
« Reply #10 on: December 22, 2013, 11:38:29 PM »
Hi alan1998,

Right you are. Well, this RBN group is mainly into SEO spam, click-fraud-driven code and other cyber-brigand activities.
An IDS alert like this one via an urlquery dot net scan could therefore be translated as "better stay away"....

polonus

Offline erlend_sh

  • Newbie
  • *
  • Posts: 2
Re: Does www.official-drivers.com and DriverTuner serve malicious software?
« Reply #11 on: December 23, 2013, 12:25:51 AM »
Wow, thanks a bunch for all the informative answers!

Offline It is all BS

  • Newbie
  • *
  • Posts: 1
Re: Does www.official-drivers.com and DriverTuner serve malicious software?
« Reply #12 on: April 27, 2014, 11:43:16 PM »
F.Y.I.  Asus requires you download and use that software to get updates.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2783
  • Volunteer
Re: Does www.official-drivers.com and DriverTuner serve malicious software?
« Reply #13 on: April 27, 2014, 11:46:57 PM »
It is All BS, you just answered a thread that is nearly 4 months old.... The issue has been resolved.

Offline Michigan guy

  • Newbie
  • *
  • Posts: 1
 :-[ :-[ :-[ :-[
Worst product I've ever wasted my money on!
Downloaded, installed and "fix drivers" CRASHED MY COMPUTER.... caused it to go to a partition reboot and wiped my drive, losing EVERYTHING.
Now... I'm not a super tech, but I do consider myself knowledgeable, at least for a user.
The software was recommended by ASUS (I have a G75).
Needless to say, I AM pissed!
They keep asking me to "give them another try".. REALLY???!?!?
They can kiss my @$$

Good luck to you if you use this software.. don't say you weren't warned.