Our results show that: (i) the repositories frequently exhibit rank changes due to applications fast climbing toward the first positions (ii) the repositories often update their payloads, which may cause the distribution of distinct binaries for the same intended application (binaries for the same applications may also be different in each repository) (iii) the installers are composed by multiple components and often download payloads from the Internet to complete their installation steps, posing new risks for users (we demonstrate that some installers are vulnerable to content tampering through man-in-the-middle attacks) (iv) the ever-changing nature of repositories and installers makes them prone to abuse, as we observed that 30% of all applications were reported malicious by at least one AV. We analyzed 2,935 unique programs collected in a period of 144 consecutive days. We focus on their software updating dynamics, as well as the presence of traces of vulnerable and/or trojanized applications among the top-100 most downloaded Windows programs on each of the evaluated repositories. In this paper, we bridge this gap by analyzing five popular software repositories. Online public repositories have been one of the most popular ways for end users to obtain software, but there is a lack of systematic security evaluation of popular public repositories. The security of application installers is often overlooked, but the security risks associated to these pieces of code are not negligible. We also find, that while popular download portals are not used for blatant malware distribution, nearly 10% of the analyzed installers come with a third-party browser or a browser extension. We discover that most installers that download executable files over the network are vulnerable to man-in-the-middle attacks.
In particular, we measure how many of them drop potentially unwanted programs (PUP) such as browser plugins or make other unwanted system modifications. We use the system to analyze 792 freeware application installers obtained from popular download portals. The analysis system is scalable and can run on bare-metal hosts as well as in a data center. During the installation, the system collects data about the system modification and network access. The UI automation makes use of image recognition techniques and heuristics. The system emulates the behavior of a lazy user who wants to finish the installation dialogs with the default options and with as few clicks as possible. The analysis system is fully automated from installer download to execution and data collection. We present an analysis system for studying Windows application installers.
0 kommentar(er)
