Tag Archives: GlobalSign

Safemode Install (Fried Cookie Ltd) – 18% Detection Rate – InstallCore

Hi there! Just a short post on a publisher called Safemode Install (Fried Cookie Ltd). I just found a download named chrome-download.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

Safemode Install Fried Cookie Ltd certificate

By looking at the certificate we can see that Safemode Install (Fried Cookie Ltd) appears to be located in Israel. GlobalSign has issued the certificate.

The issue here is that if chrome-download.exe really was a setup file for Google Chrome, it would be digitally signed by Google Inc. and not by some unknown company. I think this looks suspicious. Here’s what the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher
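The same publisher check can be scripted instead of read off the dialog. The following PowerShell is an added example, not part of the original post; the function name `Test-ExpectedPublisher`, the download path and the expected publisher string are assumptions chosen for illustration.

```powershell
# Added example: compare a file's Authenticode signer with the publisher you expect.
# Test-ExpectedPublisher is a hypothetical helper name, not an existing cmdlet.
function Test-ExpectedPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate   # $null when the file is not signed

    $publisher = $null
    $issuer    = $null
    if ($cert) {
        # GetNameInfo(SimpleName, $false) returns the subject's display name,
        # which is what the "Verified publisher" line shows; $true returns the issuer's.
        $simple    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $publisher = $cert.GetNameInfo($simple, $false)
        $issuer    = $cert.GetNameInfo($simple, $true)
    }

    [pscustomobject]@{
        File             = Split-Path -Leaf $Path
        SignatureStatus  = $sig.Status
        Publisher        = $publisher
        Issuer           = $issuer
        # Full subject, including the locality and country fields from the certificate
        Subject          = if ($cert) { $cert.Subject } else { $null }
        # A valid signature only proves who signed the file. The comparison with
        # the expected name is what shows whether that signer is the real vendor.
        PublisherMatches = ($sig.Status -eq 'Valid') -and ($publisher -eq $ExpectedPublisher)
    }
}

# Assumed location of the download and assumed expected publisher name
Test-ExpectedPublisher -Path "$env:USERPROFILE\Downloads\chrome-download.exe" `
                       -ExpectedPublisher 'Google Inc'
```

A file like the one in this post would come back with a `Valid` signature status and `PublisherMatches` set to `False`, because the signature is genuine but belongs to a different publisher.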

So, why did I put up this blog post? Well, the thing is that the Safemode Install (Fried Cookie Ltd) file is detected by many of the scanners, according to VirusTotal. ESET-NOD32 detects it as a variant of Win32/InstallCore.ADE potentially unwanted, Malwarebytes detects it as PUP.Optional.InstallCore, AVG names chrome-download.exe as InstallCore.F22 and Sophos detects it as Install Core Click run software (PUA).

Safemode Install (Fried Cookie Ltd) anti-virus report

Did you also find a file digitally signed by Safemode Install (Fried Cookie Ltd)? What kind of download was it and where did you find it?

Thanks for reading.

MaxAgile (New Media Holdings Ltd.) – 9% Detection Rate – InstallCore

Hi there! Just a short post on a publisher called MaxAgile (New Media Holdings Ltd.) before going back to some coding on FreeFixer.

MaxAgile New Media Holdings Ltd certificate

You can also check who signed a file by checking the digital signature tab. According to the embedded certificate we can see that MaxAgile (New Media Holdings Ltd.) seems to be located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

MaxAgile GlobalSign

The issue is that chrome-download.exe is not an official Google Chrome download. If it was, it should be digitally signed by Google Inc. Here’s what the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

The scan result from VirusTotal below clearly shows why you should avoid the MaxAgile (New Media Holdings Ltd.) file. It is detected under names such as Trojan.InstallCore.1364, PUP.Optional.InstallCore and InstallCore (fs).

MaxAgile anti-virus report

Did you also find a MaxAgile (New Media Holdings Ltd.) file?

Thanks for reading.

CrossBeam (New Media Holdings Ltd.) – 9% Detection Rate at VirusTotal

Hello! Was looking for some downloads to play around with and found one, digitally signed by CrossBeam (New Media Holdings Ltd.). The file is named chrome-download.exe.

CrossBeam (New Media Holdings Ltd.) warning

Typically you’d see the CrossBeam (New Media Holdings Ltd.) publisher name appear when double-clicking on the chrome-download.exe file.

By examining the certificate, we can see that CrossBeam (New Media Holdings Ltd.) appears to be located in Tel Aviv, Israel.

CrossBeam (New Media Holdings Ltd.) cert

The certificate is issued by GlobalSign CodeSigning CA – G2.

CrossBeam GlobalSign

The issue here is that if chrome-download.exe really was a setup file for Google Chrome, it should be signed by Google Inc. and not by some unknown company. Here’s what the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

9% of the anti-virus scanners detected the file. Some of the detection names for the chrome-download.exe file are a variant of Win32/InstallCore.ACQ.gen potentially unwanted, PUP.Optional.InstallCore and InstallCore (fs).

CrossBeam anti-virus report

When I tested the CrossBeam file it bundled StormFall and Norton 360. The checkboxes for these two programs were not checked by default.

Did you also find a CrossBeam (New Media Holdings Ltd.) file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Digital Plugin S.L Publisher – VirusTotal Detections

Sorry for not posting anything over the last few days. I’ve been having a few days off visiting friends and family. Before my time off I found another publisher called DIGITAL PLUGIN S.L that bundles some potentially unwanted programs. The file I found was called Player.exe and I could see DIGITAL PLUGIN S.L appear when double-clicking on the file.

Digital Plugin S.L Publisher

Update 2015-06-29: Found another download with the publisher name “Digital Plugin SL”.

Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that DIGITAL PLUGIN S.L is located in Tenerife.

Digital Plugin S.L Certificate

Digital Plugin S.L Tenerife

And the certificate was issued by GlobalSign.

The reason for posting about DIGITAL PLUGIN S.L is that the file is detected by many of the anti-virus programs. Currently player.exe is detected by 13 of the 52 anti-virus scanners:

Digital Plugin S.L Virus Total detections

Hope you found this post useful.

Did you also find a download signed by DIGITAL PLUGIN S.L? What kind of download was it?

Update 2015-09-12: Today I noticed another download called google_chrome.exe, signed by Digital Plugin SL.

Digital Plugin SL cert again

This is another certificate, issued by VeriSign. VirusTotal reports a 19/57 detection ratio.