Sourceforge Joins the Ranks of EVIL with Filezilla Malware

A lot of people rely on Filezilla, the FOSS FTP application. Versions you find on Sourceforge are plagued with malware. And it is on purpose.

I am a recovering user of Filezilla. This wonderful free and open source FTP application has been a workhorse application at Proactive International, Mirye Software and Meshbox Design for several years. It does what it does very well.

But I made a terrible discovery last night. I went to Sourceforge to download the latest version to install on a new Win 10 box and anti-virus software flagged Filezilla as containing malware. Surely it must be a false positive, right?

Spyware Installer on Sourceforge

It isn’t. In fact, SourceForge explains what it is – it is their DevShare Plan to monetize (as in generate money from) applications so that their developers and SourceForge can make money.

In all fairness – SourceForge gives us this warning:

This installer may include bundled offers. Check below for more options.

But most people won’t notice that when they see the big green download button.

And it gets worse if you stray from SourceForge to third party sites, as reported by PC World.

Chrome browser users are saying that Chrome won’t download Filezilla as it is identified as malware.

Sadly, by my own testing, I downloaded the alternative download version that is zipped, and got a warning that Windows 10 identifies Filezilla as malware. This was taken from the page linked from the “check below” warning on the SourceForge download page. So no, you can’t trust their alternative downloads either.

FOSS developers struggle to turn a buck, and I don’t doubt SourceForge has some non-nefarious reasons for using this method to generate revenue for developers and themselves.

But SourceForge is also ignoring what is being clearly stated by the community, Google and Microsoft – that SourceForge is relying on duplicity to install unwanted malware on your computer.

2 thoughts on “Sourceforge Joins the Ranks of EVIL with Filezilla Malware”

  1. I don’t know why people complain about SourceForge. This is their business model just like CNET et al. While it is sad that it was once a trustworthy place, lucky for us there are a lot of great and safe places to download such as FossHub and GitHub which don’t spread adware. Recently, other trusted websites tried to deliver adware (FileHippo is the most recent example) so why do people keep using them? Just stop using the offending services, stop recommending them and they will have a slow and painful death.

    1. You said it yourself: Sourceforge was once a trustworthy place. The hope of course is that SourceForge will find some other way to generate revenue. While loyalty can be fickle, a sense of betrayal persists. For example, there are quite a few ex-users of Apple Final Cut Pro who will never forgive Apple for the version 7 to X upgrade. You know Filezilla was wildly popular as a free FTP client, which delivered semi-regular updates and just always seemed to work. If the Filezilla team wanted to make some money, I would have been happy to pay some extra money for a “Pro” version.
