uBlockOrigin / uAssets

Resources for uBlock Origin, uMatrix: static filter lists, ready-to-use rulesets, etc.
GNU General Public License v3.0

[badware] vlc.de #1547

Closed stonecrusher closed 6 years ago

stonecrusher commented 6 years ago

URL(s) where the issue occurs

https://www.vlc.de/

Describe the issue

This (known) scam for the German-speaking community has existed for years now and is still not blocked... They bundle open-source software together with their malware and make it look official (although there already exists an official German VLC page). They somehow manage to stay in the top results when searching on Google. People click vlc.de more readily than videolan.org when trying to get the VLC player.

Mainly a scam for VLC Player (obviously), but also Open Office, PDF-Drucker, Iron Browser, Songbird, Thunderbird, Gimp, Notepad++, 7-Zip, Libre Office [edit: They are clean, but old. Probably just there for SEO].

VLC official build:
vlc-3.0.0-win32.exe   37.1 MB

vlc.de build:
vlc-3.0.0-win32.exe   37.4 MB

Proof

VirusTotal only has one match for the new VLC 3.0 version, but the summary for the whole domain shows the red line and community reports go back to 2008...

In their own vlc.de forum they try to justify it by citing their licence and general business terms and stuff... but actually the guy opening the thread is completely right.

Licence:

Das Installationsprogramm verändert an Ihrem PC die Startseite von verschiedenen Browsern, sowie das Suchfeld.

Translation:

The installation program changes the homepage of different browsers as well as the search field on your PC.

Tons of results for a search on a German-speaking malware help forum.

okiehsch commented 6 years ago

The 7zip, notepad++ files etc. do not bundle anything, as far as I can see. The only files with different hashes than the original are the vlc-player ones, which do have a different digital signature. The site is quite open about what their version of Videolan does.

[image: unbenannt]

The part below the bolded part means that the homepage in your browser will be changed and you can prevent this by disabling that option during the installation process -- it will be enabled by default.

@gorhill what do you think, should this site be added to the badware list?

smed79 commented 6 years ago

@okiehsch

> you can prevent this by disabling that option during the installation process

Not sure if the normal user will read or change something.

@stonecrusher Unchecky is recommended software if you are a Windows user: https://unchecky.com/

stonecrusher commented 6 years ago

You're right - I didn't test the other programs myself, just read about it. Just checked 7-zip which looks ok. However this is not a trustworthy site. It tries very hard to look like an official vlc site.

And I didn't see that by now they put a warning in the text above the download button.

Actually I think that's (unfortunately) normal behaviour for most people:
Search for vlc, click the most promising and appropriate url (so short! And who even knows vlc is somehow related to "videolan") - cool, there's already the big download button. Get it!

The directive should be to protect the everyday user. @SMed79 I don't fall for that but already had to revert it from my relatives' PCs a few times.

okiehsch commented 6 years ago

> Not sure if the normal user will read or change something.

I am pretty sure that the "normal" user who downloads any installer double-clicks it and then clicks "OK" anytime he/she can. 😉

stonecrusher commented 6 years ago

Just documenting in case for the future:

[image: edit]

[image: edit]

gorhill commented 6 years ago

It does look like a scammy site to me, as per @stonecrusher's arguments. The main purpose of the site, from the domain name to the design, is to deliver a tainted version of VLC. I can't find any obvious link to the real official VLC site.