
That is incredibly rich coming from __FileZilla__, one of the few OSS projects that accepts money from malware makers to catch out unwary windows users.

I wonder if they're actually more worried about having the EU go after them legally if some EU member loses data or money directly because of that malware?



It may be rich coming from them, but it doesn't mean they are wrong in this case.


There was a thread on the old FileZilla support forum[1] where the developer describes the adware included in the installer offered to unwary downloaders, which sounds a bit shady but is probably not malware.

A lot of AV engines use crowdsourced classifiers like virustotal to flag “potentially unwanted applications (PUA)” as a threat and quarantine, but the term “malware” is a category reserved for destructive or criminal application behavior. I’m not convinced that is what was or is bundled with “sponsored” Filezilla installers.

At some point the bundled adware was apparently something called OpenCandy related to ask.com, and the developer of FileZilla is alleged to have concealed rather than disclosed it.[2]

The adware-free installer was/is reported to be available for download freely on the same site, but for the extra browsing effort.

[1] https://web.archive.org/web/20190526065704/https://forum.fil...

[2] https://malwaretips.com/threads/sourceforge-net-adds-adware-...


> probably not malware?

Fundamentally, malware is about deception. If the user understands what is being done and why (we're tracking everything we can, then selling that to everyone) then it's not malware. The typical adware hosted on FileZilla shows a screen in the middle of the install process with multiple paragraphs of text in a font smaller than everything else, which vaguely refers to ad supported software and a link to a privacy policy that nobody reads or understands.

I don't know if there's a legal definition of malware, but that's definitely malware in my understanding of the word.


Malware is defined in many industry-standard places, like NIST 800-61, which is the Computer Incident Response Guide, US-CERT, and EU-CERT.

From what is your understanding of the term malware derived?

Fundamentally, malware is about destructive application behavior. It’s a negatively charged term that should be reserved for tools created/used with actual malice by threat actors.


Oh, this isn't in any way a new thing. They've been pulling this shit for probably over a decade now.

Naturally the whole time they've tried to paint themselves as innocent victims, and wouldn't people PLEASE just try running the malware themselves to find out it's all an innocent misunderstanding.

Meanwhile, the several in-depth analyses of the various "extra" payloads delivered by their installer always come to: "It's 100% malware, delivered using evasion techniques that try to avoid system/virus detection, and have no place in legitimate software. DO NOT use this".

Please don't fall for their bullshit.


> money from malware makers to catch out unwary windows users.

As an active user of FileZilla, can you elaborate on this? Any links or sources where I can read about it? Thank you.


The default download link installs malware/adware alongside FileZilla. If you go to the actual downloads page, you get the vanilla version.


It was adware and not malware, from what I can tell.


Just do a Google search for FileZilla and malware. It's been an issue for many years now, and lots of people have written about it.



