DNS hijacking? SDI-tool pulling down malware packages in some instances

2019-11-12
2020-05-25
1 2 > >> (Page 1 of 2)
  • Matthew Bentley

    Matthew Bentley - 2019-11-12

    See the discussion in this forum thread here:
    https://forums.overclockers.com.au/threads/upgrading-to-win10-a-basic-guide.1267620/page-2#post-18360772

    I don't know enough to be able to specify how or why this is happening,
    but apparently it is happening, and is common enough that two people
    have written in a thread that isn't even dedicated to the tool, about
    this issue.

    I'm not sure how this could be avoided but probably checksums on the
    downloaded files, as supplied in the indexes, could work.

    Unless they also hijack the indexes.
    Matt
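    The mitigation proposed in the post above, checksums for the release files published in the index, as an added example (not code from the SDI project or the thread). The index format is the `<sha256>  <filename>` layout that `sha256sum` prints; the file bytes and index are constructed here so the check runs offline.

```python
"""Verify a downloaded release file against a published checksum index.

Added example, not SDI project code. Assumes the site publishes a
sha256sum-style index next to its releases; file contents below are
constructed stand-ins.
"""
import hashlib
import hmac

# Constructed stand-in for a release archive (not the real SDI_R2000.zip).
GOOD_RELEASE = b"PK\x03\x04 constructed stand-in for SDI_R2000.zip"

# Constructed index: one "<sha256>  <filename>" line per release file.
INDEX_TEXT = hashlib.sha256(GOOD_RELEASE).hexdigest() + "  SDI_R2000.zip\n"


def parse_index(text):
    """Map file name -> expected hex digest; malformed lines are skipped."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        digest, name = parts
        expected[name] = digest.lower()
    return expected


def verify_download(name, data, index_text):
    """Return (ok, reason).

    A file is accepted only if it is listed in the index and its SHA-256
    matches. A swapped-in installer under another name is rejected as
    unlisted; a modified archive under the right name fails the digest.
    """
    expected = parse_index(index_text)
    if name not in expected:
        return False, "not listed in index"
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison avoids leaking how many digest chars matched.
    if not hmac.compare_digest(actual, expected[name]):
        return False, "checksum mismatch"
    return True, "ok"


if __name__ == "__main__":
    print(verify_download("SDI_R2000.zip", GOOD_RELEASE, INDEX_TEXT))
    print(verify_download("SDI_R2000.zip", GOOD_RELEASE + b"\x00", INDEX_TEXT))
    print(verify_download("DriverPack-Online.exe", b"not sdi", INDEX_TEXT))
```

    The check is only as strong as the channel the index arrives over, which is the caveat raised at the end of the post: if the same script that rewrites the download link can also rewrite the index, the digests match the substituted file. Fetching the index from a separate origin, or signing it, closes that gap.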

     
  • Wiggleraway

    Wiggleraway - 2020-04-17

    It appears the problem is a dodgy script on the website redirecting traffic.

    The DOM on https://sdi-tool.org/download/ is modified to change the links from SDI lite to a program called Driverpack from drp.su. It links to htt#p://dl.drp.#su/17-online/DriverPack-17-OnlinefromSDI-tools.exe (hashes added to stop accidental clicks and any google linkbacks).

     
  • TheFatherMind

    TheFatherMind - 2020-04-22

    I tried to reply on that mentioned thread but it seems I do not have permission. I have more information about this. I have encountered a client's computer that is being redirected. They are doing more than just a DNS redirect. The page is being changed. I watch the right panel show up, then it changes. If I view source I cannot find the changed text in the source. So I inspected it. I ran this tool by mistake. Has something virusy in it. Not sure what it does or if it is dangerous though. Not sure how they are doing it. No matter what browser I use on the computer the page gets changed.

    I have attached the screenshot.

     
  • Martin

    Martin - 2020-05-02

    Just came here to say the same thing about the fake driver program link for the "online" version.

    I'm doing a pc cleanup now, second I ran the installer I noticed it wasn't the right program. By the time I crashed the program it had already installed about 5 common pup adware things on my PC. I'm guessing I will find more with a deeper cleanup.

    This needs to be sorted on the website ASAP!

     

    Last edit: Martin 2020-05-02
  • Magnus

    Magnus - 2020-05-15

    I just checked the website too and currently the live version correctly links to http://sdi-tool.org/releases/SDI_R2000.zip, which seems correct to me. Is the link correct for you too at the moment?

    What's confusing me now is that following the Patreon Link on https://sdi-tool.org/, I get to https://wwwpatreon.com/SamLab, where it is stated that 'Yury creates driver packs for sdi, drp, and samdrivers.'
    The link you've shown above is for this tool named DRP (Driver Pack Solution) and I can't find another website for it, so drp.su seems to be the correct one.
    Why would the (a?) developer of sdi, SamLab, state that he is working for drp too if it is spreading malware?

     

    Last edit: Magnus 2020-05-15
  • Sam Bounce

    Sam Bounce - 2020-05-15

    I am the author of a driver pack for 5 different shells, I currently manage the SDI project - the DriverPack project temporarily placed ads on the SDI website, but it is not dangerous - the reactions to DRP are false positive

     
  • Magnus

    Magnus - 2020-05-15

    Perfect, thank you for the clarification!

     
  • TheFatherMind

    TheFatherMind - 2020-05-15

    Are you saying that that fake panel linking to that other driver program made by someone else should no longer be there?

     
    • Magnus

      Magnus - 2020-05-15

      For me it currently links to /releases/SDI_R2000.zip, which seems correct to me.
      The lettering also changed from "DriverPack Online" to "SDI Lite" and the source changed from drp.su to direct. I'm still wondering how or why this was the case at the time of your snapshot.
      Would be interesting to know how the other project replaced the element for some time!

       
      • Martin

        Martin - 2020-05-18

        I have noticed that it shows source DRP.SU on most loads, if I refresh the page enough once in a blue moon I will get the Direct link showing, which is the right one.

        I think the DRP.SU mirror needs to be nuked. Something fishy is going on with it.

         
  • Martin

    Martin - 2020-05-15

    This is the program listed within the "DriverPack Online" DRP.SU link:

    https://imgur.com/wCbtPiB

    This is not snappy driver:

    https://imgur.com/fbrmOT0

    And it has malware that installs on your pc:

    https://imgur.com/T9toUhb

    That's only some of the detections, I force canceled the install so a lot didn't get on my pc

     

    Last edit: Martin 2020-05-15
    • Magnus

      Magnus - 2020-05-15

      That's weird indeed. Are you at https://sdi-tool.org/download/ too?
      Maybe your browser cached the site? (though that's questionable given the time that has passed)
      I replied to TheFatherMind above before seeing your comment, I can't find the link you're showing anymore.

      As far as I know, Sam also supplied Driver Packets to the application you're seeing called DriverPack Online. I haven't found much about the software itself on the internet, but from a reddit post I read that the original developer behind snappy broke with the company because of some dubious policies regarding adding adware, which resulted in SDI and SDIO as continuations without adware. But there's still some uncertainty for me whether this is an accurate representation of what happened.

      EDIT:
      I'm using Malwarebytes too, it has listed some problems I use as pups before, so it's quite possible that, like Sam said, it's a false positive in this case too. Either way Malwarebytes doesn't state that it's malware per se, just a Potentially Unwanted Program.

       

      Last edit: Magnus 2020-05-15
      • Martin

        Martin - 2020-05-18

        Hi Magnus,

        Yes, I'm at the right sdi-tool.org website link.

        I also clear all my browsing traces daily on this computer due to being a web developer.

        If DriverPack Online is meant to be linked where it is then we need confirmation that it's meant to be there. People come to the site for Snappy Driver, not some other 3rd party driver installer.

        DriverPack Online also adds a firewall rule:

        https://imgur.com/kD7FTpo

        I also canceled the DriverPack Online install midway through when I noticed it wasn't SDI. Who knows what else would have been added to my PC.

         
  • TheFatherMind

    TheFatherMind - 2020-05-18

    Okay I want to be clear here... On the computer I am working on.. that is in Vietnam. I tried the site over multiple browsers and it is always the same. The left panel is correct but the right panel is changed just like in the picture Martin posted. Here is where it gets REALLY strange.. I copied the source of the page and did a "diff" of the source from my computer where it is correct. And they, the source, are exactly the same. I cannot figure out how they are doing it. But that DRP program is a COMPLETELY different program. It even talks to you!!!

    When it loads I can see the correct page load and then something happens and the right panel is changed to the spyware one.

    I also verified the DNS is the same.

    OKAY.. I JUST had a thought.. a break through... I am running an ad-blocker in my web browser. When I turn that off.. I see the spyware panel instead! Test this in an incognito window.

    This needs to be fixed. (:
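    The check described above (the served page source matched, yet the rendered panel differed, so the rewrite happens client-side) as an added example, not code from the thread or the SDI site. It parses the anchors out of the HTML the server actually returned and reports any href the browser rendered that the served HTML never contained, marking whether it points off the site's own host. The HTML and the rendered href list are constructed; in practice the rendered list would be collected in the browser console with `document.querySelectorAll('a[href]')`, and the constructed mirror host is a placeholder.

```python
"""Flag rendered download links that are absent from the served HTML.

Added example, not project code. The served HTML, page URL and rendered
hrefs below are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed: what the server returned for the download page.
BASE_URL = "https://sdi-tool.org/download/"
SERVED_HTML = """
<div class="left"><a href="/releases/SDI_R2000.zip">SDI Lite</a></div>
<div class="right"><a href="/download/full/">SDI Full</a></div>
"""

# Constructed: hrefs seen in the live DOM after scripts ran. The last one
# is a placeholder for an injected third-party installer link.
RENDERED_HREFS = [
    "/releases/SDI_R2000.zip",
    "/download/full/",
    "http://mirror.example/DriverPack-Online.exe",
]


class AnchorCollector(HTMLParser):
    """Collect every <a href> in the served HTML, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for key, value in attrs:
            if key == "href" and value:
                self.hrefs.add(urljoin(self.base_url, value))


def static_hrefs(html, base_url):
    """Return the set of absolute hrefs present in the served HTML."""
    collector = AnchorCollector(base_url)
    collector.feed(html)
    return collector.hrefs


def find_injected_links(html, base_url, rendered_hrefs):
    """Return rendered hrefs the served HTML does not contain.

    Each finding records the absolute href and whether it leaves the
    site's own host; an off-site download link that the server never
    sent is the pattern the thread describes.
    """
    expected = static_hrefs(html, base_url)
    site_host = urlsplit(base_url).hostname
    findings = []
    for href in rendered_hrefs:
        full = urljoin(base_url, href)
        if full in expected:
            continue
        findings.append({
            "href": full,
            "offsite": urlsplit(full).hostname != site_host,
        })
    return sorted(findings, key=lambda f: f["href"])


if __name__ == "__main__":
    for finding in find_injected_links(SERVED_HTML, BASE_URL, RENDERED_HREFS):
        print("not in served HTML:", finding)
```

    A same-site href that the server never sent is still reported (with `offsite` false), since a rewrite can also point at a different path on the same host; an empty result means every rendered link was present in the served page.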

     
  • TheFatherMind

    TheFatherMind - 2020-05-18

    @Martin Try installing the "uBlock Origin" ad blocker plugin into your browser and watch what happens.

     
    • Martin

      Martin - 2020-05-18

      That fixed it. AdBlock Plus, which I had originally, didn't stop it...

      But that's not going to help the average joe blow who is being shown the dodgy mirror.

      A more permanent fix is needed. Nuking that mirror.

       

      Last edit: Martin 2020-05-18
  • Magnus

    Magnus - 2020-05-18

    I just tried multiple VPN servers stationed in Vietnam to rule out that there is regional component all the while disabling uBlock Origin (both just inside the browser and by using a different profile) but I can't get that mirror to show up.
    I normally only use firefox, so what I found with further fiddling is that I get the drp.su mirror to show up in Chrome; now I finally can see firsthand what you guys found!
    It also shows up in Safari, but I can't get it to show up in firefox, no matter what. I disabled any Adblocker, used a fresh profile, and stopped any tracker-protection and loosened the internal policy. Maybe I missed some option, but firefox seems to block it inherently (I didn't set up a fresh install in a new VM though).
    Is one of you using firefox and getting it to show up?

    I still am not fully positive that DPO is malware (if I remember correctly, SDI requested an exception in my firewall too; in general there's nothing wrong with that) but at the very least it is not what should be delivered by the site, so that is definitely a major problem.
    On the other hand I don't see a reason for legitimate software to inject itself like this, which is pretty much a giveaway for it to be adware at a minimum.
    If I find the time I'll set up a new VM and install it there and monitor what it does, whereat the results might be interesting but won't solve the problem.

     
    • Martin

      Martin - 2020-05-18

      At least Snappy Driver asks to create a fire wall rule, DriverPack Online does it automatically behind the scenes.

       
      • Magnus

        Magnus - 2020-05-19

        Hmm, I don't think SDI itself asked if I remember correctly, I just got remarks from defender and my other software firewall that it wants to create an exception.
        I get these remarks for any application, even if I tick a "create firewall option" in an installer. But the firewalls are also configured to notify me of any change and let me approve it manually; I'm not sure if applications normally can sneak in firewall rules on vanilla Windows without notice.

         
        • Martin

          Martin - 2020-05-19

          The Windows firewall rule only pops up on the first use on a computer (you won't see it on future uses), below is a screenshot. I use it on about 5 different computers a week, seen it many times :)

           
          • Magnus

            Magnus - 2020-05-20

            Yeah, thought this to be normal behaviour too :)
            What I wasn't aware of is that, without another firewall installed, installers would be capable of creating firewall rules without this kind of confirmation on windows, like DPO seems to have done for you before you canceled the installation

             
            • Martin

              Martin - 2020-05-21

              You can actually change Windows Firewall settings to ask permission of all programs on first run.

               
  • TheFatherMind

    TheFatherMind - 2020-05-18

    @Magnus I can get it to happen in my copy of FireFoxPortable v76.0.1.. Here is a link to mine...
    https://www.desktopmasters.com/Stuff/Temp/FirefoxPortable.zip

    I recommend you try the official copy before downloading anything from me..
    https://portableapps.com/apps/internet/firefox_portable

    Official is likely a much newer version than mine.

     
    • Magnus

      Magnus - 2020-05-19

      Great pointer!
      There must be another thing that blocks it in my main Firefox installation which I didn't find.
      Using the latest portable version I found that setting the enhanced tracking protection to strict will block the false link too, while I was able to reproduce the problem when it is only set to standard.

       
  • TheFatherMind

    TheFatherMind - 2020-05-19

    I am SOOOO glad we are making progress on this. And I cannot wait to find out the source of it.

     