Update January 2015:
It seems that direct access to the compiled application is no longer available. The list of files is still there, but every link now redirects to the Sourceforge malware-ridden downloader.
Another update and a solution:
I have just had this tip passed on to me (thanks, Mike :)), and it is brilliant. When you get to the FileZilla download page, it will be a URL like this:
That URL will give you the SourceForge downloader application for the project, sized about 700kB. You don't want that. Go to the address bar and add "?nowrap" onto the end of the URL. It will look like this:
Now what you get is the compiled installer for the project, in this case an executable 6MB in size.
So, just add "?nowrap" to get the file you really wanted.
This link gives you the index page for all the downloads, but it automatically adds the nowrap parameter:
https://filezilla-project.org/download.php?show_all=1
How long that link will remain is unclear. The thing to remember is to look at the size of the download before you run it: the wrapper is well under 1MB, while the real installer is about 6MB.
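As an added example (written for this post; it is not tooling from FileZilla or SourceForge), here is a small Python helper that does the two things above in code: it adds the bare "nowrap" parameter even when the link already carries a query string, and it applies the "look at the size" check, plus two extra checks that are my own assumptions: a "_bundled" marker in the filename, and the expected file-type signature for .exe, .zip and .bz2 downloads. The 2 MiB threshold is an assumption drawn from the sizes quoted on this page. The sample filenames and sizes in the `__main__` block are constructed from the figures in the post and comments.

```python
"""Added example: build a "nowrap" download link and sanity-check the downloaded
file before running it. Illustrative code written for this post, not anything
shipped by FileZilla or SourceForge. The thresholds and the "_bundled" name check
are assumptions drawn from the sizes and filenames quoted in the post and its
comments (wrapper: well under 1 MB; real installer: roughly 6 to 9 MB)."""
import os
from typing import List
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Assumed cut-off: anything smaller is treated as too small to be the real
# installer. The post quotes wrapper sizes of 700 kB to 1 MB.
MIN_INSTALLER_BYTES = 2 * 1024 * 1024

# Leading bytes expected for each download type (standard file signatures).
MAGIC = {
    ".exe": b"MZ",          # Windows PE installer
    ".zip": b"PK\x03\x04",  # zip archive (the macOS "setup_bundled" wrapper)
    ".bz2": b"BZh",         # bzip2 stream (the macOS .app.tar.bz2)
}


def nowrap_url(url: str) -> str:
    """Append the bare 'nowrap' parameter the post describes.

    Unlike naive string concatenation this keeps working when the link already
    carries a query string (for example a mirror selector) and is idempotent.
    """
    parts = urlsplit(url)
    existing = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    if "nowrap" in existing:
        return url
    query = f"{parts.query}&nowrap" if parts.query else "nowrap"
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def suspicious_download(filename: str, size: int, head: bytes) -> List[str]:
    """Return the reasons a download looks like the wrapper rather than the
    real installer. An empty list means none of the checks fired; that is not
    proof the file is clean, so still compare it against a hash or signature
    published by the project where one exists."""
    reasons = []
    base = os.path.basename(filename)
    if "_bundled" in base:
        reasons.append("filename carries the '_bundled' marker of the wrapper build")
    if size < MIN_INSTALLER_BYTES:
        reasons.append(f"only {size} bytes; the full installer is several MB")
    ext = os.path.splitext(base)[1].lower()
    magic = MAGIC.get(ext)
    if magic is not None and not head.startswith(magic):
        reasons.append(f"content does not start with the {ext} signature {magic!r}")
    return reasons


def inspect_file(path: str) -> List[str]:
    """Run suspicious_download() against a file already on disk."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(8)
    return suspicious_download(path, size, head)


if __name__ == "__main__":
    link = ("https://sourceforge.net/projects/filezilla/files/FileZilla_Client/"
            "3.26.2/FileZilla_3.26.2_macosx-x86.app.tar.bz2/download")
    print("fetch:", nowrap_url(link))

    # Constructed samples standing in for the two downloads described on this page.
    samples = [
        ("FileZilla_3.26.2_macosx-x86_setup_bundled.zip", 798 * 1024, b"PK\x03\x04"),
        ("FileZilla_3.26.2_macosx-x86.app.tar.bz2", 8_900_000, b"BZh9"),
    ]
    for name, size, head in samples:
        flags = suspicious_download(name, size, head)
        verdict = "DO NOT RUN: " + "; ".join(flags) if flags else "size and type look right"
        print(name, "->", verdict)
```

Feed the link you copied from the download page to `nowrap_url()`, fetch the result with your browser or with curl/wget, and then run `inspect_file()` on what arrived. A clean result only says the file is the right size and type; it does not verify who built it.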
Went to Sourceforge to download a copy of FileZilla, the Open Source FTP client. What a disappointing experience.
What SourceForge wants to do is push a piece of spyware at you. What the spyware does is anyone's guess, but it asks for permission to change Windows settings, which makes me suspicious.
Then I tried the “Browse all files” link (which used to be called “other download options”) and went to the direct download page, where I can choose a specific version of FileZilla and download that. Except no – it does not work like that. The URL shows me the link to the file I want, but clicking on it redirects my browser to the spyware download again.
This shit is misleading and should be considered dangerous. They try their best to trick you into installing something that has full access privileges to your entire machine, and then sell that on to their “partners”, who could be just about anyone. Given how they are misleading users, I don’t trust them, and neither should you.
If you want FileZilla, here are the downloads direct from the project:
http://download.filezilla-project.org/
The one you want is probably down near the bottom of that long list, as the latest is at the bottom and not at the top as you would hope.
Good luck, and stay away from Sourceforge – they are looking more dangerous by the day.
Update: today I also needed to download an update to SoapUI, the excellent SOAP testing and development tool. That is also hosted on Sourceforge, but the download links do exactly what they say they do – no spyware, just the 140Mbyte (!) application. I’m guessing SoapUI has a different arrangement with Sourceforge than does FileZilla, though I suspect whatever gains FileZilla thinks they may be getting, are going to be destroyed by the distrust they are building up amongst its end users.
Thanks for the article – I too was quite surprised to see crapware hidden in SourceForge downloads.
I wonder if the authors are aware of this?
I believe, from reading various discussions with the authors, that they are very aware of it, since they allegedly get a cut of advertising revenues that result. They certainly wouldn’t make any money if I could charge them for the time it takes to remove this crap from family PCs.
Those links now also go to SourceForge 🙂
Yes, they do – BUT the “nowrap” URL gives you the raw application and not the adware installer. The FileZilla application is around 6.1Mbyte in size, while the adware installer is just a couple of kilobytes.
Thank you random men on the internet
Just thought you would like to know that the links on the direct download site you have posted now go to Sourceforge also. (At least the 32-bit Windows links did)
I ran into this same exact problem. Thanks for posting an article about it. Everyone needs to be aware of Sourceforge pushing out spyware.
Shame on you Sourceforge!!
If I can’t find a spyware free copy of Filezilla, I’ll just go back to old faithful WinSCP.
Thanks Jason!
I needed FileZilla because I was looking for FTPS rather than SCP or SFTP – they are different protocols, even though they have very similar names. WinSCP has still served me well for many years though – it's awesome.
FileZilla has an arrangement with Sourceforge to bundle malware with their installers. Sourceforge knows about this, and Filezilla developers know about it. They are hoping that a portion of their users do not know about it, and will accidentally install malware so that Filezilla and Sourceforge can get a few extra bucks. There have been reports that the malware will install even if you say “no.”
Make sure that you always avoid the sourceforge installer. The sourceforge installer has the SF logo, while a clean Filezilla installation executable will have the FZ logo. You can get a clean Filezilla installer if, from the download page, you click “Other Downloads” and look for the link with “nowrap” in it. They seem to change the method every few months, so it might be safest to find a third party site that builds from source.
Surprise…even the download link from filezilla server goes to sourceforge 🙁
Dude, even all the links at http://download.filezilla-project.org/client/ now go to download through SourceForge, so that was DELIBERATE. Can't find a single non-poisoned link to download it anymore. Damn.
Hi Jason, boy I totally agree. I just spent a whole day getting rid of such malware and I don’t even know which source it came from. Maybe sourceforge maybe cnet, maybe tucows or other (previously thought to be trusted site).
Who knows, maybe now even other free trial anti-malware and other security software downloads, even directly from the companies that develop them, could be infected. In any case, the link you provided took me through two pages (the first looks like the real FileZilla page; the second page did say SourceForge at the top). However, the auto-download at that time did seem to download the real FileZilla, not the SourceForge exec.
One more thing: when I first downloaded (but did not run) the SourceForge exec, I could not find it in my download folder (in fact, I searched my whole computer and cannot find it). I wonder where they sneaked that in and what it may do to me later???
Really appreciate your help on this. God bless.
Hi Jason,
First off, thank you for the article and for allowing others to post news of this very sad turn of affairs.
Today (01/24/2015) I fired up FileZilla and it provided notice of an update, as it has done for what seems like since day one; however, today the malware Vosteran, a browser hijacker, was present during installation of FileZilla. Even though I stopped the installation of FileZilla before it had barely begun, the malware had already hijacked Chrome and established itself as the default search engine. Removing Vosteran (which had shown up in the listing of Programs), power cycling off/on a couple of times, then removing any instance in Chrome's Settings, Manage search engines…, double checking for any suspicious items, closing and reopening Chrome, and then another power cycle off/on has hopefully nipped things in the bud. If you have anything further to add to removal strategies, I'm sure that your readers would be quite happy to learn and, without question, so would I.
A couple of questions: 1) are you still using Filezilla, and if not, 2) what are you using for ftp transfers?
1) In general no 2) it is built into my editors.
If I need to grab the contents of a site or server, I would normally archive all the files up into one file (zip or tar.gz) and transfer that over HTTPS. It turns out to be faster than grabbing the contents one file at a time anyway. But it is always good to keep these tools handy, because there are always times when other tools and techniques fail.
Even if you decline the spyware, the installer will still change (on Mac OS at least) the default search engine and homepage to Yahoo. Never trust something that needs an installer on Mac! Software that cannot be just dragged and dropped is not worth anything. SourceForge, never again if there is an alternative.
Take a look at the updates. There is a parameter you can add to the URL to download the core file without the malware wrapper. At least, there is for now. Check the file size when you download, to make sure you are getting the right file.
I tend not to use FTP these days as much as I used to. Most of my code goes in and out of github, so there is less to transfer directly.
They seem to be doing a user-agent check. To avoid the SourceForge crap on download.filezilla-project.org, just copy the links from there and feed them to curl, wget, aria2 or any other command line download tool.
That site is where the software downloads its automatic updates from so it does have the files without the adware.
Hello! I suffered through FileZillas malware last year and have no intention of going through it again, however I must have an FTP client.
I tried downloading with the ?nowrap link above, but the file size is 6.09MB. Is this still safe?
At this point I’ve completely ditched FileZilla. On OS X I use Macfusion, which allows one to mount ftp or sftp (over ssh tunnel) server as a drive on your computer. On Linux, well, I just use the built in sftp capability in XFCE’s file manager, thunar.
Unfortunately your link, by the FileZilla project, links to a SourceForge folder to start the download. It's a total shame that SourceForge and FileZilla decided to put malware, and powerful malware too, into the download!
The “nowrap” URL still works for me. Without the “nowrap” parameter I get a 1Mbyte download (the spyware loader) and with the “nowrap” parameter I get a 6.1Mbyte download (the Filezilla installer). Now, whether Filezilla themselves have compiled something nefarious into their executable, is something I can’t comment on.
Thank you very, very much. I had downloaded the 1.0 MB version and my AV detected the malware; then I got to this post and downloaded the good one of 6.0 MB.
Thanks a bunch for your good will.
🙂
It is so sad that so many projects are stuck on SourceForge still. I am also having issues downloading older versions of some applications (to do legacy upgrades) as they tend to be more likely to suffer from bit-rot pre 2013 and are simply not accessible anymore without losing the link halfway through. They were once a great custodian of our code. Not any more.
Hi all.
Jason Judge, can you explain it better please?
What can’t you download exactly?
The link that SF provides to supposedly download the product (the compiled application) instead downloads an application to deliver ads and other malware to your machine, before it then downloads the product. Once people run this malware – thinking it is Filezilla – many people report that ad-ware has been installed on their machine even if they cancel the installation, and even if they tick any boxes to indicate that they do not want this software installed. This is underhand, and breaks all trust between the users and the projects. This kind of action drags the name that SF built up a decade ago, through the sordid depths of all things nasty on the Internet.
I am sorry Jason, I probably have not provided enough details in my first question.
I am aware of the DevShare program on SourceForge because I am an active member there. More details on the DevShare program are here:
http://sourceforge.net/blog/?s=devshare
In a few words: the installer is intended to let the project administrators earn some money and keep developing their projects, but without harming the users' systems; sadly sometimes the installer gives problems to some users, and I can understand that a lot of people consider additional software undesirable.
Indeed my question was about this statement:
“I am also having issues downloading older versions of some applications (to do legacy upgrades) as they tend to be more likely to suffer from bit-rot pre 2013 and are simply not accessible anymore without losing the link halfway through.”
If I read well, you found broken links, which ones?
The web pages of the projects (project.sourceforge.net) are maintained by the projects' administrators, and links to files (sourceforge.net/projects/project/files) are removed either by the projects' administrators or due to a violation of SourceForge's terms of use (spam, illegal stuff, non open source projects, for example); indeed it would be a problem if a legit link to files (sourceforge.net/projects/project/files) broke, and this is the reason I ask you: what can't you download from there?
The “installer” is a shit way to get malware onto users machines while putting the apparent blame on the developers. Sorry, but however you try to spin it, it is an appalling thing to do. Like I say, what it does is underhand, just like the big “Start Download” advert buttons you allow on the download page to MISLEAD people into clicking them.
The broken CiviCRM links I was having trouble downloading (they were half-downloading then timing out in the middle) all seem to be a bit more stable now. They were not working properly earlier in January.
Is it possible (and legal according to the license) to do a build from the available source files and distribute it through other channels? I have several people in my network I can activate, but they have little interest in license terms and Windows – they’re Linux buffs. They would help me if I asked them though, and I would be happy to share the output.
In essence: Can “we” just build a clean version of FileZilla and share it through other channels? I might even have a digital cert which can be used to code-sign it (establishing credibility that the output is not filled with yet another batch of malware)?
If it is open source (which it is) then the source is open for the end user to change and redistribute as they like. If you do change it, then make sure your source code is available for people using the software to do similarly. There are sometimes issues with trademarks, which you often need to get around by renaming the product clone (for example CentOS is the free version of Redhat, compiled from the Redhat code with all the trade marks removed). So check the licence and go for it!
Thanks for your excellent article. I have two questions.
First, I just tried going to http://download.filezilla-project.org/client/ and downloaded the file titled “FileZilla_latest_win64-setup” which is 6.3MB in size. Is this file safe?
Second, assuming that a safe install is completed, will the FileZilla initiated periodic updates contain malware, or just the first install?
6.3 MByte sounds about right. I could never declare it “safe”, but it certainly does not look like the much smaller malware installer.
I've just fired up my copy of FileZilla and it prompted me to download the latest version (3.16.1). Using the automatic download and install, it downloaded the 6.3 MByte installer then automatically ran it. Nothing bad has happened so far, so it looks like it will be okay, but it is always good to be cautious.
Excellent. Thanks for taking the time to share your knowledge!
https://ninite.com/
The best site for downloading all those utilities.
Similar experience with FileZilla – install was downloaded through their website. Saw a brief popup for a different product. Tried backing up, but was not able to get to that view of the popup to disable install. Immediately exited/cancelled the install w/o installing, but noticed activity on the machine. Brought up Task Manager – found ‘WebCompanion’ running – immediately terminated it and started a filesystem search on the same name (I have a good idea what is supposed to be running on my machine).
Found installer and a bunch of partial matches (use a search on WebCompa), not the full name.
Moved installer to another location (copy if you can’t move).
Checked services – nothing added.
Did internet search on WebCompanion – found LavaSoft and they state to remove it, look for the program labelled “Ad-Aware Antivirus” – no such creature present. Another page indicates the name “Trovi” – no such creature present.
Checked browsers for unknown addons – didn’t find them, might have gotten it early enough to prevent it.
Manually opened/unpacked the contents of the installer (without installing) and used the files present to search the filesystem for them (using common base names) – deleted identified files – watch for files that have the same name, check for date updates to current.
Searched registry for same. Be careful of mods – surgically removed refs.
Now for a beer – 'cause I'm really T'd off. I think I got it all. It might help to list the names of the crapware that FileZilla is trying to squeeze in.
NOTE: The zips don’t have the crapware installer in them.
This is a great article and thread of replies. I won’t bore anyone with my story, but I will add some things I’ve noted.
Upon download of the file from Filezilla’s website, what you receive is a Zip Archive called “FileZilla_3.26.2_macosx-x86_setup_bundled.zip” (798 KB). You do not want this.
Adding “?nowrap” to the end of the link, as suggested, a bzip2 compressed archive is downloaded. It’s called “FileZilla_3.26.2_macosx-x86.app.tar.bz2” (8.9 MB). This IS the file you want.
Some additional information I found (as I had no idea what a bzip2 compressed archive was), according to WinZip, “The BZ2 format is used to compress single files only and is not able to archive a group of files. That means you need to assemble the group of files you want to compress into an archive first, then apply bzip2 compression to that archive file.”
This definition eases my concern of installing unwanted, malicious software. I would like to thank Author Jason Judge (https://academe.co.uk/author/jasonjudge/) for this article and can confirm adding “?nowrap”, will indeed lead you to the file you’ll want to download. Current, safe, MacOS build link below.
Safe Link: http://sourceforge.net/projects/filezilla/files/FileZilla_Client/3.26.2/FileZilla_3.26.2_macosx-x86.app.tar.bz2/download?nowrap
Just uncheck the box “I have read and understand the terms and conditions and agree to have blah blah anti-virus installed” and click ‘Next’. Then do it again and uncheck the box for the next item they try to fool you to installing. Afterwards, FileZilla will be the only software installed on your machine.
Just downloaded FileZilla as recommended by Siteground.
File info shows these details:
FileZilla_3.40.0_win64-setup_bundled
ver 3.40.0
(c) Tim Kosse
Immediately on running, the screen flashes several times and panic sets in.
I really hope I don’t have a virus.
It installed Web Companion, Opera Stable and I think Google Chrome. It also changed my
default browser to Opera Stable and the default search engine for Firefox from Google to Bing.
I immediately uninstalled these, did a virus check and restarted. Seems okay. But I don't feel very safe now.