These companies that mislead our users

Some thoughts about the people who use the name of VLC media player to spread adware/spyware while infringing VideoLAN’s intellectual property and brand…

At VideoLAN we’re really fed up with all those websites/companies that trick our users into downloading malware and violate our IP by distributing misleading versions of VLC without complying with the GPL license.

What bothers us the most is that many of them bundle VLC with various crapware to monetize it, misleading our users into thinking they’re downloading an original version. This is not acceptable. The result is a poor product that doesn’t work as intended, that can’t be uninstalled and that clearly abuses its users and their privacy. Not to mention that it also discredits our work as volunteers and that dealing with it is time-consuming, time that is not invested in development.

Of course this situation is not specific to VLC: other open source products are affected by this scourge and there’s not much we can do about it. They have the money to buy AdWords, we don’t. Sadly, as a non-profit organization we don’t have the money to sue them.

We’re constantly trying to enforce our IP to protect our users. In the meantime, tell people around you that VLC media player is and will always be free of any charge and, for your own security, always download it from the official website www.videolan.org.

FYI these are the two biggest companies who use VLC to distribute their crap:
- pinballcorp.com
- eorezo.com / tuto4pc.com

But there are many more:


Some screenshots of ads you’ll find when searching for VLC on Bing and Google:

Update #1: old links removed, new added
Update #2: added some screenshots of typical ads 

87 Comments.

  1. Mark Johnston

    Have you tried contacting Google and getting them to punish these companies for abusing AdWords et al?

  2. I suppose, because of the OSS nature of VLC (the fact that it would not be difficult to remove this), that there’s no way to securely do a phone home to be sure of the software on first run? Perhaps in the update check?

  3. @Mark: We’ve already contacted Google and SafeBrowsing both told us that they don’t care.

    @Carl: Yes, the OSS nature of VLC prevents us from doing that but anyway it would be easy to disable it in the source code. It’s pretty much like DRM, only the “legit” version would be impacted.

    • Robert Carnegie

      I suspect that your “colleagues” releasing these other versions of VLC aren’t very interested in changing the source code and program behaviour. However, releasing a phone-home version of source code arguably is against OSS spirit. The authentic program checks for updates from the authentic place, however.

      If I released my own version of a media player with your source code, that would not be immediately wrong, yes? But if I call my version “VLC” too, that may be wrong.

      How about… if your authentic version is released with copyrighted material that is used with permission in this way. You could be sponsored by… let me consider… a major retailer of do-it-yourself home improvement tools and equipment. (Is that what Swedish House Mafia do?) And people will look for your product combined with the sponsor’s name. Fakers won’t want to fake that part, it will get them into trouble with somebody big. The problem then is to find somebody big who will do you this favour whose benefit to you is uncertain.

      “POM WONDERFUL PRESENTS THE GREATEST FILM EVER SOLD” is an interesting documentary film that attempts to examine film and television paid product placement whilst being financed by product placement. Maybe this fruit juice company would also let its name be associated with your efforts so that VLC 1.2 can be launched as “Free Pom Viewer EXE”, although I have not yet definitely identified a good reason for you to do that except that I think it would be quite funny. I don’t know if you would agree. It also perhaps would make casual downloaders be particularly careful that they got the right version. Perhaps you would have to make it “Pom Wonderful” in full, but that could still work.

      By the way, did you get my VLC 1.1.10 crash reports? ;-)

  4. How about getting DHS’ ICE to do something useful & pull the offenders’ domain names. Just tell them that you are part of the RIAA and they’ll do whatever you ask

  5. Given the breaching of the GPL might not the EFF be able to assist?

  6. It’s very hard to solve this problem, unfortunately. http://lockshot.wordpress.com/2010/02/02/helping-users-avoid-fraud-sites-and-get-the-real-firefox/ details some of the steps we’ve had to take to improve it a bit, but we still see millions of users a year get ripped off, and we have ~50 different sites under investigation at any given time. Requires basically full-time counsel for it. :-(

    Does VLC have a trademark in the relevant countries? It might not be required (it’s use rather than registration that gives most of the rights, in most countries), but it would likely be helpful. AdSense has a pretty straightforward way to report trademark issues, and we’ve used that in the past to some success as well, but it probably requires a registration.

    • Thanks for the link, this looks promising.
      FYI we already tried to use stopbadware.org, interestingly they don’t consider these scams as badware!

      We now have trademarks in most European countries, unfortunately still not in the US.

      • (Disclosure: I’m on the board of StopBadware.)

        I’m surprised that SBW doesn’t consider them to be badware, but I could be misunderstanding something. Would you mind forwarding me the mail exchange with SBW? That said, SBW curates but doesn’t generate the badware lists that browsers get, so it’s not clear how much we can help. If Google or whoever is generating the blocklists don’t consider the sites appropriate, that’s sort of their decision.

    • Interesting link, but you link to stopbadware.org, which is a total joke and doesn’t do anything against those sites, even after reporting…

      • I’m biased, being on the board, but I don’t know that I would describe the behaviour here as a joke. They are however very small (<5 people), and rely on the upstream data providers like Google to do the scanning.

        But let me ask, what would you have SBW do against them, that SBW can do?

        • Ok, maybe not a joke… But the core team of VLC is < 5 people too, and still we do a lot of work…

          Anyway, maybe SBW should allow manual flagging by some trusted people of the teams of the major open-source software for Windows (FFx, OO.o, VLC, Audacity, gimp…), which are the most targeted by these scams…

        • Maybe giving access to a web interface or something for well-known projects (Mozilla, OpenOffice, VideoLAN, …) so they can report badware themselves.

  7. @Paul: we already tried without much success.

    @David: Probably, to be honest we didn’t try to cut off non-European websites.

  8. man, if you do not want people do that don’t make your software GPL. You should know your own license

    • So much for sharing, open source…
      Not doing good things because of assh bad guys isn’t the way to go. Never will be.

    • Exactly… Or not…

      The GPL doesn’t allow you to modify VLC and add proprietary software in it…

      Moreover:

      - Claiming that you are the original Author is not OK, because of copyright laws.

      - Adding restrictions on the usage of the software is not OK, because of the GPL.

      - As the VLC installer is GPL, the modified installers must be GPL’d too.

      - Shipping VLC commercially means shipping all the source code of all external libraries, which they usually don’t. (Still GPL)

      - VLC, VideoLAN, x264 and VLC media player Trademarks are registered. (depends on the countries)

      - Scraping the website and the images is not ok. (copyright)

      - Wrongly impersonating a person or an organisation is not ok either.

  9. These people disgust me. There must be some way to do something. We need the help of Lulsec

    • Indeed, a bit of Lulz is always welcome :-D

      • Øystein Huseby

        Please don’t mention anything about lul, those guys are nothing but annoying guys in a garage, making their own rules; they’re nothing better than the guys earning money on software under the GPL license, if not ten times worse.

        And I might add, thanks for the open NSIS installer. I modified it to publish it to a school academy (approx. 2000 computers) I was working on as a software distributor; it was surprisingly easy to modify it in order to get our own launcher to set the settings we wanted, along with disabled auto upgrade and so on.

    • A good old baseball bat would be more than enough from my point of view :D

    • I’ve followed the stories on this new wave of “ethical” hackers and so far seen the majority to be shots taken at innocent bystanders in the name of some barely related noble cause. This would actually be the first case where I could see some DDOS or defacement being a truly and legitimately justified and ethical move.

      I’d respect them for it anyway.

  10. You should be able to do a Euro-wide patent rather than have to file in each company, imho, ianal…

  11. There is some consolation in the fact that these links are paid ads and that they don’t trump you in rankings.

  12. man up … get a lawyer … go to the gym …

  13. I’ve nearly been hired by this eorezo crap a few years ago. Now I’m glad I wasn’t.

  14. Create a bot that clicks on the malicious VLC ads?

    • I don’t think it’s a good solution. It’s the role of the Ad-companies to filter malicious requests from their customers. Sadly most of them don’t care.

  15. Did you submit the fake URL download links to any security company like Kaspersky, Trend Micro for blocking these “malicious” websites? It’s fraud and has to be blocked.

  16. Google – despite its anti-malware stance – still earn money from these phony firms. They won’t do anything to boot them from AdWords.

    If you don’t have a legal way to combat them, then USE TECHNOLOGY AND THE COMMUNITY!
    That’s why I’m a WOT contributor: I try to red-flag as many of those sites as possible, and promote the use of WOT: http://mywot.com

    Users can then – with zero-knowledge – be informed of fishy websites with a free browser extension.

  17. The least we can do is to rate them on WOT (Web Of Trust).
    Done !

    p.s.
    Don’t forget to tell people around you that they should have this extension. My parents who are not very familiar with Internet have been saved a lot of times…

  18. Have you tried reporting this to the Free Software Foundation at http://www.fsf.org/ ?
    I would also go to http://www.gnu.org/licenses/gpl-violation.html. You can email them directly at license-violation@gnu.org.

  19. “Until we decide to sue them I don’t think the FSF can be of any help.”

    Couldn’t do any harm, either. They might do it pro bono.

  20. Why are you talking to google? Why not talk to Mozilla? They control the software that many people (about half) use to access your program. Mozilla could theoretically ship a known badware blacklist by default, rather than relying on google, who clearly have a conflict of interest.

    It comes down to the problem that repository based distribution solves — authenticity. The internet is exceptionally bad at this, and the solution is to ensure active trust webs.

    • The blacklist used in Firefox is managed by StopBadware.org, but until now they didn’t want to blacklist those websites. See previous comments from Mike Shaver for details.

  21. Juju_the_ouf

    Yes unfortunately it is very very boring. But that’s why I put all the fake sites vlc (as gimp etc …) in red.

  22. Sounds like we need a firefox/chrome plugin to interface with these lists and redirect to the correct site.

    Could the guys at Mozilla help with this?

    • This is the job of StopBadware.org, even if they don’t do it already.
      Then I think that redirecting users transparently is probably a bad idea because they won’t remember the legitimate URL. The current behavior used in most web browsers (the red screen of death) is IMHO the most efficient thing to do.

  23. Offer users to download the well known Adblock extension for their navigator along with the VLC download, so that they won’t be lured by malicious ads anymore.

    (PS: Google will like it so much they might get to the other solution ;) )

  24. Let’s ask Anonymous and Lutz to take the shit out of this sites !!! ;)

  25. And what’s even worse is that companies like tuto4pc are going IPO as we speak based on this “user-screwing” business model: http://www.tuto4pc-bourse.com/index.php [French]
    If you read French, their IPO filing document is worth a read:
    http://www.tuto4pc-bourse.com/images/stories/pdf/tuto_prospectus_vise_par_l_amf_le_17_juin_2011_sous_le_n_11%20233.pdf

    I have nothing to announce yet, but the only thing I can tell you is that, with Allmyapps [disclaimer: I'm the CEO], we are really willing to put an end to these abusing behaviors. And we’ll eventually succeed!

  26. Fareed Rizkalla

    What about an awareness campaign?

    • Because it’s hard to reach targeted users with those campaigns. The most efficient way for now is to spread the word around you (family, friends, co-workers).

  27. Some of these rip offs have some nice box art – perhaps you can return the favor and steal their box art :D

    • The box art you mention is floating around the web for some years now. Many of these fake websites use it and I really don’t know who’s the artist who did it in the first place ;-)

  28. do
    wget –random-wait http://fake-vlc.com/fake-vlc -o /dev/null
    while(true)

    :)

  29. The truth is that these companies
    don’t respect the GPL because of its vagueness
    see mplayer vs. kiss example

    because nonprofits cannot sue them

  30. Thanks for the list, I block them all in Google…

  31. Do you know a site calling itself http://www.vlc.de?

    It also offers downloads for Open Office, Firefox, Thunderbird, Songbird and PDF-Drucker. They say all are for free and in German.

    it belongs to
    Frank BohIing
    KIein EisseI 10
    27283 Verden
    MaiI: info – AT – vlc.de
    TeI.: 01805-11-9090
    Fax: 01805-11-9091
    USt-lD. Nr: DE241884340

    The number for Tel. and Fax are pay numbers for 14 Euro cent per minute
    The USt-lD. Nr. looks like an official tax number

    • They’re not affiliated with VideoLAN in any way, furthermore the executables are provided from their own server… quite suspect. Anyway I don’t know if the binaries are safe or not so you shouldn’t trust them at all.

      • The binaries contain some kind of “AdWare”-like software that can be deselected during installation. It’s not guaranteed that the rest of the installation does not do unwanted modifications if you deselect the AdWare. It looks, though, like the custom installer launches the official VLC installer after installing the AdWare (wrapped installation). So far so bad :(.

  32. tempting, but no, thank you.

    The only thing I do, is preaching to my relatives and friends :

    “If you ask me for maintenance for your Windows computer, then download only from the original sites. If you don’t know which site, ask me.”

    -Ok, two friends even don’t got the passwords for their admin account, because I had to set up the systems two times new. So I’m now the only one who can install software on their computers-

    “But the best is, do it like me, use Linux.”
    That’s what I do, preaching, preaching, preaching. And take away the admin password if they do not follow my advice ;-)

  33. oh, the comment I answered to is gone, good. What was suggested there I don’t like.

  34. As sad as this is, it is a copyright violation and possibly a trademark violation; there is no “intellectual property” involved. The term “intellectual property” is very misleading and suggests that ideas are property. It cannot be pointed out often enough that the basic assumption, that ideas are the same as property in the physical world, is wrong. The step to “You wouldn’t steal a purse/car.” is a very small one and many people won’t even notice the difference because the term “intellectual property” is used all the time. Let’s use the proper terms for the things we talk about, such as copyright violation, patent violation, trademark violation, etc. Only then is a reasonable discussion possible.

    I hope you will find a good solution to let users know what rights they have when they download free software like VLC.

    • The term “intellectual property” actually comes from the French law (where VideoLAN and most of its authors are based) also known as “droit d’auteur” that defines the copyright in the French legislation.
      I’m not a lawyer but AFAIK “IP” is commonly used to translate the “droit d’auteur” even when Free Software is involved.

  35. IMPORTANT:
    Please report these URLs to Google and all the other “Anti-Phishing Browser Plugin Data Providers” so that users get warned when they visit this website that the website contains harmful content!

  36. And a further comment. Google is interested in making the web safe and keeping AdWords clean. If someone official from VLC contacts these companies, Google will react. (If not, please post the answer here in the forum; then I will complain too and a lot of other users will also. If enough people complain to Google, Google has to take action and remove the AdWords.) But as said, it’s more important to get these malicious URLs to all the “phishing website data providers” so that users visiting these sites will get warned…

  37. While it could be still counterfeited to some degree, if you provide the resulting data from AT LEAST TWO different methodology hashes for each release you provide, it might help people to better verify their files who downloaded from a different source. E.G. MD5 and SHA-1 hashes.

    This could help keep your download bandwidth low while still providing a way for folks to check with a bit more confidence. I’m fairly sure counterfeiting matching results of 2 different hash methodologies in the same file is still considerably more difficult than counterfeiting 1.

    • Afaik, manipulating a file in a way that doesn’t change the file hash is possible (in case of some hashes), but:
      a) it is very difficult (if the changed data should have a certain value and not be bogus data)
      b) I think nobody was able to beat two hashes at the same time yet.
      So I think using two hashes to verify would be very safe,
      BUT:
      1) The average user doesn’t know that something like file hashes exists
      2) Windows (which the majority uses) doesn’t include a tool to create file hashes by default, so even if you teach them what file hashes are, they don’t have a tool to verify them.

  38. I noticed that on the http://www.videolan.org/news.html webpage re: false AV positives, the recommendation was to stop using certain anti-malware programs.

    You might suggest as a possible alternative (in anti-malware programs that support it)… users could set their programs to IGNORE the folders/files associated with VLC. Warn however that if they located the “false positive” creating VLC components in a “general use” kind of location that ignoring an entire folder might allow malware from other sources to exist in that folder(s); e.g. the “C:\Program Files\” folder.

    “VLC 1.1.8 and anti-virus software
    2011-03-25
    Yet again, broken anti-virus software flag the latest version of VLC on Windows as a malware. This is, once again, a false positive.
    As some of the anti-virus makers plainly refuse to fix their code, we recommend to our users to stop using Kaspersky, AVL, TheHacker or AVG.”

    • I have used Kaspersky and VLC for years now (both in several versions) and never got any false positives.

      I can think of 3 reasons for the warnings:

      1) They downloaded from a dubious source and the installer really included malware, but they don’t blame the download site, they blame the VLC developers.
      (@VLC-developers: did you ask the users who got false positives where they downloaded VLC? )

      2) They got the warning because they downloaded the new VLC version very shortly after it was released. In that case you might get the warning that the software tries to do certain things, has no digital signature and is used by very few users.
      This is a general warning that Kaspersky doesn’t know how dangerous the file is yet and is not a real false positive.

      3) They set the heuristic module to very strict. This is not recommended because it asks for trouble (i.e. a lot of false positives). (Of course there might be legitimate use cases to set the heuristic module to strict)

      Also I don’t think it is a good recommendation to stop using anti-malware software that creates false positives (or generic safety warnings) sometimes (rarely in my experience). False positives are surely annoying (for users and developers), but are still much better than false negatives (i.e. not recognized malware).

      • AFAIK most of these alerts came from their heuristic that detects some VLC modules (that contain assembly code) as some sort of trojan.

  39. It’s unfortunate that the BEST media player on the interwebs has to be used in this manner but like any program, if you don’t d/l it from the main site then you are taking your chances..

  40. The site VLC.de gives you Malware to download:
    Filesize VLC 1.1.10 from original (videolan.org): 21.022.914 Bytes
    Filesize VLC 1.1.10 Fake from this website: 21.131.264 Bytes
    any more questions?
    Also the 0180 telephone number is very suspect

  41. Why do you not implement code-signing for your distributed executables? At least for the criminals’ primary target OS family, for Windows. Use code-signing, maybe from CaCert.org can prove the VLC is genuine. A prominent menu-entry can simply do a self-check (SHA2/Whirlpool-checksum). If this menu-item is not present, this is a strong hint, it is a badware.

    • Sadly most (if not all) of our user base on Windows don’t check for md5 signatures after they download VLC. Doing something more “user-friendly” (other than md5sum on the downloaded file) won’t work because these fakes could easily bypass the security check as they don’t touch VLC binaries but only the installer.
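
Comments 37 and 41 both come down to checking the downloaded installer file against digests published on the official site, which is the only place the wrapped installers described above differ from the original. A sketch of that check, as an added example that is not VideoLAN's code: the sample bytes and all function names are constructed for illustration, and the published values are assumed to come from www.videolan.org itself rather than from the page that served the file.

```python
import hashlib
import hmac
import io

# MD5 and SHA-1 are the pair suggested in the comments; SHA-256 stands in for "SHA2".
ALGORITHMS = ("md5", "sha1", "sha256")


def digest_stream(stream, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Read a binary stream once and feed every requested hash from the same chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        for hasher in hashers.values():
            hasher.update(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}


def verify_download(stream, published):
    """Return (ok, mismatches) for a download checked against published values.

    `published` maps algorithm names (and optionally "size") to the values
    listed by the official site. Every published field has to match, so a
    collision in one algorithm alone is not enough to pass.
    """
    wanted = {key.lower(): value for key, value in published.items()}
    expected_size = wanted.pop("size", None)
    if not wanted:
        return False, ["no digest published"]
    unsupported = sorted(name for name in wanted if name not in ALGORITHMS)
    if unsupported:
        return False, ["unsupported: " + name for name in unsupported]

    size, actual = digest_stream(stream, tuple(wanted))
    mismatches = []
    if expected_size is not None and size != expected_size:
        mismatches.append("size")
    for name, expected in wanted.items():
        # Constant-time comparison of the hex strings.
        if not hmac.compare_digest(actual[name], str(expected).strip().lower()):
            mismatches.append(name)
    return not mismatches, mismatches


# Constructed sample data: a stand-in installer and a "wrapped" copy that
# carries the unmodified original behind an extra stub.
GENUINE = b"MZ" + b"constructed-installer-body" * 1000
WRAPPED = b"MZ" + b"constructed-bundler-stub" * 40 + GENUINE

_size, _digests = digest_stream(io.BytesIO(GENUINE))
PUBLISHED = {"size": _size, **_digests}  # what the official site would list


def check(data, published=PUBLISHED):
    return verify_download(io.BytesIO(data), published)


if __name__ == "__main__":
    print("genuine:", check(GENUINE))
    print("wrapped:", check(WRAPPED))
```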

  42. You have been cited on http://www.heise.de – this should make an impact on the evil clones…. at least in Germany, Austria & Switzerland (German-speaking countries).

    The article is here: http://www.heise.de/newsticker/meldung/VLC-kaempft-mit-Luecken-und-betruegerischen-Klonen-1279867.html

    Greetings!

  43. This blog has also been linked in the newsletter from 2011/07/21 by Bürger-CERT (http://www.buerger-cert.de/) by the German Ministry for Security in the Information Technology: http://www.buerger-cert.de/newsletter_archiv.aspx?param=Zxo7YT%2f0plfW0EHbCemqzA%253d%253d

    But as long as there are people clicking on those sites and downloading fake and malware programs without having any idea of security, sites like the mentioned ones above will exist!

  44. Remind individuals who profit will be the difference between revenue and expense. This may cause you peer smart.
    The work of the baby still remains the spark that moves mankind ahead even more than teamwork.

  45. Denis Martin

    Since Google is ignoring you, make sure it can no longer ignore you.

    Basically, a VLC update that includes a first window explaining the problem, with the option to send it by email, Facebook or just copy and paste.

    A suggestion for VLC users and their friends to disable AdWords in their Google preferences so they don’t see the FAKE VLC search results. (That should make Google react; fair deal, they remove the scams and you remove the explanation of how to disable AdWords, that seems logical.)

    It’s just an idea :)