I decided to post this as a public safety announcement, since I (surprisingly) didn’t see this blogged elsewhere. I have, for many years now, used the free/open source PDFCreator software for simple PDF generation and testing.
I recently updated to the most recent version (0.9.7) of the software (now hosted at pdfforge.org), and have made an interesting discovery.
The software is bundled with a browser toolbar component that has what I would consider malware or trojan-like behavior. The notable difference is that it redirects certain types of browser traffic to www.searchsettings.com, which is a linkbait/parking-type site.
In Firefox, I noticed an extension called “Search Settings 1.2” which, once removed, killed this behavior. After more research, I saw that IE had 2 Add-Ins installed (these were also removed). I did some more digging, and that’s when things got interesting.
There is a SourceForge Bug 2607106 “Remove trojan from download!” filed against this project. There’s the report at SiteAdvisor on pdfforge.org hosting this malware. There’s the post from an angry user on the pdfforge.org message boards.
To clarify, there are other “free” PDF creation projects that are questionable at best. However, I always took PDFCreator (sf.net) as a legitimate open source project.
The PDFCreator Toolbar is apparently implemented using “mybrowserbar”. As per their terms of service, they indicate:
f) modify your Microsoft Internet Explorer and/or Mozilla Firefox browser settings for the default search engine, address bar search, “DNS error” page, “404 error” page, and new tab page to facilitate more informative responses as determined by The Toolbar;
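A quick way to see whether a Firefox profile carries the kind of changes that clause describes is to audit its prefs.js. The script below is an added example, not part of the original post or of PDFCreator; the preference names it watches are my assumption of the Firefox settings that correspond to the default search engine, address bar search and new tab page items (it does not cover the error pages), and the sample input is constructed.

```python
import re

# Domain the post reports browser traffic being redirected to.
WATCHED_DOMAINS = ("searchsettings.com",)

# Assumption: Firefox preference names matching the settings named in the
# quoted terms-of-service clause (these names are not taken from the post).
WATCHED_PREFS = {
    "browser.search.defaultenginename": "default search engine",
    "browser.search.selectedEngine": "default search engine",
    "keyword.URL": "address bar search",
    "browser.newtab.url": "new tab page",
}

PREF_LINE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Yield (name, value) for each user_pref() line; string values are unquoted."""
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything malformed
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])  # drop escapes such as \"
        yield name, raw

def audit_prefs(text):
    """Return (name, value, reason) for prefs that deserve a manual look."""
    findings = []
    for name, value in parse_prefs(text):
        hit = next((d for d in WATCHED_DOMAINS if d in value.lower()), None)
        if hit:
            findings.append((name, value, "references " + hit))
        elif name in WATCHED_PREFS:
            findings.append((name, value, "user-set " + WATCHED_PREFS[name] + ", review"))
    return findings

# Constructed sample of a prefs.js file; the URL path and engine name are made up.
SAMPLE_PREFS = r'''
user_pref("browser.startup.page", 3);
user_pref("keyword.URL", "http://www.searchsettings.com/search?q=");
user_pref("browser.search.selectedEngine", "Example Search");
user_pref("extensions.example.note", "say \"hi\"");
'''

if __name__ == "__main__":
    for name, value, reason in audit_prefs(SAMPLE_PREFS):
        print(f"{name} = {value!r}: {reason}")
```

Any line in prefs.js is a user-set (non-default) value, so a watched preference that shows up there is worth reviewing even when it does not mention the watched domain.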
mybrowserbar.com “Company Information” redirects to www.spigot.com, which claims to be “Coming in March 2009”. spigot.com is a proxied domain, so there’s no further information available.
I downloaded and investigated the source tarball for the PDFCreator project, and the source of the browser toolbar installer is nowhere to be found (indeed, the .exe included with the installer isn’t present). There’s a response from Philip, one of the developers, in the pdfforge.org forum which sheds a little light on the browser toolbar. I completely empathize with his desire to make some money from his open source work; however, I’d disagree that this is an appropriate approach, and at the very least, the toolbar install option should be more up-front about it.
It’s unfortunate to see a long-time, responsible open source project act this way, and I do hope it’s an honest mistake. I wanted to give a heads-up to people who may not be aware of this.