UPDATE: SourceForge has removed the offending Binkiland software from its installer.
If you’ve been working with software for longer than five years, then you can remember a time when SourceForge was one of the pillars of open-source software. It used to be the only good place to go to find fresh builds of open-source projects, as most projects had their own pages spread around the Web.
Rather than poking around those individual sites, SourceForge aggregated the binaries and made them available to people for free, like some sort of saintly Download.com, benevolent and thoughtful in how it provided its services to the community at large.
Sure, there were ads and click-through pages, but SourceForge was still a place you could trust. Download.com, on the other hand, quickly turned into a spyware and malware distribution network, as CNET struggled to squeeze every dime it could out of the poor thing.
But not SourceForge. It was part of the Slashdot network. It understood the way developers thought and acted. It was tied into Freshmeat as a third leg on the stool of hacker culture that had originated in the late 1990s and early 2000s. Yes, SourceForge used to be a thing of beauty, and 3.7 million registered users seemed to agree.
Today, SourceForge is the knowing distributor of virus-laden software called Binkiland that cannot be removed from the host computer without editing the registry. That’s the very definition of a virus, and I consider this to be completely illegal.
This isn’t tacked on to silly programs that have little consequence. This virus is included with FileZilla, the excellent free FTP tool. And worse yet, the FileZilla website actually directs users to the SourceForge download link as the main way to download the tool. The maintainers of the FileZilla Project are culpable in all of this.
This is a step beyond the Ask Jeeves toolbar being installed with Java, which is now standard on even the Mac OS version of that language. It should be noted, however, that we have officially entered territory even Oracle is not willing to explore. This is actively attempting to compromise the user’s computer, and I think SourceForge should not only halt its distribution of this software, but it should also be very worried about legal repercussions from its users, who have now compromised their seemingly secure machines.
The only saving grace is that thus far I can only see that this is tied to Windows binaries on SourceForge, leaving Linux and Mac OS X safe—for now.
Understand, this software installation is not an option, though the purveyors of FileZilla and SourceForge would have you believe otherwise. There is no way to tell the installer not to install Binkiland. There is, however, a way to opt out of the Ask Jeeves toolbar in Java.
(I should probably point out here that I fully realize Jeeves was murdered in his sleep years ago, and that the toolbar I keep referencing is actually the Ask.com toolbar. However, as it’s useless spyware, I will call it by any name I see fit!)
And when a user filed a bug report about this almost two weeks ago, the FileZilla Project’s response was that the installer was safe and that the user could opt out of installing the virus. This, however, is not true.
We should note that FileZilla has absolutely nothing to do with the Mozilla Project. FileZilla is an independent project, as are many of the 300,000+ projects hosted on SourceForge. Evidently, two years ago, Dice.com started pushing its project controllers to redo their projects with the new SourceForge installer, which is what’s actually installing this virus.
We contacted Dice/SourceForge but had tremendous trouble finding someone to talk to. We were assured someone would get back to us with a comment, but nothing has come back yet. We’ll update this post if they respond.