How To Hijack Your Own Windows System With Bundled Downloads
How-To Geek has tested and described something that you probably shouldn't do on your own computer -- unless, as they did, you do it on a virtual machine just for this purpose. Namely, they downloaded 10 of the most popular software titles from download.com, clicking through as a naive user might, accepting the defaults or the most obvious Next buttons, as most users surely do. They note that download.com's stated policies certainly look good on-screen; it says that the site comprehensively screens for, and disallows, malware of all kinds. But malware of various kinds, even if much of it is in a grey zone rather than actually malicious, is a fair description of what the authors encountered as they clicked through. Bundled software, some pieces of it at odds with others, was attached to each of the downloads, and from download to installation the process by design foisted more and more junk on their system, even if some of the bundled junk could have been avoided by a user jaded by previous hijackings. The conclusion:
[N]o matter how technical you might be, most of the installers are so confusing that there's no way a non-geek could figure out how to avoid the awful. So if you recommend a piece of software to somebody, you are basically asking them to infect their computer. And it doesn’t matter which antivirus you have installed — we've actually done this experiment a number of times with different antivirus vendors, and most of them completely ignored all of the bundled crapware. Avast did a pretty good job this time compared to some of the other vendors, but it didn't block all of it for sure. There are also no safe freeware download sites because as you can clearly see in the screenshots in this article, it isn't just CNET Downloads that is doing the bundling it's EVERYBODY. The freeware authors are bundling crapware, and then lousy download sources are bundling even more on top of it. It's a cavalcade of crapware.
Je suis windows!
If there's one thing I've learned after playing with OS X and Linux, it's that no matter what the OS is, an install script is an awful UX.
This isn't a problem in OS X because most software installs via app bundles. Yes, there are .pkg installers that could bundle god knows what, but they're not the norm for Mac software.
Also this isn't a problem in Linux because either you're usually installing from a repo or source, of which the requirement for any repo package or code base isn't going to be libtrackingmalwarelolpwn(64 bit; of course).
Why does Windows keep this antiquated process around?
Non impediti ratione cogitationus.
Download.com installs crapware news at 11
Time for bed, said Zebedee - boing
While I find download.com to be very useful, it has been that way for as long as I can remember. McAfee or some other bundled crap that no one asked for, wanting to auto-run on startup, and damn hard to get rid of once it's there. It got so bad at my house I actually blocked downloads from them for the rest of my family because I was sick and tired of fixing their machines every time they needed a new video player to try and grab YouTube videos in the case of my younger brother, etc.
have you seen my sig? there are many others like it but none that are the same
...out of all the stacked up reasons why windows desperately needs a proper package manager
Download.com is crap.
Sadly open source isn't immune to this crap with SourceForge now doing this stupid shit of bundling malware, adware, toolbar hijacks, etc. Especially when you have yahoos like FileZilla's admin approving(!) of this irresponsibility !?
At least Git hasn't been affected (yet)
Need SCP? Download it from winscp.net. Need VLC? Download it from videolan.org. Teach your non-geek how to think outside the box (just a little and be gentle). Teach them about digital trust. To locate the website of the vendor that makes the software that they want. If that vendor redirects them to cnet, then that is where they should download the software from.
For all driver needs tell them to download only from the original equipment manufacturer's website. If the driver doesn't exist anymore there is a reasonable chance the driver found on some third party website won't work anyways.
There is or can be built a machine that can simulate any physical object. -Church-Turing principle
Some AVs will detect and remove PUPs (Possible Unwanted Programs).
http://www.pcworld.com/article...
Life is not for the lazy.
Never download software from one of those "Free Software Download" sites. They always bundle in crapware. Instead, track down the original author's homepage and try to download it from there. That greatly reduces the amount of crap you have to deal with.
Also, if you are forced to download from one of those sites, don't assume that just because you uncheck all of the crapware in the installer that it won't just go ahead and install it anyway, because it will. Basically, ask yourself if you really really need that app or if you could maybe find something else that does the same thing but is still supported. It's also a good idea to run whatever your favorite anti-spyware app is if you do have to install something like that.
I read the internet for the articles.
Craptacular!
Download.com used to be a great place, but it's like a dilapidated, crime infested neighborhood now; don't go there.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
It would be rather good to have a utility which would inspect an installer executable (.msi etc.), show the user what is going to be installed, and allow them to choose which bits to install, then do the install for them (with no way for features to be hidden and no "admin overrides" to stop you deselecting stuff)
I keep trying to tell people to do "custom install" and deselect all toolbars, all bundled crap etc. but it's falling on deaf ears...
OneGet could not be more timely...
Free software and free hosting has to make money some way. Even the more legitimate ones tend to bundle stuff like Adobe Acrobat, Google Chrome, Google Toolbar, or some other random search engine toolbar that presumably gives them a kickback. As long as people keep demanding free apps and free software then you will continue to see sneaky ways to monetize their software. That being said, some of the worst offenders I've seen are PAID software like Norton and McAfee.
One very useful Windows application I have is ImgBurn (Burn and verify optical media; make image files from optical media), which has this problem: Its installer will, if the defaults are followed, install some fairly nasty browser hijacking adware.
I consider this kind of adware ethical; it allows one to compensate the author for making professional level software without having to pay for the software. Given a choice of having to use Windows built in burning software or using ImgBurn and dealing with its install prompts, I prefer ImgBurn. It would be nice if I could, for a nominal fee ($20 or $50) get a version of it without the adware in its installer, but beggars can not be choosers.
Another application which is even worse is utorrent. utorrent used to be a decent Torrent client; but a couple of years ago, not only did it bundle adware, it installed the adware even after I clicked no. That is clearly unethical. These days, I use the Windows port of Transmission for the occasional torrent download.
The downright criminal ones are the ones where a scumbag takes some piece of software they haven't developed, such as Firefox, and bundles it in an adware-installing "download helper" application.
Ninite.com and filehippo.com
If you can't get it from the source, try these two.
My advice for downloading software:
- download from the source, that is, from the authors rather than from a freeware site. The software is probably easier to find (there are fewer misleading links to downloaders and other junk) and more up to date.
- prefer portable applications unless you use them really a lot. Portable applications are much easier to get rid of and they don't mess so much with your system.
- if you need to install, pay attention to the installer. If you are asked to click ok someone wants you to approve something. Make sure you know what you approve.
- if you ask someone less knowledgeable to download something, send them a link, and make sure you warn them of bundled crapware ...
Anyone fool enough to download software from a generic [ad/spam-supported] host rather than the author's own site or somewhere with a reliable rep is just asking for trouble.
malware = stuff designed to do nothing more than harm your computer.
adware / junkware = stuff not specifically designed to do that, but a pain in the butt, extremely annoying, probably unwanted but not necessarily "evil" as such.
No malware doesn't mean it's "safe" or won't fill your computer with unwanted junk. Hell, even some AAA paid-for game titles will fill your computer with junk given half a chance.
That said, download.com has been dead to me for a number of years. Precisely because, like a text conversation I had with an old friend just now, people eventually have to ask me to clean their machines after touching it. Sure, it's not doing damage, but slowing your machine, popping up junk, intercepting your default search etc. is not "malicious" so much as downright rude and annoying, if you've agreed to it.
It's like the difference between posting some junk mail through my door, and posting some dog excrement. One is clearly intended to harm. The other's just a pain in the butt that I never really wanted (even if I "volunteered" for it at some point, somehow).
Sorry, but I remove (and have more trouble removing) more "adware" / "junkware" in my professional life than I ever do malware. It doesn't mean it's okay, still, but it's not malware. It's not exploiting security holes, stealing your passwords, avoiding your antivirus, etc. Most of it will remove itself if you ask it to. But that doesn't mean that anyone actually WANTS it either.
Sorry, the second you bundle unnecessary junk into your downloads, I stop using you. I've had to abandon several good pieces of freeware because of that (yes, I'm looking at you IZArc and lots of your friends because you just can't resist bundling some unwanted junk with a lovely freeware util that I'd gladly give you £10 for if it didn't have that stuff).
Bing doesn't seem to make any effort to filter out crapware or malware and disguises ads as organic searches. I've witnessed some savvy users getting caught out by this in recent times
I used to always recommend download.com to non-technical users as a trusted source for freeware.
Now, unless it is available through the ninite.com installer, I don't recommend users download anything themselves.
I just went through a major ordeal with my mom's computer where I ended up having to ship the thing to me in order to remove the infestation of malware she got because she was trying to install driver software herself. The stuff was basically making her computer unusable. I had to rebuild the box and remove her admin rights to her own machine just to protect her from herself.
I feel really bad for non-technical Windows these days....
My eyes reflect the stars and a smile lights up my face.
And why I recommend ninite.com to all the family members etc. I support. Even official installers direct from the source tend to include this junk these days.
When Oracle bundles the ask.com shitware with Java, and you have to conscientiously know it's there and un-check it, is it any surprise pretty much everyone else does this stuff?
Some ass is always trying to monetize your clicks, and 'free' comes with strings.
I've noticed over the years CNET is doing this, so much so that I don't typically trust them as a source.
The marketing assholes have pretty much wrecked the internet, and they pretty much use the same tactics as the malware people -- putting stuff on you don't want.
Lost at C:>. Found at C.
I can witness on open source not being immune. I recommended Libreoffice to a novice PC user recently. I don't know from where he downloaded the installer, but when he finished he had some redundant anti-virus programs, and another program that reset the home page of his web browser and wouldn't let him change it back.
Any more, it looks as if all the download sites are just there to infect the unsuspecting user. I can't put a finger on any download site who has not sold its soul by now.
I don't use any of them any more. It's almost as if using bit torrent is safer these days. If so, that's really scary!
I'd like to see How-To Geek or someone else reputable make a no-nonsense list of the download sites who don't pull this crap.
I'm thinking it might be a short list.
People who buy Windows make the mistake of thinking they are Microsoft's customer. It has been clear to anyone for the last 15 years, that Microsoft's customers are the marketing firms, and OEM PC makers that want all this crapware on your computer, not the people using their OS. That is why Windows has always been a haven for viruses and malware. It is supposed to be.
Why do you _assume_ free is good?
Just to drive the point home:
STDs such as AIDS are "free" too.
Just because it is free, doesn't imply it is good (for you.)
Free source code: Good .exe + malware: Bad
Free standalone binary: Good
Free
This is why many people happily accept walled gardens.
Thank you, Bradley Manning, Edward Snowden and so many others, for courageously defending humanity, my freedom and more!
The last time I used it, I made the mistake of doing an express install, and wound up with at least 5 pieces of malware on my PC. CNet is dead to me.
...most of the installers are so confusing that there's no way a non-geek could figure out how to avoid the awful. ...
Working as designed. The purpose of the installers is to get the secondary software installed, so why make it easy not to meet that goal?
Does Oracle really need the money from Ask.com to keep including that dilapidated toolbar with every single java.com installer download and incremental java update?
Us geeks despise the idea of a walled garden source for software installs, but at least it nominally protects users against this kind of stuff.
Yes - things sneak through from time to time, but it's still orders of magnitude safer than Joe User hoping to find a program online to perform the same task that won't bring his web browsers grinding to a halt with fifteen toolbars.
Fifteen or twenty years ago, when I used a cheesy mass-market OS from Microsoft, nonags.com was the place to go for good, free software with no bullshit. Is that still a good source for grandma to get software for Windows?
Nothing like false equivocation.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
I don't normally use Windows except as a launcher for certain Windows-only games that I play (I'm primarily an OS X user), and even when I use a web browser, it is NOT Internet Exploder. A few weeks ago I ended up running one of those crapware installers on a W7 laptop. Fortunately the very fact that I don't use Windows for much helped me, because I noticed the problem immediately and could see all the new stuff simply sorting by date.
A couple of things I noticed: turning off my WiFi didn't persist over a reboot! (Macs have always kept track of your wireless on/off state over reboots.)
Also, out of the half dozen or so things that got installed before I turned off WiFi, maybe half of them were "properly" installed, showing up in Control Panel->Programs and Features, and with a fully working uninstaller. I guess installing stuff in Windows is sufficiently non-trivial that they didn't even try to make their crapware hard to uninstall. The rest of the stuff I searched for in the registry by name and tediously deleted registry entries one-by-one.
And then there was C:\ProgramData, which I had never heard of before, because most of my Windows experience was with XP. Way to go Microsoft, making yet another "Program Files"-like directory and setting the hidden attribute on it. At least one crapware installed itself there.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
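A scripted version of the clean-up check described in the comment above (sort what was installed by date, then look at the per-user and hidden locations), as an added example that is not part of the original comment. The function name `Get-RecentInstall` and the seven-day window are assumptions; the registry paths are the standard Windows Uninstall keys.

```powershell
# Added example (not from the thread). Lists software registered in the
# Uninstall registry keys, newest first, and folders recently created under
# C:\ProgramData. Read-only: nothing is removed.
function Get-RecentInstall {
    param(
        [int]$Days = 7   # look-back window (assumed default)
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    # "Programs and Features" is built from these three keys. The HKCU key
    # holds per-user installs, which need no administrator rights.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    $entries = foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if (-not $p -or -not $p.DisplayName) { continue }

            # InstallDate is optional; when present it is a yyyyMMdd string.
            $when = $null
            if ([string]$p.InstallDate -match '^\d{8}$') {
                try {
                    $when = [datetime]::ParseExact([string]$p.InstallDate, 'yyyyMMdd', $null)
                } catch { $when = $null }
            }
            # Fall back to the creation time of the install folder.
            if ($null -eq $when -and $p.InstallLocation -and
                (Test-Path -LiteralPath $p.InstallLocation -ErrorAction SilentlyContinue)) {
                $when = (Get-Item -LiteralPath $p.InstallLocation -Force).CreationTime
            }

            [pscustomobject]@{
                Installed = $when
                Name      = $p.DisplayName
                Publisher = $p.Publisher
                Hive      = $root.Substring(0, 4)
                Uninstall = $p.UninstallString
            }
        }
    }

    # Keep entries dated inside the window, plus undated ones, which need a manual look.
    $recent = $entries |
        Where-Object { $null -eq $_.Installed -or $_.Installed -ge $cutoff } |
        Sort-Object Installed -Descending

    # Folders created recently under the hidden C:\ProgramData directory.
    $folders = Get-ChildItem -LiteralPath $env:ProgramData -Directory -Force |
        Where-Object { $_.CreationTime -ge $cutoff } |
        Sort-Object CreationTime -Descending |
        Select-Object CreationTime, FullName

    [pscustomobject]@{ Programs = @($recent); ProgramDataFolders = @($folders) }
}

$r = Get-RecentInstall -Days 7
$r.Programs | Format-Table Installed, Name, Publisher, Hive -AutoSize
$r.ProgramDataFolders | Format-Table -AutoSize
```

Software that never registers an uninstaller, which the commenter also ran into, will not appear in the first table; the `ProgramData` listing and a registry search by name are still needed for that.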
Adware added by anyone but the original author/publisher should be avoided. When in doubt, get the product directly from the publisher or from a web site that offers the exact same downloadable package as the author/publisher. Places like CNET/etc. who dicker with the publisher-supplied installable application should be ashamed of themselves and deserve all the public ridicule they get.
Adware or even non-adware third-party products offered/added by the publisher (Java and Adobe are two well-known "offenders") are a different beast. They are part of the publisher's economic model. Without the add-ons the products might not exist, they might not be free, or they might contain (more) internal advertising (okay, Java and Adobe's free products would probably exist as they do now, but others, not so much). For these, you just have to decide "is it worth it to recommend the product or not."
I and many others have stopped recommending a particular Windows-OS print-to-PDF package ever since it went the "adware" route. It used to be good. Stripped of its adware, it still is. But I can't recommend it because of the adware issue.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Even my *paid-for* copy of PowerISO tries to install crapware - stopped by Malwarebytes.
No affiliation with Malwarebytes - just a satisfied user
"there's no way a non-geek could figure out how to avoid the awful" it's all written right there in the installer, "do you want this crapware, untick if not" does one really need to be a geek to read it? Is unticking checkboxes some arcane skill? Last time I checked basic reading skills do not make someone a geek.
This is why I run deep freeze on my family's PC. We can install stuff with impunity and, if it behaves well, I may even re-install it on the unfrozen machine when I get around to applying the windows updates. I wish my Dad would do the same. It's not as if the installation of these packages is usually time consuming. The only issues are with taking the time to save backups of game progress data for my kid so he doesn't lose his "progress".
Nullius in verba
Here's what I do to set up a new PC with ImgBurn and a couple other bundled software that I still want on every PC I build. Put the installer on a flash drive, drop the computer off the internet for a bit, run the installer. Any installer I've ever seen contacts the internet to see what the top-bid scam of the month is that it should download and if it can't immediately contact the internet, it simply skips the malware installation step. Then reconnect to the internet and configure the software to never check for an update.
Keep a raw and clean image of your computer. When you want to try something, install it slowly and carefully, then monitor it for awhile (weeks). If it has proven to be okay without any crapware or odd running tasks, then re-image your machine, re-install it carefully again, then make an updated version of your image to include that software. But still keep the clean image.
MajorGeeks.com does not bundle.
today download.com is a piece of shit.
nonags provides safe downloads with no ad ware or other stuff.
I'm pretty sure you're mistaken there. I've done installers with both RPMs and MSIs. Not my specialty, but I have some experience.
In Windows, you don't need elevated privileges to install an application to a user-specific location. You only need it to install system-wide. The registry keys to track Windows Installer components can be referenced from either location in the registry (the administrative access part, or the user-only part).
It's not all that different from RPM, though really it's a little easier to do user-only installs with Windows Installer. You need administrative privileges to install system wide w/ RPM. You can also do a bunch of RPM hacking to install to a user-only RPM database and installation folder without root, so long as you specify that you're running RPM against a non-default RPM database location, and someone went to a lot of trouble to permit user only installs in your RPM spec file. There's a bit of work to enable this in regular MSIs, too, but it's actually better supported than under RPM.
A rather interesting Adobe Flash Pro installer is making the rounds through ad hacking. It contains a webpage that looks and smells like a Real Adobe web page and an installer .EXE starts to download automatically in Chrome (without any clicks required). The web page suggests it is Adobe Flash Pro.
It has the most honest small print. "This is not Adobe, rather an improved video streaming software that is better than Flash...this also installs ad viewing software to help pay for this free improved video experience...software will track what you're doing..."
However the first webpage is a total Adobe knockoff - including graphics and fonts. But the EULA tells the true story.
And it is signed. Yes...signed. By "BEST APP."
Anything that does something which is not in the interest of the owner of the system is malware.
The owner of the system defines what is in his interest.
Simple as that.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
When I recommend a file for someone, I literally give them a link to one of my file servers.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
1 - download stuff from download.com
2 - run the install exe from wine (on Linux of course)
3 - run stuff and any crapware associated
4 - run (shell) rm -rf ~/.wine
Note that step 4 may be done before step 1, up to you. But stick to that choice!
Slashdot, fix the reply notifications... You won't get away with it...
How do you teach a non-geek to find and recognize the canonical source for a software download? Is http://www.vlc.cc/ the official VLC site? Is http://www.7zipdownload.org/ the right place to get 7-zip? Is http://www.libtiff.org/ the place to get the latest LibTIFF? The answer to all of these is "No", but I'd like to hear the teaching technique that allows a non-geek to come to these conclusions.
I think my biggest issue with all of these vendors is that they have the option checked to begin with, requiring the user to opt-out as opposed to opting-in. Even companies like Adobe and Java have their add-on crapware and toolbars enabled by default. The installation of Chrome being the biggest pain in the ass. I've repeatedly emailed them and told them that this practice is really underhanded, and that they should really uncheck those boxes by default. Sadly, I can't even tell if they received the email. Grassroots ban-the-(check)box protest online?
See subject: Since you spout falsehoods about Windows http://slashdot.org/comments.p...
To fix all these problems Mindows users can just download ZoomFixMyComputer from Craptastic.com.
The first 5 days is free. After that a low monthly subscription price of $99 will assure that your computer is safe and as efficient as it was the day you took it out of the box.
Uhm. This practice is illegal in Canada now as of CASL.
With CASL it is illegal to install any software without end-user approval.
Nobody can tell me that crapware is approved by end-users.
By "Mindows" I meant "Windows". The spellchecker on my PC quit working for some reason. And for some strange reason it appears the keydoarb has been rewapped.
Went to upgrade Flash directly from Adobe the other day and it attempted to bundle McAfee.
Cancelled just in time and started over.
Seems to now be the rule rather than the exception.
^ Probably Sarcasm...
Because windows people are stupid enough to search google for libreoffice, gimp, and other useful open-source - and install from whatever link comes up. Idiocy - because that is how you get to the crapware sites. All open source projects have their own homepages, where you find the software without anything bundled to it. Get libreoffice from www.libreoffice.org, gimp from gimp.org, and so on. No bundled stuff, not even for windows users.
Google can be used to find homepages, but DON'T install from the first random provider that pops up.
www.filehippo.com
'Nuff said.
In somewhat related news: http://www.digitaltrends.com/c...
It was bundled with several pieces of malware/crapware and I ended up reinstalling Utorrent.
I am quasi tech savvy.
My most recent malware exposure incident happened on a sandboxed Windows box, but nevertheless it was almost unavoidable.
When in need of a log file viewer capable of opening a very large (2GB) log file, because my current set of software did not allow me to do so (notepad++, gamut log viewer, etc) I ended up finding a proper solution, that worked very well indeed.
I do not remember the offending site nor software's name, but it turned out the package executable contained a BHO module that could count as malware, alongside the real program. I used [skip],[skip],[skip] until getting to the proper screen and I was able to deploy only the needed software.
However in the long run I ended up with a dangerous installer on my HDD. I did not execute the "dropper", e.g. I skipped those extra unneeded steps, but the fact is the package was bundled with 3+ different unnecessary files.
Serves me right for downloading from elsewhere than sourceforge.
Really? It's the solution to the great majority of the issues here, (Bundled crapware) and just plain easy to use as well.
Downside -- it always needs admin rights, not particularly surprising.
How to install? Hit the win key -- type cmd in the search box, hold control-shift - tap enter. Voilà - an administrative rights command prompt pops up.
Then paste: @powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin
(Note you should copy that from chocolatey.org's website yourself - don't trust me!)
When it finishes, type : choco install sysinternals
or choco install libreoffice, choco install javaruntime, etc.
Of course you can stack installs: choco install javaruntime libreoffice paint.net notepadplusplus.install googlechrome 7zip.install firefox putty filezilla
When you think there might be updates: type: cup all
in a command prompt. It'll let you know when it's done.
- Jeff
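A more cautious form of the bootstrap one-liner above, as an added example that is not part of the original comment or of Chocolatey's documentation: save the script to disk, check its Authenticode signature and signer name, and only then run it. The same check applies to the installer "signed by BEST APP" described in an earlier comment, where a valid signature means little unless the signer is the publisher you expected. The function name `Test-DownloadSignature` and the expected-publisher value are assumptions; take the publisher name from the vendor's own site, and note that this assumes the vendor signs the script at all.

```powershell
# Added example (not from the thread or from Chocolatey's documentation).
# Checks that a downloaded file is Authenticode-signed, that the signature
# chains to a trusted root, and that the signer is the expected publisher.
function Test-DownloadSignature {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ExpectedPublisher
    )
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Common name (CN) of the signing certificate's subject, if there is one.
    $signer = $null
    if ($sig.SignerCertificate) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    }

    # Valid means the hash matches and the chain ends in a trusted root.
    # Any other status (NotSigned, HashMismatch, NotTrusted, ...) is rejected.
    $validChain  = ($sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid)
    # A valid signature from an unexpected name is rejected as well.
    $rightSigner = ($null -ne $signer -and $signer -eq $ExpectedPublisher)

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $signer
        Sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Trusted = ($validChain -and $rightSigner)
    }
}

$url      = 'https://chocolatey.org/install.ps1'         # URL from the comment above
$dest     = Join-Path $env:TEMP 'install.ps1'            # keep the .ps1 extension
$expected = '<publisher name from the vendor site>'      # placeholder, fill in yourself

# Download to a file instead of piping the response straight into iex.
Invoke-WebRequest -Uri $url -OutFile $dest -UseBasicParsing

$check = Test-DownloadSignature -Path $dest -ExpectedPublisher $expected
$check | Format-List

if ($check.Trusted) {
    # Still subject to the machine's execution policy and needs an elevated prompt.
    & $dest
} else {
    Write-Warning "Not running ${dest}: status '$($check.Status)', signer '$($check.Signer)'."
}
```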
Portable apps dot com is all I recommend for non geeks anymore. They recompile the open-source programs to leave nothing on your computer, and there is no installation bull crap. Has 99% of the free apps a typical user will need. Also comes with its own little start menu just for its programs. Plus the programs can be selected through a repository like select screen.
The market for good software seems to be shrinking and consolidating. There are so few crumbs left that people are fighting over a few pennies of revenue for installing crapware. There is very little that is needed anymore beyond what comes with the operating system, an office suite, and a text editor. I bought Textpad years ago. I have Microsoft office (corporate) and Visual Studio paid but I could use the free edition. Really no other commercial software. A few true OSS apps, password safe and cygwin. I doubt any of the most popular downloads actually do much that is useful.
I wonder how much malware is included in the download if you uncheck all the boxes - I wouldn't assume that would help, though it might in some cases. I'd also be interested in how much of the malware was proof against removal. Obviously any malware that re-installs itself after removal is much worse than malware that permits uninstallation. My own view is that automatic reinstalling is a felony under federal law regulating computer crime, but apparently the Justice Department doesn't care.
The real source of the problem is that Google ranks download.com and similar sites high. Penguin should deal with that but probably these companies pay a lot.
Whenever I look for some FOSS, top results are occupied by either download.com or my local counterparts.
PDFCreator is the best example of this abuse I've seen in the last year. It's "free software", but it comes with almost a dozen different pieces of adware, hijackware, and web browser corrupting redirect tools that log your behavior, spew ads into your screen, clutter your browser with undesired and unexpected toolbars, and the remove tools for them *don't work*. PDFCreator stopped doing this for about two years, but then went right back to including the bloat.
Last time I touched it, I had to burn the machine to bare metal and install from scratch.
If you use libraries designed with static linking in mind like musl-libc and tinyxlib, then it's not really that much. You get similar benefits to shared libraries if the program is or has recently been running... Users run programs, not libraries and shouldn't have to wait for every unused function of every dependent library to load just to run a program. What's worse is when vendors distribute alternate shared libraries with a single program so that none of the library caching occurs from other programs and the overall size increases significantly. If you are distributing multiple programs that use the same libraries, you can always create a multicall binary like busybox, toybox, dropbear and mupdf do and still do a static build that will be smaller than the overall shared build.
The irony is tickling, that while reading this article on Slashdot's website, I saw an ad for a free software download of some random vaporware. Naivety is lucrative, apparently! But good on these guys at How-To Geek for getting to the bottom of the matter here. Thanks!
Step 1: install a Linux OS from the distro's server.
Step 2: install only apps from the distro's repositories. As for the other 1%, you probably don't need them but they're usually clean anyhow.
If any friend/relative wants you to clean their system, just tell them "I don't do Windows" because you forgot how, but you'll happily install Linux.
If a paying customer, charge them by the hour to fix their Windows. Profit!
"cavalcade of crapware" -- sounds like the subtitle from a resume from an offshore development firm.
I have had my own data hijacked, in other words my PC, by programs I paid for from a "reputable vendor"! This must have happened to some other members. I found that the only way to get my stuff back was by very carefully deleting the thing I paid for. Not only that, but another paid-for program refused to accept the key or code because I was not connected to the WWW. This was from a silver partner. When they refused to tell me why they had this policy, I told them to keep their ill-gotten gains, removed the offensive program, and found a much better equivalent on a donate site. As a matter of fact, a field-specific program I need came from such a place; it left all pay-for programs for dead! In my experience every recommended program has caused me problems. I no longer buy them.
the power of men in charge of words over men in charge of machines surpasses all wondering S WEIL