Slashdot Mirror

← Back to Stories (view on slashdot.org)

How To Hijack Your Own Windows System With Bundled Downloads

Posted by timothy on from the would-be-funny-if-not-evil dept.

How-To Geek has tested and described something that you probably shouldn't do on your own computer -- unless, as they did, you do it on a virtual machine just for this purpose. Namely, they downloaded 10 of the most popular software titles from download.com, clicking through as a naive user might, accepting the defaults or the most obvious Next buttons, as most users surely do. They note that download.com's stated policies certainly look good on-screen; it says that the site comprehensively screens for, and disallows, malware of all kinds. But malware of various kinds, even if much of it is in a grey zone rather than actually malicious, is a fair description of what the authors encountered as they clicked through. Bundled software, some pieces of it at odds with others, was attached to each of the downloads, and from download to installation the process by design foisted more and more junk on their system, even if some of the bundled junk could have been avoided by a user jaded by previous hijackings. The conclusion: [N]o matter how technical you might be, most of the installers are so confusing that there's no way a non-geek could figure out how to avoid the awful. So if you recommend a piece of software to somebody, you are basically asking them to infect their computer. And it doesn’t matter which antivirus you have installed — we've actually done this experiment a number of times with different antivirus vendors, and most of them completely ignored all of the bundled crapware. Avast did a pretty good job this time compared to some of the other vendors, but it didn't block all of it for sure. There are also no safe freeware download sites because as you can clearly see in the screenshots in this article, it isn't just CNET Downloads that is doing the bundling it's EVERYBODY. The freeware authors are bundling crapware, and then lousy download sources are bundling even more on top of it. It's a cavalcade of crapware.

13 of 324 comments (clear)

  1. Download from the source by shuz · · Score: 4, Informative

    Need SCP? Download it from winscp.net. Need VLC? Download it form videolan.org. Teach your non-geek how to think outside the box (just a little and be gentle). Teach them about digital trust. To locate website of the vendor that makes the software that they want. If that vendor redirects them to cnet, then that is where they should download the software from.

    For all driver needs tell them to download only from the original equipment manufactures website. If the driver doesn't exist anymore there is a reasonable chance the driver found on some third party website won't work anyways.

    --
    There is or can be built a machine that can simulate any physical object. -Church-Turing principle
    1. Re:Download from the source by mprinkey · · Score: 4, Informative

      Ninite.com is the only place I go for software on a new Windows installation. Select what you want and it gives you one installer. And you get exactly what you asked for. No search bars or crapware. It has been working great for years now.

    2. Re:Download from the source by BenFenner · · Score: 4, Informative

      I wanted ninite.com to be the solution to all of my app downloading/installing problems, but it turned out not being the solution to any of them. The idea is great, but one simple test showed the issue with this service. They try to make insalling an application a one-click affair, and they do this assuming the software you are installing does not install bloatware of it's own. So take Foxit PDF Viewer for example. This was a great, secure alternative to Adobe PDF Reader which many of us used happily for a while. But, as with most software like this, is started getting loaded down with bloat. Specifically, it tries to get you to install certain browser toolbars, or other such madness. This is the true installer from Foxit's website.

      So, Ninite takes this installer, and makes sure nothing else has been added to it. However, they have no concept of the genuine installer forcing bloatware on you. It seems they are just checking for 3rd party bloat. So, with the genuine installer you have the option to uncheck this bloatware and not install it. This is not true with Ninite's one-click installer which accepts all of the defaults.

      For me, this made ninite a non-starter, and I do as most of us do, and go to the app provider's site to download.

      It's a shame.

  2. Find the source by jandrese · · Score: 3, Informative

    Never download software from one of those "Free Software Download" sites. They always bundle in crapware. Instead, track down the original author's homepage and try to download it from there. That greatly reduces the amount of crap you have to deal with.

    Also, if you are forced to download from one of those sites, don't assume that just because you uncheck all of the crapware in the installer that it won't just go ahead and install it anyway, because it will. Basically, ask yourself if you really really need that app or if you could maybe find something else that does the same thing but is still supported. It's also a good idea to run whatever your favorite anti-spyware app is if you do have to install something like that.

    --

    I read the internet for the articles.
  3. Not Surprising by Wycliffe · · Score: 2, Informative

    Free software and free hosting has to make money some way. Even the more legitimate ones tend to bundle stuff like
    adobe acrobat, google chrome, google toolbar, or some other random search engine toolbar that presumably gives them
    a kickback. As long as people keep demanding free apps and free software then you will continue to see sneeky ways
    to monitize their software. That being said, some of the worst offenders I've seen are PAID software like norton and
    mcafee.

  4. Re:Or just pick better sources ... by nine-times · · Score: 4, Informative

    Also ninite is still safe, AFAIK. It's especially helpful if you want to download and install a bunch of different applications at once.

  5. Re:Application installers suck. by Richard_at_work · · Score: 5, Informative

    Why does Windows keep this antiquated process around?

    Chocolatey.

    https://chocolatey.org/

  6. Re:Application installers suck. by The+MAZZTer · · Score: 5, Informative

    Microsoft tried the easy install, walled garden approach with Windows 8. It didn't go over well.

  7. Re:You don't say !! by CohibaVancouver · · Score: 2, Informative

    Whatever happened to the great days of shareware?

    The people making 'shareware' realized they had rent to pay and kids to feed.

  8. Re:Malware by phorm · · Score: 4, Informative

    I classify adware/junkware as malware, as - at the very least - the extra use of resources (memory, disk) is a drain on the PC. Even browser toolbars tend to reduce the performance of a computer.

  9. Re:Libreoffice by galaad2 · · Score: 4, Informative

    these days they dropped the sourceforge crap for their own crap built-in into the main installer, silently downloaded in the background from sites such as coapr14pool _DOT_ com AND THEN executed while having elevated full admin rights. This is typical trojan dropper / infector / keylogger behavior.

    source: http://www.pdfforge.org/blog/p...
    (in comments)

    --
    root@127.0.0.1
  10. I don't think that's quite right. by digsbo · · Score: 5, Informative

    I'm pretty sure you're mistaken there. I've done installers with both RPMs and MSIs. Not my specialty, but I have some experience.

    In Windows, you don't need elevated privileges to install an application to a user-specific location. You only need it to install system-wide. The registry keys to track Windows Installer components can be referenced from either location in the registry (the administrative access part, or the user-only part).

    It's not all that different from RPM, though really it's a little easier to do user-only installs with Windows Installer. You need administrative privileges to install system wide w/ RPM. You can also do a bunch of RPM hacking to install to a user-only RPM database and installation folder without root, so long as you specify that you're running RPM against a non-default RPM database location, and someone went to a lot of trouble to permit user only installs in your RPM spec file. There's a bit of work to enable this in regular MSIs, too, but it's actually better supported that under RPM.

  11. Re:Application installers suck. by Anonymous Coward · · Score: 2, Informative

    Most developers either used sparkle (http://sparkle-project.org) or rolled their own. With the rise of the App Store you see less and less of this you, other than the kind of software that App Store can't (or won't) carry.