How To Hijack Your Own Windows System With Bundled Downloads

How-To Geek has tested and described something that you probably shouldn't do on your own computer -- unless, as they did, you do it on a virtual machine just for this purpose. Namely, they downloaded 10 of the most popular software titles from download.com, clicking through as a naive user might, accepting the defaults or the most obvious Next buttons, as most users surely do. They note that download.com's stated policies certainly look good on-screen; it says that the site comprehensively screens for, and disallows, malware of all kinds. But malware of various kinds, even if much of it is in a grey zone rather than actually malicious, is a fair description of what the authors encountered as they clicked through. Bundled software, some pieces of it at odds with others, was attached to each of the downloads, and from download to installation the process by design foisted more and more junk on their system, even if some of the bundled junk could have been avoided by a user jaded by previous hijackings. The conclusion: [N]o matter how technical you might be, most of the installers are so confusing that there's no way a non-geek could figure out how to avoid the awful. So if you recommend a piece of software to somebody, you are basically asking them to infect their computer. And it doesn’t matter which antivirus you have installed — we've actually done this experiment a number of times with different antivirus vendors, and most of them completely ignored all of the bundled crapware. Avast did a pretty good job this time compared to some of the other vendors, but it didn't block all of it for sure. There are also no safe freeware download sites because as you can clearly see in the screenshots in this article, it isn't just CNET Downloads that is doing the bundling it's EVERYBODY. The freeware authors are bundling crapware, and then lousy download sources are bundling even more on top of it. It's a cavalcade of crapware.

Application installers suck.

[RyuuzakiTetsuya]

If it's one thing I've learned after playing with OS X and Linux, it's that no matter what the OS is, an install script is an awful UX.

This isn't a problem in OS X because most software installs via app bundles. Yes, there are .pkg installers that could bundle god knows what, but they're not the norm for Mac software.

Also this isn't a problem in Linux because either you're usually installing from a repo or source, of which the requirement for any repo package or code base isn't going to be libtrackingmalwarelolpwn(64 bit; of course).

Why does Windows keep this antiquated process around?

Re:Application installers suck.

[Megane]

Because Microsoft came up with this abomination called "the registry", and by Bill, we're going to USE it. It can't be the wrong way to do things, because it's the way we've been doing things for years, so we're not going to stop now!

Re:Application installers suck.

[Megane]

Because, thanks to nonsense like the registry, installing an app into Windows is a non-trivial operation. So everybody uses one of two or three installer shells that all use that "wizard" mode where you have to click next ten times.

The sad part is that it is possible to make a trivial app that doesn't need to be installed. Putty does it, and I've done one before, too. But MS never came up with a "bundle" concept like OS X (I think it was in 9 as well) that presents a folder as through it were a single application, nor is there a default applications directory that multiple users can all access by simply dropping stuff into it. So if you've got files that need to tag along with the .exe (especially DLLs) or want the app installed for more than one user, you're stuck with installer hell.

You don't say !!

[amalcolm]

Download.com installs crapware news at 11

Oracle on down ...

[gstoddart]

When Oracle bundles the ask.com shitware with Java, and you have to conscientiously know it's there and un-check it, is it any surprise pretty much everyone else does this stuff?

Some ass is always trying to monetize your clicks, and 'free' comes with strings.

I've noticed over the years CNET is doing this, so much so that I don't typically trust them as a source.

The marketing assholes have pretty much wrecked the internet, and they pretty much use the same tactics as the malware people -- putting stuff on you don't want.

Re:Oracle on down ...

[gstoddart]

When a multi-billion dollar company is resorting to looking for affiliate and adware kickbacks it's truly pathetic.

By putting that ask.com crapware bundled with the core Java installer, Oracle have done more to undermine the existence of Java than pretty much anything.

This is why we can't have nice things ... because it just gets bought and destroyed by a bigger tech giant who craps all over it.

I've lost track of the number of times I've had to uninstall it from people's systems.

Re:Or just pick better sources ...

[TheCarp]

Perhaps he is confused by the fact that many small developers, especially of game mods, distribute directly from github, and indeed, github is not adding anything to those downloads.

A lot of people don't seem to realize that git is a thing quite aside from github

There is a very easy definition of malware

[Opportunist]

Anything that does something which is not in the interest of the owner of the system is malware.

The owner of the system defines what is in his interest.

Simple as that.