How To Hijack Your Own Windows System With Bundled Downloads

How-To Geek has tested and described something that you probably shouldn't do on your own computer -- unless, as they did, you do it on a virtual machine just for this purpose. Namely, they downloaded 10 of the most popular software titles from download.com, clicking through as a naive user might, accepting the defaults or the most obvious Next buttons, as most users surely do. They note that download.com's stated policies certainly look good on-screen; it says that the site comprehensively screens for, and disallows, malware of all kinds. But malware of various kinds, even if much of it is in a grey zone rather than actually malicious, is a fair description of what the authors encountered as they clicked through. Bundled software, some pieces of it at odds with others, was attached to each of the downloads, and from download to installation the process by design foisted more and more junk on their system, even if some of the bundled junk could have been avoided by a user jaded by previous hijackings. The conclusion: [N]o matter how technical you might be, most of the installers are so confusing that there's no way a non-geek could figure out how to avoid the awful. So if you recommend a piece of software to somebody, you are basically asking them to infect their computer. And it doesn’t matter which antivirus you have installed — we've actually done this experiment a number of times with different antivirus vendors, and most of them completely ignored all of the bundled crapware. Avast did a pretty good job this time compared to some of the other vendors, but it didn't block all of it for sure. There are also no safe freeware download sites because as you can clearly see in the screenshots in this article, it isn't just CNET Downloads that is doing the bundling it's EVERYBODY. The freeware authors are bundling crapware, and then lousy download sources are bundling even more on top of it. It's a cavalcade of crapware.

Or just pick better sources ...

[UnknownSoldier]

Download.com is crap.

Sadly open source isn't immune to this crap with SourceForge now doing this stupid shit of bundling malware, adware, toolbar hijacks, etc. Especially when you have yahoo's like FileZilla's admin approving(!) of this irresponsibility !?

At least Git hasn't been effected (yet)

Re:Application installers suck.

[RyuuzakiTetsuya]

that's not what I meant.

Why is it that in 2015, to install software from the internet, I need to let someone run a privileged script that can and will write whatever it wants, where it wants? Why can't I just get some archive bundle that I can drop into a collection of other applications?

I think the OS X style application bundles are the right way to do things.

Re:Application installers suck.

[houghi]

Why does Windows keep this antiquated process around?

Liability? The software that people install is not Microsoft software, nor is it compiled by Microsoft.

With Linux there are also some third party install programs. Most because they are not open source.

So it is not Windows that keep this antiquated process. It is the people who write the programs who all have a different idea on how to do things. Just having a discussion if a user should or should not have an option as default will give various answers.

https://ninite.com/ will do already a lot already to overcome that.

Obviously what Microsoft could easily do is make something similar and ask developers to give the programs to them in a certain format. I am also sure that Microsoft does not want to be a reseller.

Re:Application installers suck.

[Iconoclysm]

Isn't that exactly what Microsoft is now doing with the Windows Store and "modern" apps, though?

Re:Application installers suck.

[swb]

For much of the Mac's history this was also the case. If you wanted an application, you just copied the damn thing from one media to another.

IIRC, it got worse over time on the Mac as apps got bigger (more supporting crap, stuff to copy to the System Folder, maybe a control panel or init, etc).

One in a while you run into applications, often utilities, that are truly standalone -- you can copy it to a new system and just run it. And then there are the various techniques for making portable apps, some kind of hand-done with a wrapper, others that scan a system before install and after and package all the deltas and use a wrapper after running to redirect all the various accesses.

I kind of blame shared libraries myself versus static linking. I've never quite groked the attraction of shared libraries. I get pilloried on Slashdot for saying this, of course. Usually its "ZOMG how will I patch my system when $library has a security weakness and 69 apps all use it" or "it takes too much disk space".

#1 is a fair criticism, I guess, but means little on Windows which seems to use less of that kind of a shared library, but I also wonder if there isn't a counter argument by which not every app statically linked to a common library will have the same bug and won't need updating. And it's not like updating a shared library is always risk-free; there's always the chance that an updated dependent library may change in some way that borks some of the apps that depend on it or some of the problems and cruft from several versions of the same library on the same system.

#2 seems like a bullshit criticism in this day and age. I'm curious what a "typical" OS install would be like space-wise if it was all statically linked.

And if you had all-statically linked applications, updating them to new versions would be just a matter of copying in a new version which seems simpler and more manageable to me for some reason.

Of course, none of this means much to apps which legitimately have a shit-ton of included resources which need to be shared system wide. Those have to go in their right places somehow, but if they are app specific they could just be in the same directory as the application. Maybe apps could um, register, their shared capability with the system so it would know to look for a resource in a virtual directory /app/resource/shared instead of a system-wide /resources directory -- the app itself remains self-contained, no installer required, and it could just register its capability at runtime with the system.

Re:You don't say !!

[fermion]

This is old news, but still of a concern because of Google. I have noticed lately that sometimes when I search for software to install on a new machine or try out for a project, one of the download services comes up as the first result instead of the actual place hosting the repositories and packages.

This reminds me when link farms were more of an issue than they are today, and when just doing a search could kill your windows machine.

Really it is the search engines that keep these people in business, and modifications of the algorithm could minimize the damage just like it did with link farms.

Re:Application installers suck.

[Gr8Apes]

Because, thanks to nonsense like the registry, installing an app into Windows is a non-trivial operation. ... So if you've got files that need to tag along with the .exe (especially DLLs) or want the app installed for more than one user, you're stuck with installer hell.

a) it's crappy developers that force the registry hell on you. There's no reason to use it, nor any requirement to use it.
b) There's no problem building a single EXE with all required DLLs (or there didn't used to be.)
c) there's nothing preventing you from shipping a zip (because windows still doesn't understand a tarball) which has everything packaged up nice and neat (ie, a bundle)
d) multiple users can use an app that you drop into the appropriate places, some will require that when you drop it there, you have to elevate your privs, but that's pretty standard
There's no excuse to have installer hell. Just say no.