How To Hijack Your Own Windows System With Bundled Downloads
How-To Geek has tested and described something that you probably shouldn't do on your own computer -- unless, as they did, you do it on a virtual machine just for this purpose. Namely, they downloaded 10 of the most popular software titles from download.com, clicking through as a naive user might, accepting the defaults or the most obvious Next buttons, as most users surely do. They note that download.com's stated policies certainly look good on-screen; it says that the site comprehensively screens for, and disallows, malware of all kinds. But malware of various kinds, even if much of it is in a grey zone rather than actually malicious, is a fair description of what the authors encountered as they clicked through. Bundled software, some pieces of it at odds with others, was attached to each of the downloads, and from download to installation the process by design foisted more and more junk on their system, even if some of the bundled junk could have been avoided by a user jaded by previous hijackings. The conclusion:
[N]o matter how technical you might be, most of the installers are so confusing that there's no way a non-geek could figure out how to avoid the awful. So if you recommend a piece of software to somebody, you are basically asking them to infect their computer. And it doesn’t matter which antivirus you have installed — we've actually done this experiment a number of times with different antivirus vendors, and most of them completely ignored all of the bundled crapware. Avast did a pretty good job this time compared to some of the other vendors, but it didn't block all of it for sure. There are also no safe freeware download sites because as you can clearly see in the screenshots in this article, it isn't just CNET Downloads that is doing the bundling, it's EVERYBODY. The freeware authors are bundling crapware, and then lousy download sources are bundling even more on top of it. It's a cavalcade of crapware.
If it's one thing I've learned after playing with OS X and Linux, it's that no matter what the OS is, an install script is an awful UX.
This isn't a problem in OS X because most software installs via app bundles. Yes, there are .pkg installers that could bundle god knows what, but they're not the norm for Mac software.
Also this isn't a problem in Linux because either you're usually installing from a repo or source, of which the requirement for any repo package or code base isn't going to be libtrackingmalwarelolpwn(64 bit; of course).
Why does Windows keep this antiquated process around?
Non impediti ratione cogitationus.
Download.com installs crapware news at 11
Time for bed, said Zebedee - boing
While I find download.com to be very useful, it has been that way for as long as I can remember. McAfee or some other bundled crap that no one asked for, wanting to auto run on startup, and damn hard to get rid of once it's there. It got so bad at my house I actually blocked downloads from them for the rest of my family because I was sick and tired of fixing their machines every time they needed a new video player to try and grab YouTube videos in the case of my younger brother, etc.
have you seen my sig? there are many others like it but none that are the same
Download.com is crap.
Sadly open source isn't immune to this crap with SourceForge now doing this stupid shit of bundling malware, adware, toolbar hijacks, etc. Especially when you have yahoos like FileZilla's admin approving(!) of this irresponsibility!?
At least Git hasn't been affected (yet)
Need SCP? Download it from winscp.net. Need VLC? Download it from videolan.org. Teach your non-geek how to think outside the box (just a little and be gentle). Teach them about digital trust. To locate the website of the vendor that makes the software that they want. If that vendor redirects them to cnet, then that is where they should download the software from.
For all driver needs tell them to download only from the original equipment manufacturer's website. If the driver doesn't exist anymore there is a reasonable chance the driver found on some third party website won't work anyways.
There is or can be built a machine that can simulate any physical object. -Church-Turing principle
Some AVs will detect and remove PUPs (Possible Unwanted Programs).
http://www.pcworld.com/article...
Life is not for the lazy.
Never download software from one of those "Free Software Download" sites. They always bundle in crapware. Instead, track down the original author's homepage and try to download it from there. That greatly reduces the amount of crap you have to deal with.
Also, if you are forced to download from one of those sites, don't assume that just because you uncheck all of the crapware in the installer that it won't just go ahead and install it anyway, because it will. Basically, ask yourself if you really really need that app or if you could maybe find something else that does the same thing but is still supported. It's also a good idea to run whatever your favorite anti-spyware app is if you do have to install something like that.
I read the internet for the articles.
Free software and free hosting has to make money some way. Even the more legitimate ones tend to bundle stuff like Adobe Acrobat, Google Chrome, Google Toolbar, or some other random search engine toolbar that presumably gives them a kickback. As long as people keep demanding free apps and free software then you will continue to see sneaky ways to monetize their software. That being said, some of the worst offenders I've seen are PAID software like Norton and McAfee.
malware = stuff designed to do nothing more than harm your computer.
adware / junkware = stuff not specifically designed to do that, but a pain in the butt, extremely annoying, probably unwanted but not necessarily "evil" as such.
No malware doesn't mean it's "safe" or won't fill your computer with unwanted junk. Hell, even some AAA paid-for game titles will fill your computer with junk given half a chance.
That said, download.com has been dead to me for a number of years. Precisely because, like a text conversation I had with an old friend just now, people eventually have to ask me to clean their machines after touching it. Sure, it's not doing damage, but slowing your machine, popping up junk, intercepting your default search etc. is not "malicious" so much as downright rude and annoying, if you've agreed to it.
It's like the difference between posting some junk mail through my door, and posting some dog excrement. One is clearly intended to harm. The other's just a pain in the butt that I never really wanted (even if I "volunteered" for it at some point, somehow).
Sorry, but I remove (and have more trouble removing) more "adware" / "junkware" in my professional life than I ever do malware. It doesn't mean it's okay, still, but it's not malware. It's not exploiting security holes, stealing your passwords, avoiding your antivirus, etc. Most of it will remove itself if you ask it to. But that doesn't mean that anyone actually WANTS it either.
Sorry, the second you bundle unnecessary junk into your downloads, I stop using you. I've had to abandon several good pieces of freeware because of that (yes, I'm looking at you IZArc and lots of your friends because you just can't resist bundling some unwanted junk with a lovely freeware util that I'd gladly give you £10 for if it didn't have that stuff).
When Oracle bundles the ask.com shitware with Java, and you have to conscientiously know it's there and un-check it, is it any surprise pretty much everyone else does this stuff?
Some ass is always trying to monetize your clicks, and 'free' comes with strings.
I've noticed over the years CNET is doing this, so much so that I don't typically trust them as a source.
The marketing assholes have pretty much wrecked the internet, and they pretty much use the same tactics as the malware people -- putting stuff on you don't want.
Lost at C:>. Found at C.
Why do you _assume_ free is good?
Just to drive the point home:
STDs such as Aids are "free" too.
Just because it is free, doesn't imply it is good (for you.)
Free source code: Good .exe + malware: Bad
Free standalone binary: Good
Free
This is why many people happily accept walled gardens.
Thank you, Bradley Manning, Edward Snowden and so many others, for courageously defending humanity, my freedom and more!
Sometimes you only have to get it from the author's intended source for it to be an issue - the reason I dropped PDFCreator as a tool was the bundled crap from the SourceForge download.
Nothing like false equivocation.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
These days they dropped the SourceForge crap for their own crap built into the main installer, silently downloaded in the background from sites such as coapr14pool _DOT_ com AND THEN executed while having elevated full admin rights. This is typical trojan dropper / infector / keylogger behavior.
source: http://www.pdfforge.org/blog/p...
(in comments)
root@127.0.0.1
Download.com is the Detroit of download sites.
I'm pretty sure you're mistaken there. I've done installers with both RPMs and MSIs. Not my specialty, but I have some experience.
In Windows, you don't need elevated privileges to install an application to a user-specific location. You only need it to install system-wide. The registry keys to track Windows Installer components can be referenced from either location in the registry (the administrative access part, or the user-only part).
It's not all that different from RPM, though really it's a little easier to do user-only installs with Windows Installer. You need administrative privileges to install system wide w/ RPM. You can also do a bunch of RPM hacking to install to a user-only RPM database and installation folder without root, so long as you specify that you're running RPM against a non-default RPM database location, and someone went to a lot of trouble to permit user only installs in your RPM spec file. There's a bit of work to enable this in regular MSIs, too, but it's actually better supported than under RPM.
Anything that does something which is not in the interest of the owner of the system is malware.
The owner of the system defines what is in his interest.
Simple as that.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Really? It's the solution to the great majority of the issues here, (Bundled crapware) and just plain easy to use as well.
Downside -- it always needs admin rights, not particularly surprising.
How to install? Hit the win key -- type cmd in the search box, hold control-shift - tap enter. Voilà - an administrative rights command prompt pops up.
Then paste: @powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin
(Note you should copy that from chocolatey.org's website yourself - don't trust me!)
When it finishes, type : choco install sysinternals
or choco install libreoffice, choco install javaruntime, etc.
Of course you can stack installs: choco install javaruntime libreoffice paint.net notepadplusplus.install googlechrome 7zip.install firefox putty filezilla
When you think there might be updates: type: cup all
in a command prompt. It'll let you know when it's done.
- Jeff
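The one-liner in the comment above downloads a script and runs it immediately in an elevated prompt. The following is an added example, not from the commenter or from the Chocolatey project, of fetching that script to disk and checking it first. It assumes the script carries an Authenticode signature; the expected publisher string and the temporary file name are placeholders.

```powershell
# Added example: download the install script to a file and inspect it before
# running, instead of piping the download straight into iex.
# Assumptions: the script is Authenticode-signed; $ExpectedPublisher is a
# placeholder to be filled in from the vendor's own documentation.
param(
    [string]$Url = 'https://chocolatey.org/install.ps1',              # URL quoted in the comment
    [string]$ExpectedPublisher = '<publisher name from vendor docs>'  # placeholder
)

$ErrorActionPreference = 'Stop'
$path = Join-Path $env:TEMP 'install-review.ps1'   # hypothetical file name

# 1. Download to a file; nothing is executed at this point.
Invoke-WebRequest -Uri $Url -OutFile $path -UseBasicParsing

# 2. Record the hash so the copy that was reviewed is the copy that later runs.
$hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
Write-Host "SHA256: $hash"

# 3. Check the Authenticode signature and who signed it.
$sig = Get-AuthenticodeSignature -FilePath $path
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; not running $path"
}
$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "*$ExpectedPublisher*") {
    # With the placeholder left unchanged this always fires, by design.
    throw "Unexpected signer: $subject"
}
Write-Host "Signed by: $subject"

# 4. Read the script yourself, then run the saved copy explicitly.
Write-Host "Review $path, then run:"
Write-Host "  powershell -NoProfile -ExecutionPolicy AllSigned -File `"$path`""
```

A valid signature only shows who published the script and that it was not altered in transit; it says nothing about what the packages installed afterwards will bundle.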