Slashdot Mirror

← Back to Stories (view on slashdot.org)

How To Hijack Your Own Windows System With Bundled Downloads

Posted by timothy on from the would-be-funny-if-not-evil dept.

How-To Geek has tested and described something that you probably shouldn't do on your own computer -- unless, as they did, you do it on a virtual machine just for this purpose. Namely, they downloaded 10 of the most popular software titles from download.com, clicking through as a naive user might, accepting the defaults or the most obvious Next buttons, as most users surely do. They note that download.com's stated policies certainly look good on-screen; it says that the site comprehensively screens for, and disallows, malware of all kinds. But malware of various kinds, even if much of it is in a grey zone rather than actually malicious, is a fair description of what the authors encountered as they clicked through. Bundled software, some pieces of it at odds with others, was attached to each of the downloads, and from download to installation the process by design foisted more and more junk on their system, even if some of the bundled junk could have been avoided by a user jaded by previous hijackings. The conclusion: [N]o matter how technical you might be, most of the installers are so confusing that there's no way a non-geek could figure out how to avoid the awful. So if you recommend a piece of software to somebody, you are basically asking them to infect their computer. And it doesn’t matter which antivirus you have installed — we've actually done this experiment a number of times with different antivirus vendors, and most of them completely ignored all of the bundled crapware. Avast did a pretty good job this time compared to some of the other vendors, but it didn't block all of it for sure. There are also no safe freeware download sites because as you can clearly see in the screenshots in this article, it isn't just CNET Downloads that is doing the bundling it's EVERYBODY. The freeware authors are bundling crapware, and then lousy download sources are bundling even more on top of it. It's a cavalcade of crapware.

23 of 324 comments (clear)

  1. Application installers suck. by RyuuzakiTetsuya · · Score: 4, Insightful

    If it's one thing I've learned after playing with OS X and Linux, it's that no matter what the OS is, an install script is an awful UX.

    This isn't a problem in OS X because most software installs via app bundles. Yes, there are .pkg installers that could bundle god knows what, but they're not the norm for Mac software.

    Also this isn't a problem in Linux because either you're usually installing from a repo or source, of which the requirement for any repo package or code base isn't going to be libtrackingmalwarelolpwn(64 bit; of course).

    Why does Windows keep this antiquated process around?

    --
    Non impediti ratione cogitationus.
    1. Re:Application installers suck. by gunner_von_diamond · · Score: 5, Funny

      Why does Windows keep this antiquated process around?

      That's a great question. The only thing I can think of is someone making money off of having the crapware bundled together to offset the cost of offering their product as a free download.

    2. Re:Application installers suck. by RyuuzakiTetsuya · · Score: 4, Interesting

      that's not what I meant.

      Why is it that in 2015, to install software from the internet, I need to let someone run a privileged script that can and will write whatever it wants, where it wants? Why can't I just get some archive bundle that I can drop into a collection of other applications?

      I think the OS X style application bundles are the right way to do things.

      --
      Non impediti ratione cogitationus.
    3. Re:Application installers suck. by houghi · · Score: 5, Interesting

      Why does Windows keep this antiquated process around?

      Liability? The software that people install is not Microsoft software, nor is it compiled by Microsoft.

      With Linux there are also some third party install programs. Most because they are not open source.

      So it is not Windows that keep this antiquated process. It is the people who write the programs who all have a different idea on how to do things. Just having a discussion if a user should or should not have an option as default will give various answers.

      https://ninite.com/ will do already a lot already to overcome that.

      Obviously what Microsoft could easily do is make something similar and ask developers to give the programs to them in a certain format. I am also sure that Microsoft does not want to be a reseller.

      --
      Don't fight for your country, if your country does not fight for you.
    4. Re:Application installers suck. by Richard_at_work · · Score: 5, Informative

      Why does Windows keep this antiquated process around?

      Chocolatey.

      https://chocolatey.org/

    5. Re:Application installers suck. by The+MAZZTer · · Score: 5, Informative

      Microsoft tried the easy install, walled garden approach with Windows 8. It didn't go over well.

    6. Re:Application installers suck. by Iconoclysm · · Score: 4, Interesting

      Isn't that exactly what Microsoft is now doing with the Windows Store and "modern" apps, though?

    7. Re:Application installers suck. by Megane · · Score: 4, Insightful

      Because, thanks to nonsense like the registry, installing an app into Windows is a non-trivial operation. So everybody uses one of two or three installer shells that all use that "wizard" mode where you have to click next ten times.

      The sad part is that it is possible to make a trivial app that doesn't need to be installed. Putty does it, and I've done one before, too. But MS never came up with a "bundle" concept like OS X (I think it was in 9 as well) that presents a folder as through it were a single application, nor is there a default applications directory that multiple users can all access by simply dropping stuff into it. So if you've got files that need to tag along with the .exe (especially DLLs) or want the app installed for more than one user, you're stuck with installer hell.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    8. Re:Application installers suck. by swb · · Score: 4, Interesting

      For much of the Mac's history this was also the case. If you wanted an application, you just copied the damn thing from one media to another.

      IIRC, it got worse over time on the Mac as apps got bigger (more supporting crap, stuff to copy to the System Folder, maybe a control panel or init, etc).

      One in a while you run into applications, often utilities, that are truly standalone -- you can copy it to a new system and just run it. And then there are the various techniques for making portable apps, some kind of hand-done with a wrapper, others that scan a system before install and after and package all the deltas and use a wrapper after running to redirect all the various accesses.

      I kind of blame shared libraries myself versus static linking. I've never quite groked the attraction of shared libraries. I get pilloried on Slashdot for saying this, of course. Usually its "ZOMG how will I patch my system when $library has a security weakness and 69 apps all use it" or "it takes too much disk space".

      #1 is a fair criticism, I guess, but means little on Windows which seems to use less of that kind of a shared library, but I also wonder if there isn't a counter argument by which not every app statically linked to a common library will have the same bug and won't need updating. And it's not like updating a shared library is always risk-free; there's always the chance that an updated dependent library may change in some way that borks some of the apps that depend on it or some of the problems and cruft from several versions of the same library on the same system.

      #2 seems like a bullshit criticism in this day and age. I'm curious what a "typical" OS install would be like space-wise if it was all statically linked.

      And if you had all-statically linked applications, updating them to new versions would be just a matter of copying in a new version which seems simpler and more manageable to me for some reason.

      Of course, none of this means much to apps which legitimately have a shit-ton of included resources which need to be shared system wide. Those have to go in their right places somehow, but if they are app specific they could just be in the same directory as the application. Maybe apps could um, register, their shared capability with the system so it would know to look for a resource in a virtual directory /app/resource/shared instead of a system-wide /resources directory -- the app itself remains self-contained, no installer required, and it could just register its capability at runtime with the system.

    9. Re:Application installers suck. by Gr8Apes · · Score: 4, Interesting

      Because, thanks to nonsense like the registry, installing an app into Windows is a non-trivial operation. ... So if you've got files that need to tag along with the .exe (especially DLLs) or want the app installed for more than one user, you're stuck with installer hell.

      a) it's crappy developers that force the registry hell on you. There's no reason to use it, nor any requirement to use it.
      b) There's no problem building a single EXE with all required DLLs (or there didn't used to be.)
      c) there's nothing preventing you from shipping a zip (because windows still doesn't understand a tarball) which has everything packaged up nice and neat (ie, a bundle)
      d) multiple users can use an app that you drop into the appropriate places, some will require that when you drop it there, you have to elevate your privs, but that's pretty standard
      There's no excuse to have installer hell. Just say no.

      --
      The cesspool just got a check and balance.
  2. You don't say !! by amalcolm · · Score: 5, Insightful

    Download.com installs crapware news at 11

    --
    Time for bed, said Zebedee - boing
    1. Re:You don't say !! by fermion · · Score: 4, Interesting
      This is old news, but still of a concern because of Google. I have noticed lately that sometimes when I search for software to install on a new machine or try out for a project, one of the download services comes up as the first result instead of the actual place hosting the repositories and packages.

      This reminds me when link farms were more of an issue than they are today, and when just doing a search could kill your windows machine.

      Really it is the search engines that keep these people in business, and modifications of the algorithm could minimize the damage just like it did with link farms.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  3. Or just pick better sources ... by UnknownSoldier · · Score: 4, Interesting

    Download.com is crap.

    Sadly open source isn't immune to this crap with SourceForge now doing this stupid shit of bundling malware, adware, toolbar hijacks, etc. Especially when you have yahoo's like FileZilla's admin approving(!) of this irresponsibility !?

    At least Git hasn't been effected (yet)

    1. Re:Or just pick better sources ... by nine-times · · Score: 4, Informative

      Also ninite is still safe, AFAIK. It's especially helpful if you want to download and install a bunch of different applications at once.

  4. Download from the source by shuz · · Score: 4, Informative

    Need SCP? Download it from winscp.net. Need VLC? Download it form videolan.org. Teach your non-geek how to think outside the box (just a little and be gentle). Teach them about digital trust. To locate website of the vendor that makes the software that they want. If that vendor redirects them to cnet, then that is where they should download the software from.

    For all driver needs tell them to download only from the original equipment manufactures website. If the driver doesn't exist anymore there is a reasonable chance the driver found on some third party website won't work anyways.

    --
    There is or can be built a machine that can simulate any physical object. -Church-Turing principle
    1. Re:Download from the source by mprinkey · · Score: 4, Informative

      Ninite.com is the only place I go for software on a new Windows installation. Select what you want and it gives you one installer. And you get exactly what you asked for. No search bars or crapware. It has been working great for years now.

    2. Re:Download from the source by BenFenner · · Score: 4, Informative

      I wanted ninite.com to be the solution to all of my app downloading/installing problems, but it turned out not being the solution to any of them. The idea is great, but one simple test showed the issue with this service. They try to make insalling an application a one-click affair, and they do this assuming the software you are installing does not install bloatware of it's own. So take Foxit PDF Viewer for example. This was a great, secure alternative to Adobe PDF Reader which many of us used happily for a while. But, as with most software like this, is started getting loaded down with bloat. Specifically, it tries to get you to install certain browser toolbars, or other such madness. This is the true installer from Foxit's website.

      So, Ninite takes this installer, and makes sure nothing else has been added to it. However, they have no concept of the genuine installer forcing bloatware on you. It seems they are just checking for 3rd party bloat. So, with the genuine installer you have the option to uncheck this bloatware and not install it. This is not true with Ninite's one-click installer which accepts all of the defaults.

      For me, this made ninite a non-starter, and I do as most of us do, and go to the app provider's site to download.

      It's a shame.

  5. Oracle on down ... by gstoddart · · Score: 5, Insightful

    When Oracle bundles the ask.com shitware with Java, and you have to conscientiously know it's there and un-check it, is it any surprise pretty much everyone else does this stuff?

    Some ass is always trying to monetize your clicks, and 'free' comes with strings.

    I've noticed over the years CNET is doing this, so much so that I don't typically trust them as a source.

    The marketing assholes have pretty much wrecked the internet, and they pretty much use the same tactics as the malware people -- putting stuff on you don't want.

    --
    Lost at C:>. Found at C.
    1. Re:Oracle on down ... by gstoddart · · Score: 4, Insightful

      When a multi-billion dollar company is resorting to looking for affiliate and adware kickbacks it's truly pathetic.

      By putting that ask.com crapware bundled with the core Java installer, Oracle have done more to undermine the existence of Java than pretty much anything.

      This is why we can't have nice things ... because it just gets bought and destroyed by a bigger tech giant who craps all over it.

      I've lost track of the number of times I've had to uninstall it from people's systems.

      --
      Lost at C:>. Found at C.
  6. Re:Find the source by Galaga88 · · Score: 5, Funny

    The process goes something like this:

    "Help. My computer is slow."
    "You need to clean up the malware."
    "Okay, I did a Google for malware cleaner. That only made it worse."
    "Oh, you have to install Malwarebytes. That software's a fake."
    "Okay, I don't know how I was supposed to know it was fake, but now I've installed Malwarebytes. Things got worse."
    "That's because the first search result in Google is actually an ad for somebody else distributing Malwarebytes with its own malware. You have to go to this page instead."
    "Okay, I don't know I was supposed to know that too, but now I've installed it. Why is it still not working?"
    "Because the malware on your computer redirects attempts to remove the malware on your computer."
    "Fuck this. I'm buying a tablet."

    (one month later)

    "How do I delete all this crap on my tablet?"
    "You can't unless you root it. Here's a guide that a five year old child could follow, with only a 10% chance of bricking your unit."
    "Then fetch me a fucking five year old child because I'm paralyzed by learned helplessness by this point."

    I think we forget how overwhelming and stacked against the user the entire process is.

  7. Re:Malware by phorm · · Score: 4, Informative

    I classify adware/junkware as malware, as - at the very least - the extra use of resources (memory, disk) is a drain on the PC. Even browser toolbars tend to reduce the performance of a computer.

  8. Re:Libreoffice by galaad2 · · Score: 4, Informative

    these days they dropped the sourceforge crap for their own crap built-in into the main installer, silently downloaded in the background from sites such as coapr14pool _DOT_ com AND THEN executed while having elevated full admin rights. This is typical trojan dropper / infector / keylogger behavior.

    source: http://www.pdfforge.org/blog/p...
    (in comments)

    --
    root@127.0.0.1
  9. I don't think that's quite right. by digsbo · · Score: 5, Informative

    I'm pretty sure you're mistaken there. I've done installers with both RPMs and MSIs. Not my specialty, but I have some experience.

    In Windows, you don't need elevated privileges to install an application to a user-specific location. You only need it to install system-wide. The registry keys to track Windows Installer components can be referenced from either location in the registry (the administrative access part, or the user-only part).

    It's not all that different from RPM, though really it's a little easier to do user-only installs with Windows Installer. You need administrative privileges to install system wide w/ RPM. You can also do a bunch of RPM hacking to install to a user-only RPM database and installation folder without root, so long as you specify that you're running RPM against a non-default RPM database location, and someone went to a lot of trouble to permit user only installs in your RPM spec file. There's a bit of work to enable this in regular MSIs, too, but it's actually better supported that under RPM.