
How To Hijack Your Own Windows System With Bundled Downloads

How-To Geek has tested and described something that you probably shouldn't do on your own computer -- unless, as they did, you do it on a virtual machine just for this purpose. Namely, they downloaded 10 of the most popular software titles from download.com, clicking through as a naive user might, accepting the defaults or the most obvious Next buttons, as most users surely do. They note that download.com's stated policies certainly look good on-screen; it says that the site comprehensively screens for, and disallows, malware of all kinds. But malware of various kinds, even if much of it is in a grey zone rather than actually malicious, is a fair description of what the authors encountered as they clicked through. Bundled software, some pieces of it at odds with others, was attached to each of the downloads, and from download to installation the process by design foisted more and more junk on their system, even if some of the bundled junk could have been avoided by a user jaded by previous hijackings.

The conclusion: "[N]o matter how technical you might be, most of the installers are so confusing that there's no way a non-geek could figure out how to avoid the awful. So if you recommend a piece of software to somebody, you are basically asking them to infect their computer. And it doesn't matter which antivirus you have installed — we've actually done this experiment a number of times with different antivirus vendors, and most of them completely ignored all of the bundled crapware. Avast did a pretty good job this time compared to some of the other vendors, but it didn't block all of it for sure. There are also no safe freeware download sites because as you can clearly see in the screenshots in this article, it isn't just CNET Downloads that is doing the bundling it's EVERYBODY. The freeware authors are bundling crapware, and then lousy download sources are bundling even more on top of it. It's a cavalcade of crapware."
  • by RyuuzakiTetsuya ( 195424 ) <taiki@co x . net> on Tuesday January 13, 2015 @10:27AM (#48802777)

    If it's one thing I've learned after playing with OS X and Linux, it's that no matter what the OS is, an install script is an awful UX.

    This isn't a problem in OS X because most software installs via app bundles. Yes, there are .pkg installers that could bundle god knows what, but they're not the norm for Mac software.

    Also this isn't a problem in Linux because either you're usually installing from a repo or source, of which the requirement for any repo package or code base isn't going to be libtrackingmalwarelolpwn(64 bit; of course).

    Why does Windows keep this antiquated process around?

    • by gunner_von_diamond ( 3461783 ) on Tuesday January 13, 2015 @10:30AM (#48802819) Journal

      Why does Windows keep this antiquated process around?

      That's a great question. The only thing I can think of is someone making money off of having the crapware bundled together to offset the cost of offering their product as a free download.

      • by RyuuzakiTetsuya ( 195424 ) <taiki@co x . net> on Tuesday January 13, 2015 @10:35AM (#48802899)

        that's not what I meant.

        Why is it that in 2015, to install software from the internet, I need to let someone run a privileged script that can and will write whatever it wants, where it wants? Why can't I just get some archive bundle that I can drop into a collection of other applications?

        I think the OS X style application bundles are the right way to do things.

        • by Megane ( 129182 ) on Tuesday January 13, 2015 @10:58AM (#48803221)
          Because Microsoft came up with this abomination called "the registry", and by Bill, we're going to USE it. It can't be the wrong way to do things, because it's the way we've been doing things for years, so we're not going to stop now!
          • by digsbo ( 1292334 ) on Tuesday January 13, 2015 @12:13PM (#48804013)

            I'm pretty sure you're mistaken there. I've done installers with both RPMs and MSIs. Not my specialty, but I have some experience.

            In Windows, you don't need elevated privileges to install an application to a user-specific location. You only need it to install system-wide. The registry keys to track Windows Installer components can be referenced from either location in the registry (the administrative access part, or the user-only part).

            It's not all that different from RPM, though really it's a little easier to do user-only installs with Windows Installer. You need administrative privileges to install system wide w/ RPM. You can also do a bunch of RPM hacking to install to a user-only RPM database and installation folder without root, so long as you specify that you're running RPM against a non-default RPM database location, and someone went to a lot of trouble to permit user only installs in your RPM spec file. There's a bit of work to enable this in regular MSIs, too, but it's actually better supported than under RPM.

            • by Whatsmynickname ( 557867 ) on Tuesday January 13, 2015 @04:13PM (#48806327)

              In Windows, you don't need elevated privileges to install an application to a user-specific location.

              Where have you been? Unless you're deploying "Hello world" written in C++, it is certain you're going to have to distribute some library which insists on being installed in the system area along with registry entries. Therefore you will have to have admin privileges. Heck even just copying to Program Files takes admin privileges starting with Windows 7.

        • by mlts ( 1038732 )

          The ironic thing is that this can be done under Windows. VMWare's ThinApp, and Evalaze are utilities which can take a Windows package and turn the whole thing into a single file. ThinApp could even find the latest update of a packaged application in a share, so if one ran Word, it would execute the latest one.

          It takes up disk space, but it would be nice to have Windows offer a completely virtual machine (with virtual FS and Registry) so one could click on an application, and its data would be stored in a

        • by swb ( 14022 ) on Tuesday January 13, 2015 @12:18PM (#48804047)

          For much of the Mac's history this was also the case. If you wanted an application, you just copied the damn thing from one media to another.

          IIRC, it got worse over time on the Mac as apps got bigger (more supporting crap, stuff to copy to the System Folder, maybe a control panel or init, etc).

          Once in a while you run into applications, often utilities, that are truly standalone -- you can copy it to a new system and just run it. And then there are the various techniques for making portable apps, some kind of hand-done with a wrapper, others that scan a system before install and after and package all the deltas and use a wrapper after running to redirect all the various accesses.

          I kind of blame shared libraries myself versus static linking. I've never quite grokked the attraction of shared libraries. I get pilloried on Slashdot for saying this, of course. Usually it's "ZOMG how will I patch my system when $library has a security weakness and 69 apps all use it" or "it takes too much disk space".

          #1 is a fair criticism, I guess, but means little on Windows which seems to use less of that kind of a shared library, but I also wonder if there isn't a counter argument by which not every app statically linked to a common library will have the same bug and won't need updating. And it's not like updating a shared library is always risk-free; there's always the chance that an updated dependent library may change in some way that borks some of the apps that depend on it or some of the problems and cruft from several versions of the same library on the same system.

          #2 seems like a bullshit criticism in this day and age. I'm curious what a "typical" OS install would be like space-wise if it was all statically linked.

          And if you had all-statically linked applications, updating them to new versions would be just a matter of copying in a new version which seems simpler and more manageable to me for some reason.

          Of course, none of this means much to apps which legitimately have a shit-ton of included resources which need to be shared system wide. Those have to go in their right places somehow, but if they are app specific they could just be in the same directory as the application. Maybe apps could um, register, their shared capability with the system so it would know to look for a resource in a virtual directory /app/resource/shared instead of a system-wide /resources directory -- the app itself remains self-contained, no installer required, and it could just register its capability at runtime with the system.

        • Microsoft has a solution to this problem. It's a walled garden called Metro and the Windows Store.

          In spite of some of Android's faults, I'd really like to see Google come up with a desktop design spec and have it replace Windows as the de-facto desktop OS.

          And no, linux on its own can't really do this because no developers can ever seem to agree on which libraries they want to use, making it a big giant gaggle-fuck as far as desktop applications are concerned. Android meanwhile has a respectable standard set

    • Comment removed (Score:5, Interesting)

      by account_deleted ( 4530225 ) on Tuesday January 13, 2015 @10:51AM (#48803105)
      Comment removed based on user account deletion
      • by Iconoclysm ( 3885655 ) on Tuesday January 13, 2015 @10:55AM (#48803159)
        Isn't that exactly what Microsoft is now doing with the Windows Store and "modern" apps, though?
        • by godefroi ( 52421 )

          Yeah. If only the UI paradigm for "modern" apps didn't suck.

        • Pretty much.

          The Windows Store has more granular permissions, restricted UI modes, and reduced legacy API support. These things will lead to apps using modern security and UI conventions, which is mostly a good thing.

          A curated app store is probably good for normal users. As long as sideloading apps is always supported, this should make some headway on taming the burden of legacy software.

          I expect to see an unending avalanche of shitty Win32 apps for the rest of my life, but the Windows Store at least offers

    • by Richard_at_work ( 517087 ) on Tuesday January 13, 2015 @10:52AM (#48803123)

      Why does Windows keep this antiquated process around?

      Chocolatey.

      https://chocolatey.org/

    • by The MAZZTer ( 911996 ) <megazzt.gmail@com> on Tuesday January 13, 2015 @10:54AM (#48803135) Homepage
      Microsoft tried the easy install, walled garden approach with Windows 8. It didn't go over well.
    • by vux984 ( 928602 ) on Tuesday January 13, 2015 @11:00AM (#48803243)

      Why does Windows keep this antiquated process around?

      Try the windows 8 app store.

      The antiquated process is kept around because everybody rejected their solution. Admittedly the app store only carries 'new ui' apps, and the 'new ui' was, deservedly, the main reason for all the rejection.

      But a LOT of the issues with the 'antiquated' installer solution WERE actually resolved with it.

      Yes, there are .pkg installers that could bundle god knows what, but they're not the norm for Mac software.

      Have you tried using download.com as your source for mac software?

      • They need (yet again) to do a better job of marketing. The MS App Store doesn't just carry "new ui" apps. Developers can also submit links so people can find desktop apps and get them from the developer's site. Not perfect but still better than cnet.

    • I have used Linux for decades and am a fond believer in it being a better OS.

      However, it is now Microsoft that is the issue here. OsX and Linux have great package management and in most instances it is used. Once you get into commercial software the install shifts. I am not sure why they don't make RPM's, DEB's, etc but even the commercial Linux producers use these crappy installers. Try installing the NVidia Drivers from NVidia. They require you run the install script and run you through the next, next, ne

    • Why does windows keep this antiquated process around? What would you suggest? Maybe they should have curated store where people could go to get apps with a high level of confidence that they'll be safe. Hmm, that might just work. They would have to be careful and not switch to that new system all at once though since that would surely backfire and piss everyone off. They'd have to slowly tighten the screws over a period of releases.

      You should write them and make sure they know of this plan...

    • https://chocolatey.org/ is a good way to install a lot of software on windows, a repo model for windows. I also like kde for windows.
  • You don't say !! (Score:5, Insightful)

    by amalcolm ( 1838434 ) on Tuesday January 13, 2015 @10:27AM (#48802779)
    Download.com installs crapware news at 11
    • by Anonymous Coward

      I was thinking the same... I can't think of a worse choice of site, except perhaps Tucows...

      It's getting so that you start looking for .ru on the end of a URL to indicate it's safe now...

    • Re:You don't say !! (Score:5, Interesting)

      by fermion ( 181285 ) on Tuesday January 13, 2015 @12:55PM (#48804435) Homepage Journal
      This is old news, but still of a concern because of Google. I have noticed lately that sometimes when I search for software to install on a new machine or try out for a project, one of the download services comes up as the first result instead of the actual place hosting the repositories and packages.

      This reminds me when link farms were more of an issue than they are today, and when just doing a search could kill your windows machine.

      Really it is the search engines that keep these people in business, and modifications of the algorithm could minimize the damage just like it did with link farms.

  • by ganjadude ( 952775 ) on Tuesday January 13, 2015 @10:28AM (#48802795) Homepage
    While I find download.com to be very useful, it has been that way for as long as I can remember. McAfee or some other bundled crap that no one asked for, wanting to auto run on startup, and damn hard to get rid of once it's there. It got so bad at my house I actually blocked downloads from them for the rest of my family because I was sick and tired of fixing their machines every time they needed a new video player to try and grab youtube videos in the case of my younger brother, etc.
    • Only since 2011. Prior to that, Download.com was excellent, and I used to recommend it highly. Now I recommend softpedia.... unfortunately, not a perfectly clean site, but still much better than download.com. Only go there with AdBlock, though.
      • Only go there with AdBlock, though.

        Is there anywhere worth going without adblock installed??

        • Well some pornsites say that their site's performance will suffer from adblock being turned on, so there's that ;)

  • by UnknownSoldier ( 67820 ) on Tuesday January 13, 2015 @10:30AM (#48802817)

    Download.com is crap.

    Sadly open source isn't immune to this crap with SourceForge [google.com] now doing this stupid shit of bundling malware, adware, toolbar hijacks, etc. Especially when you have yahoos like FileZilla's admin approving(!) [filezilla-project.org] of this irresponsibility!?

    At least Git hasn't been affected (yet)

  • by shuz ( 706678 ) on Tuesday January 13, 2015 @10:30AM (#48802823) Homepage Journal

    Need SCP? Download it from winscp.net. Need VLC? Download it from videolan.org. Teach your non-geek how to think outside the box (just a little and be gentle). Teach them about digital trust. To locate the website of the vendor that makes the software that they want. If that vendor redirects them to cnet, then that is where they should download the software from.

    For all driver needs tell them to download only from the original equipment manufacturer's website. If the driver doesn't exist anymore there is a reasonable chance the driver found on some third party website won't work anyways.

    • by mprinkey ( 1434 ) on Tuesday January 13, 2015 @10:42AM (#48802989)

      Ninite.com is the only place I go for software on a new Windows installation. Select what you want and it gives you one installer. And you get exactly what you asked for. No search bars or crapware. It has been working great for years now.

      • by BenFenner ( 981342 ) on Tuesday January 13, 2015 @11:13AM (#48803427)
        I wanted ninite.com to be the solution to all of my app downloading/installing problems, but it turned out not being the solution to any of them. The idea is great, but one simple test showed the issue with this service. They try to make installing an application a one-click affair, and they do this assuming the software you are installing does not install bloatware of its own. So take Foxit PDF Viewer for example. This was a great, secure alternative to Adobe PDF Reader which many of us used happily for a while. But, as with most software like this, it started getting loaded down with bloat. Specifically, it tries to get you to install certain browser toolbars, or other such madness. This is the true installer from Foxit's website.

        So, Ninite takes this installer, and makes sure nothing else has been added to it. However, they have no concept of the genuine installer forcing bloatware on you. It seems they are just checking for 3rd party bloat. So, with the genuine installer you have the option to uncheck this bloatware and not install it. This is not true with Ninite's one-click installer which accepts all of the defaults.

        For me, this made ninite a non-starter, and I do as most of us do, and go to the app provider's site to download.

        It's a shame.
    • The problem is that people don't want to think, they just want things to "work".

      For my non-technical friends I usually recommend that they use Ninite (https://ninite.com/) for installing the most common apps they need.

    • The problem with this is that at least 50% of the people out there (in my experience, anyway) haven't a clue whether they're on the official website or not. They just do a Google search, and click the first result (usually an ad that's practically guaranteed to be something bad.)
      I've had very good luck downloading from Softpedia, as they do not add their own installers; the only bundled junk you have to worry about is that which is included by the publisher of the title (which would also be on the downloa
    • Comment removed based on user account deletion
    • If that vendor redirects them to cnet, then that is where they should download the software from.

      Um, that is exactly the opposite of what I tell them. CNET is so riddled with crapware, that if anyone needs something that can only be found there, it is not good. PERIOD.

      If you find yourself at CNET, for any reason, LEAVE and call me. Yeah, it is that bad, and probably worse. The price you pay to de-crappify your computer is not worth whatever crap you're getting from CNET. Pay for legitimate software, it is cheaper, trust me.

      • This.

        I make people aware of the difference between Google and the Address Bar.

        For instance, some people have the (horrifying) habit of going to Chase bank by searching for it in Google, and then clicking on the first link.

        I teach them to put chase.com in the address bar.

        Even with Google, I teach them to look at the place they are about to go to make sure it's not, say, chase.com.ru.

        In a perfect world, I would not have to do that, but ... advertisers.

    • or maybe work with search engine providers (you hearing this Google) so they prefer the sources over CNET when ranking search results. Yeah I know CNET pays Google money but paid results like this are what point naive users erroneously to Download.com in the first place.

  • by account_deleted ( 4530225 ) on Tuesday January 13, 2015 @10:31AM (#48802835)
    Comment removed based on user account deletion
  • Find the source (Score:4, Informative)

    by jandrese ( 485 ) <kensama@vt.edu> on Tuesday January 13, 2015 @10:31AM (#48802845) Homepage Journal
    Never download software from one of those "Free Software Download" sites. They always bundle in crapware. Instead, track down the original author's homepage and try to download it from there. That greatly reduces the amount of crap you have to deal with.

    Also, if you are forced to download from one of those sites, don't assume that just because you uncheck all of the crapware in the installer that it won't just go ahead and install it anyway, because it will. Basically, ask yourself if you really really need that app or if you could maybe find something else that does the same thing but is still supported. It's also a good idea to run whatever your favorite anti-spyware app is if you do have to install something like that.
    • just because you uncheck all of the crapware in the installer that it won't just go ahead and install it anyway,

      Exactly. Look what happens when you install Apple Quicktime. You explicitly uncheck the box to not do auto updates, but when you're done, the auto updater is installed. Same goes for iTunes.
    • by Galaga88 ( 148206 ) on Tuesday January 13, 2015 @10:55AM (#48803165)

      The process goes something like this:

      "Help. My computer is slow."
      "You need to clean up the malware."
      "Okay, I did a Google for malware cleaner. That only made it worse."
      "Oh, you have to install Malwarebytes. That software's a fake."
      "Okay, I don't know how I was supposed to know it was fake, but now I've installed Malwarebytes. Things got worse."
      "That's because the first search result in Google is actually an ad for somebody else distributing Malwarebytes with its own malware. You have to go to this page instead."
      "Okay, I don't know how I was supposed to know that too, but now I've installed it. Why is it still not working?"
      "Because the malware on your computer redirects attempts to remove the malware on your computer."
      "Fuck this. I'm buying a tablet."

      (one month later)

      "How do I delete all this crap on my tablet?"
      "You can't unless you root it. Here's a guide that a five year old child could follow, with only a 10% chance of bricking your unit."
      "Then fetch me a fucking five year old child because I'm paralyzed by learned helplessness by this point."

      I think we forget how overwhelming and stacked against the user the entire process is.

  • Craptacular!

    Download.com used to be a great place, but it's like a dilapidated, crime infested neighborhood now; don't go there.

  • Not Surprising (Score:3, Informative)

    by Wycliffe ( 116160 ) on Tuesday January 13, 2015 @10:34AM (#48802887) Homepage

    Free software and free hosting has to make money some way. Even the more legitimate ones tend to bundle stuff like adobe acrobat, google chrome, google toolbar, or some other random search engine toolbar that presumably gives them a kickback. As long as people keep demanding free apps and free software then you will continue to see sneaky ways to monetize their software. That being said, some of the worst offenders I've seen are PAID software like Norton and McAfee.

  • Anyone fool enough to download software from a generic [ad/spam-supported] host rather than the author's own site or somewhere with a reliable rep is just asking for trouble.
  • Malware (Score:4, Interesting)

    by ledow ( 319597 ) on Tuesday January 13, 2015 @10:40AM (#48802967) Homepage

    malware = stuff designed to do nothing more than harm your computer.

    adware / junkware = stuff not specifically designed to do that, but a pain in the butt, extremely annoying, probably unwanted but not necessarily "evil" as such.

    No malware doesn't mean it's "safe" or won't fill your computer with unwanted junk. Hell, even some AAA paid-for game titles will fill your computer with junk given half a chance.

    That said, download.com has been dead to me for a number of years. Precisely because, like a text conversation I had with an old friend just now, people eventually have to ask me to clean their machines after touching it. Sure, it's not doing damage, but slowing your machine, popping up junk, intercepting your default search etc. is not "malicious" so much as downright rude and annoying, if you've agreed to it.

    It's like the difference between posting some junk mail through my door, and posting some dog excrement. One is clearly intended to harm. The other's just a pain in the butt that I never really wanted (even if I "volunteered" for it at some point, somehow).

    Sorry, but I remove (and have more trouble removing) more "adware" / "junkware" in my professional life than I ever do malware. It doesn't mean it's okay, still, but it's not malware. It's not exploiting security holes, stealing your passwords, avoiding your antivirus, etc. Most of it will remove itself if you ask it to. But that doesn't mean that anyone actually WANTS it either.

    Sorry, the second you bundle unnecessary junk into your downloads, I stop using you. I've had to abandon several good pieces of freeware because of that (yes, I'm looking at you IZArc and lots of your friends because you just can't resist bundling some unwanted junk with a lovely freeware util that I'd gladly give you £10 for if it didn't have that stuff).

  • I used to always recommend download.com to non-technical users as a trusted source for freeware.

    Now, unless it is available through the ninite.com installer, I don't recommend users download anything themselves.

    I just went through a major ordeal with my mom's computer where I ended up having to ship the thing to me in order to remove the infestation of malware she got because she was trying to install driver software herself. The stuff was basically making her computer unusable. I had to rebuil

  • Oracle on down ... (Score:5, Insightful)

    by gstoddart ( 321705 ) on Tuesday January 13, 2015 @10:47AM (#48803065) Homepage

    When Oracle bundles the ask.com shitware with Java, and you have to conscientiously know it's there and un-check it, is it any surprise pretty much everyone else does this stuff?

    Some ass is always trying to monetize your clicks, and 'free' comes with strings.

    I've noticed over the years CNET is doing this, so much so that I don't typically trust them as a source.

    The marketing assholes have pretty much wrecked the internet, and they pretty much use the same tactics as the malware people -- putting stuff on you don't want.

    • by godefroi ( 52421 )

      I see it as the evidence of the end of Java. Oracle sees Java as a vehicle for affiliate link clicks and adware kickbacks. It's more than a little sad.

      • by gstoddart ( 321705 ) on Tuesday January 13, 2015 @11:33AM (#48803637) Homepage

        When a multi-billion dollar company is resorting to looking for affiliate and adware kickbacks it's truly pathetic.

        By putting that ask.com crapware bundled with the core Java installer, Oracle have done more to undermine the existence of Java than pretty much anything.

        This is why we can't have nice things ... because it just gets bought and destroyed by a bigger tech giant who craps all over it.

        I've lost track of the number of times I've had to uninstall it from people's systems.

  • by Roodvlees ( 2742853 ) on Tuesday January 13, 2015 @10:54AM (#48803155)
    This is why many people happily accept walled gardens.
    • They're still idiots and now the owner of the garden is spying on them and rerouting their searches and sending them spam instead. Wow, big upgrade.
  • The last time I used it, I made the mistake of doing an express install, and wound up with at least 5 pieces of malware on my PC. CNet is dead to me.
  • ...most of the installers are so confusing that there's no way a non-geek could figure out how to avoid the awful. ...

    Working as designed. The purpose of the installers is to get the secondary software installed, so why make it easy not to meet that goal?

  • Us geeks despise the idea of a walled garden source for software installs, but at least it nominally protects users against this kind of stuff.

    Yes - things sneak through from time to time, but it's still orders of magnitude safer than Joe User hoping to find a program online to perform the same task that won't bring his web browsers grinding to a halt with fifteen toolbars.

  • Fifteen or twenty years ago, when I used a cheesy mass-market OS from Microsoft, nonags.com was the place to go for good, free software with no bullshit. Is that still a good source for grandma to get software for Windows?

  • I don't normally use Windows except as a launcher for certain Windows-only games that I play (I'm primarily an OS X user), and even when I use a web browser, it is NOT Internet Exploder. A few weeks ago I ended up running one of those crapware installers on a W7 laptop. Fortunately the very fact that I don't use Windows for much helped me, because I noticed the problem immediately and could see all the new stuff simply sorting by date.

    A couple of things I noticed: turning off my WiFi didn't persist over a

  • This is why I run deep freeze on my family's PC. We can install stuff with impunity and, if it behaves well, I may even re-install it on the unfrozen machine when I get around to applying the windows updates. I wish my Dad would do the same. It's not as if the installation of these packages is usually time consuming. The only issues are with taking the time to save backups of game progress data for my kid so he doesn't lose his "progress".
  • Here's what I do to set up a new PC with IMGBurn and a couple other bundled software that I still want on every PC I build. Put the installer on a flash drive, drop the computer off the internet for a bit, run the installer. Any installer I've ever seen contacts to the internet to see what the top-bid scam of the month is that it should download and if it can't immediately contact the internet, it simply skips the malware installation step. Then reconnect to the internet and configure the software to nev
  • by Opportunist ( 166417 ) on Tuesday January 13, 2015 @12:28PM (#48804153)

    Anything that does something which is not in the interest of the owner of the system is malware.

    The owner of the system defines what is in his interest.

    Simple as that.
