Toolbars, downloaders, installers, even McAfee's Security Scan Plus : they may all be classed as Potentially Unwanted Programs. Sometimes you might want one of these - toolbars can sometimes offer useful extra functionality or specialist operations. Very often though they just seem to arrive out of nowhere and the first inkling you might have that something has been installed is when a program such as Malwarebytes alerts you to their presence. McAfee's own scanning may pass over some of these programs without comment, because they are borderline cases.

What makes something a Potentially Unwanted Program? That is open to some debate, but Malwarebytes (which has a very restrictive approach and classifies as a PUP many programs that McAfee does not) has a checklist to determine whether to allow the program or not : see the list at https://www.malwarebytes.org/pup/

Here's an excerpt from the list, showing just some of the more obvious criteria -

Altering search results

Does your application alter the search results that a user receives?

Inserting search results

Does your application alter the search result with insertions?

Toolbars that bring no value

Is your application a toolbar where the value proposition is skewed in favor of the maker of the toolbar vs. its user?

Hijacking search engines

Does your application change the default search engine in the browser?

Hijacking the home page

Does your application change the default home page of the browser or all browsers?
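Two of the criteria above (hijacking the search engine, hijacking the home page) leave a trace in the browser's own settings. As an added illustration, not from the original post or from Malwarebytes, here is a small Python check that parses a Firefox prefs.js and reports which of those settings no longer match a baseline the user recorded earlier; the prefs.js sample and the baseline values are constructed for the example.

```python
import re

# Constructed sample of a Firefox prefs.js (not a real capture): the kind of
# lines a bundled toolbar leaves behind after changing the home page and search.
SAMPLE_PREFS = '''\
user_pref("browser.startup.homepage", "http://search.example-toolbar.test/?src=bundle");
user_pref("browser.search.defaultenginename", "Example Toolbar Search");
user_pref("browser.search.selectedEngine", "Example Toolbar Search");
user_pref("keyword.enabled", true);
'''

# Assumed baseline: the values the user knows they set, recorded before the
# suspect download. Any difference from these is a candidate hijack.
BASELINE = {
    "browser.startup.homepage": "about:home",
    "browser.search.defaultenginename": "Google",
}

# One prefs.js entry: user_pref("name", value);
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+)\);\s*$')


def parse_prefs(text):
    """Return {pref_name: value} from prefs.js text (strings, ints, booleans)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def hijack_findings(prefs, baseline):
    """List (pref, expected, current) for baseline prefs that were changed."""
    findings = []
    for name, expected in baseline.items():
        current = prefs.get(name)
        if current is not None and current != expected:
            findings.append((name, expected, current))
    return findings


if __name__ == "__main__":
    for name, was, now in hijack_findings(parse_prefs(SAMPLE_PREFS), BASELINE):
        print(f"{name}: was {was!r}, now {now!r}")
```

A pref that is simply absent is not reported: Firefox writes only values that differ from its defaults, so a missing entry means the setting is still the default, not that it was hijacked.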

So how do these programs get on to your system? Because you've been tricked into letting them be downloaded. Sometimes the permission to accept them is hidden away in the EULA (End User License Agreement) for a free software download that you do want, but in other cases the whole download operation is deliberately designed to confuse and deceive, even if you're alert to the more obvious tricks.

[Image: How to end up with bundled software.PNG]

[Image: How to end up with bundled software 3.PNG]

There are a couple of Malwarebytes blogs about this, and one of them analyses the methods used by Softango, a third-party site offering a Malwarebytes download which came bundled with all sorts of unwanted programs.

http://blog.malwarebytes.org/malvertising-2/2014/07/pups-are-persistent/

http://blog.malwarebytes.org/fraud-scam/2013/10/tango-down-softango/

[Image: Malwarebytes from Softango.PNG]

This is a good example of how the deception begins. Companies pay Google to have their site appear prominently displayed at the head of search result listings. Google even encourages companies to do this to achieve maximum visibility. The problem is that for even a moderately-experienced user, a listing at the top of page 1 in search results might imply that the site is respected, reliable, or more important than a site appearing further down or on a later page. How many people bother to click through past page one or two to see what else there is?

[Image: Google Adwords paid search placings.PNG]

It's good for Google, certainly (and also for Bing, and hence Microsoft; possibly other search engines as well). They get paid to promote these websites, to allow them to punch above their weight. It's good for the website owners, who are guaranteed to get lots of viewings for their site (especially if they're using keywords that are going to crop up frequently). It can be thoroughly confusing though to be presented with something like this (courtesy of Bing) ...

[Image: How to end up with bundled software 2.PNG]

That screenshot comes from a CERT blog from Carnegie Mellon University. The blog author decided to get 7-Zip from CNET Downloads, and he shows each step of the download process, with PUPs foisted on him all the way. (Hint : if you download something from Download.com then beware : the installer wrapper is not above suspicion).

There are sites that are known for bundling installers for the purpose of generating advertising revenue, such as Download.com, Softonic.com, or Winstally.com. Let's look at a single download from one of the many sites where you can download software, in particular, KMPlayer from CNET Download.com. I chose this application from the list of popular downloads that Download.com provides. In any given week, this application is downloaded approximately half a million times.

A simple thing to do with a file that you're curious about is to upload it to virustotal.com. The results of the KMPlayer installer from Download.com are interesting. As of the publication of this blog entry, four different AV products detect that the Download.com installer for KMPlayer contains potentially unwanted software.

As it turns out, the behavior of the Download.com installer wrapper has been known for years. The Electronic Frontier Foundation (EFF) wrote about it in 2011. Several other sources have discussed Download.com installer issues as well. It's pretty clear that installing software from Download.com and other similar sources may result in unwanted software being installed with the software you wanted.

The version of Internet Explorer in the virtual machine I used for testing was horribly out of date, so I clicked away to get the update. Look at the VirusTotal report for this download. This one looks even scarier than the last. Every new application loaded onto the system comes bundled with even more unwanted software. At this point, between the pop-ups, the runaway CPU usage, and application crashes, the virtual machine was nearly unusable.

This all started from a single application installed from Download.com. The other advertising-supported recommendations from my original search engine query also put the system in a similar state in the end: slow, bloated, and having an increased attack surface.

Of course, sometimes there is no deception, or it's relatively mild. Adobe (Flash updates) and Oracle (Java updates) offer extras as part of their downloads, and make no effort to conceal what is being offered. What they do though is to pre-select the offering so that someone clicking through in a hurry will end up with something they didn't want, usually the Ask toolbar or (ahem) McAfee's Security Scan Plus. All quite legal and above board, nothing concealed - or rather, it's concealed in plain sight.

[Image: Java Ask toolbar.PNG]

There's a name for this sort of thing : Dark Patterns.

Dark patterns are UI (User Interfaces) that have been carefully researched and designed to trick the user.

Normally when you think of “bad design”, you think of the creator as being sloppy or lazy but with no ill intent. This type of bad design is known as a “UI anti-pattern”. Dark Patterns are different – they are not mistakes, they are carefully crafted with a solid understanding of human psychology, and they do not have the user’s interests in mind.

And if you want more information about Dark Patterns, you should go to http://darkpatterns.org/ - there's a 30-minute YouTube video which is said to explain it all (okay, disclaimer : I haven't watched it yet. If it's no good I'll have to come back and say so).

So you've got a load of stuff you don't want and hadn't realised you'd got? Conduit Toolbar, Babylon Toolbar, any one of a host of others? Now perhaps you may have an inkling of the carefully-laid traps that lie in wait for the unwary. Where there is free software on offer - unless it comes direct from a trusted site such as Malwarebytes, Piriform, Microsoft, and of course McAfee - watch out for the hidden extras that may come with it.

EDIT : (I can see there may be a few afterthoughts about the whole PUP thing)

The author of one of the Malwarebytes blogs I linked to above replied to a blog comment about a program I hadn't come across before : Unchecky. I won't link to it because I can't give a guarantee it's a safe program; but if anyone has tried this I would welcome opinions about whether it does what it's claimed to do and how effective it is.

I will have to investigate Unchecky. Sounds like an interesting tool to add to my tool kit. What worries me is that some “Dark Patterns” consist of pre-populating a check box on one installer screen, while forcing the user to populate another check box, in a subsequent window to specifically decline the next “offer”. Aren’t “Dark Patterns” fun?

Majorgeeks has reviewed it, but makes the point that the program is (or was, at that time) a Beta offering.

[Image: MajorGeeks reviews Unchecky.PNG]