New Series on Spyware Installation Methods
April 11, 2005
So-called "adware" companies say nonconsensual installations of their programs are just an "urban legend." (See section 7 of 180's claims in a recent interview.) But when I talk to users whose computers have become infected, I'm consistently told that they don't know how they got the unwanted programs, and they say they certainly didn't consent. How can we understand this divergence? How are users PCs receiving this unwanted software?
My new Spyware Installation Methods sets out a taxonomy of the ways unwanted programs sneak onto users' computers. Some installations rely on tricking users -- for example, showing confusing popups, or claiming or suggesting that an installation is required to view a web site. Others install unwanted software in bundles with programs users actually want -- sometimes telling users what they're getting in fine print midway through long licenses, but sometimes not even including these minimal disclosures. Finally, some spyware sneaks in through security hole exploits -- without any user consent at all, thanks to defects in users' web browsers or other software. (See the security hole video and write-up I posted last fall.)
There's lots to be done in documenting how unwanted software gets onto users' PCs. My Installation Methods page indexes my work to date, to the extent it's posted online. But I have much more documentation still to be posted -- for example, scores more videos showing security exploits. I'll be making additions in the coming months, as I find better ways to present this work clearly and efficiently, and as I find clients or other revenue sources to help support this work. (I'm still looking! Send suggestions.)
Today I'm also starting what I intend to be a series of weekly updates to my site -- tentatively entitled "misleading installation of the week." Sometimes I'll show massive security hole exploits that render users' computers nearly useless, but sometimes I'll post more "ordinary" infections that "merely" show extra ads or send users' browsing habits to a remote server. At every turn I'll emphasize the trickery common to most installation methods -- the ways that substance (e.g. material omissions, euphemisms, confusing circumstances) and style (e.g. on-screen presentation format, window size and shape, link format) cause users to "accept" software that offers them little or no genuine benefit.
I'm starting this series with 3D Desktop's Misleading Installation Methods. 3D's Flying Icons Screensaver bundles BlazeFind, which in turn bundles 180solutions and half a dozen other programs. To learn what's included, users must puzzle through a dizzying array of licenses -- scroll through one license to find a link to another; scroll through that agreement to find the URLs to others; perfectly retype those URLs; then read each of the resulting licenses. But even if users follow this lengthy procedure, 3D and BlazeFind will ultimately install programs beyond the programs the licenses specifically name. So even diligent users have no way to know in advance what 3D will do to their PCs. Plus, BlazeFind is overzealous in its claims of privacy protection: BlazeFind says the programs it installs don't track users' behavior, but my hands-on testing proves otherwise.
Interestingly, BlazeFind's license mentions that BlazeFind is a product of CDT, a software distribution company recently purchased by 180solutions. 180 says the CDT acquisition is part of its effort to "clean up" its distribution methods. With practices like these, they certainly have plenty of work ahead. See also a recent Spyware Warrior analysis of other 180 claims and practices in need of correction or improvement.