Spyware Installation Methods
Benjamin Edelman - Spyware Research, Legislation, and Suits

[ Findings | Discussion | Disclosures ]

This page indexes installation methods used by spyware programs and other unwanted software.

 

Related Projects

180solutions & Affiliate Commissions

Advertisers Using WhenU

WhenU Violates Own Privacy Policy

Documentation of Gator Advertisements and Targeting

"Spyware": Research, Testing, Legislation, Suits

Other Research by Ben Edelman

Index of Installation Methods

Installer Description / documentation / analysis
Installation through security holes
Java and MSXML Exploits - example Installs ComScore RelevantKnowledge, Deskwizz/Searchingbooth, Look2me, and WebBuying. Exploit occurs at the ExitExchange banner farm. Exploit installs software from the TopInstalls and SearchClickAds bundlers.
IFRAME Exploit - example Installs 180solutions, BlazeFind, BookedSpace, CashBack by BargainBuddy (eXact Advertising), ClickSpring, CoolWebSearch, DyFuca, Hoost, IBIS Toolbar, ISTbar, Power Scan, SideFind, TIB Browser, WebRebates, WinAD, WindUpdates, and more.
CHM Exploit - example

AlwaysUpdatedNews exploit and installation.

Exploit is syndicated through the targetnet.com ad network (operated by Mamma Media (Nasdaq: MAMA)) onto multiple distribution web sites.

Exploit installs 180solutions, Clearsearch, Direct Revenue, DyFuca, eXact Advertising, IBIS WebSearch, MySearch (Ask Jeeves), SurfSideKick, ShopAtHomeSelect, TSA, WindUpdates, and more.

CHM Exploit - example

Pacimedia exploit and installation.

Exploit is syndicated through the Yieldmanager.com ad network.

Exploit installs 180solutions, ContextPlus, eXact Advertising, Integrated Search Technologies, MediaAccess, New.net, Powerscan, SearchAccuracy, ShopAtHomeSelect, Sidefind, SurfSidekick, YourSiteBar, and more.

WMF Exploit - example

Exploit is syndicated through the Exitexchange.com ad network.

Exploit installs: 180solutions (bypassing the S3 installation prompt), Ad-w-a-r-e, Adservs, Integrated Search Technologies, Internet Optimizer, Media Tickets, New.net, Quicklinks, Surfsidekick, Tagasaurus, Targetsaver, Toolbar888, Ucmore, Webhancer, Web Nexus, WinFixer, and more.

Ebates Video showing Ebates installed through security holes. Ebates subsequently claims affiliate commissions on users' online purchases.
Others On file / forthcoming.
Installations even if users specifically decline
Grokster Installs SearchLocate/SideBar and TVMedia even if users press "cancel" to reject Grokster's license agreemnt decline installation.
Installations not disclosed by bundled software
Ask Toolbars Installs an Ask toolbar without any notice whatsoever and without giving users any opportunity to grant or deny consent.
Misleading popups
Ask Jeeves Installs AJ software with a single click. On-screen disclosure is confusing and incomplete -- a single 41-word sentence with six verbs. Fails to mention toolbar to be added to user's web browser.
CDT Falsely claims "In order to view this site, you must click yes." Repeatedly displays installation prompts even if users decline.

Claria

Various. Recruiting users via ads shown by exploit-installed spyware. Installing Claria without on-screen mention of the word "pop-up."

Enternet Media

Falsely claims "You have an out of date browser" and suggests its software as a remedy.
PacerD Offers "free browser enhancements" without mention of advertising, privacy, reliability, or speed effects. Installs 180solutions, AdDestroyer, Ad Power Zone, Apropos Media, Desktop Traffic, Direct Revenue, multiple programs from eXact Advertising, Elitebar, IBIS WebSearch, PeopleOnPage, Shop At Home Select, Surf Side Kick, TopConverting, and Virtual Bouncer. See also PacerD installations via a security hole exploit.
Windows media popups - example

Falsely claims "You must agree to our terms and conditions."

Installs 180solutions, Addictive Technologies, AdMilli, BargainBuddy, begin2search, BookedSpace, BullsEye, CoolWebSearch, DealHelper, Direct Revenue, DyFuca, EliteBar, Elitum, Ezula, Favoriteman, HotSearchBar, I-Lookup, Instafin, Internet Optimizer, ISTbar, Megasearch, PowerScan, ShopAtHome Select, SearchRelevancy, SideFind, TargetSavers, TrafficHog, TV Media, WebRebates, WindUpdates, and Winpup32.

Others On file / forthcoming.
Companies facilitating infections

How VeriSign Could Stop Drive-By Downloads

How Google's Blogspot Helps Spread Unwanted Software

Bundles - Peer-to-peer filesharing
eDonkey Installs Webhancer, GloPhone, Web Search Toolbar, New.net. Narrow license window shows 3-5 words per line. Multiple licenses merged into a single scroll box. Failure to disclose even general functions of some software to be installed.
Grokster

Installs Claria, 411 Ferret/ActiveSearch, AdRoar, Altnet/BDE, BroadcastPC, Cydoor, Direct Revenue, Flashtrack, MyWay/Mybar, SearchLocate/SideBar, Topsearch, TVMedia, WebRebates, and more.

Installs SearchLocate/SideBar and TVMedia even if users press Cancel to decline installation.

iMesh Installs AskJeeves (MySearch) toolbar, but never uses the word "toolbar" in its installation disclosure and first mentions a "search bar" fueature at page 27 of a 56-page license. Broken links in license agreement.
Kazaa

Installs Claria, Cydoor, Instafinder, My Search Toolbar, various desktop icons.

Analysis of terms and presentation of Claria's license, as shown by Kazaa. Shows or references a total of 22,606 words of licenses filling 182 on-screen pages.

Kiwi Alpha Installs multiple programs including 180solutions. Bundled programs are disclosed only in a lengthy scroll box, without any other warning as to what will be installed. For example, the disclosure of installation of 180solutions occurs at page 15 of a 54-screen license agreement.
Morpheus Installs Direct Revenue. Restrictions on permitted removal methods. Purported grant of permission to remove other programs. Failure to disclose certain information collected.
Bundles - Screen savers
3D Flying Icons Installs 180solutions, DyFuca, Internet Optimizer, MediaAccess, Neo/TIBS/WebSearch, ShopAtHome Select, and TaskAd. Some bundled programs are not disclosed at all. Others are disclosed only through a link at bottom of installer's license agreement.
Others Forthcoming.
Bundles - Games
Dope Wars Installs Claria. Prominent terms make no mention of effects on privacy.
Others Forthcoming.
Misleading banner advertisements
180solutions

180solutions's Misleading Installation Methods - Ezone.com.

180solutions's Misleading Installation Methods - Dollidol.com.

Ask Jeeves

Ask Jeeves Toolbar Installations via Banner Ads at Kids Sites. More on file / forthcoming.

Current Practices of IAC/Ask Toolbars - Advertising at kids sites, via "deceptive door opener" offers.

Claria Claria's Misleading Installation Methods - Ezone.com. More on file / forthcoming.
Hotbar Hotbar Installs via Banner Ads at Kids Sites.
Others On file / forthcoming.
Installations without an uninstaller in Control Panel
Claria Dope Wars - No uninstaller provided. Defective removal instructions.
Others On file / forthcoming.

 

Return to top

Discussion

The practices described and linked above are but a few of the misleading ways that unwanted programs arrive on users' computers. I am currently working to document other such methods and to post such documentation. Please send suggested additions.

Misleading installations are but one way that spyware harms users. This page omits discussion of the consequences of spyware on computer privacy, security, speed, and reliability. This page also omits discussion of spyware practices hindering detection and removal.

 

Return to top

Disclosures

My interest in spyware originally arose in part from a prior consulting engagement in which I served as an expert to parties adverse to Gator in litigation. See Washingtonpost.Newsweek Interactive Company, LLC, et al. v. the Gator Corporation. More recently, I have served as an expert or consultant to other parties adverse to spyware providers.

 

Last Updated: June 29, 2007 - Sign up for notification of major updates and related work.