Bundling

Bundling is one of the most common ways parasites are spread. It works like this: you install a piece of software you think looks good, and it invites some of its friends onto your computer behind your back.

When you run any piece of software, remember that it has the capability to do anything you can do—up to and including deleting all your files. Only install software from authors you trust, and look out for the warning signs of untrustworthy authors.

* Don’t just click ‘Next’

Some installers may have a screen giving notice of other (usually undesirable) programs they will be installing at the same time as the software you wanted. Sometimes there may even be an option not to install the extra software—an ‘opt-out’ install. (‘Opt-in’ installs are very uncommon.)

If you just click Next-Next-Next to get through the installer as quickly as possible, you will probably miss this and end up with unwanted software. Take your time.

* Read the EULA

Most software has an ‘End User Licence Agreement’ or ‘Terms of use’. Often this will be shown to you as you install the software. Read it. Often there will be some kind of warning there if the software plans to install parasites.

Look out for ‘agreements’ for other pieces of software, anything to do with ‘ad-supported’ components, installation of ‘third party’ software, ‘toolbars’, ‘enhancement technologies’ and so on. Saying you have to be at least 13 to use the software is a dead giveaway that it will be collecting privacy-sensitive information; saying you have to be 18 is an indicator that porn will likely be promoted.
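When a licence is too long to read closely, the warning signs listed above can be searched for mechanically once the text has been pasted out of the installer. The script below is an added example, not part of the original page; its regular expressions, function names and sample licence text are assumptions made for illustration, and a clean result proves nothing about the software.

```python
import re

# Phrases the page says to look out for. The regexes are this example's own
# approximations, not an exhaustive or authoritative list.
RED_FLAGS = [
    ("ad-supported components", r"\bad(?:vertising)?-? ?supported\b"),
    ("third-party software", r"\bthird-? ?part(?:y|ies)\b"),
    ("toolbar", r"\btoolbars?\b"),
    ("enhancement technologies", r"\benhancement technolog(?:y|ies)\b"),
    ("agreement for other software",
     r"\b(?:separate|additional|other) (?:licen[cs]e )?agreements?\b"),
]
AGE_NOTES = {"13": "age 13: likely collects privacy-sensitive information",
             "18": "age 18: porn likely to be promoted"}
AGE_WORDS = {"thirteen": "13", "eighteen": "18"}
AGE_RE = re.compile(
    r"\b(?:at least|age of|over)\s+(13|18|thirteen|eighteen)\b"
    r"|\b(13|18|thirteen|eighteen)\s+(?:years|or older|or over)\b", re.I)

def normalise(text):
    """Undo hard wraps and typographic hyphens left by copy-and-paste."""
    text = re.sub(r"[\u2010-\u2015]", "-", text)
    text = re.sub(r"-\s*\n\s*", "-", text)  # "ad-\nsupported" -> "ad-supported"
    return re.sub(r"\s+", " ", text).strip()

def scan_eula(text):
    """Return (label, sentence) pairs for each warning sign found."""
    findings = []
    for sentence in re.split(r"(?<=[.;:!?])\s+", normalise(text)):
        for label, pattern in RED_FLAGS:
            if re.search(pattern, sentence, re.I):
                findings.append((label, sentence))
        for m in AGE_RE.finditer(sentence):
            age = (m.group(1) or m.group(2)).lower()
            findings.append((AGE_NOTES[AGE_WORDS.get(age, age)], sentence))
    return findings

# Constructed sample text, not taken from any real licence.
SAMPLE = """You must be at least 13 years of age to use the Software.
The Software is ad-
supported and may install third party enhancement
technologies, including a browser toolbar. Use of bundled components is
governed by separate agreements."""

if __name__ == "__main__":
    for label, sentence in scan_eula(SAMPLE):
        print(f"[{label}] {sentence}")
```

Phrases split across the narrow lines of an installer's scrolling box are rejoined before matching, which is why the wrapped ‘ad-supported’ and ‘enhancement technologies’ in the sample are still caught.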

* Understand the EULA

Many licence agreements are extremely long, and contain language that is unclear. Additionally some installers display this information in an unnecessarily small scrolling box, to make it difficult to review. (In some cases, you may be able to copy-and-paste this text into Notepad to read it more easily.)

If you don’t understand what the EULA says, or if it’s just too impractically long to read, simply don’t install the software. An unclear or gargantuan EULA is trying to hide something from you, and it’s probably parasites.

* Don’t trust the EULA

Just because the licence agreement seems clean, that’s no proof the software isn’t going to stab you in the back anyway. You can opt out of all the options there are, and still get hit by other parasites they ‘forgot’ to mention; some installers start loading parasites before even reaching the EULA screen. A lot of parasitic software is installed without any notice whatsoever.

In many countries it remains untested whether ‘click-through’ licences have any legal weight at all anyway. (They are not a real contract, and it is unclear whether simply running a program constitutes ‘copying’, which would require some sort of licensing scheme under copyright law.)

* Avoid heavily-promoted free software

Think about it: if a company wants you to use their software so much that they’re willing to spend money advertising it to you, they must get some kind of gain out of doing so.

In some cases, the software might be a freebie to promote the company and its other products. In many more cases, the software earns money by installing parasites.

* Avoid junk software

Some of the most heavily-promoted software is trivial or pointless in nature, aimed at users too inexpert to recognise this. Very often such software—worthless in itself—is created solely as bait, to install the parasites that come with it.

For example: the many programs to correct the computer’s clock. Windows XP already has this feature built-in and turned on by default; for other operating systems there are a thousand other tiny programs to do it using the standard internet NTP protocol, none of which feel the need to install parasites. (And anyway correcting the small amount of drift in a modern computer’s hardware clock by hand every six months is not really much of a hardship.) Yet adverts all over the web are trying to convince you that your clock is probably wrong and desperately needs fixing.

Other common examples include weather monitors, smiley icons, IM avatars and mouse pointers, web form-filling and screensavers. Beware also ‘snake oil’ products making technically questionable claims, such as software to prevent crashes, increase memory size or network speed, or to speed up file-sharing programs.

(Peer-to-peer file-sharing programs are themselves very often infested with large quantities of the worst parasites—take care.)

* Prefer “Free Software” to “FREE DOWNLOAD!!”

The Free Software and Open Source movements make the full source code of their software available. This makes it difficult to hide undesirable behaviour such as spying or advertising from its users. So Free and Open Source Software is generally more likely to be free of parasites.

Ensure you download from the software’s official project site. Some parasite-laden downloads have masqueraded as well-known open-source applications in the past, or implied they were open-source without actually being so (e.g. openwares.org).

* Be sceptical

A company’s own assertion that their software contains “no spyware” is next to worthless. Aside from the possibility that they are simply lying, there are many ways the definition of spyware can be twisted to exclude whichever parasites they want to install.

If you’re not sure, do some research. Do a search for the program’s name together with ‘spyware’, ‘adware’ or ‘parasite’. See what people are saying about it.

Browsing

In theory, browsing a web page should be safe; the web was deliberately designed not to include active content. In practice however, poor security and user interface design make web browsing potentially dangerous.

Installation through the web browser is the other major source of parasites, through both ‘security hole exploit’ bugs that let software install automatically and tricks that mislead the user into allowing a download they didn’t want.

* Refuse unrequested downloads

When a prompt appears asking you whether you want to download a plugin, set your home page or give the web site extra permissions, close the window or choose ‘No’ unless you specifically asked for the download and completely trust the web site (including any of its associates such as advertising providers).

Some downloaders may respond by reloading the page and opening a window claiming that you must accept the download to view the page. Such high-pressure tactics are characteristic of the worst parasites. Keep choosing ‘No’ and try hitting the Escape key to stop the page reloading. In the worst case you may have to open the Task Manager (Ctrl-Alt-Delete) and end the browser process to get out of this trap.

* Distrust Authenticode

Authenticode is Microsoft’s mechanism for code-signing. A company can put its name on a piece of software using unforgeable cryptographic techniques. When ActiveX download windows appear, this company name is then shown to the user.

Unfortunately, in practice Authenticode is almost completely worthless. The companies in charge of distributing certificates for code-signing (the ‘roots’, such as Thawte) routinely give out certificates with misleading company names like ‘CLICK YES TO CONTINUE’ or ‘MSN Technologies’ (not connected to Microsoft’s MSN), and in the case where companies are caught exploiting security holes or signing trojan code, they refuse either to revoke the certificates or to reveal the real contact details of the company in question. On one memorable occasion, the Verisign root was lax enough to accidentally release Microsoft’s own code-signing certificates.

Many downloader pages insist that the Authenticode popup means that the software is ‘safe’ or ‘approved by Microsoft’; in reality all it means is that the company that produced the software has enough money to buy a certificate.

* Secure your browser

Make sure you’re up-to-date on browser patches. For Internet Explorer, this can be done through the (alas often unreliable) interface at Windows Update; if you are using Windows XP this can be done automatically using ‘Automatic Updates’, which is on by default, if you trust it.

If you are using Internet Explorer on Windows XP, consider installing the XP Service Pack 2 update, which cuts down on unrequested ActiveX installer popups as well as working around a number of security bugs.

Consider locking down security settings. For Internet Explorer, disable ActiveX downloads until you need them, both in the Internet and the My Computer Zone (which is hidden by default), and set other sensitive options in the Internet Options->Security->Custom list to ‘Prompt’ instead of ‘Enable’. Alternatively, simply:

* Use a different browser

The vast majority of security hole exploits are aimed at Internet Explorer. This is partly because IE is (currently) the most widely-used browser, but, more than that, because its record of security holes is so very poor.

No web browser is 100% free of security problems, but the basic design of Internet Explorer, combined with Windows integration, makes IE considerably riskier than most other browsers. Microsoft’s speed in fixing bugs has also been disappointing at times, with some security-sensitive bugs going unfixed for several months. XP Service Pack 2 is a definite improvement, but no panacea.

You might still need to keep Internet Explorer around, for the occasional poorly-written site that only works on one browser (most notably Windows Update), but using an alternative browser for everyday web use reduces risk significantly; IE exploits can now be found all over the web, even on mainstream sites (most notably: CoolWebSearch).

Popular alternative browsers available for Windows include Firefox, Opera and the full Mozilla suite (from which Firefox evolved).

There are other ‘semi-alternative’ browsers for Windows, based on the Internet Explorer code. They can still be vulnerable to some if not all of its security holes; on the other hand they can be more compatible with poorly-designed web sites that do not work well in other browsers. Examples include Maxthon, AvantBrowser, Netcaptor, SlimBrowser and CrazyBrowser.

* Secure other browser-accessible software

If you have plug-ins like Sun Java or Flash installed, make sure they are also the latest versions. If you do not use them, uninstall them.

If you use Internet Explorer, installed ActiveX plug-ins can also be a rich source of security vulnerabilities. Some of them you will be able to see in the Downloaded Program Files folder (inside the Windows folder); delete any you don’t need.

* Look out for other people

If your computer is to be used by others—particularly children—who are naïve about computer security, limit their risk.

Lock down IE security settings, or, better, give them an alternative browser and hide IE. Give them a limited User account of their own so that any spyware they install can only compromise their account and not yours—if it will install under a restricted account at all.

* Consider other alternatives

It’s a bit of a drastic change to make just for the sake of avoiding parasites, but alternative operating systems are worth investigating if you are unsatisfied with Windows for other reasons too.

There are currently no parasites affecting the Mac, Linux or other Unix-derived operating systems. This is mostly because of the larger Windows user-base, but the other OSs do in general fare slightly better on desktop security, mostly because they don’t require that the user be logged in as an administrator at all times. Malicious code could still run, but shouldn’t be able to compromise the system as completely.

* And when all else fails...

Use anti-parasite software.
