Saturday, December 21, 2013

In Depth: Can free software kill your PC?

In Depth: Can free software kill your PC?

In Depth: Can free software kill your PC?

The internet wants you dead, or at least it wants your PC dead - and it's free stuff that's delivering the fatal blow. What are we going on about? Free stuff is great, free stuff is cool, free stuff is, well, free. We all love free stuff, right?

The problem, as the old cliche goes, is that there's no such thing as a free lunch. Companies and sites offering something for gratis tend to expect something in return - the question is, what? And, really, how bad can this deal with the digital devil be?

To try to answer that, we've taken a honey-pot system and gone out of our way to download, install, agree to and generally sweep up as many third-party add-ons as the internet has to offer. And boy, does the internet have a lot to offer. Why would we do that? Well, for a good old laugh, but also in the name of research. By breaking things you can learn a lot - not only how to avoid such dangers, but also how to fix them.

It isn't all bad news, as what can be installed can also be uninstalled. We might be attempting to hobble a system as badly as possible, but we're also going to try to bring it back from the brink. The most obvious help here comes from browsers providing ways of controlling, disabling and removing third-party add-ons and toolbars. As this is the most often used route of attack, then it's a handy way to stop any misbehaving plug-ins.

That's certainly not the end of your problems, as there are plenty of installer add-ons, but it's certainly a start. Users need to agree to download and install these, but people do and our aim is to see what happens after that. As part of this PC-killing project, we'll be keeping an eye on performance to see what effect such add-ons can have on system resources and stability.

It's also interesting to see what the security experts have to say on the subject and how you can better protect not only yourself, but your tech-clueless friends and family with a couple of basic tools.

Back in the day, when humble magazines ruled the shelves and Geocities seemed a good idea, there was a monthly tome known as PC Answers. Not surprisingly, it used to be a sister publication to PC Format. One of its most popular regular features was The Clinic, a monthly diagnostic dissection of a reader's broken PC. Having written that section for a number of years, editor Alan Dext er is probably twitching with a mix of posttraumatic stress from the latenight hairtearing sessions and trying to fix systems of their obscure ailments.

Despite its popularity, The Clinic was one of the most loathed sections to work on. That loathing was nothing to do with the readers involved, but the amount of time and effort required to actually figure out what was wrong with a system. Whereas you could spend an uncomplicated day reviewing a graphics card, the unknown complexities of what lay inside a The Clinic PC filled even the most hardened PC Answers expert with a sense of dread.


Horrible reminiscing aside, a common theme amongst The Clinic PCs was troublesome downloaded software. PC Answers even got caught up in the Comet Cursor controversy from the early 2000s, when we correctly pointed out how ea sily it could be unwittingly installed by users, while seemingly doing nothing but compromising your stability. Despite scaring PC Format's largely hungover legal team, the program was ultimately blacklisted by Symatec and Lavasoft as spyware. So, oddly, we're siding with them.

This tame story highlights what was a slowly growing but ill-defined menace. Part of the problem is that many programs - such as toolbars and add-ons - can have or seem to have genuine uses. This means it's hard to directly label them as viruses, or even as malicious.

The term 'malware' - integrating the potentially libellous accusation of something being malicious - has been watered down more recently to the anaemic-level accusation of 'potentially unwanted program'. It's like calling a tapeworm or attached leech a potentially unwanted parasite - there is NO WAY you want that thing inside or attached to you. But hey, let's not hurt its feelings, right?

The malware world has evolv ed - in the 80s and 90s, the main threat seemed to be from viruses, but what did that gain the writer other than notoriety? Notoriety is great when you're living in your parents' basement, but it's not going to pay your mortgage. So when a nice chap who runs a business offers you a pot of money to write a browser toolbar, which may or may not send browsing details of the users, and who may or may not have consciously consented to such things in a 90-page EULA, put simply, you're unlikely to say no.

This leaves us in today's world, where these smart people are producing all sorts of cleverly packaged services that are just dying to get onto your PC.

Our victim

More freebies

We'd never dare let the wrath of the internet loose on a real system - the consequences are too horrific to contemplate, and frankly w e can't face reinstalling yet another system, for no good reason. For this cheery task, we're taking a default Windows 7 VirtualBox clone, giving it 4GB of memory to play with and running it with full access to the four cores of an Intel Core i5 2500K processor.

It had a base Windows 7 installation with security patches in place - it also had Microsoft Security Essentials in place and running, along with Internet Explorer 9, FireFox 23 and Chrome 29. All security settings were on the default levels.

So what we were using was not a million miles away from many a standard system out there in the real world. As a base, this booted in 22 seconds and used 494MB of memory with no browsers loaded. This jumped to 773MB with all vanilla browsers fired up. Individually, Internet Explorer used 24MB, FireFox 46MB and Chrome 27MB. We'll be keeping an eye on how bad these figures become to help relate to just how much, if any, of a system hog these add-ons can become on real systems.

So what foolish antics do you have to get up to, to come home with a suitcase full of dodgy downloads? Well, antics as crazy as searching Google and clicking its sponsored top results. Crazy times!

While our methodology is hard to precisely document in a scientific way, it largely involved searching for "free X downloads" where the 'X' is going to be music, screensavers, games and wallpapers. Then choosing a selection of the results from the first page of results. You know, the sort of thing you'd do in real life.

We weren't going out of our way to locate 'dodgy' sites, we hear ones ending in RU can be more like the Wild West (or is that Digital Eastern Block?). We were discounting known legit solutions as there's no point in installing Spotify, now, is there? We should also point out that on our relatively short travels we came across some legitimate sites, too. It's not entirely impossible to find kindly people and companies out there , it's just the opposite seems to be the rule rather than the exception.

Adware's rise and rise

Low space

While much was made of malware and adware in the early 90s and 2000s, it seems nothing has been done to stop the proliferation of adware. All the software we tried was happy to work on a modern Windows 7 system and alongside the latest incarnations of all the browsers. Despite the security features browsers come with, it's easy to allow add-ons and plug-ins to change the default search engines and add their own toolbars.

Quite quickly, we stumbled across competing systems trying to wrestle back control of the default search engine - with plenty of pop-ups, from the system dialogue to their own built-in warnings about other programs attempting to change settings.

The unnecessary and annoying brow ser toolbar is one of the most favoured means for companies to crowbar their way into your life. It's an effective and ever-present advertising strip, in which companies can inject their adverts and services - all the while looking like a search service.

One bright-red banner informed us we had "6 massages" (sic) waiting for us, which aptly enough swooped us off to a dating site - fun times ahead. Another popular approach is the use of adverts that proclaim your PC has a threat or is running low on space. It uses the phishing technique of looking like a legit system dialog with a button to fix the problem.

We stumbled across a number of these on our journeys and decided to install a couple to see what the result would be. It's ironic to be told by a system-hogging diagnostic program you're unable to quit and runs itself, on top of starting alongside Windows, that your system is slow. We also at one point had both installations launching at the same time , running in tandem.

The result


It took less than an hour to bring the system to its knees. It wasn't long before FireFox and Internet Explorer were both crawling and at times unusable, seemingly frozen with add-ons. Chrome seemed to handle the issues a little better, and oddly one of the extra installed packages was the Chrome-styled Torch browser, which seemingly dodged a lot of the bullets.

In real terms, boot times doubled to more than 40 seconds. More annoyingly, various programs demanded boot-time attention, requiring administrator approval to run. Other programs simply had pop-ups that remind you how you should sign up for their services.

One program, Pokki, which seems a legitimate app service, decided to consistently crash on start-up, despite initially working fine. FireFox appea red to have an extra six toolbars, a new start page, a new search default and a number of extra toolbar icon tools.

Internet Explorer faired the worst, with seven new toolbars, alongside a new homepage and search engine with 24 add-ons. Chrome managed to dodge some of the issues, but it still had a new homepage, a couple of new tool icons and greatly increased memory usage.

Resource monitor

The system impact of this was the start-up memory jumping to 1.1GB - up 600MB. With all three browsers running, this grew to 1.8GB - more than 1GB over the basic installation. Individually, Internet Explorer was up 126MB to 150MB, FireFox was worst hit at 186MB from its original 46MB, and Chrome had done pretty badly, leaping from 27MB to 135MB.

What these figures don't get across adequately is the extra burden these additi ons put on your browsers. The start-up times for both FireFox and Internet Explorer became excruciating. At times, we had to abandon one or the other, as the browser froze in place. This wasn't a permanent state of affairs, and we could gain access to the add-on managers, so that a clean-up could be made possible. More troubling was that the processor usage appeared to be running at over 30 per cent, despite nothing running. With FireFox open, it consumed an additional 25 per cent, while doing nothing. This created an idle processor load of almost 60 per cent.

We mentioned we had Microsoft Security Essentials running, right? So what did it make of all the shenanigans? On the whole, very little. Throughout the whole procedure, we had two medium-level warnings while installing two downloads. One was highlighted as the software bundler DealPly and the other was the adware system WebCake. It's not an overly reassuring performance from what you would hope to be a more cent ralised system for blocking such software.

Cleaning up

Microsoft Security Essentials

As part of our delving, we wanted to see if it was possible to restore the system to its original state. Part of the confusing position with malware and PUPs is that you can remove the legitimate elements through the normal Uninstall a Program section of the Control Panel.

We started there and uninstalled the 30-plus items that had appeared. A problem, even with uninstall options, is that removal isn't at the top of these companies' minds. So the BearShare uninstaller was seemingly locked, until I forcibly quit the original running executable - at which point, it finished correctly.

While uninstalling many, we were taken to a final browser page imploring us to reinstall the product - one even amusingly had a phishin g advertisement instructing the user to click a fake button to finish removing everything. Another uninstall left us with no Explorer interface at all, which would be very confusing for a novice user.


Rather annoyingly, it became apparent that for many systems, despite installing in one go, this process often left separate uninstallers for the main products, such as the FireFox toolbar and the Internet Explorer toolbar. Despite all of this, after sweeping through the Uninstall Control Panel (followed by a quick reboot), Windows was left in a far better state. FireFox still retained 7Go Game, LinkSwift and a disabled BrowserPlus2 extension, but even its default start page and search engine were restored. Internet Explorer was also clear of toolbars, but retained a number of search providers and the start p age. Chrome was similar, retaining just the BrowserPlus2 extension and an alternative start page.

Looking deeper into the system, firstly with Microsoft Security Essentials, it appeared WebCake had left various Javascript elements behind, but it detected nothing else. The free version of Spybot Search & Destroy seemed largely interested in cookies. Trend Micro Hijack spotted a couple of rogue registry entries, but nothing that seemed too concerning. It was Malwarebytes Anti-Malware that seemed to spot the most remaining detritus, consisting largely of left-behind installation files from the array of PUPs we had running around.

Post clean-up, the system was back to 504MB memory used (659MB with all three browsers open). That's less than there was originally, as I'd reset the start pages to blank ones. We suspect we were lucky with most of the PUPs we encountered, as they largely uninstalled themselves. However, it's frightening to see what damage can be done after even a short time of downloading free packages.


< img width="1" height="1" src="" border="0"/>

No comments:

Post a Comment

//PART 2