17 Sep. 2005

"Crapware" Count
 

Overview

The table below is a count of the different types of "crapware" and the various domains associated with "crapware" purveyors. By "crapware" we mean unwanted commercial software that is installed without the user's full knowledge, consent, and understanding, and that primarily serves the interests of commercial parties associated with the "crapware," not the end users on whose systems those unwanted applications are installed. The term "crapware" covers such applications as:

  • adware: "advertising supported software" -- i.e., "free" software that is supported by the display of advertising -- often within the main window of the application -- or the use of the user's PC for other commercial purposes (e.g., distributed computing). This advertising is often accompanied by the collection and transmission of marketing and demographic data for the purpose of targeted advertising, which makes such applications spyware as well (see below for a definition of spyware). Although the software is billed as "free," the user in fact "pays" for the application by putting up with advertising as well as the collection of data (often about the user's behavior with the application or on the internet). Moreover, although the user typically clicks through a EULA, thus consenting to this advertising and data collection, many (if not most) users are unaware of the true functionality of this software.
     
  • foistware: commercial software that piggybacks on "free" software (a "host") and is installed along with the host application (such as KaZaA or Grokster).  An alternative to straight "adware" that serves the same function, "foistware" often displays ads or collects marketing and demographic data for use by direct marketing companies, in which case such applications are spyware as well (see below for a definition of spyware). These piggybacking applications are referred to as "foistware" because they are unwanted by the user. Although users may have technically (legally) agreed to the installation of these "foistware" components during setup of the host application by clicking through a EULA, many (if not most) users are either unaware of these foistware applications or do not fully understand them.
     
  • spyware: commercial software that monitors users' computer and Internet behavior, gathers other marketing and demographic data, and transmits those data to direct marketing and advertising firms, who often use those data for targeted advertising. Collected data may include personally identifiable or sensitive information, as well as information about users' internet behavior, computer usage, and usage of the application. Note that by the term "spyware" we do NOT mean such applications as keystroke loggers (keyloggers) or other similar system monitors that are used to spy on users. Those applications do not have a marketing or advertising tie-in or use; commercial/marketing "spyware" does.
     
  • hijackware: applications or web sites that set the user's default browser home page to an unwanted URL, change the default search engines defined within the browser to unwanted search engines and sites, or add unwanted toolbars and other custom plugins/add-ons to the user's browser and system. These applications and web sites may also configure Windows to prevent users from changing those settings back to the users' preferences or uninstalling the unwanted toolbars and plug-ins/add-ons. These applications and web sites may also edit the HOSTS file to tie known web sites to certain IP addresses, thus ensuring that users are unwittingly directed to unexpected, unwanted web pages.
     
  • drive-by-downloaders: unwanted applications that install automatically when the user visits a web site. These are usually ActiveX controls and plug-ins, and users may or may not (depending on their Internet Explorer Security zone settings) see a pop-up requesting agreement to a EULA that authorizes installation of the application. In all cases, though, the download is initiated by the web site being visited, not the user.
     
  • porn dialers: applications that employ users' modems to dial 1-900 numbers (often overseas) and connect with online services that distribute porn. The 1-900 phone charges that result from these phone calls are usually astronomical and outrageous. Moreover, these porn dialers are often installed via "drive-by-downloads," and users are frequently unaware that their modems are even being used to connect to 1-900 numbers (they find out later when the phone bill arrives).
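
The HOSTS file tampering described under "hijackware" above can be checked for directly. The following is an added example, not part of the original page: it parses a HOSTS file and reports every hostname pinned to an address other than loopback or 0.0.0.0. The sample file, its hostnames and addresses, and the allowlist entry are constructed for illustration.

```python
import ipaddress

# Constructed sample HOSTS file (not from the original page). Hostnames use
# the reserved .example TLD; addresses are from documentation ranges.
SAMPLE_HOSTS = """\
# sample HOSTS file
127.0.0.1      localhost
::1            localhost
0.0.0.0        ads.tracker.example        # block-list style sinkhole entry
192.0.2.10     www.search.example search.example
203.0.113.7    update.vendor.example      # trailing comment
not-an-ip      broken.example
10.0.0.5       fileserver
"""


def parse_hosts(text):
    """Return (entries, malformed): entries are (line_no, ip, [names])."""
    entries, malformed = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(line_no)         # first field is not an address
            continue
        if len(fields) < 2:
            malformed.append(line_no)         # address with no hostname
            continue
        entries.append((line_no, ip, [n.lower() for n in fields[1:]]))
    return entries, malformed


def audit_hosts(text, allowed=frozenset()):
    """Flag hostnames pinned to a non-loopback address.

    Loopback and 0.0.0.0 entries only block a name, so they are skipped;
    any other address silently redirects the name and is reported unless
    the (name, ip) pair is in the caller's allowlist.
    """
    entries, _ = parse_hosts(text)
    findings = []
    for line_no, ip, names in entries:
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            if (name, str(ip)) not in allowed:
                findings.append((line_no, name, str(ip)))
    return findings


if __name__ == "__main__":
    intranet = {("fileserver", "10.0.0.5")}   # hypothetical known-good mapping
    for line_no, name, ip in audit_hosts(SAMPLE_HOSTS, intranet):
        print(f"line {line_no}: {name} -> {ip}")
```
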

There are many other terms that people have coined for these types of "crapware"; however, "crapware" is a comprehensive term for all of these types of malicious commercial software.

Keep in mind that any one application may fulfill several of the above definitions. Thus, there can be "adware" that is also "spyware." There may be "drive-by-downloaders" that are both "spyware" and "hijackware." And so forth...

"Crapware" is often distinguished from other (more traditional) forms of malicious software such as viruses, trojans, and worms by the fact that, in most cases, the user clicks through a EULA at some point (by contrast, no virus will ever ask you to agree to a EULA). Thus, the companies who push "crapware" on users can claim that users "elected" to install their applications. Nonetheless, this "crapware" is unwanted by and unknown to users even though they may have technically (legally) agreed to the installation of that software.

For a fuller, more complete description of "crapware," see the What "Crapware" Does section below. And for advice on dealing with a "crapware" infestation on your PC, see the Dealing With "Crapware" section.


Table 1: "Crapware" Count

Date            Types   Domains
Jan 03, 2002       22        61
Apr 19, 2002       56       125
Nov 26, 2002      230       568
Apr 30, 2003      493      1317
Dec 13, 2003     1039      3715
Jan 18, 2004     1106      4050
Mar 1, 2004      1156      4243
Jul 14, 2004     1236      5150
Dec 16, 2004     1317      5785
Jul 17, 2005     1349      9587

Definitions

  • Types:
     
    Varieties of "crapware." Example: C2 Media's Lop.com toolbar and plug-in is considered one "type" or "variety" of "crapware." The Xupiter toolbar and plug-in (from www.xupiter.com) is considered a distinctly different "type" or "variety" of "crapware." Please note that for the purposes of this count "crapware" also includes web sites that are known to engage in "home page hijacking" but which may not distribute traditional binary applications (such as the Lop.com and Xupiter toolbars).
     
  • Domains:
     
    Internet domains, such as website.com (as distinguished from web sites such as www.website.com or ads.website.com). Each type of "crapware" may have multiple domains associated with it (and each domain may have multiple web sites under it). Lop.com, for example, has over 125 domains associated with it. Other types may have only a single associated domain. By "associated," we mean that the domain is known to be a domain where the type of "crapware" can be encountered, or that the domain is owned by the "crapware" purveyor, or that the domain is owned by a company/organization that has some sort of relationship with the "crapware" purveyor. Keep in mind that "crapware" pushers often use multiple front companies and business partners to spread their applications.

How These Numbers Were Gathered

These counts are taken from the "full original" AGNIS blocklists released on the dates indicated above. AGNIS can be obtained from:

http://www.spywarewarrior.com/uiuc/resource.htm

The AGNIS block list package contains multiple versions of a basic block list. Some versions of the AGNIS block list are "stripped down" or edited for efficiency and thus target fewer domains. The "full original" AGNIS versions can be found in the \ORG directory of the AGNIS installation directory. 
 
The "full original" versions of AGNIS are divided into named sections or categories. The entries counted for the table above were taken only from the AGNIS sections titled "Crapware Domains" and "Dialers" (entries in other sections were ignored). 
 
One other note: even though only four AGNIS dates/versions are used or listed in the table above, there were plenty of other updates to AGNIS in between those dates/versions. Thus, it is not the case that one AGNIS version came out in November of 2002 and the next in April of 2003. There were dozens of updates between those two updates. In other words, these four dates/versions are just samples or instances from a larger series of updates.
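
The counting method described in this section (only the "Crapware Domains" and "Dialers" sections, with web sites collapsed to their domains) is sketched below as an added example that is not part of the original page. The sample list and its layout of bracketed section headers with one host per line are constructed assumptions, not the AGNIS file format, and the two-label domain rule is a simplification.

```python
# Sections the page says were counted; everything else is ignored.
COUNTED_SECTIONS = {"crapware domains", "dialers"}

# Constructed sample list. The layout (bracketed section headers, one host
# per line) is an assumption for illustration, not the AGNIS file format.
SAMPLE_LIST = """\
[Ad Servers]
ads.bannerfarm.example
[Crapware Domains]
www.toolbar-a.example
download.toolbar-a.example
toolbar-a.example
search.hijack-b.example
; comment line
[Dialers]
dial.premium-c.example
WWW.Premium-C.example.
"""


def registrable_domain(host):
    """Collapse a web site name to its domain (www.website.com -> website.com).

    Simplification: keeps the last two labels. Names under multi-label
    suffixes (co.uk and the like) need a public-suffix list instead.
    """
    labels = [p for p in host.strip().lower().rstrip(".").split(".") if p]
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def count_domains(text, sections=COUNTED_SECTIONS):
    """Return (hosts_seen, distinct_domains) for the counted sections."""
    current, hosts, domains = None, set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                          # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current not in sections:
            continue                          # entry in an uncounted section
        domain = registrable_domain(line)
        if domain:
            hosts.add(line.lower().rstrip("."))
            domains.add(domain)
    return len(hosts), sorted(domains)


if __name__ == "__main__":
    n_hosts, doms = count_domains(SAMPLE_LIST)
    print(f"{n_hosts} web sites collapse to {len(doms)} domains: {doms}")
```
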


Notes/Caveats

  1. Classification problems
     
    Others in the "anti-spyware" scene/business may classify applications and web sites differently than I do. For example, where I classify several minor variations of an application as essentially the same "type" of "crapware," others may classify those minor variations as separate "types" -- and vice versa. "Crapware" is often released under different names or even re-used by different affiliated companies, so constructing a completely accurate, indisputable "taxonomy of crapware" is difficult. Also, some people may include or list as "spyware" only traditional binary applications, whereas the "crapware" counts in the table above include web sites that are known to engage in "home page hijacking" but which may not distribute binary "crapware." See in particular the following web pages...

        SpyBot Search & Destroy - Target Policy (Patrick Kolla)
        http://security.kolla.de/index.php?lang=en&page=knowledgebase/targetpolicy
     
        SpywareGuide.com - Categories
        http://www.spywareguide.com/category_list_full.php
     
        SpywareGuide.com - Intro to Spyware
        http://www.spywareguide.com/txt_intro.php
     
        Lavasoft Threat Assessment Chart
        http://www.lavasoftusa.com/support/resources/
     
        PC Pitstop - What is Spyware?
        http://www.pcpitstop.com/spycheck/whatis.asp
     
        and.doxdesk.com - Parasites
        http://www.doxdesk.com/parasite/
     
        Kephyr - Spyware
        http://www.kephyr.com/spywarescanner/library/glossary/spyware.phtml
     
        Pest Patrol - Glossary
        http://research.pestpatrol.com/WhitePapers/Glossary.asp
     
        SpywareData - Definitions
        http://www.spywaredata.com/definitions.php
     
        COAST - Glossary
        http://research.pestpatrol.com/WhitePapers/Glossary.asp
     
        ArsTechnica - Malware
        http://arstechnica.com/articles/paedia/malware.ars
     
        Webopedia.com - Spyware
        http://www.webopedia.com/TERM/s/spyware.html

    ...for other attempts to classify and define all the varieties of "crapware." Note that not all of the types of software listed on those pages are targeted by the AGNIS block list. And for a report of one attempt to measure just how widespread "crapware" is, see this article from New Scientist:
     
        Lurking "spyware" may be a security weak spot
        http://www.newscientist.com/news/news.jsp?id=ns99994745
     
    That article is reporting on the following study done by researchers at the University of Washington:
     
        Measurement and Analysis of Spyware in a University Environment
        http://www.cs.washington.edu/homes/tzoompy/publications/nsdi/2004/spyware.html
     
  2. Observer bias
     
    It's entirely possible that I (the person who builds the AGNIS block list) have become savvier and more skilled at finding domains associated with "crapware." It's also possible that users are reporting problems with "crapware" more diligently and prominently, allowing me to add more domains to the AGNIS block list. Thus, some of the increase in numbers we see from Jan. 3, 2002 to Apr. 29, 2003 may be explained by those factors or biases. Just how much of that increase can be attributed to observer bias is not known.
     
  3. Dead companies/applications/domains
     
    Some of the types of "crapware" and some of the domains targeted in the very latest AGNIS blocklist may be defunct or out of use. ("Crapware" purveyors have been affected by the dot-com "bust" just like other Internet companies.) Just how many is not known.

What "Crapware" Does

"Crapware" is a broad term that covers a wide variety of unwanted software applications that are pushed on users. "Crapware" often uses one or more of the following tactics:

  • Stealth/Rogue Installation
     
    automatically installs with little notice or warning when users visit "crapware"-infested web sites with active content options enabled, as many sites require them to be (and, yes, "crapware" entrepreneurs consider this sufficient "consent");
     
    tricks users into installation by the use of deceptive buttons and hyperlinks, false error boxes and system notices, uncloseable popups, or other confusing GUI elements;
     
    falsely poses as Microsoft Windows Update software, "anti-spyware" software, or other software that may be desired by users; 
      
    uses known "malware" such as the W32.DlDer.Trojan and/or exploits known security holes in Internet Explorer and Windows to install on users' systems and reconfigure users' systems;
     
    piggybacks on other host applications and web sites which install the accompanying "crapware" modules -- even when users uncheck the appropriate boxes and decline the installations -- and often provides no visible means to opt-out of the "crapware" installation alone;
     
    uses frequently changed/morphed installers and installation methods to avoid detection by "anti-crapware" applications such as SpyBot Search & Destroy and Ad-aware;
     
  • High Pressure Installation
     
    foists itself on users by piggybacking on other host applications which require installation of that "foistware";
     
    uses scare tactics (e.g., displays of users' drive contents, IP addresses, or browser headers; opening the CD-ROM drive) to exploit users' fears and pressure them into installation;
     
    is required by ISPs in order to provide "member content" and "connection maintenance" to users (who are already paying rising costs for their internet connections);
     
    installs along with drivers for hardware and is required for proper functioning of that hardware, or installs as part of a BIOS/CMOS software package;
     
  • Stealth Execution
     
    configures itself to automatically launch and run silently in the background every time Windows or Internet Explorer start without notifying users or seeking their knowing consent;
     
    obscures or hides its execution and behavior from users and "anti-crapware" utilities;
     
  • Rogue System Reconfiguration

    reconfigures users' systems to allow itself unfettered access to the Internet and allow "crapware" servers uninhibited access to users' computers;
     
    hijacks users' web browsers to drive users to unwanted web sites and search services by making undesired system customizations and locking users out of the settings that would allow them to restore their browsers to a preferred state;
     
    adds unwanted or unsolicited toolbars, searchbars, and other custom plug-ins or add-ons to the users' browsers or systems;
     
    replaces critical Windows system files, thus interfering with the normal and proper operation of the users' systems and even imposing a system "death penalty" on the PCs of users who do attempt to uninstall it;
     
  • Data Gathering
     
    monitors users' use of their computers and the internet, collects usage data and other personally identifiable or sensitive data about users, and provides those data via a network connection to direct marketing and advertising companies;
     
  • Backdoor Connectivity
     
    establishes unannounced, unwanted network connections for the purposes of making unrequested updates to the software and users' systems or supplying data to interested parties;
     
    makes unauthorized dial-up connections to 1-900 numbers without users' full understanding and consent;
     
  • Obfuscation
     
    buries key notices, terms, and conditions in complex EULAs and Privacy Policies that few consumers can make any sense of;
     
    provides insufficient notice of installation, data gathering, backdoor connectivity, system reconfiguration, or other undesirable behavior;
     
  • No Choice (Opt-Out/In)
     
    won't take "no" for an answer because it provides no readily available means to opt-out of (let alone opt-in to) privacy invasive data gathering, system reconfiguration, and/or system updating for good;
     
    demands that consumers agree to outrageous terms & conditions such as the acceptance of unannounced / unsolicited updates, renunciation of third-party uninstallation methods (i.e., the use of anti-"crapware" utilities such as SpyBot Search & Destroy and Ad-aware), or the uninstallation of "conflicting" programs (i.e., anti-"crapware" utilities such as SpyBot Search & Destroy and Ad-aware).
     
  • Uninstallation Countermeasures
     
    provides no visible means for uninstallation and removal;
     
    refuses to be uninstalled when the host application is uninstalled;
     
    provides broken uninstallers or uninstallers that actually install more "crapware";
     
    takes active measures to avoid being uninstalled by "crapware" removal utilities like Ad-aware and SpyBot Search & Destroy, blocks the download and installation of those utilities, and even silently uninstalls such utilities without the user's permission; 

Dealing with "Crapware"

If your PC has been hijacked by an online marketing firm or "crapware" entrepreneur and you're trying to clean up the mess, your first stop ought to be Lavasoft's web site, where you can download and install Ad-aware, a free "crapware"-removal utility. Another good, free "crapware"-removal program is SpyBot Search & Destroy.

Both Ad-aware and SpyBot Search & Destroy work much like standard anti-virus programs, so if you're familiar with Norton AntiVirus or McAfee VirusScan, you shouldn't have any problem running Ad-aware and SpyBot Search & Destroy. Both utilities will scour your computer for all instances of "crapware" and offer to remove them for you. You might be surprised at what they find on your system. Ad-aware and SpyBot Search & Destroy are fast, effective, and easy to use. If you surf the Net a lot or frequently install "free" programs from the Net, an anti-"crapware" utility is a must-have program, just like an anti-virus program.

If you're currently dealing with a "crapware" infestation, swing by the SpywareInfo Support Forums, where you can post a HijackThis! log of your system and knowledgeable users can give you step-by-step advice for removing unwanted "crapware" applications from your computer.

For general information on "crapware," you also ought to consider visiting one of these excellent sites:

Those web sites offer a wealth of tips and advice for dealing with "crapware." And for links to still more information and software to deal with corporate "crapware," see THIS page and THIS page.

Finally, to protect yourself against corporate "crapware," you ought to consider locking down your browser, esp. if it's Internet Explorer. Two other excellent programs to help prevent "crapware" from ever being installed behind your back by obnoxious web sites are JavaCool's free SpywareBlaster and SpywareGuard.

And this very web site offers two other ways to lock down Internet Explorer so that "crapware" pushers can't hijack your browser or install unwanted software behind your back without your knowledge or permission:
 

IE-SPYAD: A long list of known advertisers, marketers, and "crapware" pushers that can be added to the Restricted sites zone of Internet Explorer. Once this list is merged into your Registry, most direct marketers and "crapware" pushers will not be able to resort to the usual "tricks" (e.g., cookies, scripts, ActiveX controls, popups, et al) they use to track your behavior and push unwanted software on you while you surf the Net.
   
Enough is Enough! A lockdown utility for Internet Explorer 5 and 6 that automatically and securely configures Internet Explorer's Privacy and Security settings to stop obnoxious "crapware" pushers and other pushy direct marketers.
 

More Information

This web site contains more information about "crapware" and how you can protect your system. See in particular:

This web page was put together in response to an inquiry from Byron Acohido, a reporter with USA Today. You can read Mr. Acohido's story online HERE.


Questions & Contact

If you have any questions about the information presented above, please don't hesitate to ask.

Best,

Eric L. Howes

Last Updated 17 Jul. 2005

© 2000-2005 Eric L. Howes