Last week’s Virus Bulletin conference was preceded by a meeting of a fledgling operation with noble aims – to solve the problem of “unwanted” software and make sure that when we install things on our computers, those things are what we really wanted to install and nothing more.
Unwanted software has been an irritant to both computer users and security providers for many years now.
This is the stuff you get when you visit one of the many “free” software download websites, grab a copy of the PDF reader/video player/specialist tool you need, and then click through all those “Next” buttons without paying much attention to what the screens are saying to you.
So you end up with various toolbars, system optimisation packages and much more besides, none of which you had any intention of installing when you headed to the download site.
The root of the problem is our assumption that everything on the internet should be free, from news services and social media websites to music, movies, and yes, software.
Of course, these things don’t just appear out of nowhere, and for the most part the people who devote their time and efforts to making them still need money to feed and clothe themselves.
The music business has been learning over the last few years that fighting our demand for “free” is an enormous and mostly unrewarding task – they seem to be finally admitting that a change in their business model is required, and providing their wares through download and streaming sites funded by advertising or “freemium” subscriptions.
Those same advertising dollars have been funding the bulk of the internet for years, and software downloads are no exception.
“Adware”, or software supported by advertising, has been a mainstream term for a long time now. “Ad-supported” can mean the product itself displays advertising, or carries a secondary promotion-pushing product, or simply that the install process changes some settings on your system to point you to a different search engine to get some pennies from the search provider’s affiliate scheme.
In many cases the software itself is entirely legitimate and blameless, with many small software houses unable to monetize their work in any other way. Indeed, in some cases the items being bundled by advertisers are genuinely free, open source software.
Escalating arms race
For security product developers this presents a double headache. Users demand that foistware they don’t want and didn’t think they’d installed should be detected and blocked by their security products. Meanwhile, the developers of the ad-funded software and its components insist that they are legitimate business people and that their “customers” were shown EULAs and opted to install their items.
Quite often, they use lawyers to help get this message across, leaving the security teams caught in the middle, trying to balance the conflicting demands of their support and legal departments.
This has led to the emergence of “potentially unwanted” as a category slightly above real malware – stuff that most people probably don’t want, but that can’t be referred to in the same breath as a product of crime, or automatically blocked in many cases, thanks to pressure from those producing it.
This in turn has produced something of an arms race, as the ad-supported software industry tries to avoid being flagged or removed by security solutions, often using devious tricks that push it ever closer to the malware it claims to be so separate from.
Alongside the tricksy language and design of both download sites and the layered installer packages wrapped around those bits of software people actually go looking for, a range of techniques has been developed to keep hold of a user once they’ve got themselves onto their systems – from obscure and difficult removal processes to rootkit-like hidden components and blocking of rival products.
The use of these techniques, of course, only makes these ostensibly “clean” items look all the more suspicious to security solutions on the lookout for deviousness, leading to ever more advanced evasion methods.
The Clean Software Alliance
But finally it seems like both sides are ready to sit down and iron out their differences, to find a better way forward. Last week’s meeting was described as a “Launch” of the Clean Software Alliance (CSA), but the organisation has been in gestation for over a year now, with involvement from both the anti-malware industry and the people making, distributing and funding advertising-supported software.
A summary of the work done so far was given in a side track of the VB2015 conference itself, jointly presented by representatives of Microsoft and Google, which indicates how seriously many major players are taking this initiative.
Of course, both those firms have their feet in both camps and fingers in both sides of the pie, dedicating much time and effort to keeping their users safe, secure and happy, while at the same time providing a large chunk of the funding for unwanted installs through affiliate fees for their “search engine” advertising platforms.
The main work of the CSA so far has been developing a set of guidelines summing up what is allowed and what is not, drawing a line in the sand between what will be considered OK and what behaviours will lead to something being considered malicious, with no more vague middle ground in between.
To back up these rules, a tagging system is being developed based on the IEEE Taggant system currently in use for tracking packed and obfuscated software. Bundled software packages and their components will be cryptographically tagged so that the source of any given item should be trackable, making it simple to block any player in the system if they start breaking the rules.
The big question is, of course, will it work? The answer will depend on a lot of things, but the most important factor here is trust – if what have, in the past, been the two opposing sides of this debate can now develop a trusting relationship and rely on each other to behave fairly and properly, there’s a good chance of success.
The best way to develop that trust is to get to know and understand each other’s viewpoints, and meetings like this seem like the ideal place to work on those relationships,
In the meantime, if you feel the need to install some software, and you can’t go direct to the developer’s site (or in many cases, even if you do get it from an official source), pay close attention to every stage of the process and every offer screen, and make sure you know what it is you’re agreeing to before you click “Next”.