by Thomas Salomon, head of AVAST Software's German Software Development team
In a previous blog post we wrote about the statistics from avast! Browser Cleanup. These statistics have become even worse:
- More than 1,000,000 (one million!) browser add-ons are available for the three main browsers
- More than 82% of all add-ons have a bad or very bad rating from our user community
- Two thirds of all add-ons in our database are from only three companies
- We see around 30,000 new add-ons per day of which 90% have a bad or very bad rating
As we can easily see, the numbers are still rising. It’s now time to share some more details about the bad add-ons we’ve noticed so far.
Toolbar details
As already mentioned in the last blog post, we analyzed many of these add-ons in order to learn how they behave, how we can remove them, and what we should expect in the future. During this analysis it became clear that the bad add-ons are even worse than we initially thought. In fact, a high percentage of add-ons installed on our customers’ computers behave similarly to malware. The common name for such “programs in-between” is grayware. You could also call them “Malware with a EULA”.
Among the most interesting (or rather, scary) features of grayware are the techniques used to prevent removal. Some of the vendors are very creative:
- The uninstall program shipped with the toolbar is often a fake. If you run it from the Programs and Features applet in the Control Panel, it often does nothing except tell you that the software has been removed.
- In some cases, the name of the toolbar is totally different than the entry in the control panel so you have almost no chance of finding the right entry.
- They prevent deactivation at the so-called Group Policy level. By adding the toolbar to the software policy settings of Windows, they stop the user from removing it. Most users will simply not have enough experience to resolve such restrictions.
- They change the name of the toolbar to prevent detection or automated actions. Typical examples of such a naming scheme are (the sample below comes with more than 90,000 variants!):
Browse2save | Searcehh—NewTab | CooupoonIt |
BrowseToSave | SSeeAArcch—NewTaab | CCoupoooneIoto |
BrowSoe2savE | Searcehh—NewTab | CouponIt |
Browsee2save | SSeeAArcch—NewTaab | CCoUpponnItu |
Bruowse2saavee | SyeaarCh-NNeWTabb | CyoupounIt |
Browyse2Saave | Searcehh-NewTab | CoupiOnIIt |
… | … | … |
- They install an additional Windows service (a hidden background program) which is nominally for “installing updates” but (behind the scenes) prevents the user from resetting their homepage and search provider. This service also makes sure that the toolbar gets reinstalled if the user tries to remove it.
- They install an additional Windows file called a dynamic link library (DLL) which is automatically loaded together with another program. This DLL does a similar job to the Windows service mentioned above.
- Sometimes a regular (functioning) uninstaller is provided. However, this uninstaller might offer to install another grayware program, so by removing toolbar X you get toolbar Y instead.
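The name-mutation scheme in the table above defeats exact-match blocklists but not a matcher that canonicalizes names first. The following is an added example, not code from avast! Browser Cleanup: the base name "Search-NewTab", the `MAX_EXTRA` tolerance and the benign sample names are assumptions made for illustration.

```python
import re

# Base names: "Browse2save" and "CouponIt" appear in the table above;
# "Search-NewTab" is an assumed base inferred from its variants.
FAMILIES = ["Browse2save", "Search-NewTab", "CouponIt"]
MAX_EXTRA = 3  # assumed tolerance for inserted characters after canonicalization


def canonical(name):
    """Lowercase, treat '2' as 'to', drop punctuation, collapse repeated characters."""
    s = name.lower().replace("2", "to")
    s = re.sub(r"[^a-z0-9]", "", s)
    return re.sub(r"(.)\1+", r"\1", s)


def is_subsequence(base, cand):
    """True if every character of base occurs in cand in the same order."""
    it = iter(cand)
    return all(ch in it for ch in base)


def match_family(name, families=FAMILIES, max_extra=MAX_EXTRA):
    """Return the family whose base name this add-on name is a mutation of, or None."""
    cand = canonical(name)
    for fam in families:
        base = canonical(fam)
        # Bound the number of inserted characters so long unrelated names do not match.
        if len(cand) - len(base) <= max_extra and is_subsequence(base, cand):
            return fam
    return None


# Variant names copied from the table above; the last three are constructed benign names.
SAMPLE = [
    "BrowSoe2savE", "BrowseToSave", "Bruowse2saavee", "Browyse2Saave",
    "Searcehh\u2014NewTab", "SSeeAArcch\u2014NewTaab", "SyeaarCh-NNeWTabb",
    "CooupoonIt", "CCoupoooneIoto", "CCoUpponnItu", "CyoupounIt", "CoupiOnIIt",
    "Tab Organizer", "Search by Image", "Coupons at Checkout",
]

if __name__ == "__main__":
    for n in SAMPLE:
        print(f"{n!r:26} -> {match_family(n)}")
```

Short base names make subsequence matching prone to false positives, so a match is best treated as a signal to combine with other evidence such as the publisher or install path.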
Avoiding the Grayware
So what can you do in order to prevent such grayware making it to your computer? There is one simple rule which should prevent them quite often (but not always):
Slow down and read carefully. The toolbars are most often ‘opt-out’ during the installation process of free software. That means the box allowing it to install is already checked for you. So carefully check and read each page presented to you by the installer. Uncheck everything if you are not sure what you are getting. If you are still unsure, you should avoid the software entirely and consider using another one.
In the worst case, if you have already picked up such grayware, avast! Browser Cleanup helps you get your browser clean again. The tool is available for download here: http://files.avast.com/files/tools/avast-browser-cleanup.exe