Malware: Eric Howes' "Crapware" Count
By Eric Howes
April 29, 2003
I was talking to a reporter from USA Today this morning about the problem with
"spyware," "home page hijackers," "drive-by-downloaders," "adware," and "porn
dialers" -- or, more generally, "crapware." This man wanted *numbers.*
So, I dusted off a few old CD-Rs and dug up some old versions of the
AGNIS block list. I pulled all the entries of the "crapware" and "dialers"
sections from each date/version and began counting. I then put together a table
that gives an interesting picture of the growing problem with obnoxious,
unwanted commercial software -- a table that I thought you all might enjoy
looking at as well.
Overview
The table below is a count of the different types of "crapware" and the
various domains associated with "crapware" purveyors. By "crapware" we mean unwanted, commercial software that is installed without the user's
full knowledge, consent, and understanding, and that primarily serves the interests of commercial parties
associated with the "crapware," not the end users on whose systems those unwanted applications are installed. The term "crapware" covers such applications as:
- adware: commercial software that piggybacks on "free" software and that is installed along with the host application (such as KaZaA or Grokster). "Adware" stands for "advertising supported software," and the piggybacking applications often display ads or collect marketing data for use by direct marketing companies.
- spyware: commercial software that monitors users' computer and
Internet behavior, gathers other data (often personally identifiable information) about users, and transmits those data to direct marketing firms (who often use those data for targeted advertising). Note that by the term "spyware" we do NOT mean such applications as keystroke loggers (keyloggers) or other similar
system monitors that are used to spy on users. Those applications do not have a direct marketing tie-in or use; commercial/marketing "spyware" does.
- home page hijackers: applications or web sites that set the user's default browser home page to an unwanted URL or change the default search engines defined within the browser to unwanted search engines and sites. These applications and web sites may also configure Windows to prevent users from changing those settings back to the users' preferences. These applications and web sites may also edit the HOSTS file to tie known web sites to certain IP addresses, thus ensuring that users are unwittingly directed to unexpected, unwanted web pages.
- drive-by-downloaders: unwanted applications that install automatically when the user visits a web site. These are usually ActiveX controls and plug-ins, and users may or may not (depending on their Internet Explorer Security zone settings) see a pop-up requesting agreement to a EULA that authorizes installation of the application.
- porn dialers: applications that employ users' modems to dial 1-900 numbers (often overseas) and connect with online services that distribute porn. The 1-900 phone charges that result from these phone calls are usually astronomical and outrageous. Moreover, these porn dialers are often installed via "drive-by-downloads," and users are frequently unaware that their modems are even being used to connect to 1-900 numbers (they find out later when the phone bill arrives).
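The HOSTS-file trick described under "home page hijackers" leaves a footprint that is easy to check for: a mapping that sends a real web site's hostname to an address the user never chose. The following script is an added example, not code from this article or from any tool it mentions; it parses a constructed HOSTS excerpt (the hostnames and the 10.11.12.13 address are made up for illustration) and flags mappings that point a non-local name at a routable address, while leaving alone the loopback and 0.0.0.0 "sinkhole" entries people add on purpose to block ad servers.

```python
"""Flag HOSTS-file entries that point real web sites at an address the user did not choose."""
import ipaddress

# Constructed sample HOSTS content (not a real capture). The two 10.11.12.13 lines
# show the hijack pattern; the 0.0.0.0 line is a harmless user-added block entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.11.12.13     www.example-search.com
10.11.12.13     search.example-portal.net   # same rogue address for two sites
0.0.0.0         ads.example.org             # user's own ad-blocking entry
not-an-ip       broken.line
"""

# Names that legitimately map to loopback and never indicate a hijack.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples, skipping comments and malformed lines."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        fields = body.split()                   # tabs or spaces both work
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # resolvers ignore such lines too
        for name in fields[1:]:
            entries.append((str(addr), name.lower(), line_no))
    return entries


def suspicious_entries(text):
    """Keep mappings that send a non-local hostname to a routable address.

    Loopback (127.0.0.0/8, ::1) and the unspecified address (0.0.0.0) are the
    usual sinkhole targets added deliberately; anything else that redirects a
    real site matches the hijack pattern and deserves a look.
    """
    flagged = []
    for ip, name, line_no in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name in LOCAL_NAMES or addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((line_no, name, ip))
    return flagged


def scan_hosts_file(path):
    """Run the same check over a HOSTS file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for line_no, name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On Windows the live file is `%SystemRoot%\System32\drivers\etc\hosts`; pass that path to `scan_hosts_file`. A flagged line is only an indicator: the user may have added the mapping themselves, so the check is a prompt for review rather than an automatic clean-up.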
There are many other terms that people have coined for these types of "crapware"; however, "crapware" is a comprehensive term for all of these types of malicious commercial software.
Keep in mind that any one application may fulfill several of the above
definitions. Thus, there can be "adware" that is also "spyware." There may be "drive-by-downloaders" that are both "spyware" and
"home page hijackers." And so forth...
"Crapware" is often distinguished from other (more traditional) forms of malicious software such as viruses, trojans, and worms by
the fact that,
in most cases, the user clicks through a EULA at some point (by
contrast, no virus will ever ask you to agree to a EULA). Nonetheless, this "crapware" is
unwanted by and unknown to users even though they may have
technically (legally) agreed to the installation of that software.
Table 1: "Crapware" Count

| Date | Types | Domains |
| --- | --- | --- |
| Jan 03, 2002 | 22 | 61 |
| Apr 19, 2002 | 56 | 125 |
| Nov 26, 2002 | 230 | 568 |
| Apr 30, 2003 | 493 | 1317 |
Definitions
- Types:
Varieties of "crapware." Example: C2 Media's Lop.com toolbar and plug-in is considered one "type" or "variety" of "crapware." The Xupiter toolbar and plug-in (from
www.xupiter.com) is considered a distinctly different "type" or "variety" of "crapware."
Please note that for the purposes of this count "crapware"
also includes web sites that are
known to engage in "home page hijacking" but which may not
distribute traditional binary applications (such as the Lop.com and
Xupiter toolbars).
- Domains:
Internet domains, such as website.com (as distinguished from web sites such as
www.website.com or ads.website.com). Each type of
"crapware" may have multiple domains associated with it
(and each domain may have multiple web sites under it). Lop.com, for example, has 126 domains associated with it. Other types may have only a single associated domain. By "associated," we mean that the domain is known to be a domain where the type of
"crapware" can be encountered, or that the domain is owned by the
"crapware" purveyor, or that the domain is owned by a company/organization that has some sort of relationship with the
"crapware" purveyor. Keep in mind that
"crapware" pushers often use multiple front companies and business partners to spread their applications.
How These Numbers Were Gathered
These counts are taken from the "full original" AGNIS blocklists released on the dates indicated above. AGNIS can be obtained from:
- http://www.staff.uiuc.edu/~ehowes/resource.htm
The AGNIS block list package contains multiple versions of a basic
block list. Some versions of the AGNIS block list are "stripped down" or edited for efficiency and thus target fewer
domains. The "full original" AGNIS versions can be found in
the ORG directory of the AGNIS installation directory.
The "full original" versions of AGNIS are divided into named
sections or categories. The entries counted for the table above were
taken only from the AGNIS sections titled "Crapware Domains"
and "Dialers" (entries in other sections were ignored).
One other note: even though only four AGNIS dates/versions are used or listed
in
the table above, there were plenty of other updates to AGNIS in between those
dates/versions. Thus, it is not the case that one AGNIS version came out in
November of 2002 and the next in April of 2003. There were dozens of updates between those two updates. In other words, these four dates/versions are just
samples or instances from a larger series of updates.
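The two counts in Table 1 depend on two reductions described above: folding web sites such as www.website.com and ads.website.com down to the domain website.com, and counting only the entries in the "Crapware Domains" and "Dialers" sections. The script below is an added example, not the article's own counting method or any AGNIS tooling. The file layout it reads ("[Section]" headers, "; Type" comment lines naming a variety, one hostname per line) is an assumption made for illustration, since the page does not describe the real AGNIS format, and the sample entries are constructed. It also assumes a domain listed under two types is counted once in the domain total.

```python
"""Count distinct 'crapware' types and registrable domains in a sectioned block list."""

# Constructed sample in an assumed layout (not an AGNIS excerpt): '[Section]' headers,
# '; Type' comment lines naming the variety, then one hostname per line.
SAMPLE_LIST = """\
[Crapware Domains]
; Lop.com
www.lop.com
ads.lop.com
search.lop.co.uk
; Xupiter
www.xupiter.com
xupiter.com
[Dialers]
; ExampleDialer (constructed)
dialer.example.net
www.example.net
[Other]
; NotCounted
tracker.example.org
"""

# Only these sections feed Table 1; everything else is ignored.
COUNTED_SECTIONS = {"Crapware Domains", "Dialers"}

# A few two-label public suffixes so 'search.lop.co.uk' folds to 'lop.co.uk', not 'co.uk'.
# A production tool would use the full Public Suffix List instead of this short set.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Reduce a hostname to the domain a registrar hands out (www.site.com -> site.com)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def domains_by_type(text):
    """Map each type name to the set of registrable domains listed under it,
    looking only inside the counted sections."""
    result = {}
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            current = None            # a type header never spans sections
            continue
        if section not in COUNTED_SECTIONS:
            continue
        if line.startswith(";"):
            current = line[1:].strip()
            result.setdefault(current, set())
            continue
        if current is None:
            continue                  # hostnames before any type header are not attributable
        result[current].add(registrable_domain(line))
    return result


def crapware_count(text):
    """Return (types, domains) in the sense of Table 1: distinct varieties and
    distinct registrable domains across all of them."""
    by_type = domains_by_type(text)
    all_domains = set().union(*by_type.values()) if by_type else set()
    return len(by_type), len(all_domains)


if __name__ == "__main__":
    for kind, doms in domains_by_type(SAMPLE_LIST).items():
        print(f"{kind}: {len(doms)} domain(s): {', '.join(sorted(doms))}")
    print("types, domains =", crapware_count(SAMPLE_LIST))
```

Run against the sample, the script reports three types and four domains; the "[Other]" section and its tracker.example.org entry are skipped, matching the note above that entries outside "Crapware Domains" and "Dialers" were ignored.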
Notes/Caveats
- Classification problems
Others in the "anti-spyware" scene/business may classify applications
and web sites differently than I do. For example, where I classify several minor variations of an application as essentially the same "type" of
"crapware," others may count those minor variations as separate "types" -- and vice versa.
"Crapware" is often released under different names or even re-used by different affiliated companies, so constructing a completely accurate, indisputable
"taxonomy of crapware" is difficult. Also, some people may
include or list as "spyware" only traditional binary
applications, whereas the "crapware" counts in the table
above include web sites that are known to engage in "home page
hijacking" but which may not distribute binary
"crapware." See in particular the following web page (from Patrick Kolla, author of
SpyBot Search & Destroy):
http://security.kolla.de/index.php?lang=en&page=knowledgebase/targetpolicy
...for one person's attempt to classify and define all the varieties of "crapware." Note that not all of the types of software listed on that page are targeted by the AGNIS block list.
- Observer bias
It's entirely possible that I (the person who builds the AGNIS block list) have become savvier and more skilled at finding domains associated with
"crapware." It's also possible that users are reporting problems with
"crapware" more diligently and prominently, allowing me to add more domains to the AGNIS block list. Thus, some of the increase in numbers we see from Jan. 3, 2002 to Apr. 29, 2003
may be explained by those factors or biases. Just how much of that increase can be attributed to observer bias is not known.
- Dead companies/applications/domains
Some of the types of "crapware" and some of the domains targeted in the very latest AGNIS blocklist may be defunct or out of use.
("Crapware" purveyors have been affected by the dot-com "bust" just like other Internet companies.) Just how many is not known.
More Information
This web site contains more information about "crapware"
and how you can protect your system. See in particular:
Questions & Contact
If you have any questions about the information presented above, please don't hesitate to ask.
Best,
Eric L. Howes
eburger68@myrealbox.com
© 2000-2003 Eric L. Howes (eburger68@myrealbox.com)