Technology forums are full of complaints and questions about "Potentially Unwanted Programs", or PUPs. Users complain that "a virus has infected their browser" or "a toolbar has hacked into the PC" and they justifiably feel extremely aggrieved by this. However, this does not involve malware in the traditional sense, and the majority of such "infections" can actually be avoided. Overall, the subject of PUPs is a complex problem for users and for the AV industry – yet in fact it is now a distinct line of business for the distributors.
Malware generally refers to software intended to damage the infected device or to steal information that can be used to carry out criminal activities such as identity theft or fraud, without the consent of the user. However, it is not always straightforward to draw a clear line between malware and other nuisances such as adware or PUPs.
AV providers are asked again and again by those affected to adapt their security solutions so they detect these pests more often. However, the majority of PUPs do not get onto computers by, for example, exploiting security holes, but because the users have installed them themselves – unwittingly in many cases. An AV program does not intervene if the software is not malicious and the user has given permission to install it. There is no doubt that PUPs are bad news. In the most frequent instances, they change browser settings (browser hijackers), display unwanted advertising (adware), spy on the user in the background (spyware) and sometimes embed themselves deep in the system. However, the programs are not malicious in the stricter sense. Many people actually want to use the functions of the software, hence the name "Potentially" Unwanted Programs.
Generally third-party providers take popular, free programs and pack them into a new executable file along with a PUP (bundling). This is then offered as a download on third-party provider sites, where the popular freeware acts as bait. The websites with the bundled programs are positioned as well as possible in search engines via (blackhat) search engine optimisation (SEO), thus increasing the number of potential customers. However, large, reputable software companies also occasionally offer software with piggy-backed programs.
This is how the providers earn their money: on the one hand per download and/or installation, and on the other by displaying advertising in the installed PUP. Nowadays there are companies that have specialised in providing PUP distribution services. Moreover, countless sets of instructions circulate on the Internet on how to make money out of PUP installations.
During installation of the rebundled original software, the user is then given options to install little helpers, toolbars etc. The selection boxes for these options are frequently pre-checked (opt out), indicating "Yes, I want to install this additional option". Consequently, a user who simply keeps clicking on the "Next" button without paying attention or reading the options will also install the PUP. This exploits the typical user behaviour of quickly clicking "Next".
In some cases the third-party providers also pretend that a "Skip" button for the PUP options in the installation dialogue is unavailable, by greying it out. The user then clicks on "Next" because it looks like they have no other option.
Another deceptive tactic is skilful selection of dialogue text. Double negatives are sometimes used here, meaning that clicking on "Yes" or "No" requires particular attention.
Especially perfidious is the tactic of hiding PUPs in software that is itself supposed to offer protection against malware and PUPs. As with fake AV software, the user is apparently offered help functions that can be activated on payment of fees.
PUPs are rightly considered to be a plague, and AV software providers would ideally like to place many of the programs that are of questionable value to the user on a blacklist – immediately and permanently. However, the programs are legal and can generally be avoided by applying a few simple rules prior to installation.