ITsecurity
twitter facebook rss

What makes a PUP?

Posted by on October 28, 2016.

I’ve been thinking about PUPs recently. Some people call them PUAs; but PUP (potentially unwanted program) has an onomatopoeic ring to it. These are the apps you choose because they say they do one thing, but then they covertly do other more damaging things.

They are called ‘potentially unwanted’ because it is possible that you might still want the app, despite all the hidden things they do. It’s a gray area. So gray that there isn’t even a standard definition for them.

One that I like is ‘a free application that pretends to be benign but proceeds to do unexpected possibly harmful things, and is difficult to get rid of.’ Endpoint security firms can help with the last point, but there is no real consistency over how they handle PUPs – and the security firms live with the fear of being sued if they remove or block an application that isn’t strictly malware.

Part 1. Is SpyHunter a PUP?

Malwarebytes has always had a reputation for being amongst the most aggressive security vendors in tackling PUPs. Indeed, they recently acquired ADWcleaner, which is a specialist PUP remover. Today they went so far as to announce on Twitter:

mbtweet

Kudos! But it will be worth watching since SpyHunter is litigious. It’s already suing BleepingComputer over a negative review.

PUP slapp?

SpyHunter is an anti-malware product. Enigma has not integrated its product with VirusTotal (full list here) nor joined the Anti-Malware Testing Standards Organization (list of members here). And you have to wonder why…

I recently came across a report http://sensorstechforum.com/krypte-ransomware-remove-restore-files/ on the Krypte ransomware. The report wasn’t as detailed as the malware analyses you get from companies like ESET and Sophos and Kaspersky and F-Secure and Panda and Malwarebytes, etcetera. So I asked a few AV contacts what they thought of Krypte. Nobody had heard of it.

Looking at the report you immediately see this:

PUP download

The Download button leads to SpyHunter.

A genuine well-known ransomware is Locky. If you google Locky you get hits on reports about Locky. If you google Krypte, you get hits on how to remove Krypte. Here are the top five hits on ‘Krypte’ from Google:

Krypte Ransomware – how to remove? – PCrisk.com (Norton gives the site a ‘caution’ rating; WOT quotes “Malware removal instructions are worthless. Site ‘pushes’ equally-worthless SpyHunter to remove malware. Avoid this site.”)
Krypte Ransomware Removal Report – Enigma Software (Enigma Software owns SpyHunter)
Remove Krypte Ransomware (.fear files) | Virus Removal – virusresearch.org (WOT quotes “Dubious malware help website whereby all the instructions result in users having to download Spyhunter which is a poor quality anti-virus which won’t remove any malware it detects unless it is paid for. It can be difficult to remove this software.”)
Delete Krypte Ransomware | Facts Worth To Know About Krypte – removemalwarevirus.com (WOT quotes “This site is an affiliate scam site which attempts to have users, who have been bitten by tech support scams to download Spyhunter, which can totally boggle your machine.”)
Krypte Ransomware Remove and Restore Your Files – sensorstechforum.com (WOT quotes “Highly suspicious site. Got a spyhunter download prompt just by clicking on “Spyhunter download and install instructions”, go figure. Has got a content writer from Enigma Software: https://www.linkedin.com/in/maya-yaneva-983926a6?authType=name&authToken… posting articles, absolutely no IT background. Site tries hard to look like a real IT help forum, but is a total fabrication. The Google Safe Browsing and 100 Website Reputation icons are fake, click and see.” I did. It’s true.)

So what we have is a dubious report on Krypte which the mainstream AV companies don’t recognize, and where all roads seem to lead to SpyHunter, which doesn’t have a good reputation. That’s strange, to say the least. Is SpyHunter a PUP? That’s for you to decide. Look at the arguments and do the math.

Part 2. Is Windows 10 a PUP?

Let’s remind ourselves of our definition: a free application that pretends to be benign but proceeds to do unexpected possibly harmful things, and is difficult to get rid of.

I use the ‘free’ version of Windows 10. Now technically, Microsoft Legal could say, no, it’s not actually free – it’s an upgrade to your paid-for Windows 7 (or 8), for which we are not charging. That’s just semantics. For me, it was free.

Strike one.

Point two: it pretends to be benign, but does unexpected possibly harmful things. I think that’s a given. Consider some of the earlier posts on this site:

New Microsoft Windows 10 update non-options
Windows 10 re-problems Internet connection
Windows 10 privacy concerns are growing
Windows 10 makes Google look like it still does no evil

Add to all of our local concerns the small issue of the French data protection regulator (CNIL) serving formal notice on Microsoft over its privacy practices: Serving Formal Notice to Microsoft Corporation.

Strike two.

Point three: it is difficult to get rid of. Well, yes and no. Technically, you just delete the Windows 10 operating system. Practically, however, there will be few users technically able to remove W10 and install Linux; or rich enough to dump the PC and buy a Mac. And it is almost impossible to simply stop W10 doing what you don’t want it to do (see here).

Can you have half a strike?

Using our definition of a PUP, Windows 10 seems to score 2.5 out of 3. No legal eagle would dare to call it a PUP. But when did the law favour the common man over big business? Is Windows 10 a PUP? Look at the arguments and do the math.


Share This:
Facebooktwittergoogle_plusredditpinterestlinkedinmail

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Expert Views, Kevin Townsend's opinions | Tags: