Archived

This topic is now archived and is closed to further replies.

BigEd1

Malware on Install

Recommended Posts

Upgraded to 3.4.1 from 3.2. Proper shutdown on 3.2, all was good but after install no torrents loaded and all settings were gone. Had to reset settings, reload torrent files and all is good again. Buggy install is what I would say and I've been doing this for many years for myself and others.

 

Main Problem is Malware. During install the `PUP.Optional.OpenCandy` malware was detected along with some other cleanup utility. Both were killed during the install and not infected. You'll probably say I had it prior but it wasn't even a hour prior to install that my weekly scans finished and I was clean. I even fired up a fresh VPN and tried a install there and bam... Same Malware nabbed. 

 

Online scanning isnt detecting it in the actual install file, so I'm thinking it maybe coming in from one of the advertizers or other link established during install.

 

clamav.gif

2014-03-29 PUA.Win32.Packer.Upx-26
2014-03-29 MalWareBytes (during install) found PUP.Optional.OpenCandy
 

Share this post


Link to post
Share on other sites

Don't click on agree if you don't want them. ;)

 

It's a bit dirty trick to get you install it, I'll agree on that.

Your missing the point, you do have the option of not installing the extra, which I highly recommend you dont agree, but the PUP.Optional.OpenCandy malware is installed without option, without choice, and for someone without malware protection that can kill it off you are stuck with it.

Share this post


Link to post
Share on other sites

No, see the word Optional?

There's an agree-button you clicked on somewhere during install.

 

Post a screenshot of the installer and we can tell you where to click.

Share this post


Link to post
Share on other sites

No, see the word Optional?

There's an agree-button you clicked on somewhere during install.

 

Post a screenshot of the installer and we can tell you where to click.

I know where to click, and I selected `NO`. No need for screenshots. Read my original post and you'll see 2 different problems. 1st Detected was the malware, no options, no screens, no nothing. Then came the optional garbage install which anyone with a right mind will not install or select. As you dwell on this optional install garbage, 3.4.1 is starting to get banned on sites. I've already seen a few posts related to the malware problem on some irc sites. Been confirmed and now I'm back to 3.2.

Share this post


Link to post
Share on other sites

OpenCandy, Optional Install ? Why would any company subject their customers to malware. Maybe someone should try an install there to see what the heck is gong on. Looks like some people are being left out of the loop and are clueless as to what is going on with the setup/install of the program. Load up MalWareBytes and try an install, you wont need a screenshot then as you'll see for yourself. My install/updates have always been `No` on anything extra then immeadiatley go into settings turn off any other setings related to advertising, etc. So that leaves anything else to an unwanted install, but this time it was caught and no one there wants to acknowledge it other than `Yes, and OpenCandy is an optional install, that you agreed to install somehow.` which is a false statement too.

Share this post


Link to post
Share on other sites

As stated here, OpenCandy is a POTENTIALLY Unwanted Program. It's actually just that it is often used to distribute software you wouldn't really want.

Meaning there is no actual malware in the installer, just sponsored software which, in turn, might be malware (since OpenCandy doesn't really check what they send your way).

 

Meaning µTorrent is malware free, so long as you skip the software offer.

Share this post


Link to post
Share on other sites

OpenCandy is a technology that software companies can add to installers to earn money from optional software offers that are based on a system scan and the user's location in the world.

According to the FAQ on the OpenCandy website, the installer queries the company server for a list of recommended apps for the user location, operating system and language and checks those against the installed applications on the system and prerequisites that those programs may depend on. The first recommendation to pass all tests is then selected and presented to the user in the installer.

OpenCandy sends anonymous statistics back to the server which is used to improve the technology and to provide software companies with analytic insights.


What OpenCandy collects:
    operating system version and language
    country location
    timezone
    language of the software installer
    if the installer was completed or canceled
    if a third party recommendation was made, and whether it was accepted or declined
    if the recommendation was downloaded and the installer initiated
    if the installation completed successfully


Is OpenCandy adware?
 The answer depends on the definition of adware. According to Wikipedia, adware is any software package which automatically renders advertisements. The answer must be yes then, as OpenCandy displays automatic advertisement for another software product during the installation process.

Can you bypass OpenCandy?
  Some programs support the /NOCANDY parameter which you can add to the run command when you start the installer to bypass OpenCandy during installation. While this works with some applications, it does not seem to work with all that you may come across.


Conduit Toolbar/Bunndle Crap can also be installed if you're not careful at installation but that's for another Day.

Share this post


Link to post
Share on other sites

So opencandy was from utorrent? My malware scan found this but I didn't know where it came from. Now with all these bundle crap, I will be switching torrent software soon when I have some free time.

Share this post


Link to post
Share on other sites

OpenCandy isn't malware, just advertising for software like Winzip and whatnot. Just decline the offers and carry on.

They are not opt-out - you have to explicitly pick yes or no for these, so you can't accidentally get the offer.

Share this post


Link to post
Share on other sites

Google is report the MuTorrent Control product as malware prior to downloading the file. (https://support.google.com/webmasters/answer/3258249).

 

I'm appending it to this message as the correlation (even at this distance - given the extremely small users who would post) may indicate it's time to refresh 'clean coding environments' with the devs / sysadmins.

 

Please let me know when the product is clean.

Share this post


Link to post
Share on other sites

I can confirm that the potentially unwanted program (PUP), OpenCandy, is detected by some antimalware applications during the install of uTorrent; that it is not an optional component; and that detection occurs before anything is accepted or clicked during the installation process.

 

I had personally experienced this myself before and knew it to be true, so I decided to investigate thoroughly; detail my findings; and make some suggestions to both uTorrent uses and developers.

 

 

My testing rig & process
To test this issue I used uTorrent 3.4.1.30888 (stable), which was the latest version available at the time of writing. I ran the tests on a VirtualBox virtual machine (VM) running a clean installation of Microsoft Windows 7 SP1, with all updates installed. I used Malwarebytes Anti-Malware 2.0.1.1004 (free), with up-to-date definitions, as the example antimalware application. For full disclosure the only other applications installed on this VM were Microsoft Security Essentials and VirtualBox Guest Additions. Both of these were up-to-date, and have no relevance to the testing.

I knew from experience that uTorrent downloads the OCSetupHlp.dll file to the %TEMP% directory but names it uttXXXX.tmp (where XXXX is some random combination of capital letters and numbers, normally 3-4 hexidecimal digits). So before running the uTorrent installer I took a screenshot showing the clean %TEMP% folder.

 

post-370718-0-24232000-1398564477_thumb.

 

I then ran the uTorrent installer, and did not click on anything in the installer. I just left it on the opening page. After a few seconds, some files appeared in the %TEMP% folder. The important one in this case was uttA93.tmp. Right-clicking on this file and scanning it with Malwarebytes detected PUP.Optional.OpenCandy, as shown in the screenshot below.
 

post-370718-0-73629400-1398564486_thumb.

 

For the eagle-eyed among you, you will notice that after I scanned it with Malwarebytes, I renamed the uttA93.tmp file to uttA93.tmp.dll just so that I could right-click on it and get the properties for the DLL. This had no influence on the detection. It's also worth pointing out that I detected this by manually scanning the file. Obviously, if I had the premium version of Malwarebytes it would have been detected automatically by it's realtime protection when the file was created. Also, since the file is not code signed, some antimalware software may warn that it is unknown or untrusted, and offer to sandbox it.

 

 

So uTorrent does contain malware then?

Simple answer: No, it contains a fairly harmless PUP that you probably shouldn't be afraid of.

 

Firstly, the uTorrent.exe file does not contain the OpenCandy DLL. It downloads it. I can confirm this because the offending file does not appear if you disable / disconnect your network connections before launching the uTorrent installer. Secondly, OpenCandy is not malware. I would even hesitate to call it adware. I would describe it as Malwarebytes does. It's a potentially unwanted program (PUP).

 

As Beasly, and others, have discussed, OpenCandy is an important source of revenue for uTorrent. It acts kind of like click-through ads on a website. That said, it still collects some anonymous data about your system and your location so that it can recommend some applications to you. In that sense it is quite invasive and therefore justifies being tagged by some antimalware applications as a PUP.

 

It should be noted that OpenCandy is clearly mentioned in section 7 (in the tested version) of the end-user license agreement (EULA) which you agree to before being offered any software. I'll admit I'd never read the EULA until I researched this issue. Does anyone? Strictly speaking therefore, you can't complain about being recommended the offered software. You agreed to it. What makes it interesting though is that uTorrent downloads and loads the OpenCandy DLL before you ever get to the EULA page. It could be argued therefore that OpenCandy is running on your machine before you actually agree to accept it's terms. I'm no legal expert, but I would suggest that, at least in Europe, this may not be acceptable under the law.

 

 

My suggestions to users

There is no need to panic and switch torrent application. If your antimalware application detects OpenCandy, it's only being thorough. Once again, it is a potentially unwanted progam (PUP). It is not harmful to your system. Depending on your feelings about sharing the information Beasly mentions, you can safely clean, quarantine, or even ignore the warning. If you clean or quarantine the file you won't share any personal information and you won't be shown any offers, but uTorrent will install just fine.

 

To put your mind at ease, uTorrent doesn't actually install OpenCandy on your computer. It merely creates a temporary library file which it uses to search for appropriate offers for you. It should delete this temporary file when it is complete, but it doesn't seem too. At least not in my tests. Clearing your temporary files after the install should remove all traces of it though.

 

If you want to avoid the OpenCandy offers and any perceived infection by OpenCandy completely, I would suggest one of the following solutions:

  • If you are installing uTorrent for the first time, disable or disconnect your network connection for the duration of the uTorrent install process. That way, OpenCandy will not be downloaded on to your computer and no offers will be made.
  • If you're upgrading uTorrent, don't go through the install process. An old, but useful, advanced uTorrent tip is to overwrite the currently installed uTorrent.exe with the new installer (obviously, you should probably back it up first). For 3.3.x and later this mean copying the uTorrent.exe to the %APPDATA%\uTorrent folder. For older versions, I think (it's been a while) you copy it to the %PROGRAMFILES%\uTorrent folder (or %PROGRAMFILES(x86)%\uTorrent on 64-bit systems).

 

 

My suggestions to the developers

If you want to avoid posts about uTorrent being infected with malware, and the damage that does to your brand, no matter how unjustified, I would suggest:

  • Don't use OpenCandy. I know that's not really an option. It's a valuable revenue stream, and in truth most antimalware software no longer detects OpenCandy at all, since it's reputation is improving.
  • If you're going to stick with OpenCandy, don't download the DLL until after the EULA is accepted. At the very least that would prevent any possible legal ambiguity over whether personal data was collected before the user had given permission.
  • Maybe before downloading the OpenCandy DLL, you should include a warning explaining that it may be detected as a PUP by some antimalware applications. That way you'd at least be able to explain how harmless OpenCandy is; what a PUP is; and the benefits of the program to the development of uTorrent. Yes, users should understand that a PUP is not harmful, but to many they see the red flashing warning and that's all that matters. Brand and reputation damaged, possibly forever.
  • At the very least, delete the OpenCandy DLL from the %TEMP% folder when the installation is cancelled or completed. That way you can't be accused of installing OpenCandy on a users system.

 

If it is true that this issue is always dismissed as a PEBCAK, I hope you now see that this not the case. I hope my explanation, screenshots, and analysis are acceptable proof that this issue does exist, and that it would actually be fairly trivial to address.

 

 

[EDIT: The images failed to add correctly to this post originally, so I have re-added them.]

 

Share this post


Link to post
Share on other sites

[EDIT: Screenshots for my previous post were not added correctly, and in my frustration I created a new post and included them here rather than just editing my previous post. I have now fixed my previous post so this one is redundant.]

Share this post


Link to post
Share on other sites

I think the INTENTIONAL confusion is on the OC Agree page.

Button reads "Update or Upgrade" in stead of continue.

Have to admit almost cancelled then and there! And I definitely checked for HMPFFF goodies after install.

 

And I do not fault the authors of this program, must be very difficult to keep it free. Even the in-line ads they included a way to disable...VERY cool!

Us DFUs just need to pay close attention @ install!

 

Copy only uT exe?

How do u extract that from installer?

Not only a folder of garbage, but errors too.

Share this post


Link to post
Share on other sites

The uTorrent.exe file that you download is both the installer and the application itself. I believe it runs as an installer if there is no settings.dat in the same folder, otherwise it runs as the application (this is how you make uTorrent portable). You don't need to extract anything. Just copy the downloaded uTorrent.exe file to the appropriate location.

 

Also, I'm not sure what you mean by the OpenCandy agree page. If you mean the pages you get with each of the offers on? I agree that they are not always very clear. It's not ideal, but it looks like for the time being at least, you're just going to have to watch what you agree to install. As I stated previously, by the time you get to the offers, you've already consented to the use of OpenCandy to deliver offers to you, so you can't really hold them legally liable for anything. You're perfectly entitled to complain about it though.

 

Share this post


Link to post
Share on other sites

I would love to click and say not install,,, but the router we just got wont even let the download come into the server... see below:

 

 

Gateway Anti-Virus Alert
  This request is blocked by the Firewall Gateway Anti-Virus Service. Name: OpenCandy.F_2 (Adware)

 

 

 

I did not this this referral before i started another,,, but I believe  as more of the high end routers are including more functions  we will see more of these problems..   I got a letter from Comcast last week or so and they are saying they will be releasing a new service that stops any and all Adware at their servers, all Comcast clients will then be protected fro any form of Adware... Sounds like a good deal, but i cannot even imagine how many sites and programs will get stopped at the Comcast servers and never reach their household computer... 

 

Share this post


Link to post
Share on other sites