Cb Connect 2018 | Power of You | Register Now


What Happens Under the Hood When Installing Free Software?

What Happens Under the Hood When Installing Free Software install hotspot shield free download
May 15, 2014 / Jeffrey Guy

(Editor’s Note: this post originally appeared on carbonblack.com in June 2013. We are republishing here to further demonstrate Carbon Black’s toolset for readers who have asked to see Carbon Black in action.)

I always caution my family to be very careful downloading freeware applications from such collections as download.com and tucows.com. My justification is a hand-waving, fear-mongering response: “you never know what extra things are hidden inside.”

I want to give more of a detailed answer than that, but it has always taken too much time. Carbon Black changes that.

Many freeware and shareware authors make money from Pay-Per-Install schemes. It’s a murky, grey area between legitimate advertising and malicious behavior. Dell, HP and other PC OEMs make money from the extra applications they install, somewhat legitimizing the practice. Your home Internet service provider probably hijacks failed DNS lookups to increase ad impressions on their “helpful” pages. Freeware apps do similar things, sometimes hidden behind a subtle checkbox during the install process: “do you also want to include….”


The size of that checkbox can be deceiving. The installed applications usually dwarf the small freeware application you believe you’re installing.

The worst part is that freeware authors sometimes overstep the line from the installation of almost-legitimate advertising software, installing malware instead.

As reported by Information Week in 2011, a group of researchers presented their findings at USENIX 2011 on malware distributed via pay-per-install schemes. They found 12 of the 20 most common malware families rely on pay-per-install to compromise client machines.

Part of the challenge, even for computer security experts, is the difficulty of tracking what occurs under the hood when installing software. Tools such as process monitor or the “installation modification trackers” like WhatChanged suffer from too much output that’s too poorly organized.

Carbon Black makes these investigations simple.

As we were developing Carbon Black, I spent time using it to explore these kinds of malicious processes.


From CNET’s list of “Most Popular Downloads,” I downloaded and executed No. 8, the “Free YouTube Downloader” and Carbon Black detected a flurry of activity. Take a look at the screenshot below:


(This is the full process tree from Carbon Black that includes the YouTube Downloader.)

Carbon Black retains records of all execution. The image above is all processes created by installing the “Free YouTube Downloader.” The red circle to the left (indicated by #1) is my explorer.exe instance. The IE icon to the right (#2) was my instance of IE. “Free YouTube Downloader” is the process with the red TV icon one more level to the right (#3).

From there, you see the chaos. There are more than 60 new child processes, from a dozen different executables. Just by looking at the graphic you can see several MSI installers, a string of command shells and even a new Web browser that looks like Chrome, has a Chrome-like icon, but is not Chrome. (That string of cmd.exe’s looks like a bug in the DealPlay adware—the original command line: c:\windows\system32\cmd.exe /d /c timeout 3 & cmd /d /c cmd /d /c cmd /d /c cmd /d /c cmd /d /c del “c:\users\cbadmin\appdata\local\temp\dealpl~1.exe.” Somehow I doubt five nested cmd.exe’s are required to delete the installation file in temp.)

Within five minutes of installing “Free YouTube Downloader,” I received an email from the Carbon Black Alliance: six of the child processes are malware, according to four or more antivirus vendors:


Based on the reports, they appear to all be advertising-based malware that oversteps the line of acceptable behavior. More detail about each binary, including links to the reports, can be found below in Carbon Black’s watchlist email below.

Finally, it’s important to note that these unwanted payloads were downloaded dynamically, at the time of install. Freeware authors (or the pay-per-install vendor) can make decisions dynamically about what extra package to install when and where. For this blog post, I reproduced the installation steps to get more screenshots and detail, but got a completely different set of unwanted payloads than previously. This time, I only received one alert: for the main FreeYouTubeDownloader.exe installation package itself.

The dynamic installation logic means CNET authors probably don’t receive the unwanted packages when validating the application and providing their “Very Good” 3.5 star rating. The pay-per-install authors can simply review the source IP addresses of all incoming requests and ensure they never give the CNET editors malware.


So there you go, Mom. Next time you ask why you can’t download the free package of cute kitten screensavers from download.com, I’m sending you this blog post. You may get your kittens, but you’ll also get a lot more. I know you’ll probably do it anyway, but at least you’ll have Carbon Black installed so I’ll know what to go clean up.

———- Forwarded message ———-

From: Cb Watchlist Notification <no-reply@carbonblack.com>

Date: Fri, Apr 19, 2013 at 9:28 AM

Subject: 6 new hit(s) found for your Carbon Black Watchlist: Alliance: VirusTotal Score > 3


6 new hit(s) found for Carbon Black Watchlist: Alliance: VirusTotal Score > 3


Don’t want to receive notifications for this watchlist? Unselect the checkbox next to the watchlist entry’s name.


Watchlist: Alliance: VirusTotal Score > 3

Module Watchlist: 6 new hit(s)


md5: 7FD71A59FFC56A2814091F2786B21812

alliance_score_virustotal: 4



md5: 2E43CF9DECD9067F335DF3D92469CDB1

alliance_score_virustotal: 7



md5: 8D43C0F2F8922FF09C1283A377F5A116

alliance_score_virustotal: 17



md5: 9850E5F26F37C339424408A93E945C4A

alliance_score_virustotal: 5



md5: 8432C6C2D4ED3797B981138017696F00

alliance_score_virustotal: 15



md5: D79B88BAB3231EBEBD3C6505AB68CE56

alliance_score_virustotal: 4




TAGS: Carbon Black / cnet / detection / Free software downloads / malware / pay per install