OpenCandy

OpenCandy was an adware module and a potentially unwanted program classified as malware by many anti-virus vendors. [1] [2] [3] [4] They flagged OpenCandy due to its undesirable side-effects. [5] [6] It was designed to run during installation of other desired software. Produced by SweetLabs, it consisted of a Microsoft Windows library incorporated in a Windows Installer. When a user installed an application that had bundled the OpenCandy library, an option appeared to install software it recommended based on a scan of the user's system and geolocation. Both the option and offers it generated were selected by default and would be installed unless the user unchecked them before continuing with the installation. [7] [8]

OpenCandy's various undesirable side-effects included changing the user's homepage, desktop background or search provider, and inserting unwanted toolbars, plug-ins and extension add-ons in the browser. It also collected and transmitted various information about the user and their Web usage without notification or consent. [1] [9] After massive criticism of the software, it was eventually discontinued in August 2016.

Development

The software was originally developed for the DivX installation, by CEO Darrius Thompson. When installing DivX, the user was prompted to optionally install the Yahoo! Toolbar. DivX received $15.7 million during the first nine months of 2007 from Yahoo and other software developers, after 250 million downloads. [8]

Chester Ng, the former DivX business development director, is chief business officer and Mark Chweh, former DivX engineering director, is chief technology officer. [8]

Windows components

The components that the program used may have differed between versions, but the following names are representative.

Files dropped

Processes

DNS and HTTP queries

Software known to have included OpenCandy

Workarounds

Some installers could be run with a /NOCANDY parameter on the command line to bypass OpenCandy; it was up to each installer whether to support the parameter. [39]

Related Research Articles

Morpheus was a file sharing and searching peer-to-peer client for Microsoft Windows, developed and distributed by the company StreamCast, that originally used the OpenNap protocol, but later supported many different peer-to-peer protocols. On April 22, 2008, distributor StreamCast Networks filed for Chapter 7 bankruptcy after a long legal battle with music companies; all of their employees were laid off and the official download at www.morpheus.com stopped being available, though for a small period the website remained online. As of October 29, 2008, the official Morpheus website is offline, including all other websites owned by StreamCast Networks, specifically MusicCity.com, Streamcastnetworks.com and NeoNetwork.com.

Browser Helper Object: Plug-in module for Internet Explorer

A Browser Helper Object (BHO) is a DLL module designed as a plugin for the Microsoft Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of Windows Explorer, a new instance is launched for each window.

FileZilla: Free software, cross-platform file transfer protocol application

FileZilla is a free and open-source, cross-platform FTP application, consisting of FileZilla Client and FileZilla Server. Clients are available for Windows, Linux, and macOS. Both server and client support FTP and FTPS, while the client can in addition connect to SFTP servers. FileZilla's source code is hosted on SourceForge.

CNET Download is an Internet download directory website launched in 1996 as a part of CNET. Initially it resided on the domain download.com, and then download.com.com for a while, and is now download.cnet.com. The domain download.com attracted at least 113 million visitors annually by 2008 according to a Compete.com study.

PDFCreator is an application for converting documents into Portable Document Format (PDF) format on Microsoft Windows operating systems. It works by creating a virtual printer that prints to PDF files, and thereby allows practically any application to create PDF files by choosing to print from within the application and then printing to the PDFCreator printer.

Browser hijacking is a form of unwanted software that modifies a web browser's settings without a user's permission, to inject unwanted advertising into the user's browser. A browser hijacker may replace the existing home page, error page, or search engine with its own. These are generally used to force hits to a particular website, increasing its advertising revenue.

Christopher Boyd, also known by his online pseudonym Paperghost, is a computer security researcher.

ImgBurn

ImgBurn is an optical disc authoring program that allows the recording of many types of CD, DVD and Blu-ray images to recordable media. Starting with version 2.0.0.0, ImgBurn can also burn files and data directly to CD or DVD. It is written in C++. It supports padding DVD-Video files so the layer break occurs on a proper cell boundary.

CutePDF is a proprietary Portable Document Format converter and editor for Microsoft Windows developed by Acro Software. CutePDF Writer can create PDF files, and CutePDF Form Filler can edit simple PDF forms so that they can be sent without using more expensive PDF authoring software.

Foxit PDF Reader: Freemium PDF tool

Foxit PDF Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files. Foxit Reader is developed by Fuzhou, China-based Foxit Software. Early versions of Foxit Reader were notable for startup performance and small file size. Foxit v3.0 was found to be comparable to Adobe Reader. The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting, and drawing. Until version 9.7.2 Foxit Reader had PDF creation features, including a "Foxit PDF Printer" for Windows, allowing all programs to "print" output to PDF; they were removed in May 2020 from later versions. Foxit PDF Reader also includes an Enterprise version, which requires a Foxit account.

Babylon (software): Computer dictionary and translation program

Babylon is a computer dictionary and translation program developed by the Israeli company Babylon Software Ltd. based in the city of Or Yehuda. The company was established in 1997 by the Israeli entrepreneur Amnon Ovadia. Its IPO took place ten years later. It is considered a part of Israel's Download Valley, a cluster of software companies monetizing "free" software downloads through adware. Babylon includes in-house proprietary dictionaries, as well as community-created dictionaries and glossaries. It is a tool used for translation and conversion of currencies, measurements and time, and for obtaining other contextual information. The program also uses a text-to-speech agent, so users hear the proper pronunciation of words and text. Babylon has developed 36 English-based proprietary dictionaries in 21 languages. In 2008–2009, Babylon reported earnings of 50 million NIS through its collaboration with Google.

3wPlayer is malware that disguises itself as a media player. It can infect computers running Microsoft Windows. It is designed to exploit users who download video files, instructing them to download and install the program in order to view the video. The 3wPlayer employs a form of social engineering to infect computers. Seemingly desirable video files, such as recent movies, are released via BitTorrent or other distribution channels. These files resemble conventional AVI files, but are engineered to display a message when played on most media player programs, instructing the user to visit the 3wPlayer website and download the software to view the video.

CCleaner: Suite of utilities for cleaning disk and operating system environment

CCleaner, developed by Piriform Software, is a utility used to clean potentially unwanted files and invalid Windows Registry entries from a computer. It is one of the longest-established system cleaners, first launched in 2004. It was originally developed for Microsoft Windows only, but in 2012, a macOS version was released. An Android version was released in 2014.

PrimoPDF is a freeware program that creates PDF files from printable documents on computers running Microsoft Windows. It works as a virtual printer. It does not present the user with advertisements, but does utilize the OpenCandy Adware program, and its terms of service say that it may use OpenCandy to recommend other software to the user. PrimoPDF is developed by the same company that develops the commercial Nitro PDF software. According to the download link on its Web site in February 2023, version 5.1.0.2 remained current.

Genieo: Israeli company specializing in Mac malware

Genieo Innovation is an Israeli company, specializing in unwanted software which includes advertising and user tracking software, commonly referred to as a potentially unwanted program, adware, privacy-invasive software, grayware, or malware. They are best known for Genieo, an application of this type. They also own and operate InstallMac which distributes additional 'optional' search modifying software with other applications. In 2014, Genieo Innovation was acquired for $34 million by Somoto, another company which "bundles legitimate applications with offers for additional third party applications that may be unwanted by the user". This sector of the Israeli software industry is frequently referred to as Download Valley.

μTorrent: Proprietary adware BitTorrent client

μTorrent, or uTorrent, is a proprietary adware BitTorrent client owned and developed by Rainberry, Inc. The "μ" in its name comes from the SI prefix "micro-", referring to the program's small memory footprint: the program was designed to use minimal computer resources while offering functionality comparable to larger BitTorrent clients such as Vuze or BitComet. μTorrent became controversial in 2015 when many users unknowingly accepted a default option during installation which also installed a cryptocurrency miner.

FreeFileSync: Free and open-source file synchronization program

FreeFileSync is a free and open-source program used for file synchronization. It is available on Windows, Linux and macOS. The project is backed by donations. Donors get access to a Donation Edition that contains a few additional features such as an auto-updater, parallel sync, portable version, and silent installation. FreeFileSync has received positive reviews.

Download Valley is a cluster of software companies in Israel, producing and delivering adware to be installed alongside downloads of other software. The primary purpose is to monetize shareware and downloads. These software items are commonly browser toolbars, adware, browser hijackers, spyware, and malware. Another group of products are download managers, possibly designed to induce or trick the user to install adware, when downloading a piece of desired software or mobile app from a certain source.

A potentially unwanted program (PUP) or potentially unwanted application (PUA) is software that a user may perceive as unwanted or unnecessary. It is used as a subjective tagging criterion by security and parental control products. Such software may use an implementation that can compromise privacy or weaken the computer's security. Companies often bundle a wanted program download with a wrapper application and may offer to install an unwanted application, in some cases without providing a clear opt-out method. Antivirus companies define the software bundled as potentially unwanted programs, which can include software that displays intrusive advertising (adware), tracks the user's Internet usage to sell information to advertisers (spyware), injects its own advertising into web pages that a user looks at, or uses premium SMS services to rack up charges for the user. A growing number of open-source software projects have expressed dismay at third-party websites wrapping their downloads with unwanted bundles, without the project's knowledge or consent. Nearly every third-party free download site bundles their downloads with potentially unwanted software. The practice is widely considered unethical because it violates the security interests of users without their informed consent. Some unwanted software bundles install a root certificate on a user's device, which allows hackers to intercept private data such as banking details, without a browser giving security warnings. The United States Department of Homeland Security has advised removing an insecure root certificate, because it makes computers vulnerable to serious cyberattacks. Software developers and security experts recommend that people always download the latest version from the official project website, or a trusted package manager or app store.

WiperSoft is an anti-spyware program developed by Wiper Software. It is designed to help users protect their computers from such threats as adware, browser hijackers, worms, potentially unwanted programs (PUPs), trojans, and viruses. It is currently available only for Microsoft Windows.

References

  1. PUP.Optional.OpenCandy, Malwarebytes, retrieved 3 February 2018
  2. OpenCandy, Sophos, retrieved 3 February 2018
  3. ADW_OPENCANDY, Trend Micro, retrieved 3 February 2018
  4. Virustotal analyses of OpenCandy, Virus Total, retrieved 3 February 2018
  5. Richards, Gizmo (16 April 2017), Controversial Advertising Program Now Being Embedded in More Software, Tech Support Alert, retrieved 2 February 2018
  6. ADW_OPENCANDY: Trend Micro page, 30 April 2016
  7. Needleman, Rafe (11 November 2008), OpenCandy brings ad market to software installs. What?, CNET news, retrieved 18 August 2009
  8. Marshall, Matt (10 November 2008), OpenCandy inserts recommendations when you install software, retrieved 18 August 2009
  9. "What is OpenCandy and How to remove it?". Appuals.com. 24 January 2016. Retrieved 31 January 2022.
  10. "OpenCandy". 7 December 2023.
  11. "Antivirus notes". 7 December 2023.
  12. "Inquiry about detection of Auslogics Defrag Free Edition – ESET NOD32 Antivirus". 22 January 2014.
  13. "Complete Version history / Release notes / Changelog".
  14. "CDBurnerXP: FAQ".
  15. "FileZilla OpenCandy". Retrieved 24 July 2013.
  16. "Format Factory – Free media file format converter".
  17. "Does Foxit Reader free 6.1.4.0217 have malware?". Foxit Corporation Forums.
  18. Zenju. "FreeFileSync".
  19. "FrostWire: Downloader, BitTorrent Client and Media Player".
  20. "GOMlab.com include technical information and download link of GOM Player, GOM Audio, GOM Video Converter and GOM Remote".
  21. LIGHTNING UK! (16 June 2013). "The Official ImgBurn Website: Change log". www.imgburn.com. Retrieved 3 October 2017. Changed: No longer bundling/offering the Ask.com toolbar in the setup program, OpenCandy now handles product offerings during installation.
  22. LIGHTNING UK! (16 June 2013). "The Official ImgBurn Website: Download". www.imgburn.com. Retrieved 3 October 2017.
  23. "MD5 doesn't match any downloadable installers – ImgBurn General". forum.imgburn.com. 29 October 2016. Retrieved 3 October 2017.
  24. "Wrong hash? – ImgBurn Support". forum.imgburn.com. 23 June 2016. Retrieved 3 October 2017.
  25. "Wrong Hash 2 – ImgBurn Support". forum.imgburn.com. 31 January 2017. Retrieved 3 October 2017.
  26. "ImgBurn". fileforum.betanews.com. 17 June 2013. Retrieved 3 October 2017. CLEAN INSTALL! No OpenCandy bundled.
  27. "ImgBurn Download: Changelog". Softpedia. 31 March 2017. Retrieved 3 October 2017. no more 'opencandy' adware!
  28. "Codecs.com | Downloads for ImgBurn 2.5.8". www.free-codecs.com. 20 June 2016. Retrieved 3 October 2017. Download ImgBurn 2.5.8 – without OpenCandy!
  29. "ImgBurn". www.majorgeeks.com. 23 June 2016. Retrieved 3 October 2017. This is a clean, no OpenCandy version.
  30. gizmo, richards (8 February 2014). "Controversial Advertising Program Now Being Embedded in More Software". Gizmo's Freeware. Archived from the original on 7 August 2014. Retrieved 30 August 2014. OpenCandy (OC) is a relatively new advertising product that more and more software developers are bundling with their programs. It can now be found in the installers of dozens of popular programs including IZArc, mirC, PrimoPDF, Trillian Astra and more.
  31. "MP3 Support Analysis – herdProtect".
  32. Archived 9 April 2016 at the Wayback Machine On the Help/Facts page
  33. Discussions on pdfforge Forums Archived 4 March 2016 at the Wayback Machine
  34. PhotoScape – Virus and Malware
  35. Schember, John (21 January 2012). "Sigil 0.5.0 Released". Archived from the original on 24 April 2016. Retrieved 17 March 2012.
  36. "Malware on Install". 29 March 2014.
  37. "WinSCP – OpenCandy". Archived from the original on 7 April 2014. Retrieved 3 April 2014.
  38. Found in FL Studio 12.1.2 Installer – By Windows Defender: PUA:Win32/CandyOpen / OCSetupHlp.dll
  39. "OpenCandy explained: what you need to know about the technology". www.ghacks.net. 6 August 2021. Retrieved 12 May 2021.