
PUP makers: digital snake oil, part 3

But wait, there’s more!

We have explained our recent changes to our PUP classification, where we have decided to include Registry Cleaners and Driver Updaters behaving aggressively.

We see some pretty lame excuses from software manufacturers when they apply for reconsideration, and perhaps it would be time to address the most common ones we encounter.


So, your software has been listed by Malwarebytes Anti-Malware as a “Potentially Unwanted Program” or PUP for short.

When a software manufacturer bundles all their software together, if one of the applications runs afoul and is listed as a PUP, the others will be as well. Some would refer to this practice as “diversifying their offering portfolio” but we respectfully disagree.

A registry cleaner behaving badly will result in flagging the bundled driver updater as well. This would fall under the “Malicious Bundling” category.

This software manufacturer has proven to what lengths it is willing to go in order to extract payment with one program. Why should we expect anything less from a different program, made by the same people?

Applications do not need buddy processes. Making the removal of a program difficult by having a watcher process will only cement our decision to list this application as a PUP.

Having an application exhibit different behavior in a virtualized environment to that of a live machine is actually part of the criteria for PUP classification.

PUPs are starting to ape analysis evasion techniques that were mostly only seen in malware, and these techniques have no real-world usefulness other than malfeasance.

Now that the most egregious behaviors are out of the way, we can explain a question we often hear our users ask…


Why do software manufacturers make PUPs?

Our loyal readers might be interested in learning what takes place behind the scenes of the affiliate marketing driven applications ecosystem, Potentially Unwanted Program makers, and other shady online marketers.

A great number of the PUPs we detect are pushed onto users through affiliate marketing schemes.

A simple explanation of this scheme goes like this:

  • A software manufacturer makes an application. (They don’t distribute it.)
  • They hire affiliates to distribute said application. (The more affiliates are successful at this, the better for them.)
  • The affiliates push the application, users install the application.
  • Users purchase the application.
  • The software manufacturer and the affiliates split the profits. (Sometimes as high as 50/50!)

As with bundlers, we are not saying that all affiliate programs are bad, only that they are ripe for abuse and that many of these programs are indeed abused.

The software creators remove themselves from the distribution process, and entrust this to affiliates, who are highly incentivized to generate the largest number of installations.

The larger the number of installs, the greater the chance that they will result in a purchase, or conversion. If you design your application to be very aggressive, you increase your conversions, as some users will purchase the application, if only to make the nag screens, reminders, and pop-up reports go away.

Sadly, some of these affiliate sales programs are abused with the express knowledge and blessing of their orchestrators.

As such:


Blaming a rogue affiliate for bad behavior is not a viable excuse. It never was. It never will be.

Allow us to explain. If a software manufacturer is using an affiliate-based mechanism to distribute their products, they are responsible for policing it.

All affiliate sales platforms rely on comprehensive metrics. It is the core mechanism used to track sales or conversions, and is how participants divvy up their share of the profits.

Metrics are at the very heart of such programs.

Affiliate programs that have poor metrics don’t flourish, as the participants feel cheated. They can’t accurately track their progress. Orchestrators cannot track successful installations. Affiliates flee en masse and the program flounders.

This means that all successful affiliate distribution schemes require incredibly granular, super accurate, and exquisitely detailed tracking metrics.

They have to. They have no choice. They cannot be successful without them. As a direct result, the orchestrator of the affiliates and the program is in a privileged position to detect fraud.


Not knowing affiliates were misbehaving is difficult to believe in light of this fact.

If a software manufacturer witnesses an affiliate that generates a large number of sales or conversions, it is their duty and obligation to investigate them.

If they are gaming the system, it hurts the affiliate platform in the long run.

If affiliates are pushing aggressively modified installers, turning a blind eye while the wheelbarrows of money are rolling in is most certainly not the correct way to address fraud.

Waiting until someone calls the software manufacturer out on this, and then attempting to shift blame for this situation onto a few “bad apples” will not work.

Incidentally, having the owners of the software company secretly be super affiliates on the side, so that they can better game their own system, is just as unacceptable.

Finally, it goes without saying that actually providing affiliates with modified installers that generate different results, have a different level of aggressiveness, and install silently is never acceptable. No amount of mental gymnastics will ever justify resorting to such tactics.


Maximizing R.O.I. with “support”?

Intentionally making the registration mechanism difficult, with product keys displayed in small white fonts on a grey background, requiring three pages’ worth of scrolling through paragraph after paragraph, and displaying a 1-800 number to call, is wrong.

All of this is done in an effort to drive prospective customers to “up-sale” centers masquerading as legitimate tech support and is morally reprehensible.

Malwarebytes is already leading the fight in classifying rogue tech support and we will flag them as fraudulent and add them to our resource page.

Whether the support is done in-house or that aspect of the operations is outsourced to outfits from Mumbai to Florida, subcontracting does not remove the software manufacturer from responsibility or guilt. Victimizing users by upselling them to expensive support packages that they do not need is wrong.

Incidentally, this kind of outsourcing never ends well.


Moving up the chain?

Endlessly “white labeling” a product, effectively making it a ready-made affiliate marketing scheme framework for others to abuse, does not remove its creator from guilt or culpability. This behavior mirrors that of rogue AVs re-branding to counter word of mouth and negative search engine results.


Further up the chain?

Colluding with, and in some cases even creating, a payment processing company to better monitor “chargebacks”, all in an effort to ensure the affiliates remain as close as humanly possible to, but below, the thresholds credit card companies have established for fraudulent transactions, is not a good business decision.

The changes to our PUP classification criteria promise to be challenging, as many software manufacturers have become quite adept at walking a fine line. They act maliciously while trying to insulate themselves from responsibility using the techniques we have described throughout this blog post.

We added the categories Registry Cleaners, Optimizers, Defragmenters and Driver Optimizer, Updater, etc. after listening to our community of users as well as the many technicians who use our products.

We have even seen instances of their “tech support” illegally using Malwarebytes Anti-Malware as part of their solution, and charging unsuspecting users several hundreds of dollars to do so.

Having to explain to the victims of these scams that it wasn’t us and that they’ve been swindled is truly a heartbreaking experience.

We will continue to give you the tools to identify and act against PUPs. We believe you not only have the fundamental right to a malware-free existence, but also the right to understand and control what software runs on your computer.

As always, our product includes a fully functional trial that is best downloaded directly from our website.