Free files (with some ads)

August 13, 2018

You’re always careful about opening e-mails from strangers, extra cautious contemplating great deals, and assiduously avoid adult content. So how could you wake up one day to a bunch of new browser toolbars, an excess of ads, and PC optimizers you know you never installed? What went wrong?

Odds are, the culprit is an affiliate service. Affiliates negotiate agreements with file-sharing services to replace desired files with installers that bundle the file you want with some other products: browsers, optimizers, adware. The affiliate, in turn, pays for each download. Our experts dug in for the details of how it all works.

Why do people store files on such sites?

File-sharing sites that have affiliates are interested in gaining more users. So, in addition to storing content, they may offer a small amount of money to those who upload their files to the site. For example, one of the resources we studied pays users 4 rubles (about 6 cents) for every download of the uploaded file. It’s not much, but it sweetens the deal.

A user looking to make money on this will not only upload videos, books, music, and game mods to such a file-sharing site — he or she will also publish a link to it online, somewhere in a forum or fan page, for example, whose owners don’t know anything about the affiliate.

Downloading to download

Other users then find the link in the course of browsing through a forum or searching for rare content. The link takes them to the file-sharing site, which often looks like a legitimate cloud service, such as Google Drive. There, they find the file. It may look like an archive, a torrent file, an ISO image, or an HTML document.

But what the user downloads after clicking on that file is an executable — the installation file hidden in a password-protected ZIP archive, say, or a file that looks as if it has two extensions (super-new-map.zip.exe). It often comes with detailed installation instructions: Unzip the archive contents, enter this password, etc. The complexity is meant to obscure the questionable nature of the file from browsers and antivirus software.

And what is this installation file?

Here’s what happens when the user has finished unzipping, entering passwords, and whatever else the downloaded archive requires, and finally launches the executable. First, the installer tells an affiliate server everything about the user’s computer, including user name and list of launched tasks. The server responds with a list of affiliate programs that could potentially be installed on the computer. The response also contains the name of the file the user originally wanted to download.

Then, for each affiliate program, the installer checks if the users’ system has one of the security solutions that could spot that something weird is going on. The affiliate owners attempt to set everything up so as not to sound any alarms and get the user’s attention.

Only after all of that does the installer finally offer to download the desired file (and three to five affiliate programs “well-suited” for your system). An Internet Explorer–style download window pops up. In addition to the name of the original file the user desired, it lists everything else that will be downloaded, but in a very tiny, grayish font. In addition to that, most of the information is kept from view; you’d have to resize the window to see all of the programs about to be installed. At this stage, the user could smell a rat, deselect all of the check boxes, and prevent the program from installing anything extra, but that would require attention — and supersharp vision.

Ads and more ads — and a little bit of malware

When purveyors of a file-sharing service come to an agreement with a “partner,” they think only of their own profit. In other words, they really don’t care what happens to users’ devices; the only thing they care about is getting paid.

As a result, users download many dubious files through the “partners.” It’s mostly adware. However, in 20% of cases, real malware is downloaded. By the way, in 5% of cases, the “payload” will appear to be a common browser. (If that’s what the user gets, they may consider themselves fortunate.)

Safe download, no registration required

How can you download a useful file without getting useless trash (or worse) along with it? Here’s our advice:

  • Pay close attention to your browser’s address bar. File-sharing sites, naturally, try to resemble innocuous services like Dropbox or Google Drive, but the URL doesn’t go there. If the site looks right but the URL isn’t, you’d better avoid downloading anything from there.
  • If they offer an executable (.EXE) file instead of the filetype you’re after, don’t download and launch it.
  • Never download any additional installers, no matter how much a site insists you have to.
  • Use a reliable security solution that won’t allow you to download suspicious apps. For example, Kaspersky Security Cloud is a good choice.