A word on Driver Updaters.

You may recall that we recently blogged about our change of stance with regard to the PUP classifications of “Registry Cleaners”. This blog post is a continuation of our efforts as we do not plan on simply stopping there.

Scammers often build scenarios that are predicated on the same, or similar themes. Basically, you take a scam that works, in this case the bogus registry scanner, put a dress and some lipstick on it and extend the lifespan of the scam.

With this technique, unscrupulous software manufacturers can diversify their offerings and increase their chances of having new victims to bilk money from. A prospective mark who is familiar with one scam, and would therefore avoid it, may fall victim to a variation on the theme.

The scam only needs to be different enough for wary users to fail in recognizing it for what it is.

Having built a successful money printing machine, based on registry scanner snake oil, how do they diversify? Driver Updaters!

You build an application that scans the system, generates a report on the drivers installed on the computer, and recommends updating the drivers, whether needed or not.

 

Who makes this software?

There are many software companies all over the world who make Driver Updaters. Not all of them are included in our PUP classification.

We will discuss why some get added to our PUP list later in this blog post, but for now, let’s look at what a driver updater is exactly in greater depth.

 

What is a Driver?

A driver, also known as a device driver, is a computer program that operates or controls a particular type of device that is attached to a computer. The driver effectively allows your computer to talk to the corresponding hardware component and function properly. If you have a sound card, you have a sound card driver. The same applies for all the components in your personal computer.

 

Where are drivers stored on my computer?

There isn’t a centralized location where your drivers are kept.

Some are “native” and are included as part of Windows. Others come with hardware and must be installed manually from a disk.

Some manufacturers include all of the pertinent drivers for a system in a specific folder. Others store them in a hidden partition on the hard drive, only to be used as part of a system restore.

Once installed, the many files that make up a driver can be in several places on your hard drive. This lack of standardization can make installing and updating drivers challenging.

 

When were drivers added to Windows?

Since day one. Windows operating systems have always required them to make the myriad of peripherals that can be connected to personal computers function properly. From printers to sound cards, all these devices need drivers to work.

 

So how does that make driver updater programs bad?

Everything would seem to indicate that updating drivers should be a good thing, and there are several reputable driver updater programs in existence. We agree that there are edge cases where updating a driver would be beneficial. However, the vast majority of systems do not require driver updates to function properly.

 

Where a driver updater program would run afoul of our PUP classification is in the delivery of the message.

 


Let’s take a fairly common driver that is often detected as requiring an update for our example: Your network card.

You might benefit from an update for this driver, but if your network is functioning just fine, should you even do this? Further muddying the waters is the fact that several drivers will function perfectly with the network card installed in your computer.

  • You might have a branded network card that uses a licensed chipset and design made by a different hardware manufacturer. (These are usually the same drivers, but they might have slight differences…). Your network card will ALSO work with the reference drivers available on the site of the original chipset designer. (They designed the original chipset, so no surprise here).
  • Your network card might also work with drivers from a completely different company that ALSO licensed the original chipset design and branded it as their particular version. (Since more than one brand can license the same chipset, all these drivers are essentially identical under the hood).
  • There might be Microsoft certified drivers available for your card. These are known as WHQL drivers, which stands for Windows Hardware Quality Lab testing drivers. These drivers will also work with your card. They are digitally signed, and tend to favor stability over performance.

This means that an unscrupulous driver updater program can scan your system and almost always detect a different version of a driver for some component. Is it advisable to update them when it does?

 

We don’t think so. The potential benefits do not outweigh the risks.

Does that mean that we will add all these programs to our PUP definitions? No, as we mentioned earlier, not all driver updaters meet our PUP definition criteria.

We can tell you these programs are snake oil, but we’re not going to try and force you not to use them. We don’t condone forcing stuff onto people, but forcing programs onto users is exactly how a driver updater would wind up flagged as a PUP by Malwarebytes Anti-Malware.

No conflicts, no update really needed.

If your network card, to use the example we gave above, is detected as having a newer driver available, you should only really update it if it isn’t working properly. The need to update drivers really hinges on what you are doing with your computer. Unless you are on a quest to eke out the maximum performance from a gaming rig, or you are experiencing problems with some specific hardware component, best leave what is already working alone.

Choosing the proper drivers and updating them was a bit of a black art in the earlier days of the Windows operating system. Microsoft has made great strides in alleviating these problems. A large number of drivers are now included with your operating system. Windows will detect them automatically during the installation process. Many drivers can also be updated via the “Windows Update” feature, negating the need for a driver updater program.
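The "only update what isn't working" rule above can be checked directly against what Windows itself reports. The following PowerShell is an added example, not part of the original post or of any Malwarebytes product; the function name Get-DriverTriage, the verdict wording and the sample rows are constructed for illustration, while Win32_PnPEntity and Win32_PnPSignedDriver are the built-in Windows classes it reads.

```powershell
# A device needs attention only if Device Manager reports a problem
# (ConfigManagerErrorCode other than 0) or its driver is not digitally signed.
function Get-DriverTriage {
    param(
        # Defaults query the live system; constructed rows can be passed instead.
        [object[]]$Devices = (Get-CimInstance -ClassName Win32_PnPEntity),
        [object[]]$Drivers = (Get-CimInstance -ClassName Win32_PnPSignedDriver)
    )
    # Index device state by DeviceID so each driver row can be joined to it.
    $state = @{}
    foreach ($dev in $Devices) {
        if ($dev.DeviceID) { $state[$dev.DeviceID] = $dev.ConfigManagerErrorCode }
    }
    foreach ($drv in $Drivers) {
        if (-not $drv.DeviceID -or -not $state.ContainsKey($drv.DeviceID)) { continue }
        $code = $state[$drv.DeviceID]
        if ($null -eq $code) { continue }   # no status reported for this device
        if ($code -ne 0) {
            $verdict = 'Investigate: device reports a problem'
        } elseif (-not $drv.IsSigned) {
            $verdict = 'Review: driver is not signed'
        } else {
            $verdict = 'Leave alone: working and signed'
        }
        [pscustomobject]@{
            Device    = $drv.DeviceName
            Provider  = $drv.DriverProviderName
            Version   = $drv.DriverVersion
            ErrorCode = $code
            Signed    = [bool]$drv.IsSigned
            Verdict   = $verdict
        }
    }
}

# Constructed sample rows (not real hardware) so the logic can be tried offline.
$sampleDevices = @(
    [pscustomobject]@{ DeviceID = 'PCI\SAMPLE\NIC';   ConfigManagerErrorCode = 0 }
    [pscustomobject]@{ DeviceID = 'PCI\SAMPLE\AUDIO'; ConfigManagerErrorCode = 10 }
)
$sampleDrivers = @(
    [pscustomobject]@{ DeviceID = 'PCI\SAMPLE\NIC'; DeviceName = 'Sample NIC'
        DriverProviderName = 'Sample Vendor'; DriverVersion = '1.0.0.0'; IsSigned = $true }
    [pscustomobject]@{ DeviceID = 'PCI\SAMPLE\AUDIO'; DeviceName = 'Sample Audio'
        DriverProviderName = 'Sample Vendor'; DriverVersion = '2.1.0.0'; IsSigned = $true }
)
Get-DriverTriage -Devices $sampleDevices -Drivers $sampleDrivers | Format-Table -AutoSize

# On a real machine, list only the devices that actually warrant attention:
Get-DriverTriage | Where-Object Verdict -notlike 'Leave alone*' | Format-Table -AutoSize
```

On a healthy system the last command typically returns nothing, which is the "no conflicts, no update really needed" case regardless of how many newer driver versions exist.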

 

Let’s look at an example of how this happens.

 

Step 1

A software manufacturer partners with another software company that makes “bundlers” or “wrappers” to distribute their driver updater program. Let’s stick with the name bundlers for this example.

Bundlers put a bunch of programs together and offer the user these additional programs during the initial installation process. Sadly, many software companies do this, even some pretty big ones. We are not saying that all bundled software is malicious, only that this practice is ripe for abuse.

(Not all PUPs use a bundler, but the ones that do tend to misbehave…)

Remember, all the bundler wants to achieve is the maximum number of installations. It’s their business model. It’s how they get paid. It is also therefore not surprising that they would bend the rules as far as they can in order to achieve this.

(A side effect of surrendering the distribution of your program to a third-party is that you can then insulate yourself from their bad behavior… Right there we have an ethical quandary.)

 

Step 2

The bundler pre-populates the installation check box for several programs, including their partnered driver updater. They then seed the Internet with their bundled installer. This can be through an affiliate marketing scheme to distribute the bundle, aggressive online adverts, or any number of other ways.

 

Step 3

A user, either seeking one of the other programs that are part of the bundler or deceived into installing it through “dark patterns”, winds up with the driver updater installed. Some of these software manufacturers will go so far as to have two versions of their programs.

  • An official one, available from their website, that reports a low or no driver update count, has opt-in partner program installations and looks innocuous.
  • An affiliate version, that has opt-out partner programs, a silent install, and an aggressive driver update count. That version can only be found on the web during an active affiliate campaign. This is done so the software vendor can claim innocence and blame a rogue affiliate for the aggressive nature of the program.

 

Step 4

The driver updater configures itself to run at start up, perform a scan, and generate a report showing drivers need updating. (Hint, driver updaters will ALWAYS find drivers that need updating, even on a fully functional operating system! The trick is that these software manufacturers are classifying possible driver updates as critical events that require “fixing”.)

This program now runs at every start up, generating the “push for sale” popup, with the results of the scan and numerous “driver updates”.

Sometimes the UI is designed to make the window difficult to close.

Sometimes the driver updater periodically displays the “push for sale” pop up AGAIN in the same session, despite the user having closed it and declined to purchase the software. They may use bubble notifications in the taskbar.

 

Step 5

The user clicks on the fix button of the report, and is funneled to a purchase page for the driver updater. The user buys the software, alarmed at the report showing drivers that apparently need to be updated.

The bundler, the affiliates, and the software manufacturer split the profits. The user has installed a program that is at best useless and at worst could damage the system by installing the wrong drivers and make some components of the computer unusable.

Keen-eyed readers will notice that the process from installation to purchase for this application is nearly identical to the registry cleaners we discussed previously.

This is where we get to the heart of the problem. These driver updater programs may actually solve an issue and install the updated drivers on occasion, but for the majority of cases they are substituting one identical driver for another and asking for payment.

Dishonest software manufacturers make driver updater software to offer a fix for a problem that doesn’t really exist. Updating drivers on devices that are already functioning properly may be unnecessary and sometimes potentially dangerous. As we stated earlier, we think the performance gains achieved by using these applications do not outweigh the potential risks.

These are the PUP criteria that merit such a program be flagged as a Potentially Unwanted Program:

  • Malicious bundling
  • Pre-populated checkboxes
  • And the recently added: Driver Optimizer, Updater, etc.

You can find our complete PUP criteria classification page here.

The changes to our PUP classification took place as a result of listening to our user base.

We have seen the large number of complaints on forums about these programs. We have seen the deceptive methods they use to sneak onto computers in an effort to extract payment for unnecessary driver updates by a program of little or no value.

We have revised our Potentially Unwanted Program stance in the past, and now have revised it again to include Driver Updaters that exhibit these aggressive traits.

Presently our default behavior is to quarantine PUPs. Unlike the programs that we classify as such, when using Malwarebytes Anti-Malware you decide what to keep or remove, and our free version provides you with full removal capabilities, should you choose the latter.

By pushing the limits of marketing techniques, by playing the numbers games on unwanted installations, by claiming innocence and blaming overzealous affiliates for repeated bad behavior, the purveyors of this digital snake oil will earn a well-deserved potentially unwanted program classification.

Our vision statement at Malwarebytes is that “everyone has a fundamental right to a malware free existence,” and we mean to uphold it.