Tests and Scans
P2P Programs: Popular and Perilous
It's time for a confession. Many of us have peer-to-peer (P2P) file-sharing software on our home PCs. Teenagers most often use P2P to search for and download the latest songs from their favorite artists and adults can find the songs of their youth. PC Pitstop research has shown that many of us have P2P programs such as Kazaa, Grokster, and Morpheus.
It's not the P2P software that's are worrisome as much as the adware that often tags along in the installation. Both teenagers and adults know that programs like Kazaa, WinMX, LimeWire, and BitTorrent can get them the videos and music they want to see and hear. What isn't as well-known is the potential danger of downloading and installing this P2P software. P2P products are one of the most common ways that adware can infiltrate your computer and ruin your computing experience. The adware they distribute can bombard you with advertisements and pop-ups, hijack your Web browser, and even slow your computer to a grinding halt.
To help you understand the extent of the problem, we've crunched the numbers from our research to determine just what P2P applications are most prevalent, and then ran scans to determine exactly what kind of undesirable adware the most popular of these apps install. If you know that some products are more thoroughly infested than others, you can make a smarter decision about what you might safely install on your PC.
Peer to Peer Everywhere
Most home PC users are probably familiar with peer-to-peer software, especially if they have both a broadband connection and teenagers in the household. But the most popular packages seem to change all the time as Internet consumers move to the service with the greatest reach and thus the best selection of downloads. The Recording Industry Association of America (RIAA) has contributed to the churn; as it files lawsuits against high-profile companies like Sharman Networks, the parent company for Kazaa, these companies often begin filtering out copyrighted materials, leading users to look for alternatives that will satisfy their yearning for free content. As users move between packages, they may be unknowingly installing a new batch of adware on their PCs.
In examining the data from system scans, we found more than 30 different peer-to-peer packages installed on home computers. Kazaa, the most popular package, showed up on more than one in ten home computers. Assuming our results are representative of the population at large and extrapolating to the number of households with computers across the United States, that means more than five million households have computers with Kazaa installed. And since Kazaa includes a veritable bounty of adware--as we'll see more clearly in a moment--that similarly means that more than five million home PCs nationwide are host to all kinds of undesirable parasites from installing Kazaa alone.
Fortunately, we found a better picture on business computers. A smaller percentage of business computers we scanned had peer-to-peer software, for example, less than 4% had Kazaa installed. These lower numbers stem from demographic differences (teenagers typically aren't yet in the white-collar workforce), the focus of most P2P packages on entertainment rather than business, and the increasing effort of business IT managers on filtering and locking out just these kinds of applications.
One big takeaway from this data is just how many P2P packages are out there. As we mentioned, our stats show home computers running more than 30 different kinds of P2P software. With so many peer to peer software packages out there in the market and more being added all the time, some consumers may actually have three or more peer-to-peer packages and of course, the sum of all the adware the packages contain.
P2P Software: Adware Inside
Let's take a closer look at just what happens when some of the more popular peer-to-peer software products are installed. In May 2005, we used PC Tools' Spyware Doctor to scan a system with each P2P package installed and got these results.
The most popular package of all, Kazaa, does contain a formidable amount of adware. It's a software concoction that will detract noticeably from your surfing experience. Yet Kazaa's home page proclaims "No Spyware." So what's the story? A brief detour into Alice in Wonderland might help illustrate. When Alice encounters Humpty Dumpty, you may recall, he says, "When I use a word...it means just what I choose it to mean--neither more nor less." Following Humpty Dumpty's strategy, Kazaa (and many other P2P vendors) use a selective and self-serving definition of "spyware", such that whatever extras their software may contain, it simply isn't anything that falls under their definition of the term. Of course, if you actually install their products, you'll likely to see your computer transformed in a way that makes Alice's psychedelic experiences seem almost mundane.
Other vendors attempt similar sleight-of-hand. Some prominently declare on their home page that their products contain no adware, but they're referring to the paid product, not the free one that you're likely to download. We don't believe these companies care if your computer is compromised--in fact, they benefit when it is. You can usually find the first clues about adware within the End User License Agreement (EULA) that software displays during installation, but most people don't read these. And companies often take great pains to make them long and complex with the adware provisions hidden in an avalanche of legal fine print.
No popups, spyware, or trojans? That's a matter of interpretation.
In the end, our research exposed that about half of the popular P2P software packages contained adware. Among the most popular, Kazaa, iMesh, and Morpheus had some of the most aggressive combinations. (Grokster, even though it's no longer among the most popular products, also packages a slew of undesirable software that will quickly turn using your PC into a painful experience.) Be wary when reading something like iMesh's site, which boldly claims "100% clean, no popups, no spyware, and no Trojans" -- and then proceeds to install an entire slew of adware should you take it at its word. Since these adware-infested products account for a large percent of the P2P packages we found in our system scans, you can see that the impact on PC users at large is enormous.
Our advice: If you're going to install one of these P2P packages--tempting because of the reach and large selection they offer--at least steer clear of their free versions. Remember as well that paying for your P2P client does not mean the music or videos you get are any more legal. Much of the content on P2P networks is not sanctioned by the copyright holder; the music and movie industries have been stepping up their lawsuits against file sharers.
No Adware--But Use Caution
Even if you're committed to free P2P services, you do have another option. Some products, like WinMX, LimeWire, and BitTorrent, didn't trigger any alarms from Spyware Doctor, so you should be able to install them without worrying as much about inviting adware onto your system. But the situation isn't as simple as it might first seem. Scam P2P sites can claim to have these adware-free packages but actually install a bundle containing adware -- and you won't know until it's too late. Additionally, you still need to watch out for advertisements, such as those on the WinMX Web site, as they may lead you to other downloads full of spyware. Even if the particular version of software we tested didnít have adware, there are many other downloads with closely related names that might. Furthermore, there's no guarantee that products that are free of adware today will still be clean tomorrow.
Then there is the issue of whether the files you download on a P2P network are free of adware, spyware and viruses. Distributors for several major spyware and adware applications have been planting files in P2P networks that are actually stolen videos or pirated software. To get the content, though, you must run some sort of installer, license key generator, or patcher. That program proceeds to fill your system with spyware in addition to providing the content it originally promised. Adult-oriented content is a favorite target for these scams.
What's the safest bet? Going to a music site that's not really P2P at all. Both Apple iTunes and the new Napster offer music for sale. These sites provide legitimate, adware-free services for those willing to pay for their entertainment.
Of course, P2P software isn't the only place you'll find adware. ActiveX controls, games, screen savers, weather monitors, and emoticon packages often contain a plethora of adware as well.
As we've said before, the best way to deal with spyware is to avoid it in the first place -- so please do read our "Safe Surfing" to learn the behaviors that can prevent future infections stemming from P2P software, ActiveX controls, and other downloads.
Robert P. Lipschutz is president of Thing 7, a firm specializing in technology and communication. John Clyman is president of technology consulting firm Narrative Logic, LLC, and a leading expert on anti-spyware software.