OpenCandy
OpenCandy is an "Adware" module designed to install on a personal computer during software installation. Produced by SweetLabs, it consists of a Microsoft Windows library incorporated in a Windows Installer. When a user installs an application that has bundled the OpenCandy library, an option appears to install software it recommends based on a scan of the user's system and geolocation. Both the option and offers it generates are selected by default if the user simply clicks [Next] through the installation.[1][2]
OpenCandy's various undesirable side-effects include changing your homepage, desktop background or search provider, and inserting unwanted toolbars or plug-in/extension add-ons in your browser. It also collects and transmits various information about the user and his surfing habits to third parties without notification or consent.
It has been reported that a number of anti-virus vendors flag OpenCandy as malware.[3]
Development
The software was originally developed for the DivX installation, by CEO Darrius Thompson. When installing DivX, the user was prompted to optionally install the Yahoo! Toolbar. DivX received $15.7 million during the first nine months of 2008 from Yahoo and other software developers, after 250 million downloads.[2]
Chester Ng, the former DivX business development director, is chief business officer and Mark Chweh, former DivX engineering director, is chief technology officer.[2]
Windows components
Components of the program may have differing but similar names based on version.
Files dropped
Note that files dropped by this program usually have the 'hidden' and 'system' attributes set. In order to see or search for them, folder settings for "hide operating system files" will need to be unchecked, and "show hidden files and folders" will need to be checked.
- OCSetupHlp.dll
Processes
Note: additional processes associated with any accepted offers may also run.
- spidentifier.exe
- rundll32.exe
Registry keys
Registry keys have varying names, so that a search of the registry for "*opencandy*" will need to be done to find and delete them.
DNS and HTTP queries
- tracking.opencandy.com.s3.amazonaws.com
- media.opencandy.com
- cdn.opencandy.com
- tracking.opencandy.com
- api.opencandy.com
- www.arcadefrontier.com
Counter measures
- select "Custom installation (advanced)" and uncheck all options boxes[4]
- run software installer offline, or from command line with option /NOCANDY[5]
- block OpenCandy IP addresses in Windows HOSTS file with entries like: 0.0.0.0 api.opencandy.com[6]
- run anti-malware such as Malwarebytes after software installation to clean system[7]
- use an active anti-virus to detect and block adware/malware on-the-fly
Software download sites known to host OpenCandy infected software
In addition to individual company/vendor sites distributing their own freeware/shareware, commercial depository type download sites also host OpenCandy infected software.
- Brothersoft
- CNET
- FileHippo
- Softpedia
- SourceForge
- Softonic
- μTorrent
Applications known to use or have used OpenCandy
- aMSN
- Any Video Converter
- AOL Instant Messenger
- ApexDC++
- Auslogics Disk Defrag[8]
- AxCrypt (Except Portable Edition)
- BitTorrent
- BurnAware CD-DVD burning software
- CDBurnerXP (depending on version)(Confirmed on Web Site,alternate download available without OpenCandy. Confirmed 10-24-2015) [9]
- CDex
- Cheat Engine (depending on version)
- Citrio
- ClipGrab (depending on version)
- Connectify
- CrystalDiskInfo (Except Portable Edition or Shizuku edition. Confirmed 10-24-2015. Dropped 10 Feb 2016.) [10]
- CutePDF
- Daemon Tools
- Darkwave Studio
- Dexpot
- DoNotSpy10
- doubleTwist
- DVDStyler (1.8.4.2 & dropped since 2.9.2)
- DVDVideoSoft
- EaseUS Partition Master Free 10.1[11]
- Format Factory
- Frostwire (doesn't affect on Linux version)
- Foxit Reader (6.1.4 – 6.2.1)[12]
- FL Studio
- FreeFileSync[13]
- Freemake Audio Converter (1.1.0.63, 1.1.7, confirmed via in-program update popup)
- Freemake Video Converter
- Freemake Video Downloader(confirmed 10/24/15 direct download from Freemake website)
- Free Video Dub
- Free Video To Flash Converter (5.0.6.221, according to terms of use)
- GameHouse
- GOM Player
- IE7Pro
- ImgBurn (from version 2.5.8.0,)[14]
- JDownloader
- KMPlayer
- Launchy (when not downloaded from SourceForge)
- MediaCoder
- Magical Jelly Bean (confirmed 11/12/2015 direct download from https://www.magicaljellybean.com/keyfinder/ )
- MediaInfo(confirmed 1/12/15 direct download from mediainfo and sourforge websites)
- MP3 Rocket[15]
- mIRC[16]
- Miro
- MyPhoneExplorer (dropped March 2015[17])
- Nero Burning ROM
- Novaroma
- Orbit Downloader(Confirmed 10-24-2015) [18]
- PDFCreator[19]
- PeaZip (5.2.2 & older Except "PeaZip Plain" & dropped with version 5.3 & newer)
- PhotoScape(Except 3.7 version)
- PrimoPDF[16]
- RealArcade
- RIOT (doesn't effect portable version)[20]
- Soldat
- StepMania
- SMPlayer(When download from sourceforge.net)
- Veoh Web Player
- Sigil (dropped with version 0.5.0 and later)[21]
- SUPER
- Trillian[16] (dropped 5 May 2011)
- Unlocker
- uTorrent (version 3.x.x and above)
- Winamp (not version 2.x. version 5.2 and newer & dropped with version 5.66)
- WinSCP (through August 2012)[22]
- Xfire
References
- ↑ Needleman, Rafe (11 November 2008), OpenCandy brings ad market to software installs. What?, CNET news, retrieved 2009-08-18
- 1 2 3 Marshall, Matt (10 November 2008), OpenCandy inserts recommendations when you install software, retrieved 2009-08-18
- ↑ Van der Sar, Ernesto (21 July 2015). "uTorrent Flagged As 'Harmful' by Anti-Virus Companies and Google". TorrentFreak. Retrieved 19 August 2015.
The anti-virus scans associate the uTorrent.exe file with Trojan.Win32.Generic!BT and the controversial OpenCandy bundling software. While this isn’t the first time that uTorrent has been flagged in this manner, we haven’t seen it being reported by this many independent tests before. [followed by an image showing open candy being flagged in utorrent on virus total]
- ↑ "Safely install ImgBurn without OpenCandy malware". www.jdhodges.com. Retrieved 2016-01-06.
- ↑ "To those who are unhappy about 2.5.8.0 being bundled with OpenCandy - ImgBurn General". ImgBurn Support Forum. Retrieved 2016-01-06.
- ↑ "Blocking Unwanted Connections with a Hosts File". winhelp2002.mvps.org. Retrieved 2016-01-06.
- ↑ "Free Anti-Malware & Internet Security Software". Malwarebytes. Retrieved 2016-01-06.
- ↑
- ↑ (Click More download options)
- ↑ Multiple Packages available
- ↑ End User License Agreement, retrieved September 2014
- ↑ Foxit Forum
- ↑ FreeFileSync FAQ
- ↑ "Change log". ImgBurn. LIGHTNING UK!. 2013-06-16. Archived from the original on 2014-08-08. Retrieved 2014-08-30.
Changed: No longer bundling/offering the Ask.com toolbar in the setup program, OpenCandy now handles product offerings during installation.
- ↑ http://www.herdprotect.com/signer-mp3-support-146c2e323177663b9df87fff1b9c31d8.aspx
- 1 2 3 gizmo, richards (2014-02-08). "Controversial Advertising Program Now Being Embedded in More Software". Gizmo's Freeware. Archived from the original on 2014-08-07. Retrieved 2014-08-30.
OpenCandy (OC) is a relatively new advertising product that more and more software developers are bundling with their programs. It can now be found in the installers of dozens of popular programs including IZArc, mirC, PrimoPDF, Trillian Astra and more.
- ↑ http://www.fjsoft.at/en/news.php
- ↑ On the Help/Facts page
- ↑ Discussions on pdfforge Forums
- ↑ http://alternativeto.net/software/riot---radical-image-optimization-tool/comments/
- ↑ Schember, John (21 January 2012). "Sigil 0.5.0 Released". Retrieved 2012-03-17.
- ↑ "WinSCP - OpenCandy". Retrieved 2014-04-03.