The term ‘parasite’ was coined by DOXdesk as a catch-all term to cover the range of unwelcome software targetted by the detection script when it was released in 2001.

It is shorthand for ‘unsolicited commercial software’; to meet the criteria for this category, a program must be:

  • Commercial: that is, the purpose of the software getting installed is to make money somehow for a third-party company. (This excludes viruses, generally created out of simple malice; hacker trojans, which are more targetted attempts to break in to a system, profit not always the motive; and surveillance utilities installed by an attacker with physical access to the target computer.
  • Unsolicited: that is, it is for the most part being installed without the affected users having specifically asked for it. This covers:

    • Bundling: software that gets installed in the background when some other software is loaded, without the user deliberately requesting the bundled software.

      Opt-in bundles that require user intervention to install are generally considered acceptable. Bundles that occur without the user being able to veto it are generally not; a licence agreement (EULA) that tells the user they are accepting other software in the small print is not enough.

      Opt-out bundles that are optional but happen by default during an installation are a somewhat grey area. They are judged partly on the clarity and transparency of the interface they present during installation, but primarily on whether there are lots of people complaining that they don’t know where the software came from.

    • Drive-by downloads: software that tries to install from an unrelated web page, often triggered by the adverts on it, if the page takes ads from a third-party advertising network. Users that simply click ‘Yes’, believing this to be required to load the page, will end up with unsolicited software. (It is believed there is also a bug in some older versions of Internet Explorer that may load software automatically without asking even when the security settings are not set that way.)

      Aggressive drive-by downloads use coercion tactics to try to get the user to click ‘Yes’, such as repeatedly opening error windows when the download is refused.

    • Exploits: web pages or e-mails that contain malformed data, crafted in such a way that a web browser with ‘security hole’ bugs might automatically execute code from it without asking the user. This tactic is generally considered more clearly illegal than most other installation methods used by parasites, but it is now widespread even in mainstream advertising networks.


Unsolicited commercial software that shows advertising materials to its user.

(Often this means pop-up adverts appearing during web browsing that were not opened by the site being browsed, or pop-ups during general desktop use, but there are other models of adding advertising to the web and desktop.)

Adware may also be used by some people to cover any software that shows ads, including programs like the free version of Opera, that have advertising built into their interfaces. DOXdesk does not cover this kind of ‘adware’ and does not consider it harmful, as it is not ‘unsolicited’, and does not run independently of its host program.


Unsolicited commercial software that silently leaks information to a third party, that, when collated, might constitute an invasion of privacy.

(This includes parasites which sends the URL of pages viewed to its controlling server along with a unique ID of some sort which allows a person's web usage patterns to be tracked, but not parasites that just send URLs without tracking ID/cookies to tie together browsing sessions.)

Spyware, however, has as many meanings are there are people who use the term. The above is DOXdesk’s long-standing definition. But for some it refers to keypress-logging tools and usage monitors installed by employers; for some it is any software that sends information to a third party. Many people use it as a pejorative catch-all term for any kind of undesirable software; meanwhile companies that distribute parasites tend to craft their own meaning for the term to explicitly exclude their own software from the definition.

For this reason, I prefer to avoid using the word ‘spyware’.

Browser hijackers

Unsolicited commercial software that changes browser settings to point users unexpectedly to a different site.

Typically such sites are low-rent search portals full of pay-per-click advertising and often no actual search results at all.

Homepage hijackers change the page that appears when the browser starts up.

Search hijackers change the search engine used when search queries typed in at the address bar and/or the search sidebar.

Hosts file hijackers write to the computer’s fixed domain-name lookup tables, so that when a targetted domain name is used, requests will be redirected to a completely different server.

Browser hijackers can work on a one-shot basis, sneaking in to change the settings once and then disappearing. But persistent hijackers, which repeatedly change the settings, not allowing the user to put their own preferences back in place, are now more common.

Affiliate-fee grabbers

Unsolicited commercial software that tricks affiliate schemes into paying undeserved commission.

Affiliate-fee grabbers wait until you visit a web site with an affiliate scheme (for example Amazon or Dell), then pass their own affiliate codes to the site so that it looks like you were referred there by the author company—even if you just typed the address in yourself. If you then make a purchase the author company will receive a commission from the sale.

An possessive affiliate-fee grabber will rewrite the affiliate codes even if you were referred from another affiliate site; in this case the author company receives the affiliate fee at the expensive of the real affiliate that prompted the sale.

Some plain adware programs may also affect affiliate schemes as a side-effect, by popping up adverts that set affiliate-network cookies.


Unsolicited commercial software that makes outgoing phone calls to premium-rate numbers.

Generally the dialler (or ‘dialer’, in US English) is ‘providing access’ to commercial content, typically porn. A modem (analogue or ISDN) must be connected to the computer for this to work; cable or DSL connections cannot, on their own, make outgoing calls.

A stealth dialler makes its calls without any prompting from the user, and typically turns the modem speakers off so the calls are not audible. The charges for the calls arrive after the fact on the victim’s phone bill, which may go unnoticed.

A hijacking dialler changes the default internet dial-up connection to its own, or alters the phone number of the existing default internet dial-up connection, so that all future internet connections are routed through its expensive numbers.

As well as traditional country-specific premium-rate numbers, diallers often use high-priced international and satellite telephony numbers, whose operator companies allow high-priced calls to act as payment channels. Another scam involves calls to a normal number followed by an invoice in the post.

Dialler provider companies insist that diallers are a legitimate way of accepting payments on the internet. However from anecdotal reports the vast majority of dialler use is fraudulent.


Unsolicited commercial software that can cause other untrusted software to be installed.

Many programs have self-update features, connecting to the internet to check for newer versions of themselves. This can be a significant problem if the update mechanism is silent—that is, it performs the update without any prompting or consent from the user.

This sort of feature can generally download arbitrary code—that is, it can do anything at all. Maybe the original software was trusted, but if the company changes policies or owners this trust may be abused in the future. Additionally if the updates are unsigned—not using code-signing or SSL—then an attacker with network-level access could compromise the software updates (for example through man-in-the-middle, DNS poisoning or domain-grabbing attacks).

More seriously, many parasites use this mechanism to install other companies’ parasites, effectively selling access to compromised machines to other parasite vendors. Who may then have their own bundling arrangements, leading to a chain reaction of parasites loading parasites that can eventually paralyse a computer.

Another trick used by backdoors is to lower the system’ security settings, allowing other parasites to install much more easily, for example by lowering Internet Explorer security options so that it runs all code without asking, or adding attackers to a list of sites or software publishers intrinsically trusted by the system. This kind of sabotage often goes unnoticed.

A state-storage mechanism built into web browsers. They are not really anything to do with unsolicited commercial software and are not covered at this site.

However, many of the anti-parasite programs also detect and remove cookies from certain advertising networks, as ‘tracking cookies’ or even ‘spyware cookies’.

There are reasons to be concerned about the ‘third-party cookies’ used by advertising networks: by identifying the viewer at every site that uses a network, they can assemble long-term web usage patterns that, with accidental or deliberate leakage of information from their member sites could also become personally identifiable.

Nonetheless, having cookies from ad networks is not a sign that a computer has been compromised, and isn’t really anything to get too worried about in itself. The problems related to cookies can be avoided by altering the built-in cookie settings available in all modern web browsers.

Parasite home...