Adware generally doesn’t fall into the same category as malicious software. However, recent research by researchers at Concordia University in Montreal, Canada, reveals that adware is in fact very similar to malicious code in the techniques it uses.
To prove that, researchers Xavier de Carné de Carnavalet and Mohammad Mannan analyzed a well-known player in the adware business known as Wajam.
The researchers investigated the evolution of Wajam over nearly six years. As of 2016, according to the Office of the Privacy Commissioner of Canada, Wajam had “hundreds of millions of installations” and had collected 400TB of private information from users, the report said.
Wajam has been around since 2013. In the past, it was advertised as a social search browser add-on that allows users to find what information has been searched online or shared by their friends on social platforms like Twitter and Facebook. As this is an ad-supported browser plug-in, Wajam is known to display various advertisements that some users find quite annoying. What turns Wajam into a potentially unwanted application is the risk of various infections involved with the pop-up, banner and in-text ads, which may lead the user to unverified and unsafe webpages.
In other words, Wajam has been known to inject ads into browser traffic, using techniques that malware operators use, such as man-in-the-browser (browser process injection) attacks, as seen in Zeus operations. Other examples include anti-analysis and evasion techniques, security policy downgrading and data leakage.
248 Domain Names Associated with Wajam
During their investigation, the researchers tracked 248 domain names used by Wajam, as found in code signing certificates, hardcoded URLs in samples, ad injection rules, other domains that were hosted simultaneously from the same IP address, and those declared in legal documents of the company.
It is highly important to note that:
Across generations, Wajam increasingly makes use of several anti-analysis and evasion techniques including: a) nested installers, b) steganography, c) string and library call obfuscation, d) encrypted strings and files, e) deep and diversified dead code, f) polymorphic resources, g) valid digital signatures, h) randomized filenames and root certificate Common Names, i) encrypted updates, and j) daily release of polymorphic variants.
Wajam is also designed with anti-detection features, ranging from disabling the Windows Malicious Software Removal Tool (MRT) and self-excluding its installation paths from Windows Defender to, in some cases, deploying rootkit capabilities to hide its installation folder from users.
To top that off, the experts unveiled a separate piece of adware, identified as OtherSearch, that reuses the same model and some of the same techniques as Wajam, sometimes in a more advanced manner. This “coincidence” most likely indicates a common third party that provides an obfuscation framework to both adware companies, and there may be others as well.
The report also describes a range of security flaws the researchers discovered that have exposed millions of users over the last four years to potential arbitrary content injection, man-in-the-middle (MITM) attacks, and remote code execution (RCE):
As the third generation of Wajam leverages browser process injection, the injected content is present in the webpage without its HTTPS certificate being changed, preventing even a mindful user from detecting the tampering. In addition, Wajam systematically downgrades the security of a number of websites by removing their Content Security Policy (CSP), e.g., facebook.com, and other security-related HTTP headers from the server’s response.
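Because the tampering happens inside the browser process, the TLS certificate gives no warning; what does change is the set of response headers the page ends up with. A practical check is to fetch the same URL out-of-band (a clean host, curl, or a proxy log) and compare its security headers with the ones the browser actually received. The following is an added example, not code from the Concordia paper or from Wajam: it parses two raw HTTP response heads (both constructed here, not captured from a real site) and reports every security-related header that was removed or altered between the reference and the observed copy.

```python
"""Flag security headers stripped or modified between a reference HTTP response
(fetched out-of-band) and the response observed in the browser.

Added example; the sample responses below are constructed, not real captures.
"""

# Headers whose removal or weakening lowers a site's security posture.
SECURITY_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
)


def parse_response(raw: str) -> tuple[str, dict[str, str]]:
    """Parse a raw HTTP/1.1 response head into (status_line, {name: value}).

    Header names are lower-cased; repeated headers are joined with ', '
    as RFC 7230 permits for list-valued fields.
    """
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _colon, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return status_line, headers


def diff_security_headers(reference: dict[str, str],
                          observed: dict[str, str]) -> list[dict[str, str]]:
    """Return one finding per security header that is missing or changed in
    `observed` relative to `reference`. Headers absent from the reference are
    ignored: the site never sent them, so nothing was stripped."""
    findings = []
    for name in SECURITY_HEADERS:
        ref_value = reference.get(name)
        if ref_value is None:
            continue
        obs_value = observed.get(name)
        if obs_value is None:
            findings.append({"header": name, "kind": "removed",
                             "reference": ref_value})
        elif obs_value != ref_value:
            findings.append({"header": name, "kind": "modified",
                             "reference": ref_value, "observed": obs_value})
    return findings


# Constructed reference response, as the origin server would send it.
REFERENCE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed response as seen by the browser: CSP gone, framing policy relaxed.
OBSERVED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><body>hello<script src=\"/injected.js\"></script></body></html>"
)


def check_samples() -> list[dict[str, str]]:
    """Run the comparison on the constructed samples above."""
    _status, ref_headers = parse_response(REFERENCE_RESPONSE)
    _status, obs_headers = parse_response(OBSERVED_RESPONSE)
    return diff_security_headers(ref_headers, obs_headers)


if __name__ == "__main__":
    for finding in check_samples():
        print(finding)
```

The comparison is deliberately one-directional: a header the origin never sent is not reported, so the check stays quiet on sites that simply lack a CSP and only fires when something between the server and the page removed or rewrote what the server did send.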
Ad injectors, in particular, are part of long-running PPI (pay-per-install) campaigns, as revealed by another report dedicated to the distribution of unwanted software which was published in 2016. For the purpose of the report, researchers from Google, New York University, and the International Computer Science Institute focused on four PPI affiliates (Amonetize, InstallMonetizer, OpenCandy, and Outbrowse) and regularly downloaded software packages for analysis.
Ad injectors modify a user’s browsing experience to replace or insert additional advertisements that otherwise would not appear on a website. Every PPI network the researchers monitored for the report participated in the distribution of ad injectors.
Symantec researchers have previously dubbed the pay-per-install business model “the new malware distribution network”, stressing that in the past malware (like worms) was self-propagating with the help of server-side vulnerabilities.
More about Wajam
Wajam Internet Technologies Inc. was originally headquartered in Montreal, Canada. Its product aimed at enhancing the search results of a number of websites (e.g., Google, Yahoo, Ask.com, Expedia, Wikipedia, YouTube) with content extracted from a user’s social media connections (e.g., Twitter, Facebook, Google+, LinkedIn). Wajam was first released in October 2011, rebranded as Social2Search in May 2016, then as SearchAwesome in August 2017. The report uses the name Wajam interchangeably to refer to the company or the software it developed. To gain revenue, Wajam injects ads into browser traffic. The company progressively lost its connection with social media and became purely adware in 2017, the report revealed.