Analyzing "Not-a-Virus" Bundled Adware: The Wajam Case

Case studies on malicious code mostly focus on botnets and worms (recently revived with IoT devices), prominent pieces of malware or Advanced Persistent Threats, exploit kits, and ransomware, yet very little has been done on adware. Previous studies on "unwanted" applications, including adware, favored breadth of analysis, uncovering ties between different actors and distribution methods. We investigate the evolution over nearly six years of a particularly successful and active adware business: Wajam. As of 2016, as revealed by the Office of the Privacy Commissioner of Canada, Wajam had "hundreds of millions of installations" and had collected 400TB of private information from users. We gather 52 samples of Wajam, released between 2013 and 2018, and analyze its technical evolution from a simple browser add-on to full-fledged obfuscated malware with rootkit, browser process injection, and antivirus evasion capabilities. We uncover its strategy for ensuring a low detection rate, which relies heavily on numerous layers of encryption and, more recently, on steganography. Furthermore, Wajam leaks the browsing histories of four major browsers, along with the keywords searched by users on highly popular websites. It is also vulnerable to arbitrary content injection on HTTPS webpages, and likely to remote code execution. We show evidence that Wajam is a widespread threat, actively maintained with daily obfuscated samples that are poorly detected by antivirus engines. More worryingly, we found the same evasion techniques in another piece of adware, suggesting that they could be provided by a third party and reused in other cases. Finally, we conclude that the adware problem has been overlooked for too long: adware can reach (or even surpass) the complexity of advanced malware, and pose both privacy and security risks to users, more so than many well-known and thoroughly analyzed malware families.
