Privacy and Security Risks of "Not-a-Virus" Bundled Adware: The Wajam Case

Comprehensive case studies on malicious code mostly focus on botnets and worms (recently revived by IoT devices), prominent pieces of malware or Advanced Persistent Threats, exploit kits, and ransomware. Adware, however, seldom receives such attention. Previous studies of "unwanted" Windows applications, including adware, favored breadth of analysis, uncovering ties between different actors and distribution methods. In this paper, we demonstrate the capabilities, privacy and security risks, and prevalence of a particularly successful and active adware business, Wajam, by tracking its evolution over nearly six years. We first study its multi-layer antivirus evasion capabilities, a combination of known and newly adapted techniques that ensures low detection rates for its daily variants, along with its prominent features, e.g., traffic interception and browser process injection. Then, we look at the privacy and security implications for infected users, including plaintext leaks of browser histories and keyword searches on highly popular websites, along with arbitrary content injection on HTTPS webpages and remote code execution vulnerabilities. Finally, we study Wajam's prevalence through the popularity of its domains. Once considered as seriously as spyware, adware is now merely called "not-a-virus", "optional" or "unwanted", although its negative impact is growing. We emphasize that the adware problem has been overlooked for too long: it can reach (or even surpass) the complexity and impact of regular malware, and poses both privacy and security risks to users, more so than many well-known and thoroughly analyzed malware families.
