Avatar

Adware has been around for a while now. In principle, displaying advertising in order to finance your software is not necessarily something bad. Users are used to seeing advertising everywhere: newspapers, magazines, and websites. When advertising was introduced to software, users had a surprisingly high tolerance for it. Later, adware applications became more aggressive. Publishers started bundling more applications and taking advantage of the License Agreements to install anything they wanted. Until today, users and companies tolerated these type of applications. Only in rare cases is there a plan in place to remove this software from the user’s computers.

In our previous blog, Bad Browser Plug-ins Gone Wild: Malvertising, Data Exfiltration, and Malware, Oh my!, we covered more details about how the ad-injectors work. In this blog we will focus on their network traffic and what information is being leaked.

Figure 1: Advertising-supported software displays advertising in order to generate revenue for its authors. Users are used to tolerate the advertising and companies do not usually have a remediation plan for this type of software. The real risk that Adware poses to the users is not widely known.
Figure 1: Advertising-supported software displays advertising in order to generate revenue for its authors. Users are used to tolerate the advertising and companies do not usually have a remediation plan for this type of software. The real risk that Adware poses to the users is not widely known.

The adware landscape has changed in the last decade. Adware plays on user’s ignorance and blind trust of software manufactures. Adware is now installing additional software without a user’s knowledge, or consent. According to the 2016 Cisco Annual Security Report, more than 70% of organisations surveyed are affected by adware infections every month. By studying the network traffic associated with these type of applications, we discovered the most common risk is the information leakage they cause.

In this blog we expose the type of information usually leaked by these applications and how privacy is being compromised. We will focus on just one group of malicious ad-injector servers tied to more than 700 ad-injector browser extensions and adware applications.

Ad-Injectors, Browser Hijackers, Utilities & More!

In a recent study of commercial Pay-Per-Install (PPI Explained ecosystem, [Thomas, Kurt, et al] present an excellent classification of adware families. The main categories presented are:

  • Ad-Injectors: the most prolific of all, ad-injectors modify the content of the browser in order to display advertising that otherwise would be absent in the visited website (see Figure 2). The majority of the ad-injectors are browser-based infections in the form of malicious browser extensions.
  • Browser Hijackers: this type of adware makes more modifications to the system than traditional ad-injectors, highlighting words, changing the default search engine, showing pop-ups outside the browser.
  • Utilities: using social engineering, these applications trick the user to believe they are offering a benign service. They show problems on the system, such as an infection or poor system performance, and lure users to subscribe to their service to fix nonexistent problems. Utilities applications include system optimizers and software removal tools.
Figure 2: Ad-injectors, browser hijackers and utilities change system settings on the affected computed, leading to insecure configurations. Whether is in-browser ad-injection, pop-ups, word highlights or offering some fake service, all of them try to redirect users’ traffic to their own websites for profit.
Figure 2: Ad-injectors, browser hijackers and utilities change system settings on the affected computed, leading to insecure configurations. Whether is in-browser ad-injection, pop-ups, word highlights or offering some fake service, all of them try to redirect users’ traffic to their own websites for profit.

Most of these adware families, from ad-injectors to utilities, are distributed through software bundles. PPI Affiliate Networks are in charge of selecting which software install, via fingerprinting of the compromised system and also the level of user consent required on the installations [Thomas, Kurt, et al.]. As exemplified in Figure 3, when the end user installs a seemingly legitimate application such as Merge MP3, other applications will be additionally installed, in this case a FlashBeat Browser Add-On. In many cases, the user cannot refuse installation.

Figure 3: Example of a bundle install, which installs additional software without opt-out option for end users. (Source: https://www.pcrisk.com/removal-guides/8644-ads-by-flashbeat)
Figure 3: Example of a bundle install, which installs additional software without opt-out option for end users. (Source: https://www.pcrisk.com/removal-guides/8644-ads-by-flashbeat)

There are hundreds -even thousands- of variants of ad-injectors. Grouping or classifying them is truly challenging. In our approach, we focus on the network traffic these ad-injectors generate. We discovered that different families often share the communication mechanism and the ad-injector servers that are used for retrieving the final advertising that is displayed to the user. At Cognitive Threat Analytics, we detect, track and study these groups of similar ad-injector servers. In the next section we will explore one specific group, its network activity and how it may not only collect but also disclose, private information from the infected users.

The ‘AMZ’ injection servers

As we mentioned previously, once an ad-injector is installed on the system it will start injecting code in the visited web sites which will load and display the desired advertising. The advertising that is displayed will depend on the economics of the ad-injection server. The behavior associated with the ‘AMZ’ family is shown in Figure 4.

Figure 4 (A) : Structure of the main network traffic components of the 'AMZ' ad-injector servers. Both URL strings ('/amz/a' and '/affs?addonname') are unique for these group of ad-injector servers.
Figure 4 (A) : Structure of the main network traffic components of the ‘AMZ’ ad-injector servers. Both URL strings (‘/amz/a’ and ‘/affs?addonname’) are unique for these group of ad-injector servers.
Figure 4 (B) : Information sent by both main network traffic components of the 'AMZ' ad-injector servers. The first one is obtained by decoding the Base64 string of the URL.
Figure 4 (B) : Information sent by both main network traffic components of the ‘AMZ’ ad-injector servers. The first one is obtained by decoding the Base64 string of the URL.

In both URLs shown above (Figure 4 (B)), information is sent to the ad-injector servers: affiliate and sub-affiliate IDs, add-on name and HTTP referrer among others. In the last 20 months of data we studied, we identified 700 unique add-ons using these ad-injector servers, the most popular among them are Plus-HD, Cinema-Plus, PassShow and IntelliTerm.

Figure 5: Evolution of one add-on over the last 20 months, from version 1.1 to version 23.08 or version 6. While the versioning is a bit unclear, it shows us that the development is quite active.
Figure 5: Evolution of one add-on over the last 20 months, from version 1.1 to version 23.08 or version 6. While the versioning is a bit unclear, it shows us that the development is quite active.

Your digital presence exposed, multiple times, to… everyone

The other piece of information being exfiltrated is the HTTP referrer, which turns to be the most critical one. The logic of ad-injectors is very simple. They will try to inject advertising into every page you open in your browser, making no distinction between external websites, internal websites, local files opened via browser or even browser settings pages. These malicious browser extensions will monitor every page you visit, even HTTPS sites. Additionally, these applications will inject not one but many pieces of advertising in every visited page. Often every piece of injected code will generate one of these HTTP requests to a different server. These leads to a complicated situation, where information is leaked to different servers every time.

A simple field like the ‘HTTP referer’ may leak critical information about the user, such as visited news sites, intranet sites of an organisation, user name, activities, personal preferences, location, political ideology and more. This type of information is usually collected when doing reconnaissance before an attack. In the image below we show some redacted examples of URLs exfiltrated on this ‘referer’ field to illustrate the importance of this field.

Figure 6: Examples of HTTP referrer’s exfiltrated by these ad-injector applications. Ad-Injectors do not distinguish between internal sites, files, error pages or external sites. They will attempt to inject advertising at any level and they see all the sites we visit through our browser.
Figure 6: Examples of HTTP referrer’s exfiltrated by these ad-injector applications. Ad-Injectors do not distinguish between internal sites, files, error pages or external sites. They will attempt to inject advertising at any level and they see all the sites we visit through our browser.

There are three key problems with such leaked information:

  • Redundancy: multiple ad-injection servers are storing this information simultaneously, right now. When private data is stored in multiple malicious locations (even geographically), it increases the opportunity for misuse by malicious actors.
  • No encryption: the information leaked is sent through plain HTTP to the ad-injector servers, not only exposing your information to them but to anyone that is watching your traffic.
  • Historical visibility: as adware infections are not remediated, these servers are able to store your leaked browsing information for long periods of time, allowing them to build a pretty accurate profile of your online behavior.

Massive Scale

This ‘AMZ’ group of ad-injector servers is quite small in size. In Figure 7, you can see the amount of active servers and domains for the past 20 months, which consist of a couple dozen active servers and no more than one hundred active hosts at a given time. While this doesn’t sound alarming, the practice described here is common for other adware families as well. Our research team is tracking more than 80 different groups of ad-injector servers. All present the same behavior: leaking immense quantities of personal information every day.

Figure 7: Mapping of the infrastructure behind the 'AMZ' ad-injector servers. While is quite small in size, the same problems described here are used by many other adware families. At CTA we are tracking more than 80 families of ad-injectors.
Figure 7: Mapping of the infrastructure behind the ‘AMZ’ ad-injector servers. While is quite small in size, the same problems described here are used by many other adware families. At CTA we are tracking more than 80 families of ad-injectors.

Conclusion

While ad-injector adware seems to be only about injecting advertising, it is much more than that. Ad-injectors can leak tremendous amount of information about our online behavior, our every day activities, about our organisations and personal preferences. In many cases, third parties can abuse this information and endanger your personal security, or the security of your organisation.

There are three main problems associated with this information leakage that makes it even more critical:

  1. Redundancy of the exfiltrated information
  2. Lack of encryption makes the leaked information available to everyone with access to your traffic
  3. Historical visibility as the adware infections are usually long lived due lack of remediation practices

While having an ad-blocker or script blocker will prevent the advertising to load and will protect users from the risks of the injected advertising, it will not solve the problem. Not being able to see if there is a malicious advertising injected on a page will make the detection of these infections difficult.

We recommend, in addition to having these solutions, you pay attention when you visit sites that you know are trusted and that they do not have advertisements. If you visit an internal site and you see advertising, there is a good chance you have an adware infection. These are not to be underestimated. Educate users to report them and include them in your Incident Response plans. While the risks of these individual infections may seem trivial compared to an information stealing Trojan, adware infections may leak more information than them. Stay safe.

Where to go next

To request a free evaluation that will uncover adware, as well as command and control communications lurking in your environment visit: https://cognitive.cisco.com/

Read more about CTA threat detection in action:

Watch more about CTA as part of Cisco Security solutions:



Authors

Veronica Valeros

Lead Threat Researcher

Cognitive Threat Analytics