Privacy and Security Risks of "Not-a-Virus" Bundled Adware: The Wajam Case

Comprehensive case studies on malicious code mostly focus on botnets and worms (recently revived with IoT devices), prominent pieces of malware or Advanced Persistent Threats, exploit kits, and ransomware, yet very little has been done on adware. Previous studies on "unwanted" applications, including adware, favored breadth of analysis, uncovering ties between different actors and distribution methods. We investigate the evolution over nearly six years of a particularly successful and active adware business: Wajam. As revealed in 2016 by the Office of the Privacy Commissioner of Canada, Wajam had "hundreds of millions of installations" and collected 400TB of private information from users. We gather 52 samples of Wajam, released between 2013 and 2018, and analyze its technical evolution from a simple browser add-on to full-fledged obfuscated malware with rootkit, browser process injection, and antivirus evasion capabilities. We uncover its strategy for ensuring a low detection rate, which relies heavily on numerous layers of encryption and, more recently, on steganography. Furthermore, Wajam leaks the browsing histories of four major browsers, along with the keywords searched by users on highly popular websites. It is also vulnerable to arbitrary content injection on HTTPS webpages, and likely to remote code execution. We show evidence that Wajam is a widespread threat, actively maintained with daily obfuscated samples that are poorly detected by antivirus engines. More worrisome, we found the same evasion techniques in another piece of adware, suggesting that they could be provided by a third party and reused in other cases. Finally, we conclude that the adware problem has been overlooked for too long: adware can reach (or even surpass) the complexity of advanced malware, and poses both privacy and security risks to users, more so than many well-known and thoroughly analyzed malware families.

research, 05/13/2019