Let adware be treated as malware, Canuck boffins declare after breaking open Wajam ad injector

If it walks like a duck and quacks like a duck then...

Analysis The technology industry has numerous terms for sneaky software, including malware, adware, spyware, ransomware, and the ever adorable PUPs – potentially unwanted programs. But there isn't always a clear difference between malware and less threatening descriptors.

In a research paper distributed this month through pre-print server ArXiv, a pair of researchers from Concordia University in Montreal, Canada – Xavier de Carné de Carnavalet and Mohammad Mannan – show that in the case of software known as Wajam, these categorical distinctions obscure how adware relies on the same untrustworthy techniques as malicious code.

"Adware applications are generally not considered as much of a threat as malware," the researchers say, pointing to anti-virus applications that label the code as not-a-virus, riskware, unwanted program or PUP. "After all, displaying ads is not considered a malicious activity. Consequently, adware has received less scrutiny from the malware research community."

The Canadian boffins argue that needs to change because Wajam, which injects ads into browser traffic, uses techniques employed by malware: browser process injection attacks (man-in-the-browser) seen in the Zeus banking Trojan, anti-analysis and evasion techniques, anti-detection features seen in rootkits, security policy downgrading and data leakage.

Also, over the past four years, the code has contained flaws that expose people using it to arbitrary content injection, man-in-the-middle (MITM) attacks, and remote code execution (RCE). Yet security companies remain reticent to apply the term malware too liberally because companies making dubious software have a history of suing. Recall in 2005 how spyware biz Zango, now defunct, sued Zone Labs for calling its software what it was.

"The line between adware and malware is a gray area," said de Carné de Carnavalet, a doctoral candidate in information and systems engineering at Concordia University in an email to The Register on Friday.

"Actually, the terminology has evolved in the past 15 years. Invasive adware was also considered as spyware, because of all the personal and sensitive data they collect. This was not the taste of adware vendors who filed lawsuits against antivirus companies. Those companies now simply use the terms 'adware' or 'potentially unwanted application.'"

"As a result, both antivirus companies and researchers rank the adware problem as a lower priority than, let's say, ransomware, and even tend to leave it out. We hope to bring back the focus on this issue. It is still there, and it now has even more impact than before."

He adds that his paper also touches on vulnerabilities in adware. "It can have serious vulnerabilities, and nobody has incentives to report or fix them," he said.

Waja doin' with that sample?

Working with professor Mohammad Mannan, de Carné de Carnavalet collected 52 samples of the ad injector Wajam – which has gone by different names over the years – spanning from 2013 through 2018 in order to study its chronological evolution. The samples contain more sophisticated anti-analysis and rootkit-like features than would be typically found in the most advanced malware.

Wajam, created by Montreal-based Wajam Internet Technologies, was first released in October 2011, the paper explains, and was rebranded as Social2Search in May 2016, then renamed SearchAwesome in August 2017.

In 2016 and 2017, the Office of the Privacy Commissioner (OPC) of Canada investigated the company and its software and found multiple violations of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). It made a series of recommendations to remediate violations, only to have the company sell its assets to Hong Kong-based Iron Mountain Technology Limited.

In a statement emailed to The Register, a spokesperson for Canada's OPC said the agency is aware of the Wajam research paper and its analysis of the software.

"Our investigation looked at the matter through a more narrow privacy lens," the OPC spokesperson said. "During our investigation, we found the functionality had more to do with adware than enabling social media searching. In other words, the intent of the software was to serve ads to the user which is not, in itself, contrary to PIPEDA provided it is done in accordance with certain legal principles."

"On the other hand, we generally view malware as malicious software that can be harmful to computer users and their devices," the OPC spokesperson added. "It can include various types of program which may install computer viruses, spyware, ransomware, can recruit computers into botnets or lead to crypto-currency mining (to name a few examples)."

The OPC spokesperson said several of Wajam's privacy practices contravene PIPEDA, such as the company's failure to obtain meaningful consent to the installation of the software, which resulted in the collection and use of personal information. The OPC also found the company prevented users from withdrawing their consent by making the software difficult to uninstall and by failing to take measures to safeguard users' personal information.

It's not going away

Despite these findings, eight years on, Wajam lives on, under an assumed name and a different legal jurisdiction. The Register emailed Iron Mountain Technology in the hope of discussing the software but we've not heard back.

"Advertising is not inherently bad, nor malicious," said de Carné de Carnavalet. "The ads displayed by Wajam are not known to be malicious either. However, Wajam could be considered as malicious due to the personal data it collects, insecurely, from users, including their browsing and download histories, and all search queries that the user makes."

He notes that it's doubtful users of Wajam, Social2Search or SearchAwesome would allow the software to operate as it does if they understood how it works and how it collects information.


Just Android things: 150m phones, gadgets installed 'adware-ridden' mobe simulator games


In a phone interview with The Register, Andrew Crocker, senior staff attorney at the Electronic Frontier Foundation, said some of his colleagues have been arguing that sneaky software, now commonly employed by governments in addition to the marketers and cyber criminals, should be looked for common behavior rather than separated by prefixes like adware or ransomware.

"If you install software against the users wishes or without the users' knowledge, that's the behavior of malware," he said, pointing to the Computer Fraud and Abuse Act, the Wiretap Act, and the Electronic Communications Privacy Act as potential avenues for legal challenges.

There have been a few high-profile cases involving adware, most recently Lenovo's $7.3m settlement last year that it distributed Superfish adware on its PCs. But law enforcement authorities don't go after browser history thieves with the same passion as credit card thieves or raiders of government databases.

To mitigate the threat posed by adware, de Carné de Carnavalet argues more effort should be made to warn people attempting to install adware and that desktop platforms should adopt some of the same permission disclosures presented to mobile device users.

"You can't stop someone from writing an 'unwanted program,'" he said. "But such programs can be more seriously considered and better detected." ®

Similar topics

Other stories you might like

  • UK science suffers as lawmakers continue to dither over Brexit negotiations

    Horizons Europe carrot dangled amid protocol wrangling

    A report from the UK House of Commons' European Scrutiny Committee has blamed delays in Brussels for choking off revenue streams to British institutions and businesses.

    The UK departed the European Union following a 2016 referendum. One of the results was that UK businesses were no longer able to tender for lucrative contracts within the bloc.

    The Brexit Divorce Bill uncomfortably laid out the facts back in 2018. The satellite navigation system Galileo was one victim despite substantial involvement from the UK in its development. Another was the Copernicus Earth monitoring programme; the UK was infamously snubbed when the European Space Agency (ESA) handed out six juicy contracts to institutions from the Continent.

    Continue reading
  • Warehouse belonging to Chinese payment terminal manufacturer raided by FBI

    PAX Technology devices allegedly infected with malware

    US feds were spotted raiding a warehouse belonging to Chinese payment terminal manufacturer PAX Technology in Jacksonville, Florida, on Tuesday, with speculation abounding that the machines contained preinstalled malware.

    PAX Technology is headquartered in Shenzhen, China, and is one of the largest electronic payment providers in the world. It operates around 60 million point-of-sale (PoS) payment terminals in more than 120 countries.

    Local Jacksonville news anchor Courtney Cole tweeted photos of the scene.

    Continue reading
  • Everything you wanted to know about modern network congestion control but were perhaps too afraid to ask

    In which a little unfairness can be quite beneficial

    Systems Approach It’s hard not to be amazed by the amount of active research on congestion control over the past 30-plus years. From theory to practice, and with more than its fair share of flame wars, the question of how to manage congestion in the network is a technical challenge that resists an optimal solution while offering countless options for incremental improvement.

    This seems like a good time to take stock of where we are, and ask ourselves what might happen next.

    Congestion control is fundamentally an issue of resource allocation — trying to meet the competing demands that applications have for resources (in a network, these are primarily link bandwidth and router buffers), which ultimately reduces to deciding when to say no and to whom. The best framing of the problem I know traces back to a paper [PDF] by Frank Kelly in 1997, when he characterized congestion control as “a distributed algorithm to share network resources among competing sources, where the goal is to choose source rate so as to maximize aggregate source utility subject to capacity constraints.”

    Continue reading
  • How business makes streaming faster and cheaper with CDN and HESP support

    Ensure a high video streaming transmission rate

    Paid Post Here is everything about how the HESP integration helps CDN and the streaming platform by G-Core Labs ensure a high video streaming transmission rate for e-sports and gaming, efficient scalability for e-learning and telemedicine and high quality and minimum latencies for online streams, media and TV broadcasters.

    HESP (High Efficiency Stream Protocol) is a brand new adaptive video streaming protocol. It allows delivery of content with latencies of up to 2 seconds without compromising video quality and broadcasting stability. Unlike comparable solutions, this protocol requires less bandwidth for streaming, which allows businesses to save a lot of money on delivery of content to a large audience.

    Since HESP is based on HTTP, it is suitable for video transmission over CDNs. G-Core Labs was among the world’s first companies to have embedded this protocol in its CDN. With 120 points of presence across 5 continents and over 6,000 peer-to-peer partners, this allows a service provider to deliver videos to millions of viewers, to any devices, anywhere in the world without compromising even 8K video quality. And all this comes at a minimum streaming cost.

    Continue reading
  • Cisco deprecates Microsoft management integrations for UCS servers

    Working on Azure integration – but not there yet

    Cisco has deprecated support for some third-party management integrations for its UCS servers, and emerged unable to play nice with Microsoft's most recent offerings.

    Late last week the server contender slipped out an end-of-life notice [PDF] for integrations with Microsoft System Center's Configuration Manager, Operations Manager, and Virtual Machine Manager. Support for plugins to VMware vCenter Orchestrator and vRealize Orchestrator have also been taken out behind an empty rack with a shotgun.

    The Register inquired about the deprecations, and has good news and bad news.

    Continue reading
  • Protonmail celebrates Swiss court victory exempting it from telco data retention laws

    Doesn't stop local courts' surveillance orders, though

    Encrypted email provider Protonmail has hailed a recent Swiss legal ruling as a "victory for privacy," after winning a lawsuit that sees it exempted from data retention laws in the mountainous realm.

    Referring to a previous ruling that exempted instant messaging services from data capture and storage laws, the Protonmail team said this week: "Together, these two rulings are a victory for privacy in Switzerland as many Swiss companies are now exempted from handing over certain user information in response to Swiss legal orders."

    Switzerland's Federal Administrative Court ruled on October 22 that email providers in Switzerland are not considered telecommunications providers under Swiss law, thereby removing them from the scope of data retention requirements imposed on telcos.

    Continue reading
  • Japan picks AWS and Google for first gov cloud push

    Local players passed over for Digital Agency’s first project

    Japan's Digital Agency has picked Amazon Web Services and Google Cloud for its first big reform push.

    The Agency started operations in September 2021, years after efforts like the UK's Government Digital Service (GDS) or Australia's Digital Transformation Agency (DTA). The body was a signature reform initiated by Prime Minister Yoshihide Suga, who spent his year-long stint in the top job trying to curb Japan's reliance on paper documents, manual processes, and faxes. Japan's many government agencies also operated their websites independently of each other, most with their own design and interface.

    The new Agency therefore has a remit to "cut across all ministries" and "provide services that are driven not toward ministries, agency, laws, or systems, but toward users and to improve user-experience".

    Continue reading
  • Singaporean minister touts internet 'kill switch' that finds kids reading net nasties and cuts 'em off ASAP

    Fancies a real-time crowdsourced content rating scheme too

    A Minister in the Singapore government has suggested the creation of an internet kill switch that would prevent minors from reading questionable material online – perhaps using ratings of content created in real time by crowdsourced contributors.

    "The post-COVID world will bring new challenges globally, including to us in the security arena," said Minister for Defence Dr Ng Eng Hen at a Tuesday ceremony to award the city-state's 2021 Defense Technology Prize.

    "For operations, the SAF (Singapore Armed Force) has to expand its capabilities in the digital domain. Whether for administrative or operational purposes, I think that we will need to leverage technology to the maximum," he declared.

    Continue reading

Biting the hand that feeds IT © 1998–2021