
Adware Shifts Focus from Advertising to Data Harvesting

Adware – the annoying software most people know for irritating them with distracting ads – is increasingly taking on a more invasive form and is often bundled with spyware as its creators seek to tap the potential riches of the data harvesting business, according to Bitdefender research.

Just as web advertising boosted the amount of user-generated content in the dot-com era, so it has done with software applications. The integration of advertising and pay-per-install programs into freeware applications as a means of monetization has been a breath of fresh air for small software developers around the world. However, greed and the desire to make the most money with the least effort have given adware an ugly and dangerous turn. This report is a summary of the most prominent and most dangerous adware components that can impact the user, their computer or both.

Malicious adware distribution for Q2, 2012:

Gen:Variant.Adware.Solimba is a generic detection that flags the potentially unwanted installation of third-party software alongside the product the user is trying to install. A representative Adware.Solimba sample is an executable file written in C# that acts as a downloader: it tries to fetch executable files from the ad network, depending on the campaign. This adware has potentially malicious behavior, as it collects user data. Adware.Solimba affects systems running Windows versions from Windows 2000 to Windows 7.

Gen:Variant.Adware.Hotbar was among the top-ranking e-threats in Germany in 2011. Although fairly old, Adware.Hotbar is still significantly active. It can install a browser toolbar to force commercial pop-up messages onto PC screens. Adware.Hotbar was also found monitoring users’ online activities to create profiles based on search habits and country of origin, redirecting searches towards a German virtual store. It has been seen spiking around national holidays as well.

Gen:Variant.Adware.Graftor poses as a legitimate software application. Variant.Graftor is a generic detection for multiple malware families, mostly Trojans, among which is the notorious Vundo family. The Vundo Trojan, for instance, is a persistent family of adware that advertises rogue antivirus products, but it is also responsible for more complex attacks, including distributed denial of service and even holding the victim’s data for ransom.

Other complex threats were also found to enable adware-type malware installation. Trojan.Sirefef, for example, hijacks web search results and redirects them to sites carrying adware. To stay hidden, it deploys a rootkit component and creates a new thread with its malicious code every time the user opens an application. Sirefef is highly versatile: it is a multi-component e-threat that allows its masters to launch a wide range of attacks, from installing rogue AV software on the infected PC to generating pay-per-click advertising revenue for its owners.

While in most cases adware applications are annoying but harmless, they become dangerous and privacy-invasive when someone integrates spying modules into their code. Not all freeware and shareware comes bundled with spyware, nor do all products that collect data from users use it illegally or for the wrong reasons.

Rogue adware applications rigged with spyware components collect all sorts of information about users, their systems and their online habits under the protective umbrella of an EULA or privacy policy agreed upon by the users. Few people read the terms and conditions before agreeing.

If read, some of these privacy policies stipulate the terms and conditions under which their authors can create a system profile that may be shared with third parties as long as the identity of the user is not attached to that system profile. Dissociating the information from its owner is supposed to give the user the comfort of privacy. Some EULAs also announce that they can be amended without informing the user. Can we really know for sure what will become of our data?

So, collecting and fairly handling this kind of data, including names, e-mail addresses and other private information, is far more difficult than simply forcing a commercial pop-up on a user.

Spyware-rigged ads may also be placed into a software installer window, with opt-in check boxes for changing the start page (hijacking it), changing the search engine, installing toolbars and accepting the license agreement and/or privacy policy statement, in order to redirect users towards certain products or services.

As a rule, adware generates revenue for its authors either by inducing the user to buy a certain product via ad placement or by putting together a unique profile of a system through monitoring the user’s local and online activities. Locally it looks for hardware components or software choices; online, for browsing or shopping habits. The latter can evolve into a malicious and intrusive practice.

When acting as spyware, apart from stealing data, the malware eats up system resources such as RAM or bandwidth as it siphons information to its command and control center over the victim’s Internet connection. It may even download other pieces of malware, monitor other locally installed applications, sniff instant messaging or read cookies.

Who stands to gain from this practice? Many: rogue companies, rogue online shops, rogue affiliate marketers and the rogue programmers who develop these adware applications to sell them. Developers recoup their investment in development, maintenance and upgrades on the one hand; producers or sellers of the promoted services and goods pay lower advertising fees on the other. Data harvesters, in turn, may choose to sell the collected data to third parties.

How big is this business? Advertising is a highly profitable business. After all, it was advertising that contributed to the explosive growth of the Internet, and it is just as suitable for software applications. Aggressive and unscrupulous advertising builds up more revenue in shorter timeframes. This is why adware takes up a significant part of the worldwide malware rankings, with Adware.Solimba ranking as the 22nd most prominent threat in the world.

About the author

Loredana BOTEZATU

A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.
