Why is Adware Dangerous and How you should avoid it


Why is Adware Dangerous

Adware is not as harmless as it used to be. Nowadays (this is being written in 2017) adware is a serious threat to your computer and to the personal information we all share on the internet.

In the “good” days of adware, the term referred to legitimate software that used embedded advertisements to cover its development costs. These advertisements were shown during installation or within the software itself.

Generally you could remove the embedded advertisements by purchasing the full or premium version of the software. This way of funding software through advertising is what should properly be called adware.

Adware has changed, and let me explain why and how

The term Adware is frequently used to describe a form of malware (malicious software).

As stated earlier in this article, adware is no longer the harmless software of the “good times”. This is because serious money is involved in the advertising business. Advertising networks try to collect as much Personally Identifiable Information (PII) and technical browser information as they can and use it for all kinds of purposes.

But the main reason for collecting our PII, browsing behavior and technical browser and system information is money.

Types of Adware

Adware, like malware, is an umbrella term. Anything that has to do with unwanted advertisements is commonly called adware.

However, there are different methods of displaying intrusive, unwanted advertisements to computer users.

Browser Hijackers

Browser hijackers are known to take over the installed default browser and replace its homepage and search engine without the computer user noticing.
The main purpose of hijacking a browser is to generate traffic to the promoted website, which improves its ranking in search engines, and to earn revenue from in-text advertisements or sponsored search results.

When a browser hijacker has infected your browser, you might experience any of the following problems with your computer:

  • Your searches are redirected to unknown websites.
  • Your homepage or search engine is changed without your permission.
  • Web pages load slowly or display advertisements you have never seen before.
  • Toolbars you did not install appear in your web browser.
  • You see multiple pop-up alerts.

We think browser hijackers are underestimated. Besides being very annoying, they also tend to use malware-like tactics to hide their presence, remain installed on your computer and keep taking over your browser.

Browser hijackers are known to infect all the common browsers. Notably, Google Chrome seems to be targeted a bit more than Internet Explorer, Firefox or Microsoft Edge. Our guess is that this is partly because Chrome is used a lot, but also because it is not that complex to create a browser extension for Google Chrome, as many APIs are available.

Let’s look at two examples of common Browser Hijackers and why they are dangerous.

Example: Trovi Browser Hijacker

Trovi.com is a well-known and very active browser hijacker. Trovi (by Client Connect LTD) uses a “Search Protect” tool. This Search Protect tool keeps Trovi.com installed as long as you do not change it through their tool or uninstall Search Protect from Windows.

If you are unaware of this deceptive technique, it is impossible (or at least not easy) to remove Trovi from your computer and restore your browser to its default settings. Removing Trovi through Search Protect is not mentioned on their uninstall page.

Example: Youndoo Browser Hijacker

The Youndoo browser hijacker drops a malicious DLL named wtsapi32.dll and relies on the browser loading the functions from that malicious copy. Normally wtsapi32.dll is located at c:\windows\system32\wtsapi32.dll.

But the Youndoo.com installer places a wtsapi32.dll file in the default Google Chrome and Mozilla Firefox directories so that the browser loads that copy instead. The malicious wtsapi32.dll in the Chrome and Firefox directories reads the homepage from a registry entry created by Youndoo, which is different from the registry key where the browser's default homepage(s) are stored.

This means that resetting or restoring your browser's homepage to its default settings does not work.

Again, this is an example of how browser hijackers use malware-like techniques to hide their presence and remain your default homepage and search engine.
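As an added example (not code from the original article), here is a Python check for the technique described above: it scans a file inventory for copies of wtsapi32.dll located outside the Windows system directories, where a browser would load them instead of the genuine one, and compares their hash with the System32 copy. Windows applications search their own directory before System32, so a DLL with a system name next to the browser executable is the signal to look for. The inventory, the Chrome and Firefox install paths and the SHA-256 values below are constructed placeholders, not values from the article.

```python
from pathlib import PureWindowsPath

# Name of the system DLL the Youndoo hijacker impersonates (from the article).
TARGET_DLL = "wtsapi32.dll"

# Directories where a copy of this DLL is legitimate. Applications search their
# own directory before these, so a same-named DLL placed next to the browser
# executable is loaded instead of the genuine one (DLL side-loading).
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
SYSTEM_DIRS = (SYSTEM32, PureWindowsPath(r"C:\Windows\SysWOW64"))


def _in_system_dir(path):
    """True if path lives directly in one of the Windows system directories.
    PureWindowsPath compares case-insensitively, matching Windows semantics."""
    return any(path.parent == d for d in SYSTEM_DIRS)


def find_sideload_candidates(inventory, dll_name=TARGET_DLL):
    """inventory: iterable of (path, sha256_hex) tuples, e.g. from a file scan.
    Returns one finding per copy of dll_name outside the system directories,
    noting whether its hash differs from the System32 copy when one is listed."""
    dll_name = dll_name.lower()
    system_hash = None
    out_of_place = []
    for raw_path, digest in inventory:
        p = PureWindowsPath(raw_path)
        if p.name.lower() != dll_name:
            continue
        if p.parent == SYSTEM32:
            system_hash = digest.lower()      # the genuine copy to compare against
        elif not _in_system_dir(p):
            out_of_place.append((p, digest.lower()))

    findings = []
    for p, digest in out_of_place:
        if system_hash is None:
            status = "no System32 copy in inventory to compare against"
        elif digest == system_hash:
            status = "identical to System32 copy (still out of place)"
        else:
            status = "hash differs from System32 copy"
        findings.append({"path": str(p), "sha256": digest, "status": status})
    return findings


# Constructed inventory: the genuine DLL plus the two browser-directory copies the
# article describes. Install paths are assumed; hashes are made-up placeholders.
SAMPLE_INVENTORY = [
    (r"c:\windows\system32\wtsapi32.dll", "aa" * 32),
    (r"C:\Windows\SysWOW64\wtsapi32.dll", "bb" * 32),
    (r"C:\Program Files\Google\Chrome\Application\wtsapi32.dll", "cc" * 32),
    (r"C:\Program Files\Mozilla Firefox\wtsapi32.dll", "cc" * 32),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", "dd" * 32),
]

if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_INVENTORY):
        print(f"{finding['path']}: {finding['status']}")
```

On a real machine the inventory would come from walking the browser install directories and hashing each file; the logic above is unchanged.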

Adware Programs

Adware programs are today's problem if you see many advertisements within Windows and in your browser. This adware software is built only to hide its presence on your computer and display advertisements, which often pop up out of the blue.

You might experience any of the following problems with your computer if an adware program is installed:

  • Your browser may open unexpectedly and use a redirection domain to display a website you did not intend to visit.
  • Your computer may open a Support Scam (example) to deceive you into calling a dangerous and expensive telephone number for a problem that does not even exist on your computer.
  • Your computer might be locked and ransomware might be installed and encrypt your files (yes, adware can be responsible for ransomware).
  • A new browser window might pop up with a message like “Your Flash Player is out of date” or “Update Media Player to Continue” (both scams).
  • Potentially unwanted programs might be installed without your approval.
  • When you visit a website, keywords might turn blue or green. When you hover over them, a pop-up ad appears with a link and a small text such as “Ads by …”, “Powered by …” or “Brought by …”.

Example: RunBooster adware

RunBooster by Skynet Corporation is a typical adware program that does nothing more than open pop-up window(s) within your browser and display advertisements labeled “Ads by Not Set” or “Ad by Advertise”.

The RunBooster executable has an embedded description string with the text “Shows unique selling propositions while surfing the web”. Yeah, whatever!

RunBooster can determine whether Microsoft Windows is running as an x86 (32-bit) or x64 (64-bit) version.
RunBooster is installed in C:\Program Files\RunBooster with the files RunBooster64.exe, WinDivert.dll, RunBoosterUpdateTask64.exe, Uninstall.exe and msvcr110.dll. It also installs a driver at C:\Windows\system32\Drivers\WinDivert64.sys.

Another malware-like technique many adware programs use is creating a Windows scheduled task that runs at reboot. RunBooster does this in C:\Windows\System32\Tasks with a task named “RunBoosterUpdateTask” pointing to RunBoosterUpdateTask64.exe.

So after each reboot RunBoosterUpdateTask runs, the program starts, and you get many redirects in your browser. These redirects are built using a redirection domain, which we explain in the next chapter.

Redirection domains

At the time of writing this article we see a huge growth in browser redirects, sending your browser to unknown and even malicious websites. Here are a few examples of advertising networks involved in redirecting your browser to questionable websites.

adnetworkperformance.com, onclkds.com, popads.net, nanoadexchange.com, popcash.net, tradeadexchange.com, venturead.com, predictivadvertising.com, yieldtraffic.com, maxonclick.com, pulseadnetwork.com, superadexchange.com, totaladperformance.com, onclicktop.com, openadserving.com, liveadexchanger.com, pureadexchange.com, onclickpredictiv.com, brightonclick.com

These redirects generate lots of traffic. To give you an idea, take the domain adnetworkperformance.com.

This particular redirect domain generated so much traffic (especially in 2016; it is dropping now …) that adnetworkperformance.com received about 1,009,500 unique visitors and 2,533,845 page views (2.51 per visitor) per day. That should earn adnetworkperformance.com about $8,076.00 a day in advertising revenue. Its estimated site value is $4,081,344.31. According to Alexa Traffic Rank, adnetworkperformance.com ranked number 413 in the world and 0.2019% of global Internet users visit it.

The reputation of adnetworkperformance.com is really bad, as it is obviously related to malware domains that users do not intend to visit but are forced to (redirected to) by adware.

If you visit adnetworkperformance.com directly it shows nothing but a “403 error”. To be redirected you need a referrer id, a random number generated by the adware, which tells the adnetworkperformance.com website to redirect your browser through its network and eventually show the websites they want you to see.

Which websites those are depends on keywords found in the content and meta description of the website you were visiting at the moment the redirection occurred.

We took the source code and annotated it to show how these redirects technically work.

function inIframe() {
    try {
        return (window.self !== window.top) ? 1 : 0;
    } catch (e) {
        return 1;
    }
}

function ReopenUrlBuilder(baseUrl) {
    // they get the complete url
    this.baseUrl = baseUrl;

    // Get the value of the content attribute of the meta tag whose name attribute equals name
    this._getMetaContent = function (name) {
        try {
            var meta = window.top.document.getElementsByTagName('meta');
            for (var i = 0; i < meta.length; i++) {
                if (meta[i].hasAttribute('name') && meta[i].getAttribute('name').toLowerCase() === name) {
                    var info = meta[i].getAttribute('content');
                    // truncate the value around 256 characters, at a space or comma, never past 384
                    var indexToCut = Math.max(info.indexOf(' ', 256), info.indexOf(',', 256));
                    if (indexToCut > 384 || indexToCut < 20) {
                        indexToCut = 256;
                    }
                    return info.substring(0, indexToCut);
                }
            }
        } catch (e) {
        }
        return '';
    };

    // get width
    this._getWidth = function () {
        return window.innerWidth || document.documentElement.clientWidth || document.body.clientWidth;
    };

    // get height
    this._getHeight = function () {
        return window.innerHeight || document.documentElement.clientHeight || document.body.clientHeight;
    };

    // get title (important for keywords)
    this._getTitle = function () {
        var title = document.title;
        if (inIframe()) {
            try {
                title = window.top.document.title;
            } catch (e) {
                title = '';
            }
        }
        return title;
    };

    // They take the URL you visit in your browser and rebuild it with arguments.
    this.build = function () {
        return this.baseUrl
            + '&cbrandom=' + Math.random()
            + '&cbtitle=' + encodeURIComponent(this._getTitle())                              // the title is important, it provides keywords
            + '&cbiframe=' + inIframe()                                                         // is it an iframe?
            + '&cbWidth=' + this._getWidth()                                                    // used to determine the ads to show or website to visit
            + '&cbHeight=' + this._getHeight()                                                  // used to determine the ads to show or website to visit
            + '&cbdescription=' + encodeURIComponent(this._getMetaContent('description'))       // meta description of the website, URL-encoded so slashes etc. are escaped
            + '&cbkeywords=' + encodeURIComponent(this._getMetaContent('keywords'));            // meta keywords of the website, URL-encoded the same way
    };
}

// Set up a variable describing the browser used.
var browser = (function (n) {
    // var n = 'Dalvik/1.6.0 (Linux; U; Android 4.3; GT-I9300 Build/JSS15J)'.toLowerCase();
    // Replace some text.
    n = n.replace('OPR', 'opera').toLowerCase();

    // set up a variable to determine the browser
    var b = {
        webkit: /webkit/.test(n),
        chrome: /chrome|crios/.test(n),
        safari: (/safari/.test(n) && !(/chrome/.test(n)) && !(/opios/.test(n))),
        mozilla: (/mozilla/.test(n)) && (!/(compatible|webkit)/.test(n)),
        firefox: /firefox/.test(n),
        msie: (/msie/.test(n)) && (!/opera/.test(n)),
        msedge: (/edge/.test(n)),
        ms_mobile: /iemobile/.test(n),
        opera: /opera/.test(n),
        // opios is Opera Mini in iOS
        opera_mini: (/opera mini/.test(n) || /opios/.test(n)),
        android: /android/.test(n),
        mac: /macintosh/.test(n),
        blackberry: /blackberry/.test(n),
        ios: /ipad|ipod|iphone/.test(n),
        // Facebook in-app browser user agent
        fb: /fban\/fbios|fbav|fbios|fb_iab\/fb4a/.test(n),
        presto: /presto/.test(n),
        ieQuirksMode: (typeof document.compatMode !== 'undefined') ? document.compatMode !== 'CSS1Compat' && (/msie/.test(n)) && (!/opera/.test(n)) : false,
        // UCBrowser is a Chromium based browser that is used in adware campaigns
        // (note: n was lowercased above, so this case-sensitive test never matches)
        ucbrowser: /UCBrowser|UCWEB/.test(n)
    };

    // Browser User-Agent is stored here
    b.user_agent = n;

    // Check for Flash support
    b.flash_support = false;
    try {
        b.flash_support = navigator.mimeTypes['application/x-shockwave-flash'];
    } catch (e) {
    }

    // Browser version: Safari is matched on "ri/" (safari/…), the others on ox|me|ra|ie (firefox, chrome, opera, msie)
    b.version = (b.safari) ? (n.match(/.+(?:ri)[\/: ]([\d.]+)/) || [])[1] : (n.match(/.+(?:ox|me|ra|ie)[\/: ]([\d.]+)/) || [])[1];

    b.touchable = 'ontouchstart' in document.documentElement;

    // Get the major browser version, like Chrome 41 or Firefox 38, from the full version
    b.major_version = parseInt(b.version);

    // Detect whether the current browser is a mobile browser.
    b.is_mobile = b.android || b.ios || b.blackberry || b.ms_mobile || b.opera_mini || b.ucbrowser;

    return b;
})(navigator.userAgent);

var builder = new ReopenUrlBuilder("http:\/\/www.adnetworkperformance.com\/a\/display.php?r={refferid}&treqn={number-dont-know}&runauction=1&crr={some unknown encoding}&rtid={unknown id number}");

// they create the redirect url here
var url = builder.build();

// output the iframe to the HTML using document.write
document.write('<iframe width="468" height="60" marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true" allowfullscreen="true" style="border: medium none; padding: 0; margin: 0;" sandbox="allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox allow-pointer-lock allow-same-origin" id="{unknown id number for us}"  frameborder="0" src="'+ url +'" scrolling="no"></iframe>');
// the "sandbox" attribute is the trick: its allow-scripts and allow-popups values let the frame run JavaScript and open pop-ups

if ((browser.chrome && browser.major_version < 17) || browser.opera_mini) {
    // if the browser is Chrome < 17 or Opera Mini, remove the sandbox attribute
    document.getElementById('{refers to id in the document.write function}').removeAttribute('sandbox');
}

// FixYourBrowser.com
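As an added example that is not part of the article, here is Python detection logic run over a few constructed proxy log lines. It flags requests to the redirect-network domains listed in this chapter and, for hits on the display.php builder endpoint, decodes the cb* parameters the script above appends, so an analyst can see exactly which page data (title, meta description, keywords, viewport size) the adware leaked. The log format, the referrer id and the parameter values are constructed; the domain list and parameter names come from the article.

```python
from urllib.parse import urlsplit, parse_qs

# Redirect-network domains named in the article.
REDIRECT_DOMAINS = {
    "adnetworkperformance.com", "onclkds.com", "popads.net", "nanoadexchange.com",
    "popcash.net", "tradeadexchange.com", "venturead.com", "predictivadvertising.com",
    "yieldtraffic.com", "maxonclick.com", "pulseadnetwork.com", "superadexchange.com",
    "totaladperformance.com", "onclicktop.com", "openadserving.com",
    "liveadexchanger.com", "pureadexchange.com", "onclickpredictiv.com", "brightonclick.com",
}

# Query parameters the ReopenUrlBuilder script appends to the redirect URL.
LEAKED_PARAMS = ("cbtitle", "cbdescription", "cbkeywords", "cbWidth", "cbHeight", "cbiframe")


def matches_redirect_network(host):
    """True if host is one of the redirect domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in REDIRECT_DOMAINS)


def analyse_request(url):
    """Return None for an unrelated URL, otherwise a dict with the matched host,
    whether it is the display.php builder endpoint, the referrer id (r=) and the
    page data leaked through the cb* parameters, already URL-decoded."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not matches_redirect_network(host):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    return {
        "host": host,
        "builder_endpoint": parts.path.endswith("/a/display.php"),
        "referrer_id": qs.get("r", [None])[0],
        "leaked": {k: qs[k][0] for k in LEAKED_PARAMS if k in qs},
    }


def scan_log(lines):
    """Constructed log format: '<timestamp> <client-ip> <method> <url>'.
    Returns (timestamp, client, analysis) for every line that hits the network."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue               # malformed line, skip rather than crash
        result = analyse_request(fields[3])
        if result:
            hits.append((fields[0], fields[1], result))
    return hits


# Constructed sample lines; the referrer id, title and keywords are made up.
SAMPLE_LOG = [
    "2017-03-01T10:00:01Z 10.0.0.5 GET https://www.example.com/recipes/pancakes",
    "2017-03-01T10:00:02Z 10.0.0.5 GET http://www.adnetworkperformance.com/a/display.php?r=123456&runauction=1"
    "&cbrandom=0.42&cbtitle=Pancake%20recipes&cbiframe=1&cbWidth=1366&cbHeight=768"
    "&cbdescription=Easy%20pancake%20recipes%2C%20breakfast&cbkeywords=pancakes%2Cbreakfast",
    "2017-03-01T10:00:03Z 10.0.0.7 GET http://cdn.popcash.net/pop.js",
]

if __name__ == "__main__":
    for ts, client, hit in scan_log(SAMPLE_LOG):
        endpoint = "builder endpoint" if hit["builder_endpoint"] else "other request"
        print(ts, client, hit["host"], endpoint, hit["leaked"])
```

The second sample line shows what leaves the machine on every redirect: the page title and meta tags of the site the victim was reading, which is how the network picks the destination the article describes.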

Distribution of Adware and Potentially Unwanted Programs and how to avoid them

Distribution

Adware is mostly packed or bundled with free software you download from the internet. The free software is wrapped in what is called a “loader”, “bundler”, “download manager”, “download client”, “installer” or something similar. Adware distribution companies use many different names for their adware-laden installation software.

A bundler provides a GUI (Graphical User Interface) that looks like a real installation program but contains a few options to accept or decline third-party software. The problem lies in the thin line between a normal installation program and a bundle.

How do you recognize an Adware contained bundle? Part 1

Let me give you a full example of a bundle and tell you which options to look for when you install software or are presented with an installation “Setup Wizard” window.

This is one example of many, but what we want to show you is how these bundles try to deceive the user into clicking through the installer as fast as possible. By clicking quickly through the installation process without reading what you are actually installing, you may end up with adware or a Potentially Unwanted Program.

What is important here is the graphical user interface and its text.
Notice how the second line of their file description tries to trick you into clicking the Next button. Also notice the “Free download manager” text and the BIG Next button.
You can't miss it, right? That is what they aim for: you clicking it without reading the text.

The first offer: “Yes, install” is already checked. See the statement “By clicking Accept you agree to install …”. You should have selected “No, thanks” and the Decline button.

Another offer. You should have selected Decline here. Again step 2 out of 4; this should have been step 3, right? …

Another offer. You should have selected Decline here. Again step 2 out of 4; this should have been step 4, right? …

Finally! The software we wanted in the first place is downloading, and it completes 100%.
Still step 3 out of 4! … The Finish button will finish the installation, right?

Another offer, and this one after the Finish button. You should have selected Decline here.

Again, the software we intended to download is finished, still at step 3 out of 4!?

Now we are done; the Open button shows the executable of the real installer of the software we intended to download.
Read the red text in the image to see what we were trying to do here.

How do you recognize an Adware contained bundle? Part 2

The InstallPath adware bundler is a bit more difficult; we will explain it in the pictures below. This bundler is more deceptive and malicious than any other adware bundler out there (as far as we know). First of all, the items to uncheck or decline are very small (you can hardly see them if you don't know where to look).

And when you uncheck an item, it displays a message saying: to continue the installation click OK, to abort click Cancel. Most people click OK by default.

The InstallPath adware bundler also uses the following methods to avoid detection or debugging, and to prevent multiple installations on the same machine or virtual machine(s). InstallPath is a Pay Per Install monetization bundle, which means the developer gets paid for every install.

With anti-debugging and VM detection they try to stop the developer from running the installer themselves and making money with fake installs.

  • VM (Virtual Machine) detection: if the InstallPath adware bundler is started in a virtual machine, it just exits with the message “Your software is installed”, which it is not.
  • VPN detection: when the bundler starts it looks up your IP address. If you are using a VPN IP address they know, the installer exits.
  • Queries the Internet cache settings: used to hide its footprints in index.dat or the Internet cache and to hinder debugging.
  • Uses the PAGE_GUARD memory attribute: used to thwart memory dumping and debugging.

Here is what the InstallPath adware bundles look like at the time of writing.

Look carefully at the picture; in this first picture everything is left at its default to show you how it works. Express Install (recommended) is checked by default. If you had selected the green “Next >>” button, you would have agreed to install a bunch of adware programs.

You should always select the “Custom Install (Expert)” checkbox. Notice the scrollbar at the right: there is more to uncheck. See the next picture.

When you uncheck an item (right-click on it), the InstallPath bundler displays a message “… Abort”. Select Cancel; if you select OK you have agreed to keep the offered software.

Uncheck all items, but notice the red arrow and the text “Additional Offers:”; they want you to install even more. Now it is safe to select the Next button.

Be aware that the offers we got might be different from the ones you get.
If there is a Decline button, select it. See the next picture; it has a different GUI.

As you can see, the big grey Decline button is gone. Well, it is there, but it is very small; see the green arrow. So if you do not want an offer, look for the Decline button, even if it is very small. It is there (hopefully!).

Same as in the picture above: the Decline “button” is very small and barely visible. If you had selected the Next button you would have agreed (in this example) to a malicious browser hijacker.

Distribution – Bottom line – Conclusion

We hope that with these two “install managers” we have made it clear that you should look carefully before installing software. Never, ever just click the Next, Quick install or Recommended install button. By doing so you end up with adware on your computer, or worse.

There is also software that automatically unchecks adware, offers and potentially unwanted programs in installers. This GREAT software is named “Unchecky”. We think it is a must-have if you download lots of software from the internet.

Visit their website at unchecky.com, and see a demonstration in the video:

Demonstrating Unchecky