Anatomy of an Adware

Multi platform, scalable, obtrusive

Unexpected Intruders

Deploying my event logger to detect XSS intrusions brought unexpected results. A large share of the logged activity came from browser-based software, most likely installed with browser extensions. One of the more widespread examples is described here.

Overview

The following analysis is sketchy at best. There are a lot of things missing. The things I did find out are however quite interesting.

Unfortunately I have no idea how the initial software enters the browser. Once present, it adds a script tag for the loader to the document head. The URL of the loader carries GET parameters, the most remarkable being a city name; its source is most likely some form of user registration. The software appears in Firefox, MSIE and Chrome browsers.

As a first step the script removes its own script tag. It also parses its URL parameters. Next a domain specific script is loaded; we will take a closer look at an example later. The loader then loads Google Analytics with the ID UA-18311301-3 and sets it up for cross-domain user tracking. The last step, which is only executed for browsers from the US, loads a script from http://inlink.interesting.cc/cc.php. Without the right parameters this script just removes itself, and I do not know the right parameters yet.

The behavior of the software is parameterized by its URL parameters. The domain specific script uses five-digit hexadecimal feature codes to identify its actions. Whether an individual action executes is controlled by the country (the cid parameter), and it is delayed relative to the installation date (the aoi parameter).
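The mechanism just described (a loader script tag injected into the head, keyed on cid and aoi) is what an in-page event logger has to catch. The following is an added example, not the page's own logger and not code from the adware: it classifies script sources against a per-site allowlist, flags the hosting domain named on this page, and records the loader's pid and parameters for the log. The allowlist, the sample script sources and the parameter values are constructed; the parameter name "city" is an assumption (the page only says a city name is passed), and the verdict names are my own.

```javascript
// Added example: detect injected script tags and log the adware loader's
// parameters. Not the original page's event logger.

// Host named on the page as hosting the adware components.
const KNOWN_ADWARE_HOSTS = new Set(['d3lvr7yuk4uaui.cloudfront.net']);

// Hosts the protected site legitimately loads scripts from (constructed).
const ALLOWED_HOSTS = new Set(['www.example.com', 'static.example.com']);

// Classify one script src relative to the page it was found on.
// Verdicts: 'allowed', 'known-adware', 'unexpected-origin', 'unparseable'.
function classifyScriptSrc(src, pageHost) {
  let url;
  try {
    url = new URL(src, 'https://' + pageHost + '/'); // resolves relative srcs
  } catch (e) {
    return { verdict: 'unparseable', src };
  }
  const finding = { verdict: 'allowed', host: url.hostname, path: url.pathname, params: {} };
  if (KNOWN_ADWARE_HOSTS.has(url.hostname)) {
    finding.verdict = 'known-adware';
    // cid and aoi are the gating parameters described on the page;
    // 'city' is an assumed name for the city parameter.
    for (const key of ['cid', 'aoi', 'city']) {
      if (url.searchParams.has(key)) finding.params[key] = url.searchParams.get(key);
    }
    // The loader path encodes the pid: /items/loaders/loader_<pid>.js
    const m = url.pathname.match(/^\/items\/loaders\/loader_(\d+)\.js$/);
    if (m) finding.pid = Number(m[1]);
  } else if (url.hostname !== pageHost && !ALLOWED_HOSTS.has(url.hostname)) {
    finding.verdict = 'unexpected-origin';
  }
  return finding;
}

// Audit a list of script srcs (e.g. collected from document.scripts) and
// return only the findings that need attention.
function auditScripts(srcs, pageHost) {
  return srcs.map(s => classifyScriptSrc(s, pageHost)).filter(f => f.verdict !== 'allowed');
}

// Browser hook: a loader that removes its own tag still triggers the
// observer on insertion, so the src is captured before it disappears.
function watchForInjectedScripts(report) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') return null;
  const obs = new MutationObserver(records => {
    for (const r of records) {
      for (const node of r.addedNodes) {
        if (node.nodeName === 'SCRIPT' && node.src) {
          const f = classifyScriptSrc(node.src, location.hostname);
          if (f.verdict !== 'allowed') report(f);
        }
      }
    }
  });
  obs.observe(document.documentElement, { childList: true, subtree: true });
  return obs;
}

// Constructed sample: what a scan on www.example.com might see. Parameter
// values are made up; only the host and path layout come from the page.
const SAMPLE_SRCS = [
  'https://static.example.com/app.js',
  'http://d3lvr7yuk4uaui.cloudfront.net/items/loaders/loader_16.js?cid=us&aoi=20110301&city=Berlin',
  'https://cdn.unknown-third-party.invalid/widget.js',
];

console.log(JSON.stringify(auditScripts(SAMPLE_SRCS, 'www.example.com'), null, 2));
```

In a page, call watchForInjectedScripts(f => navigator.sendBeacon('/log', JSON.stringify(f))) early in the head so the observer is in place before the loader tag is inserted; the audit function alone is enough for a one-off scan of document.scripts.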

Domain Code

Facebook

The Facebook code does several things that need further analysis. The somewhat scary part at the end is a click on all fields named grant_clicked for a Windows 7 mobile phone app (app_id 139379662760106).

Google

The Google domain code puts a result obtained from http://www.interesting.cc/ at the top of the result list.

Where Do I Find this Software?

The software is hosted at http://d3lvr7yuk4uaui.cloudfront.net/. The individual components can be retrieved at the following paths:

/items/loaders/loader_<pid>.js
    The loader, where pid is a number. There are at least the pids 5, 16 and 1010.

/items/domains/x/xdomain.js
    The domain specific code, where x is the first letter of the domain name; see below for an example.

/items/domains/g/google.com.js
    The Google code.

/items/<feature>/js/ig.js
    The code that modifies Google search results, where feature is a switch. The features db354 and 86ae5 enable this.

They are currently compressed but not obfuscated and can be made readable with JSBeautifier.

Look at Yourself

Since this page seems to attract the infected, I have added the possibility to look at the JavaScript events generated by your client browser.
