Anatomy of an Adware

Multi platform, scalable, obtrusive

Unexpected Intruders

Deploying my event logger to detect XSS intrusion brought unexpected results. A large amount of the logged activity came from browser based software, most likely installed with browser extensions. One of the popular ones is described here.


The following analysis is sketchy at best. There are a lot of things missing. The things I did find out are however quite interesting.

Unfortunately I have no idea how the initial software enters the browser. If it is present it adds a script tag for the loader to the header. The url for the loader has GET parameters, the most remarkable being a city name. The source of this is most likely some form of user registration. The software appears in Firefox, MSIE and Chrome browsers.

As a first step the script removes its script tag. It also parses its URL parameters. Next a domain specific script is loaded. We will take a closer look at an example later. The loader then loads google analytics with the ID UA-18311301-3 and sets it up for cross domain user tracking. The last step, which is only executed for browsers which are from the US, loads a script from Without the right parameters this just removes itself and I do not know the right parameters yet.

The behavior of the software is parametrized by its URL parameters. The domain specific script has five digit hexadecimal feature codes identifying its actions. Execution of the individual action is controlled by the country (the cid parameter) and has a delay relative to the installation date (the aoi parameter).

Domain Code


The facebook code does several things that need further analyzing. The somewhat scary part at the end is a click on all fields named grant_clicked for a windows 7 mobile phone app (app_id 139379662760106).


The google domain code puts a result obtained from at the top of the result list.

Where Do I find this Software?

The software is hosted at The individual components can be retrieved at


where pid is a number. There are at least the pids 5, 16 and 1010.

The loader


where x is the first letter of the domain name, see below for examples

The domain specific code



Google code


where feature is a switch. The features db354 and 86ae5 enable this

Code that modifies google search results

They are currently compressed but not not obfuscated and can be made readable with JSBeautifier.

Look at Yourself

Since this page seems to attract the infected I have added the possibility to look at the js events generated by your client browser.