Anatomy of an Adware
Multi-platform, scalable, obtrusive
Deploying my event logger to detect XSS intrusions brought unexpected results. A large amount of the logged activity came from browser-based software, most likely installed along with browser extensions. One of the popular ones is described here.
The following analysis is sketchy at best. There are a lot of things missing. The things I did find out are however quite interesting.
Unfortunately I have no idea how the initial software enters the browser. Once present, it adds a script tag for the loader to the document header. The URL of the loader carries GET parameters, the most remarkable being a city name; the source of this is most likely some form of user registration. The software appears in Firefox, MSIE and Chrome browsers.
As a first step the script removes its own script tag. It also parses its URL parameters. Next a domain specific script is loaded; we will take a closer look at an example later. The loader then loads google analytics with the ID
sets it up for cross domain user tracking. The last step, which is only executed for browsers which are from the US, loads a script from
Without the right parameters this just removes itself, and I do not know the right parameters yet.
The behavior of the software is parameterized by its URL parameters. The domain specific script uses five digit hexadecimal feature codes to identify its actions. Whether an individual action executes is controlled by the country (the cid parameter), and each action has a delay relative to the installation date (the aoi parameter).
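To triage loader URLs of the kind described above (a script tag carrying cid, aoi and a city name) from an event logger's captures, here is an added JavaScript example; it is not code from the adware or from this write-up. It assumes aoi is a UNIX timestamp in seconds, cid is a country code, and the feature table with its country gates and delays is a constructed sample, not the real one.

```javascript
// Added example (not the adware's or the author's code): triage of script
// URLs captured by an event logger, looking for the loader signature
// (GET parameters cid, aoi and city) and estimating which delayed,
// country-gated actions could already be live on a given client.
// Assumptions: aoi is a UNIX timestamp in seconds, cid is a country code,
// and FEATURES is a constructed, hypothetical table of feature codes.
const FEATURES = [
  { code: "1a2b3", countries: ["US"], delayDays: 7 },        // hypothetical
  { code: "0c4d5", countries: ["US", "DE"], delayDays: 0 },  // hypothetical
  { code: "2e3f4", countries: ["*"], delayDays: 30 },        // hypothetical
];

// A script src matches the loader signature when all three parameters are present.
function isLoaderSignature(src) {
  let u;
  try { u = new URL(src); } catch (e) { return false; }
  const p = u.searchParams;
  return ["cid", "aoi", "city"].every(k => p.has(k));
}

// Extract the parameters the write-up names from a matching loader URL.
function parseLoaderUrl(src) {
  const u = new URL(src);
  const p = u.searchParams;
  return {
    host: u.hostname,
    cid: (p.get("cid") || "").toUpperCase(),
    aoi: Number(p.get("aoi")),
    city: p.get("city"),
  };
}

// Feature codes whose country gate passes and whose delay since installation has elapsed.
function activeFeatures(params, nowEpochSec, table = FEATURES) {
  if (!Number.isFinite(params.aoi)) return [];
  const ageDays = (nowEpochSec - params.aoi) / 86400;
  return table
    .filter(f => f.countries.includes("*") || f.countries.includes(params.cid))
    .filter(f => ageDays >= f.delayDays)
    .map(f => f.code);
}

// Scan captured script srcs and report every loader hit with its likely-active codes.
function triageScriptSrcs(srcs, nowEpochSec) {
  return srcs.filter(isLoaderSignature).map(src => {
    const params = parseLoaderUrl(src);
    return { ...params, active: activeFeatures(params, nowEpochSec) };
  });
}

const SAMPLE_SRCS = [  // constructed sample input, not real captures
  "https://www.google-analytics.com/ga.js",
  "http://loader.example.invalid/l.js?cid=us&aoi=1300000000&city=Boston",
];
console.log(JSON.stringify(triageScriptSrcs(SAMPLE_SRCS, 1300000000 + 10 * 86400)));
```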
The facebook code does several things that need further analyzing. The somewhat scary part at the end is a click on all fields named grant_clicked for a windows 7 mobile phone app (
The google domain code puts a result obtained from http://www.interesting.cc/ at the top of the result list.
Where Do I Find This Software?
The software is hosted at
The individual components can be retrieved at
where x is the first letter of the domain name, see below for examples
The domain specific code
Code that modifies google search results
They are currently compressed but not obfuscated and can be made readable with JSBeautifier.
Look at Yourself
Since this page seems to attract the infected, I have added the possibility to look at the JavaScript events generated by your client browser.