Adware is one of the most common threats online. Malware developers like it because it is relatively easy to create, gives a guaranteed return and its legal status is vague. From the developer's point of view it compares favourably with traditional viruses or ransomware: it does not pay as much, but it is a much safer option. Plenty of companies develop adware and stay out of trouble for years, since in most cases the users install the adware “willingly” (though usually not knowingly).
Adware is software placed on a user's computer that displays advertisements and affiliate links, redirects the user to sponsored websites and uses other means to make money from the user's activity. Sometimes it also collects personal data and uses it for marketing purposes. Most adware does not tell the user that it is present on the system; it tries to stay in the background and avoid removal for as long as possible.
One of the most common adware forms today is the browser hijacker. Hijackers usually infiltrate the computer, change the default homepage and search engine, and bring the new page up every time the user launches the browser.
So how does the distribution of such software work? Let’s look at the process step by step.
Creating the adware
The first goal for a browser hijacker owner is to create a website which would receive traffic from infected browsers and convert it into profit.
Most creators simply choose a “search homepage” format: a page with a search field that imitates the browser's default “new tab” page. In most cases such websites are poorly designed and are easily told apart from legitimate search engines. They still receive traffic, however, because infected users cannot remove the hijacked homepage. The creators therefore usually focus on stuffing such websites with advertisements and affiliate links rather than on an attractive design.
Some, however, go the extra mile and make the websites look good. They add background wallpapers and responsive layouts and polish the looks. Others even make the website adapt to different browsers and copy their speed dial pages, making it virtually impossible to tell them apart from real browser components by looks alone.
Most hijackers have one dedicated website, but some diversify and create dozens of domains for different campaigns. This lets them track their users, avoid detection and avoid downtime.
Creating the background program
The next step is to create a background program (or a set of programs and browser addons) that makes sure the homepage is automatically inserted into all browsers and cannot be changed by the user. This is important, as otherwise the user would easily remove the adware and the creators would not receive any profit.
There are several ways of doing so. One of the most popular is a Windows application that launches itself in the background every time the PC is booted. It then checks whether the browser settings are still in place and modifies them again if needed. Background programs often modify browser shortcuts as well. Sometimes such programs can be found in the Programs and Features list, and sometimes they are hidden deep in the system (e.g. in the %APPDATA% folder). Adware can also install unwanted browser addons which act as a backup persistence mechanism, modify browser settings and add various toolbars.
A newer approach called fileless injection is also gaining traction. It uses Windows Management Instrumentation and leaves no files on the disk, making it harder for adware cleaners to detect the activity.
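The three persistence spots just described (autostart entries, rewritten browser shortcuts and WMI event subscriptions) can be listed from a defender's side with a short read-only triage script. The following PowerShell is an added example, not code from the original article; it assumes the standard Windows registry and shortcut locations, uses the documented `root\subscription` CIM classes, and the "suspect" path heuristic is only a prompt for a closer look, not a verdict.

```powershell
# Added example (not from the original article): read-only triage of the three
# persistence spots described above. Run it in an elevated PowerShell session on
# the machine you are examining; it only reads and reports.

function Get-AutostartEntries {
    # Run keys are the most common "launch at boot" hook; adware dropped into the
    # profile often lives under %APPDATA% or %TEMP%, so those paths are flagged.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            [pscustomobject]@{
                Source  = $key
                Name    = $name
                Command = $cmd
                # heuristic only: a binary launched from a user-writable folder deserves a closer look
                Suspect = [bool]($cmd -match '(?i)\\(AppData|Temp|ProgramData)\\')
            }
        }
    }
}

function Get-BrowserShortcutOverrides {
    # A genuine browser shortcut has an empty Arguments field; a URL there is the
    # classic sign that the shortcut was rewritten to open a hijacker page.
    $shell = New-Object -ComObject WScript.Shell
    $dirs = @(
        "$env:USERPROFILE\Desktop",
        "$env:PUBLIC\Desktop",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
        "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
    )
    Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $isBrowser = $lnk.TargetPath -match '(?i)\\(chrome|firefox|msedge|iexplore|opera|brave)\.exe$'
        if ($isBrowser -and $lnk.Arguments -match '(?i)https?://') {
            [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
        }
    }
}

function Get-WmiPersistence {
    # "Fileless" persistence keeps its trigger (filter) and payload (consumer) in
    # the WMI repository under root\subscription; a clean workstation normally has
    # none of these apart from entries your own management tooling created.
    $cim = @{ Namespace = 'root\subscription'; ErrorAction = 'SilentlyContinue' }
    Get-CimInstance @cim -ClassName __EventFilter |
        Select-Object @{n='Type';e={'Filter'}}, Name, Query
    Get-CimInstance @cim -ClassName CommandLineEventConsumer |
        Select-Object @{n='Type';e={'CommandLineConsumer'}}, Name, CommandLineTemplate
    Get-CimInstance @cim -ClassName ActiveScriptEventConsumer |
        Select-Object @{n='Type';e={'ScriptConsumer'}}, Name, ScriptingEngine, ScriptText
    Get-CimInstance @cim -ClassName __FilterToConsumerBinding |
        Select-Object @{n='Type';e={'Binding'}}, Filter, Consumer
}

'== Autostart entries ==';           Get-AutostartEntries        | Format-Table -AutoSize -Wrap
'== Browser shortcuts with URLs ==';  Get-BrowserShortcutOverrides | Format-Table -AutoSize -Wrap
'== WMI event subscriptions ==';      Get-WmiPersistence           | Format-List
```

Anything the script reports is a lead, not a conviction: legitimate deployment tools do create Run entries and WMI subscriptions, so compare the output against what you know is deployed on the host. Scheduled tasks and service entries are further autostart locations the script does not cover.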
Choosing monetization methods
Browser hijackers use a handful of common monetization methods. Some show advertisements from legitimate sources, as the advertisement providers do not know where the traffic comes from. Others involve questionable or illegal methods.
One of the most common monetization methods is a custom search. The adware displays a fake search field and redirects every user query to a custom Google, Yahoo, Bing or smaller search network feed. The network then pays the creators a share of its advertising revenue. This is a profitable strategy, since many users type into the search field in their browser instead of going to the Google homepage. It can be taken a step further if the hijacker also manages to change the default search engine setting, so that it receives the search traffic from the address bar as well.
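Because the custom-search and homepage changes described above live in the browser's own settings files, they can be checked directly without touching the running browser. The following PowerShell is an added example, not code from the original article. It assumes the file locations and key names that Chrome, Edge and Firefox use on Windows at the time of writing (`Preferences` / `Secure Preferences` with `homepage`, `session.startup_urls` and `default_search_provider_data.template_url_data`; `prefs.js` with `browser.startup.homepage`), and the allowlist of search hosts is a placeholder you adjust to your own policy.

```powershell
# Added example (not from the original article): read-only check of where each
# browser sends searches and which pages it opens at start-up. File locations and
# JSON key names are those used on Windows at the time of writing (assumed;
# verify against your installed versions).

# Hosts you consider legitimate search providers; adjust to your own policy.
$KnownSearchHosts = @('google.com', 'bing.com', 'duckduckgo.com', 'yahoo.com')

function Test-KnownHost {
    param([string]$Url)
    if ($Url -match '^about:') { return $true }           # about:home, about:blank etc.
    # Search templates contain placeholders such as {searchTerms}; neutralise them before parsing.
    $clean = $Url -replace '\{[^}]*\}', 'x'
    try { $h = ([uri]$clean).Host } catch { return $false }
    foreach ($known in $KnownSearchHosts) {
        if ($h -eq $known -or $h -like "*.$known") { return $true }
    }
    return $false
}

function Get-ChromiumSearchSettings {
    param([string]$Browser, [string]$UserData)
    # On Windows the tracked settings may sit in "Secure Preferences" rather than
    # "Preferences", so both files of the Default profile are read.
    foreach ($file in 'Preferences', 'Secure Preferences') {
        $path = Join-Path $UserData "Default\$file"
        if (-not (Test-Path $path)) { continue }
        $prefs = Get-Content -Path $path -Raw -Encoding UTF8 | ConvertFrom-Json
        $found = @()
        if ($prefs.homepage) { $found += @{ Setting = 'homepage'; Value = $prefs.homepage } }
        foreach ($u in @($prefs.session.startup_urls)) {
            if ($u) { $found += @{ Setting = 'startup_url'; Value = $u } }
        }
        $tpl = $prefs.default_search_provider_data.template_url_data
        if ($tpl.url) { $found += @{ Setting = "default_search ($($tpl.short_name))"; Value = $tpl.url } }
        foreach ($f in $found) {
            [pscustomobject]@{ Browser = $Browser; File = $file; Setting = $f.Setting
                               Value = $f.Value; KnownHost = Test-KnownHost $f.Value }
        }
    }
}

function Get-FirefoxStartupSettings {
    # Firefox keeps the homepage in prefs.js as user_pref("browser.startup.homepage", "url|url");
    # the default search engine lives in a compressed search.json.mozlz4 and is not covered here.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    Get-ChildItem -Path $profiles -Filter prefs.js -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $text = Get-Content -Path $_.FullName -Raw
        $m = [regex]::Match($text, 'user_pref\("browser\.startup\.homepage",\s*"([^"]*)"\)')
        if ($m.Success) {
            foreach ($u in ($m.Groups[1].Value -split '\|')) {
                [pscustomobject]@{ Browser = 'Firefox'; File = $_.FullName; Setting = 'homepage'
                                   Value = $u; KnownHost = Test-KnownHost $u }
            }
        }
    }
}

$report = @(
    Get-ChromiumSearchSettings -Browser 'Chrome' -UserData "$env:LOCALAPPDATA\Google\Chrome\User Data"
    Get-ChromiumSearchSettings -Browser 'Edge'   -UserData "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
    Get-FirefoxStartupSettings
)
$report | Format-Table -AutoSize -Wrap
$report | Where-Object { -not $_.KnownHost } |
    ForEach-Object { Write-Warning "Unrecognised host in $($_.Browser) $($_.Setting): $($_.Value)" }
```

A hijacked browser typically shows the same unfamiliar host in all three places (homepage, start-up page and search template), which is what distinguishes it from a user who simply picked a niche search engine. Only the Default profile is examined; extend the path list if the machine uses several browser profiles.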
Another method is simply to display banners and popups. Google AdSense usually detects and bans such websites, so the creators have to turn to less reliable providers. As a result, adware banners, popups and redirects may lead to untrusted sources.
A popular illegal method that pays well is cookie stuffing. An invisible affiliate link for big websites like eBay, Amazon or AliExpress is loaded in the background, so every hijacked user is automatically recorded as referred by the adware creator. When such a user later makes a purchase, the creator is credited with the commission.
Browser hijackers also tend to redirect automatically to various links and to offers to install other software or browser addons. This can result in more adware and other, more serious infections.
Finally, some adware collects personal data and browsing history and uses it for marketing purposes or sells it to third parties.
Choosing distribution methods
The final step is to find a way to infect as many computers as possible at the lowest cost. Hijackers usually use pay per install (PPI) networks and pay publishers a fixed amount for every install. PPI installers are typically distributed using various deceptive and black-hat methods.
Another way to spread adware is to bundle it with other, legitimate software. When users install programs from free download sites and click through the steps quickly, they often click “Agree” on the various additional software suggestions and end up littering their computer without knowing it.
Both methods described above require some business calculations and a starting investment before the adware spreads. Other ways, such as bundling it with illegal cracks, torrents and similar files, are used as well.