White Paper | August 2006

Adware and Spyware: Unraveling the Financial Web



Table of Contents

Key Findings 3
Introduction 3
Rise of Adware and Spyware 3
Users Deceived 4
Sites and Companies Distributing Adware 4
Affiliators and Affiliates 5
Tracking 5
Payment (Conventional Advertising) 6
Payment (Adware Pay-per-Install) 7
Conclusion 8

www.mcafee.com


Key Findings

1. The prevalence of adware and spyware is increasing at an exponential rate. Between 2000 and 2002, there were only about forty adware families. Their numbers increased sharply (more than 1000 percent) in the next 3.5 years. By August, 2006, there were nearly 450 adware families with more than 4,000 variants. (P. 3)

2. Internet users remain ignorant of the dangers of spyware and adware. A recent survey by McAfee’s SiteAdvisor.com found that a staggering 97 percent of Internet users could not differentiate safe from unsafe sites, meaning that the vast majority is just one click away from downloading spyware, adware, or some other kind of potentially unwanted software. (P. 4)

3. The University of Washington found that the most prolific distributors of adware are actually star/celebrity sites, not the commonly believed adult and pornography websites. (P. 4)

4. The adware business model is a lucrative one. A botherder’s criminal indictment alleged that affiliate-marketing companies paid him approximately $0.15 per infected computer, corresponding to a cost-per-thousand of $150. (P. 7)

Introduction

Though security companies have recently called attention to the rise of profit-oriented, targeted threats, this trend has actually been underway since 2003, when adware and spyware numbers began growing at an alarming rate. Potentially Unwanted Programs (PUPs) is the collective term given to threats that are not […], but whose presence on a computer has clear security or privacy implications. They are usually made and marketed by legitimate corporate entities for specific beneficial purposes (to whom they may be beneficial is debatable). Spyware and adware belong to this category of threats. They install themselves on a user's machine, often as the trade-off for a piece of “free” software, collecting marketing data and distributing targeted advertising. With the emergence of lucrative online affiliate-marketing business models and the widespread ease with which these threats can be spread, adware and spyware are in ascendancy as prominent features in the threat landscape.

Rise of Adware and Spyware

Although the terms “adware” and “spyware” have been around since the late 1980’s, only in 2003 and 2004 did they emerge as a dominant trend in the security environment. Figure 1 shows the rapid growth in both families and variants of adware and spyware since 2000. Between 2000 and 2002, there were only about forty adware families. Their numbers rose sharply in 2003, increasing by more than 1000 percent in three and a half years. By August of 2006, there were more than 450 adware families with more than 4,000 variants.

Figure 1: Growth of Adware and Spyware (narrow)2 Families and Variants from 2000 to 2006 (Source: McAfee Avert Labs)

Researchers at the University of Washington (UofW) performed a study of the prevalence and composition of adware and spyware in 2005.1 These researchers scanned the Internet directly for suspicious executable files. In May and again in October, they analyzed about 20 million URLs. Nineteen percent of the sites visited hosted executable code, from which the researchers collected more than 20,000 samples. In October, 5.5 percent of these files (originating from 4.4 percent of the 2,532 domains examined) contained a dubious program.

The UofW study found fewer than 90 different undesirable programs (82 in May, 89 in October). As with viruses, the majority of PUPs were either not seen or found only in small quantities (see Table 1). One possible explanation for this paucity is that most PUPs are aimed at specific targets and therefore discretely deployed.

Table 1: UofW Spyware Study Results

Program         May 2005    Program         Oct. 2005
WhenU           364         WhenU           340
180Solutions    236         Marketscore      47
eZula           214         Claria           41
Marketscore     143         BroadCastPC      37
BroadCastPC      67         Aurora           36
Claria           44         FOne             35
VX2              41         Zango            34
Favoriteman      36         eZula            33
Ebates           31         Web3000          32
MoneyMaker
NavExcel         24         180Solutions     25

1 “A Crawler-based Study of Spyware on the Web,” http://www.cs.washington.edu/homes/gribble/papers/spycrawler.pdf
2 In its narrow sense, Spyware is a term for Tracking Software deployed without adequate notice, consent, or control for the user. For more information, see the Anti-Spyware Coalition, http://www.antispywarecoalition.org/documents/GlossaryJune292006.htm


Users Deceived

In 2004 and 2005, AOL and the National Cyber Security Alliance (NCSA) surveyed the use of online protection measures.3 Users were questioned before their hard disks were analyzed to study how their perceptions matched reality.

In some categories, the differences between perceptions and reality were considerable. For example, in 2004, only 53 percent of users thought they had PUPs installed on their machines. Subsequent analysis of the hard drives revealed the actual figure was 80 percent. In 2005, 71 percent said they updated their anti-virus software daily or weekly. However, analysis showed that 67 percent of the anti-virus programs had not been updated for a week or more.

A recent survey done by McAfee’s SiteAdvisor.com challenged Web surfers to test their ability to detect which sites in a number of popular categories were free of adware and spyware. A staggering 97 percent of Internet users could not differentiate safe from unsafe sites, meaning that the vast majority are just one click away from infecting their PCs with spyware, adware, or some other kind of unwanted software.

In a May 2006 study, McAfee SiteAdvisor.com reported that all major search engines returned risky sites when searching for popular keywords.4 The number of dangerous sites soared to as many as 72 percent of search results for certain risky keywords, such as free screensavers, kazaa, bearshare, download music, and free games.

Sites and Companies Distributing Adware

It is commonly thought that adult and pornographic sites are the most prolific distributors of adware. The UofW study, however, contradicts this conventional wisdom. Based upon the study results, the most dangerous sites are actually star/celebrity sites (16.3 percent of executable files on these sites are dangerous), followed by screen saver sites (11.5 percent), and then adult sites (11.4 percent). By their nature, game sites contain many executables (60 percent of cases in the UofW study). Of these, the study found only 5.6 percent of them to be dangerous.

The May 2005 study reported that 4.6 percent of executable files available for downloading from a popular portal site contained spyware. The percentage dropped to 0.3 percent by October, due apparently to a new scanning policy at the hosting company.

As noted earlier, most adware and spyware are authored by legitimate companies for advertising and market research purposes. The UofW study ranked adware-distributing sites by the number of infected executables found. The website scenicreflections.com alone contained 1,776 instances of TurboDownload and 1,354 instances of WhenU. To make the statistics more meaningful, these instances have been removed from the study results in Table 2.

Figure 2: McAfee SiteAdvisor Mapping of Affiliations between Sites

3 2004 AOL/NCSA Online Safety Study: http://www.staysafeonline.info/news/safety_study_v04.pdf; 2005 AOL/NCSA Online Safety Study: http://www.staysafeonline.info/pdf/safety_study_2005.pdf
4 The Safety of Internet Search Engines: http://www.siteadvisor.com/studies/search_safety_may2006.html



Many sites are, in fact, undercover operations working directly for the companies listed in the previous section. Some sites regularly change names and are often mutually linked by agreements with varying degrees of secrecy. McAfee’s SiteAdvisor.com5 provides a graphical representation of these connections in Figure 2. Through these connections, legitimate sites (in green) can find themselves tied to known adware distributors (in red), for example, adbureau.net to mediapost.com to 180solutions.com to zangocash.com.

Table 2: Adware-Distributing Sites and the Number of Infected Executables

Site                      May 2005    Site                   Oct. 2005
screensaver.com           191         gamehouse.com          164
celebrity-wallpaper.com   136         screensavershot.com    137
screensavershot.com       118         screensaver.com        107
download.com              116         hidownload.com          50
gamehouse.com             111         games.aol.com           30
galttech.com               38         appzplanet.com          27
appzplanet.com             37         dailymp3.com            27
megspace.com               36         free-to                 27
download-game.com          30         galltech.com            23

Affiliators and Affiliates

Affiliation is a performance-based marketing structure that connects a merchant site and its partners. The merchant, or affiliator, creates the system and recruits partners, or affiliates, to promote the merchant’s products and services. Payments are based upon the traffic, customers, and transactions that affiliates bring to the merchant.

The contract between the affiliator and affiliates includes terms and conditions that specify commission rates, types of payment, and other payment variables such as periodicity and minimum threshold. Payment terms are often set on a pay-per-click (payment made for each visitor) or pay-per-form (payment for each profile) basis. Some affiliators pay a percentage commission on sales. To take part, an affiliate adds a graphical promotional element to its site (text, button, or banner) that tracks and records sales or leads over time.6

In general, users who visit an affiliate’s site choose whether or not to go to the affiliator’s (merchant’s) site. If a user decides to visit the merchant’s site, a parameter associated with the merchant’s URL identifies the referring affiliate. The user’s computer might also receive a cookie so that the merchant can track the user’s behavior, for example, whether the user makes a purchase or fills out a form.

Tracking

There are four primary ways in which affiliates are recognized and thus paid: URLs with parameters, cookies, HTTP referrals, and download and installation counters.

URLs with Parameters

This is the most common technique and can be applied to pay-per-click and adware installation. Consider the promotional site for an online casino in Figure 3.

Figure 3: Casino-Partouche.com URL with Parameter

For the Casino Partouche site, the link in Internet Explorer’s status bar contains an identifying parameter so that the referrer can be paid for a click, in this case “idaffiliation=1121.”

With this technique, programs called AdClickers can be used by unscrupulous affiliates who distribute them with bots, viruses, or e-mails. AdClickers automatically click repeatedly on certain Web pages, thus artificially increasing a referrer’s earnings. A recent example of an AdClicker was given by the SANS Institute in May 2006.7

The URL-with-parameters technique can also be used when adware programs are installed. In some cases, the merchant site sends a confirmation code after installation, then waits for an acknowledgement to finalize the transaction and credit the affiliate.

Cookies

Cookie technology is mainly used in pay-per-profile and commission-on-sales programs. When an affiliate brings a visitor to a merchant’s site, the merchant owes the affiliate for advertising delivered during a specified period, typically one month.

In general, cookies employ a “username@sitename” format. The username differentiates between user profiles on the same machine. The sitename is often the address of the site that deposited the cookie. Other fields include:
1) Cookie name
2) Cookie value
3) Host/path for the web server setting the cookie
4) Flags
5) Expiration date
6) Expiration time
7) Creation date
8) Creation time
9) Record delimiter (*)

In the Casino Partouche example, a single cookie is generated. The affiliate is probably paid a commission based upon whether or not the user spends money on the affiliator’s site. Using a text editor, it is possible to view (and edit) the cookie (see Figure 4).

Figure 4: Text Editor View of a Cookie

The first two pieces of data are the variable name (idaffiliation) and the variable’s alphanumeric value (1121). Another string indicates the issuer and the URL for which the cookie is valid (casino-partouche.com/new/fra). One of the next strings is the expiration date in UNIX8 timestamp format (4032664576 is equivalent to February 22, 2006). Cookies are generally small in size, and it is rare to find one containing as much information as in Figure 5 from the Gammacash adult site.

Figure 5: Example of a Large Cookie from Gammacash

Cookies allow a computer and user profile to be identified, but not necessarily the actual user. Assuming that a visitor does not provide additional information, anonymity is preserved.

Most browsers permit users to disable some or all cookies. By doing so, a cookie’s creator cannot track the user, and the user’s activity will not be included when the affiliate’s fee is calculated. However, disabling all cookies may cause some Web sites to lose functionality, such as remembering recent stock quotes. A good compromise, if available in the web browser, is to disable third-party cookies, but allow first-party cookies. This setting will allow a single Web site to store information about the computer, but it will not allow that information to be shared with other sites.

HTTP Referrals

When a browser performs an HTTP query, it manages a parameter known as a “REFERER” that corresponds to the requested page. In practice, the information is contained in the environment variable $ENV{'HTTP_REFERER'}. The “HTTP_” shows that this environment variable was sent by a browser and not generated by a server. A visited site can retrieve the REFERER parameter using a CGI script,9 thus identifying the affiliate for payment.

Download and Installation Counters

The last technique involves tallying adware installations by counting the number of downloads from a merchant site. The counters work by affiliators providing each affiliate with a unique filename. Payment is then made according to the number of downloads or installations of each filename.

Payment (Conventional Advertising)

The Affiliation-Marketing website10 created by Rémi Calmel (France) is now, unfortunately, unreachable. But, in January 2006, it provided insight into the income that an affiliate might expect to receive from the various affiliate program types.

• Pay-per-display program
Affiliates are paid at a cost-per-thousand (CPT) rate, based on users displaying advertisements. The market price ranges from $18 to $25 per thousand.

• Pay-per-click programs
Affiliates are paid at a cost-per-act rate. Direct affiliates may make approximately $0.30 per act. With a click rate of 0.50 percent to 1.0 percent, the relative CPT would be between $1.50 and $3.00. Second- and third-rank affiliates may have their income divided by 2 or 3.

• Pay-per-profile program
Programs such as these are just a variant of cost-per-act remuneration. Email addresses submitted in a Web form could bring between $0.40 and $0.70 per address. A medium-length form correctly filled-in can be negotiated between $1.20 and $2.00; a larger one between $2.00 and $4.50. Because they require extensive user interaction, the participation yields on

5 SiteAdvisor's Plug-in for […], SiteAdvisor's Plug-in for Firefox: http://www.siteadvisor.com/preview/
6 A lead is defined as a click to a referenced merchant.
7 CLICKbot: http://isc.sans.org/diary.php?storyid=1334
8 Links to UNIX timestamp converters are available on this French language site: http://www.davidtouvet.com/blog/archives/2005/01/13/php-convertisseur-de-dates-en-format-timestamp/
9 CGI (Common Gateway Interface): Technology for running programs on Web servers to process queries from Internet users and display HTML pages in response. CGI scripts are often written in PERL, C++, or Java. ASP is a competing solution.
10 http://www.affiliation-marketing.com/dossiers/reussir/01.php. This URL and domain is now unreachable but the page can be found at: http://web.archive.org/web/20030209233551/http://www.affiliation-marketing.com/reussir/01.htm



these programs are very low, resulting in a CPT of less than $1.00.

• Commission-on-sales program
In 2000 a large personal computer manufacturer created a commission-on-sales program that paid affiliates between 3 percent and 5 percent sales commission. The low commission rates were due mainly to the low margins in the personal computer business. At the other end of the spectrum, and mainly in the U.S., on the largest platforms (Commission Junction and BeFree), programs can pay up to 30 percent to 50 percent, or even as high as 75 percent. However, the resulting relative CPT calculated by Rémi Calmel is very low, less than $0.70.

Table 3 below summarizes the income an affiliate might expect from the various marketing programs.

Table 3: Summary of Payment Program Costs

PROGRAM           CPT (for 1,000 people visiting the affiliate site)
Pay per display   < $25
Pay per click     < $3
Pay per profile   < $1
On commission     < $0.7

Payment (Adware Pay-per-Install)

Adware offers affiliates a potent tool for enhancing their revenues. By designing adware programs to visit affiliator sites repeatedly and automatically, an adware-powered affiliate would be able to increase dramatically the performance metrics upon which pay is calculated.

The case of Jeanson James Ancheta is particularly instructive. Using the pseudonym “BOTZ4SALE,” this 21-year-old hacker created new variants of the "rxbot" robot family.11 He distributed the variants and established several botnets, which he then rented to other computer users. The botnets were used to launch distributed denial of service (DDOS) attacks and to send unsolicited commercial email, or spam. Even though this business was going well, Ancheta soon realized that it was much more lucrative and less dangerous to distribute an affiliator’s software. With a friend, he affiliated to several merchants and altered their adware so that it could be installed via his botnets. This distribution system was soon working smoothly and payments flowed in regularly between November 2004 and April 2005. Unfortunately for Ancheta, authorities caught wind of his operation and arrested him in November 2005. In May, he pleaded guilty to conspiring to violate the Computer Fraud and Abuse Act, conspiring to violate the CAN-SPAM Act, causing damage to computers used by the federal government in national defense, and accessing protected computers without authorization to commit fraud.12 He was sentenced to 57 months in prison for orchestrating his botnets.13

The indictment details the rental cost of his botnets and the commissions paid by Gammacash Entertainment, Inc., of Quebec, Canada, and LOUDcash, now a part of ZangoCash. Figure 6 contains excerpts from pages 46 and 47 of the indictment that show what Ancheta was paid for the use of his botnets.

Figure 6: Gammacash and LOUDcash Payments for Services

Averaging the payments and numbers of computers infected, we can calculate that Ancheta collected approximately $0.15 per computer, translating into a CPT for adware distribution of about $150, significantly more than any of the legitimate affiliate-marketing programs described earlier. The figure seems realistic when compared with Zangocash's advertising banner that boasts payments of up to $0.40 per installation (see Figure 7).14

Figure 7: ZangoCA$H Affiliator Offer

Another hacker, who goes by the pseudonym of "0x80" (pronounced X-eighty), recently lifted the veil on his illegal botnet operations. In a Washington Post article15, he said that, like many botmasters, he earns money by clandestine adware distribution. 0x80 claims to control more than 13,000 computers in more than 20 countries, earning him, on average, about $6,800 per month, with one monthly total reaching as high as $10,000. Majy, a friend of 0x80, also detailed his exploits. He was paid $0.20 per install on computers in the U.S. and $0.05 per install on computers in 16 other countries, including France, Germany and the United Kingdom. Majy received income from a host of affiliate-marketing companies, including TopConverting, Gammacash, and LOUDCash.

11 Robot: a malicious program used to take control remotely of vulnerable machines in order to form a hidden attack network (or botnet).
12 Computer virus broker arrested for selling armies of infected computers to hackers and spammers, http://www.usdoj.gov/usao/cac/pr2005/149.html & http://www.usdoj.gov/usao/cac/pr2005/Botnet_Indictment.pdf
13 'Botherder' dealt record prison sentence for selling and spreading malicious computer code: http://www.usdoj.gov/usao/cac/pr2006/051.html
14 http://www.zangocash.com/programs/
15 Brian Krebs, “Invasion of the Computer Snatchers,” Washington Post, 19 February 2006, Page W10, http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html
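The nine-field cookie record described under Cookies can be parsed mechanically, which also makes the first-party/third-party distinction the paper recommends concrete. The Python below is an added example, not code from the paper or from McAfee. The cookie file it reads is constructed for this example: the idaffiliation name, the 1121 value and the casino-partouche.com/new/fra host/path follow the paper's Casino Partouche description, while the second record, the flags and the timestamp numbers are made up. It assumes each record is exactly eight lines followed by a line holding only the "*" delimiter.

```python
"""Parse an Internet Explorer-style 'username@sitename' cookie file.

Each record is nine lines: name, value, host/path, flags, expiration
(two numbers), creation (two numbers) and a '*' record delimiter, as
listed in the paper. The sample file below is constructed for this
example; its values are not taken from any real cookie.
"""
from dataclasses import dataclass

# Constructed sample: one record set by the visited casino site (first
# party) and one set by a different host (third party). Numbers are invented.
SAMPLE_COOKIE_FILE = """\
idaffiliation
1121
casino-partouche.com/new/fra
1024
4032664576
29734587
3010580992
29733611
*
trk
a8f3c2
ads.example-tracker.test/
1536
2147483648
30000000
3010580992
29733611
*
"""


@dataclass
class CookieRecord:
    name: str
    value: str
    host_path: str
    flags: int
    expires_lo: int   # expiration stored as two integers; kept raw here
    expires_hi: int
    created_lo: int   # creation stored the same way
    created_hi: int

    @property
    def host(self):
        """Host part of the host/path field (everything before the first '/')."""
        return self.host_path.split("/", 1)[0].lower()


def parse_cookie_file(text):
    """Split the file into '*'-delimited records and map the eight fields of each."""
    records = []
    block = []
    for line in text.split("\n"):
        line = line.rstrip("\r")
        if line == "*":
            if len(block) != 8:
                raise ValueError(f"malformed record: expected 8 fields, got {len(block)}")
            name, value, host_path, flags, e_lo, e_hi, c_lo, c_hi = block
            records.append(CookieRecord(name, value, host_path, int(flags),
                                        int(e_lo), int(e_hi), int(c_lo), int(c_hi)))
            block = []
        elif line:  # skip trailing blank lines
            block.append(line)
    if block:
        raise ValueError("trailing record without '*' delimiter")
    return records


def third_party_cookies(records, visited_host):
    """Cookies set by a host other than the visited site (or a subdomain of it).

    These are the records a browser's 'block third-party cookies' setting,
    the compromise the paper suggests, would refuse to store."""
    visited_host = visited_host.lower()
    return [r for r in records
            if r.host != visited_host and not r.host.endswith("." + visited_host)]


def affiliate_parameters(records, names=("idaffiliation",)):
    """Return {cookie name: value} for cookies carrying an affiliate identifier."""
    return {r.name: r.value for r in records if r.name in names}


if __name__ == "__main__":
    recs = parse_cookie_file(SAMPLE_COOKIE_FILE)
    for r in recs:
        kind = "third-party" if r in third_party_cookies(recs, "casino-partouche.com") else "first-party"
        print(f"{r.name}={r.value} set by {r.host} ({kind})")
    print("affiliate ids:", affiliate_parameters(recs))
```

The expiration and creation fields are deliberately left as the raw integer pairs the file stores; the parser's job is the record layout, and the affiliate identifier is recovered from the name/value pair exactly as Figure 4 shows it, which is also why the paper notes that anyone with a text editor can alter it.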

Conclusion

The prevalence of adware and spyware is increasing exponentially. Through technically legal means, they can be used to enhance an affiliate-marketing program. But, they are also an ideal tool for online criminals seeking to defraud.

In the cases discussed above, Ancheta admitted to collecting more than $107,000 in advertising affiliate proceeds by downloading adware to more than 400,000 computers to which he had gained unauthorized access. By varying the download times and rates of adware installations, as well as by redirecting the compromised computers between various servers, Ancheta evaded the fraud-detection of the advertising affiliate companies who paid him for every install.

The mixing of criminals and legitimate affiliate-marketing activities confuses both merchants and consumers, blurring the boundary between malicious, unwanted programs and friendly software. Further complicating the situation is the fact that much spyware is advertised as “protection software.”

With at least 12 million computers around the world compromised by botnets, significant amounts of money are being fraudulently collected by cyber criminals. The provisioning of such significant financial support will only foster accelerated growth in both the diversity and numbers of threats. Improved fraud detection and accountability for affiliate-marketing companies are certainly viable solutions that should help staunch the flow of money to criminals, but there is no substitute for end-user vigilance to protect confidential information from being taken and to prevent botherders from building up their drone networks.
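The Tracking section explains how an affiliate is identified (URL parameter, cookie, Referer, install counter) and the Conclusion calls for better fraud detection on the affiliate-marketing side. The Python below is an added example, not code from the paper or from any affiliate network: it parses a constructed Web-server log (the line format, IP addresses, host names and confirmation codes are all invented; only the idaffiliation parameter name comes from the paper's Casino Partouche example), counts the clicks and installs a pay-per-click or pay-per-install program would bill on, and flags three inflation patterns the paper describes: an AdClicker-style burst of clicks from one client, an install confirmation code acknowledged more than once, and a click whose Referer does not name the affiliate's registered site. The registered-affiliate table and the /click and /install-ack paths are assumptions made for the example.

```python
"""Attribute affiliate clicks and installs from Web-server log lines and
flag the inflation patterns the paper describes.

Everything below (log format, addresses, hosts, codes) is constructed for
this example; only the idaffiliation parameter name is taken from the paper.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed log format: <ISO timestamp> <client ip> "GET <url>" "<Referer or ->"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "GET (?P<url>\S+)" "(?P<referer>[^"]*)"$')

# Affiliate id -> host the affiliate registered when joining the program (assumed).
REGISTERED_AFFILIATES = {"1121": "promo-site.test", "2044": "deals-blog.test"}

SAMPLE_LOG = """\
2006-05-01T10:00:00 203.0.113.5 "GET /click?idaffiliation=1121" "http://promo-site.test/casino"
2006-05-01T10:00:02 203.0.113.5 "GET /click?idaffiliation=1121" "http://promo-site.test/casino"
2006-05-01T10:00:03 203.0.113.5 "GET /click?idaffiliation=1121" "http://promo-site.test/casino"
2006-05-01T10:00:05 203.0.113.5 "GET /click?idaffiliation=1121" "http://promo-site.test/casino"
2006-05-01T10:00:07 203.0.113.5 "GET /click?idaffiliation=1121" "http://promo-site.test/casino"
2006-05-01T11:15:00 198.51.100.7 "GET /click?idaffiliation=2044" "http://deals-blog.test/"
2006-05-01T11:20:00 198.51.100.9 "GET /click?idaffiliation=2044" "http://unrelated.test/"
2006-05-01T12:00:00 198.51.100.7 "GET /install-ack?idaffiliation=2044&code=K7Q2" "-"
2006-05-01T12:30:00 198.51.100.8 "GET /install-ack?idaffiliation=2044&code=K7Q2" "-"
"""


def parse_log(text):
    """Turn each log line into a dict: time, client ip, path, affiliate id, code, Referer host."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the constructed format
        parts = urlsplit(m["url"])
        query = parse_qs(parts.query)
        referer = m["referer"]
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "path": parts.path,
            "affiliate": query.get("idaffiliation", [None])[0],  # URL-with-parameters technique
            "code": query.get("code", [None])[0],                # install confirmation code
            "referer_host": urlsplit(referer).hostname if referer != "-" else None,
        })
    return events


def count_by_affiliate(events):
    """Billable clicks and installs per affiliate, before any fraud screening."""
    counts = defaultdict(lambda: {"clicks": 0, "installs": 0})
    for e in events:
        if e["affiliate"] is None:
            continue
        if e["path"] == "/click":
            counts[e["affiliate"]]["clicks"] += 1
        elif e["path"] == "/install-ack":
            counts[e["affiliate"]]["installs"] += 1
    return dict(counts)


def click_bursts(events, window_seconds=60, threshold=5):
    """(affiliate, ip) pairs with at least `threshold` clicks inside one window.

    A single client clicking the same affiliate link over and over is the
    signature of an AdClicker rather than of real visitors."""
    by_pair = defaultdict(list)
    for e in events:
        if e["path"] == "/click" and e["affiliate"]:
            by_pair[(e["affiliate"], e["ip"])].append(e["ts"])
    flagged = []
    for pair, stamps in by_pair.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                flagged.append(pair)
                break
    return flagged


def replayed_install_codes(events):
    """Confirmation codes acknowledged more than once: one install credited twice."""
    seen = defaultdict(int)
    for e in events:
        if e["path"] == "/install-ack" and e["code"]:
            seen[(e["affiliate"], e["code"])] += 1
    return [key for key, n in seen.items() if n > 1]


def referer_mismatches(events, registered=REGISTERED_AFFILIATES):
    """Clicks whose Referer host is not the affiliate's registered site.

    The Referer is supplied by the client, so a match proves nothing; a
    mismatch is only a reason to look before paying out."""
    return [(e["affiliate"], e["referer_host"]) for e in events
            if e["path"] == "/click" and e["affiliate"] in registered
            and e["referer_host"] != registered[e["affiliate"]]]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("billable:", count_by_affiliate(ev))
    print("click bursts:", click_bursts(ev))
    print("replayed install codes:", replayed_install_codes(ev))
    print("referer mismatches:", referer_mismatches(ev))
```

The point of keeping count_by_affiliate separate from the three screens is the paper's own observation: the raw counters are exactly what the affiliator pays on, so the fraud checks have to run before payment, and each of them only works if the merchant logs the client address, the timestamp and the confirmation code alongside the affiliate parameter.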

McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766, www.mcafee.com

McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2006 McAfee, Inc. All rights reserved.