iPensatori - Anatomy of an Ad Injector Workflow (brilliant investigation)
Original post found here: http://ipensatori.com/?p=945
Ad injectors turn a profit primarily by presenting users with advertisements. Sometimes the advertisements are served on a CPM model (Cost Per Mille, i.e. payment per thousand impressions), where the ad injector organization is paid according to how many times an ad is seen by a user. Other times it is CPC (Cost Per Click), where the ad injector folks are paid every time a user clicks on an ad that was presented to them. A third model is CPA (Cost Per Action, also referred to as Pay Per Action), which is integral to affiliate marketing: payment is made only when the user goes on to complete an action such as a purchase or sign-up.
Ad injectors leverage the hard work of other publishers by literally injecting foreign content (advertisements) into their sites. In almost every single case involving an ad injector that I have looked at, the ad injectors do not have the permission of the publisher to modify the site in question. In a number of previous posts we have seen ad injectors push foreign content into sites like Wikipedia (intended to always be free of ads!), Amazon, Google, Facebook and Bing. Note that a fairly consistent workflow has been adopted by the ad injector community:
- Install the ad injector software on a user’s machine
- Monitor the sites browsed over time
- Inject an ad upon detecting a suitable site
Let’s go through each of these steps in a little more detail using the PlayBryte ad injector as an example.
It appears that PlayBryte gets their software installed on a machine via the PPI (Pay Per Install) model: PlayBryte sets itself up as an advertiser that pays publishers for each unique install they can get onto a user’s machine. The publisher through which they are deploying their software uses a binary that has been digitally signed by Click Run Software and is served from todownload.com. This organization convinces users to download and execute the binary by means of online advertising; in this scenario, they are advertisers offering Firefox and Chrome as a download.
Search for “download chrome” or “download firefox” on Google.com:
Clicking on the highlighted ad (URL for Firefox and for Chrome) will take you through to mozilla-firefox.todownload.com and google-chrome.todownload.com (for Firefox and Chrome respectively). The destination page in both cases offers downloads of these browsers.
Needless to say, these sites are not the official sources for the free software in question. From my experience, advertisers that use these kinds of tactics are, more often than not, deploying malware.
So Click Run Software/todownload.com is an advertiser on Google.com. A user comes along wanting to download Chrome or Firefox. They mistake the first ad for the first organic result and click through on the ad. They click on “download now”, download the binary (VirusTotal report here, 10/41 detections), execute it and then click through the installation screens presented.
One of the install screens presents PlayBryte:
If the user doesn’t alter the default settings then (1) PlayBryte will be installed, (2) Click Run Software/todownload.com gets paid and (3) the ad injection workflow moves on to Monitoring. Of interest in this scenario is that the PlayBryte installer does eventually hand off to the Google Chrome installer. If Google Chrome has a PPI program, it is likely that the folks behind Click Run Software/todownload.com are signed up to it.
The gist of monitoring is to determine when the time is right to inject into a site. In general, for every site the user visits, the ad injection software will:
- Initiate a call back to home base, informing them of which site the user is browsing to
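That call home is also the step a defender can see on the wire: a request to some third-party host whose query string carries, URL-encoded, the address of the page the user is actually reading. The following script is an added example (it is not from the original post and not PlayBryte's code) that flags such beacons in a proxy log. The log format, the client address and every hostname in it are constructed for the illustration; `example-injector.test` stands in for whatever the real home base was, and the eTLD+1 helper is deliberately crude.

```python
"""Spot ad-injector "call home" beacons in an HTTP proxy log.

Heuristic: a request to a third-party host whose query string carries, URL-encoded,
the absolute URL of a *different* site (the page the user is browsing). The log
format and every hostname below are constructed for this example; the
"example-injector.test" host is a placeholder, not a real PlayBryte endpoint.
"""
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log, one request per line: "<client> <method> <url> <referer>".
SAMPLE_LOG = """\
10.0.0.5 GET http://www.amazon.com/s?k=kindle -
10.0.0.5 GET http://stats.example-injector.test/ping?v=3&u=http%3A%2F%2Fwww.amazon.com%2Fs%3Fk%3Dkindle&id=abc123 http://www.amazon.com/s?k=kindle
10.0.0.5 GET http://images-na.ssl-images-amazon.com/images/I/41x.jpg http://www.amazon.com/s?k=kindle
10.0.0.5 GET http://en.wikipedia.org/wiki/Kindle -
10.0.0.5 GET http://stats.example-injector.test/ping?v=3&u=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FKindle&id=abc123 http://en.wikipedia.org/wiki/Kindle
10.0.0.5 GET http://www.google.com/search?q=download+chrome -
10.0.0.5 GET http://www.amazon.com/gp/redirect.html?location=http%3A%2F%2Fwww.amazon.com%2Fdp%2FB0051QVF7A -
"""


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Fine for the constructed hosts here;
    real tooling should consult the Public Suffix List (co.uk and friends)."""
    return ".".join(host.lower().split(".")[-2:])


def embedded_urls(url):
    """Absolute http(s) URLs carried as query-parameter values of `url`."""
    found = []
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        inner = urlsplit(value)
        if inner.scheme in ("http", "https") and inner.netloc:
            found.append(inner)
    return found


def find_beacons(log_text):
    """Return one record per request that reports some other site's URL to a
    third-party host. Same-site cases (e.g. a redirect endpoint) are skipped."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _method, url, referer = line.split(None, 3)
        dest_host = urlsplit(url).netloc
        referer_host = urlsplit(referer).netloc if referer != "-" else ""
        for inner in embedded_urls(url):
            if registrable_domain(inner.netloc) == registrable_domain(dest_host):
                continue  # a site passing its own URL around is not a beacon
            hits.append({
                "client": client,
                "beacon_host": dest_host,
                "reported_site": inner.netloc,
                "reported_path": inner.path,
                # A Referer equal to the reported site is the browser confirming
                # the request fired from that page, which strengthens the call.
                "referer_matches": referer_host == inner.netloc,
            })
    return hits


def beacon_hosts(hits):
    """Count reports per beacon host: a host that receives URLs from many
    unrelated sites is a home base, not a one-off integration."""
    return Counter(h["beacon_host"] for h in hits)


if __name__ == "__main__":
    hits = find_beacons(SAMPLE_LOG)
    for h in hits:
        print(f'{h["client"]} -> {h["beacon_host"]} reported {h["reported_site"]}{h["reported_path"]}')
    print(beacon_hosts(hits))
```

The same-domain skip matters: plenty of legitimate sites carry a full URL in a `location=` or `redirect=` parameter, and the Amazon redirect line above is there to show it is not reported. What singles out an injector is one third-party host hearing about Amazon, Wikipedia and everything else the user visits, which is why the count per beacon host is the figure to sort by in a real log.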
Injection can take a number of forms:
- The ad injector may remove existing advertisements and replace them with its own
- It may add more advertisements onto the page
- It may take original content on the page and overload it with ads
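All three forms leave the same trace: the DOM the browser ends up rendering loads resources from origins the publisher never served. The script below is an added example (not from the original post, not PlayBryte's or Amazon's code) that diffs the HTML a proxy saw coming from the publisher against the DOM dumped from the browser afterwards, and reports origins present on only one side. Both documents are constructed sketches, and all `*.test` hostnames are placeholders.

```python
"""Diff the HTML a publisher served against the DOM the browser rendered, and
list resource origins that exist only on one side. Added origins are candidates
for injected ads; removed ones are candidates for publisher ads the injector
stripped and replaced. Both documents and all "*.test" hostnames are constructed
for this example (the Amazon-like page is a sketch, not a real capture).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Element -> attribute that loads a remote resource.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

PAGE_URL = "http://www.amazon.com/dp/B0051QVF7A"

# What the publisher's server returned (as a proxy would record it).
SERVED_HTML = """<html><head>
<link href="/css/site.css" rel="stylesheet">
<script src="/js/app.js"></script>
<script src="http://images-na.ssl-images-amazon.com/images/G/01/x.js"></script>
</head><body>
<h1>Kindle, Wi-Fi, 6" E Ink Display</h1>
<img src="http://images-na.ssl-images-amazon.com/images/I/41x.jpg">
<iframe src="http://ads.publisher-partner.test/slot?id=7"></iframe>
</body></html>"""

# What the browser's DOM looked like after the injector ran
# (e.g. dumped with document.documentElement.outerHTML).
RENDERED_HTML = """<html><head>
<link href="/css/site.css" rel="stylesheet">
<script src="/js/app.js"></script>
<script src="http://images-na.ssl-images-amazon.com/images/G/01/x.js"></script>
<script src="http://cdn.example-injector.test/inject.js"></script>
</head><body>
<h1>Kindle, Wi-Fi, 6" E Ink Display</h1>
<img src="http://images-na.ssl-images-amazon.com/images/I/41x.jpg">
<div style="position:fixed;top:0;left:0;width:100%;height:100%">
<iframe src="http://survey.example-injector.test/win?gc=1000"></iframe>
</div>
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collect (tag, url) for every resource-loading element."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.resources.append((tag, value))


def resource_origins(html, page_url):
    """Set of hosts the document loads resources from; relative URLs resolve
    to the page's own host, so first-party assets never show up as foreign."""
    collector = ResourceCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).netloc.lower()
    return {(urlsplit(url).netloc or page_host).lower() for _, url in collector.resources}


def diff_origins(served_html, rendered_html, page_url):
    """Origins only in the rendered DOM ("added") and only in the served HTML
    ("removed"), both sorted for stable reporting."""
    served = resource_origins(served_html, page_url)
    rendered = resource_origins(rendered_html, page_url)
    return {"added": sorted(rendered - served), "removed": sorted(served - rendered)}


if __name__ == "__main__":
    print(diff_origins(SERVED_HTML, RENDERED_HTML, PAGE_URL))
```

Treat the output as a triage signal rather than proof: tag managers, lazy loaders and A/B frameworks also add resources client-side, so a clean reference machine is needed as a baseline. What settles the question is the same foreign origin turning up in the rendered DOM of unrelated publishers, Amazon and Wikipedia alike, which is exactly the pattern this post documents for PlayBryte.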
PlayBryte serves as a great example when it comes to modifying original content. From this video:
- 00:06 start up Internet Explorer
- 00:10 load Amazon.com
- 00:21 search for “kindle”
- 00:23 hover over first link returned (Kindle, Wi-Fi, 6″ E Ink Display ….)
- 00:27 click first link
- 00:28 SHOCK: a popup appears. It dominates the screen real estate, and it’s an ad! Sample packet trace available here.
Note that the ad injector has overloaded original content in Amazon’s DOM. There was no indication that clicking on the first result returned when searching for “kindle” would produce a popup for a visitor survey (and the chance to win a $1000 Walmart gift card).
PlayBryte is up to the same nonsense on Wikipedia’s site:
PlayBryte may argue that they have the user’s permission to do this, so what is the problem? Some may say that having the user’s permission is inconsequential, for it is the publisher’s permission that matters.