Adware and Spyware: Unraveling the Financial Web

White Paper | August 2006

www.mcafee.com

cs.franklin.edu/~spillm01/COMM-320-F5FF/assign-4-3/wp_adware.pdf


Table of Contents

Key Findings 3

Introduction 3

Rise of Adware and Spyware 3

Users Deceived 4

Sites and Companies Distributing Adware 4

Affiliators and Affiliates 5

Tracking 5

Payment (Conventional Advertising) 6

Payment (Adware Pay-per-Install) 7

Conclusion 8


Key Findings

1. The prevalence of adware and spyware is increasing at an exponential rate. Between 2000 and 2002, there were only about forty adware families. Their numbers increased sharply (more than 1000 percent) in the next 3.5 years. By August 2006, there were nearly 450 adware families with more than 4,000 variants. (P. 3)

2. Internet users remain ignorant of the dangers of spyware and adware. A recent survey by McAfee’s SiteAdvisor.com found that a staggering 97 percent of Internet users could not differentiate safe from unsafe sites, meaning that the vast majority is just one click away from downloading spyware, adware, or some other kind of potentially unwanted software. (P. 4)

3. The University of Washington found that the most prolific distributors of adware are actually star/celebrity sites, not the commonly believed adult and pornography websites. (P. 4)

4. The adware business model is a lucrative one. A botherder’s criminal indictment alleged that affiliate-marketing companies paid him approximately $0.15 per infected computer, corresponding to a cost-per-thousand of $150. (P. 7)

Introduction

Though security companies have recently called attention to the rise of profit-oriented, targeted threats, this trend has actually been underway since 2003, when adware and spyware numbers began growing at an alarming rate. Potentially Unwanted Programs (PUPs) is the collective term given to threats that are not malware, but whose presence on a computer has clear security or privacy implications. They are usually made and marketed by legitimate corporate entities for specific beneficial purposes (to whom they may be beneficial is debatable).

Spyware and adware belong to this category of threats. They install themselves on a user's machine, often as the trade-off for a piece of “free” software, collecting marketing data and distributing targeted advertising. With the emergence of lucrative online affiliate-marketing business models and the widespread ease with which these threats can be spread, adware and spyware are in ascendancy as prominent features in the threat landscape.

Rise of Adware and Spyware

Although the terms “adware” and “spyware” have been around since the late 1980s, only in 2003 and 2004 did they emerge as a dominant trend in the security environment. Figure 1 shows the rapid growth in both families and variants of adware and spyware since 2000.

Between 2000 and 2002, there were only about forty adware families. Their numbers rose sharply in 2003, increasing by more than 1000 percent in three and a half years. By August of 2006, there were more than 450 adware families with more than 4,000 variants. Researchers at the University of Washington (UofW) performed a study of the prevalence and composition of adware and spyware in 2005.[1] These researchers scanned the Internet directly for suspicious executable files.

Figure 1: Growth of Adware and Spyware (narrow)[2], Families and Variants from 2000 to 2006. Source: McAfee Avert Labs

In May and again in October, they analyzed about 20 million URLs. Nineteen percent of the sites visited hosted executable code, from which the researchers collected more than 20,000 samples. In October, 5.5 percent of these files (originating from 4.4 percent of the 2,532 domains examined) contained a dubious program.

The UofW study found fewer than 90 different undesirable programs (82 in May, 89 in October). As with viruses, the majority of PUPs were either not seen or found only in small quantities (see Table 1). One possible explanation for this paucity is that most PUPs are aimed at specific targets and are therefore discreetly deployed.

Program             May 2005    Program         Oct. 2005
WhenU                    364    WhenU                 340
180Solutions             236    Marketscore            47
eZula                    214    Claria                 41
Marketscore              143    BroadCastPC            37
BroadCastPC               67    Aurora                 36
Claria                    44    FOne                   35
VX2                       41    Zango                  34
Favoriteman               36    eZula                  33
Ebates MoneyMaker         31    Web3000                32
NavExcel                  24    180Solutions           25

Table 1: UofW Spyware Study Results

1 “A Crawler-based Study of Spyware on the Web,” http://www.cs.washington.edu/homes/gribble/papers/spycrawler.pdf

2 In its narrow sense, Spyware is a term for Tracking Software deployed without adequate notice, consent, or control for the user. For more information, see the Anti-Spyware Coalition, http://www.antispywarecoalition.org/documents/GlossaryJune292006.htm


Users Deceived

In 2004 and 2005, AOL and the National Cyber Security Alliance (NCSA) surveyed the use of online protection measures.[3] Users were questioned before their hard disks were analyzed, to study how their perceptions matched reality.

In some categories, the differences between perceptions and reality were considerable. For example, in 2004, only 53 percent of users thought they had PUPs installed on their machines. Subsequent analysis of the hard drives revealed the actual figure was 80 percent. In 2005, 71 percent said they updated their anti-virus software daily or weekly. However, analysis showed that 67 percent of the anti-virus programs had not been updated for a week or more.

A recent survey done by McAfee’s SiteAdvisor.com challenged Web surfers to test their ability to detect which sites in a number of popular categories were free of adware and spyware. A staggering 97 percent of Internet users could not differentiate safe from unsafe sites, meaning that the vast majority are just one click away from infecting their PCs with spyware, adware, or some other kind of unwanted software. In a May 2006 study, McAfee SiteAdvisor.com reported that all major search engines returned risky sites when searching for popular keywords.[4] The number of dangerous sites soared to as many as 72 percent of search results for certain risky keywords, such as free screensavers, kazaa, bearshare, download music, and free games.

3 2004 AOL/NCSA Online Safety Study: http://www.staysafeonline.info/news/safety_study_v04.pdf; 2005 AOL/NCSA Online Safety Study: http://www.staysafeonline.info/pdf/safety_study_2005.pdf

4 The Safety of Internet Search Engines: http://www.siteadvisor.com/studies/search_safety_may2006.html

Sites and Companies Distributing Adware

It is commonly thought that adult and pornographic sites are the most prolific distributors of adware. The UofW study, however, contradicts this conventional wisdom.

Based upon the study results, the most dangerous sites are actually star/celebrity sites (16.3 percent of executable files on these sites are dangerous), followed by screen saver sites (11.5 percent), and then adult sites (11.4 percent). By their nature, game sites contain many executables (the UofW study found them in 60 percent of cases), but only 5.6 percent of those executables were found to be dangerous.

The May 2005 study reported that 4.6 percent of executable files available for downloading from a popular portal site contained spyware. The percentage dropped to 0.3 percent by October, due apparently to a new scanning policy at the hosting company.

As noted earlier, most adware and spyware are authored by legitimate companies for advertising and market research purposes. The UofW study ranked adware-distributing sites by the number of infected executables found. The website scenicreflections.com alone contained 1,776 instances of TurboDownload and 1,354 instances of WhenU. To make the statistics more meaningful, these instances have been removed from the study results in Table 2.

Figure 2: McAfee SiteAdvisor Mapping of Affiliations between Sites


Many sites are, in fact, undercover operations working directly for the companies listed in the previous section. Some sites regularly change names and are often mutually linked by agreements with varying degrees of secrecy. McAfee’s SiteAdvisor.com[5] provides a graphical representation of these connections in Figure 2. Through these connections, legitimate sites (in green) can find themselves tied to known adware distributors (in red), for example, adbureau.net to mediapost.com to 180solutions.com to zangocash.com.

Site                     May 2005    Site                  Oct. 2005
screensaver.com               191    gamehouse.com               164
celebrity-wallpaper.com       136    screensavershot.com         137
screensavershot.com           118    screensaver.com             107
download.com                  116    hidownload.com               50
gamehouse.com                 111    games.aol.com                30
galttech.com                   38    appzplanet.com               27
appzplanet.com                 37    dailymp3.com                 27
megspace.com                   36    free-to                      27
download-game.com              30    galltech.com                 23

Table 2: Adware-Distributing Sites and the Number of Infected Executables

Affiliators and Affiliates

Affiliation is a performance-based marketing structure that connects a merchant site and its partners. The merchant, or affiliator, creates the system and recruits partners, or affiliates, to promote the merchant’s products and services. Payments are based upon the traffic, customers, and transactions that affiliates bring to the merchant. The contract between the affiliator and affiliates includes terms and conditions that specify commission rates, types of payment, and other payment variables such as periodicity and minimum threshold. Payment terms are often set on a pay-per-click (payment made for each visitor) or pay-per-form (payment for each profile) basis. Some affiliators pay a percentage commission on sales. To take part, an affiliate adds a graphical promotional element to its site (text, button, or banner) that tracks and records sales or leads over time.[6]

In general, users who visit an affiliate’s site choose whether or not to go to the affiliator’s (merchant’s) site. If a user decides to visit the merchant’s site, a parameter associated with the merchant’s URL identifies the referring affiliate. The user’s computer might also receive a cookie so that the merchant can track the user’s behavior—for example, whether the user makes a purchase or fills out a form.

5 SiteAdvisor's Plug-in for Internet Explorer, SiteAdvisor's Plug-in for Firefox: http://www.siteadvisor.com/preview/

6 A lead is defined as a click to a referenced merchant

Tracking

There are four primary ways in which affiliates are recognized and thus paid: URLs with parameters, cookies, HTTP referrals, and download and installation counters.

URLs with Parameters

This is the most common technique and can be applied to pay-per-click and adware installation. Consider the promotional site for an online casino in Figure 3.

Figure 3: Casino-Partouche.com URL with Parameter

For the Casino Partouche site, the link in Internet Explorer’s status bar contains an identifying parameter so that the referrer can be paid for a click, in this case “idaffiliation=1121.”

With this technique, programs called AdClickers can be used by unscrupulous affiliates, who distribute them with bots, viruses, or e-mails. AdClickers automatically and repeatedly click on certain Web pages, thus artificially increasing a referrer’s earnings. A recent example of an AdClicker was described by the SANS Institute in May 2006.[7]

The URL-with-parameters technique can also be used when adware programs are installed. In some cases, the merchant site sends a confirmation code after installation, then waits for an acknowledgement to finalize the transaction and credit the affiliate.

Cookies

Cookie technology is mainly used in pay-per-profile and commission-on-sales programs. When an affiliate brings a visitor to a merchant’s site, the cookie records which affiliate referred the visitor, so that the merchant can credit that affiliate for any purchase or form the visitor completes within a specified period, typically one month.

Internet Explorer stores each site’s cookies in a text file named in a “username@sitename” format. The username differentiates between user profiles on the same machine. The sitename is often the address of the site that deposited the cookie. Each cookie in the file is a nine-line record:

1) Cookie name
2) Cookie value
3) Host/path for the web server setting the cookie
4) Flags
5) Expiration time, low 32 bits
6) Expiration time, high 32 bits
7) Creation time, low 32 bits
8) Creation time, high 32 bits
9) Record delimiter (*)

7 CLICKbot: http://isc.sans.org/diary.php?storyid=1334

In the Casino Partouche example, a single cookie is generated. The affiliate is probably paid a commission based upon whether or not the user spends money on the affiliator’s site. Using a text editor, it is possible to view (and edit) the cookie (see Figure 4).

Figure 4: Text Editor View of a Cookie

The first two pieces of data are the variable name (idaffiliation) and its numeric value (1121). Another string indicates the issuer and the path for which the cookie is valid (casino-partouche.com/new/fra). The two numbers that follow are the low and high 32-bit halves of the expiration time, stored as a Windows FILETIME (100-nanosecond intervals since January 1, 1601), not a UNIX timestamp: 4032664576 is the low half, and only when it is combined with the high half does the value decode to February 22, 2006. To use a UNIX timestamp converter[8] on such a value, first divide the combined FILETIME by 10,000,000 and subtract 11,644,473,600 seconds (the offset between the 1601 and 1970 epochs).

Cookies are generally small in size, and it is rare to find one containing as much information as in Figure 5 from the Gammacash adult site.

Figure 5: Example of a Large Cookie from Gammacash

Cookies allow a computer and user profile to be identified, but not necessarily the actual user. Assuming that a visitor does not provide additional information, anonymity is preserved.

8 Links to UNIX timestamp converters are available on this French language site: http://www.davidtouvet.com/blog/archives/2005/01/13/php-convertisseur-de-dates-en-format-timestamp/

Most browsers permit users to disable some or all cookies. By doing so, a cookie’s creator cannot track the user, and the user’s activity will not be included when the affiliate’s fee is calculated. However, disabling all cookies may cause some Web sites to lose functionality, such as remembering recent stock quotes. A good compromise, if available in the web browser, is to disable third-party cookies but allow first-party cookies. With this setting, the site shown in the address bar can still store information about the computer, but advertisers and tracking services embedded in its pages cannot set or read cookies of their own during the visit. It does not stop the first-party site from passing what it collected to its partners on the server side.
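As an added example (not code from this paper, McAfee, or any site it names), the following Python script parses a cookie record in the nine-line Internet Explorer text-file layout described above and decodes its timestamps. The cookie name, value and path, and the low half of the expiration time (4032664576), are the ones quoted above; the high half of the expiration time and both halves of the creation time are constructed values chosen so that the record decodes to the February 22, 2006 expiry the paper gives and to a creation date one month earlier. It also shows what comes out if the low half alone is read as a UNIX timestamp, which is the misreading to avoid.

```python
"""Decode Internet Explorer-style cookie text files (added example).

The sample record is constructed: name, value, path and the low dword of
the expiry time come from the paper's Casino Partouche example; the other
numeric fields are assumed values chosen to decode to 2006-02-22 (expiry)
and 2006-01-22 (creation).
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_OFFSET_SECONDS = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01

# Each record is nine lines: name, value, domain/path, flags, expiry low
# dword, expiry high dword, creation low dword, creation high dword, "*".
RECORD_LINES = 9

SAMPLE_COOKIE_FILE = """\
idaffiliation
1121
casino-partouche.com/new/fra
1536
4032664576
29767490
3382050816
29761254
*
"""


def filetime_to_unix(low: int, high: int) -> int:
    """Combine the two 32-bit halves of a FILETIME into UNIX seconds."""
    ticks = (high << 32) | low
    return ticks // 10_000_000 - EPOCH_OFFSET_SECONDS


def filetime_to_datetime(low: int, high: int) -> datetime:
    """Decode a FILETIME pair to an aware UTC datetime."""
    return UNIX_EPOCH + timedelta(seconds=filetime_to_unix(low, high))


def misread_as_unix(low: int) -> datetime:
    """What you get if the low dword alone is treated as a UNIX timestamp."""
    return UNIX_EPOCH + timedelta(seconds=low)


def parse_cookie_file(text: str) -> List[Dict[str, object]]:
    """Parse every nine-line record in an IE cookie text file."""
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    records: List[Dict[str, object]] = []
    for start in range(0, len(lines) - RECORD_LINES + 1, RECORD_LINES):
        rec = lines[start:start + RECORD_LINES]
        if rec[8] != "*":
            raise ValueError(f"record at line {start + 1} lacks '*' delimiter")
        records.append({
            "name": rec[0],
            "value": rec[1],
            "path": rec[2],
            "flags": int(rec[3]),
            "expires": filetime_to_datetime(int(rec[4]), int(rec[5])),
            "created": filetime_to_datetime(int(rec[6]), int(rec[7])),
        })
    return records


if __name__ == "__main__":
    for c in parse_cookie_file(SAMPLE_COOKIE_FILE):
        print(f"{c['name']}={c['value']} for {c['path']}")
        print("  created:", c["created"].isoformat())
        print("  expires:", c["expires"].isoformat())
    print("low dword read as UNIX time:", misread_as_unix(4032664576).date())
```

The same FILETIME conversion applies to the other Windows artifacts an investigator meets from this era (index.dat history, registry timestamps), so the helper is worth keeping separate from the cookie parser.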

HTTP Referrals

When a browser requests a page, it normally sends a request header called “Referer” (the misspelling is part of the HTTP standard) that carries the URL of the page containing the link the user followed. A CGI script[9] on the visited site reads it from the environment variable $ENV{'HTTP_REFERER'}; the “HTTP_” prefix shows that the value came from a browser request header and was not generated by the server. Matching the Referer against the list of affiliate sites identifies the affiliate to be paid. Because the header is supplied by the client, it can be omitted or forged, which makes it the weakest of the four signals.

Download and Installation Counters

The last technique involves tallying adware installations by counting the number of downloads from a merchant site. The counters work by affiliators providing each affiliate with a unique filename. Payment is then made according to the number of downloads or installations of each filename.
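The request-side signals just described (URL parameter, cookie, Referer), as an added example in Python that is not code from this paper, McAfee, or any affiliate network: it attributes a request arriving at the merchant to an affiliate from the three signals in decreasing order of trust, counts the clicks each affiliate would be credited for, and then applies a per-client velocity check that catches the AdClicker pattern described under URLs with Parameters. The request log, IP addresses, affiliate-site registry and the 10-clicks-per-minute threshold are constructed assumptions; the parameter name idaffiliation and the value 1121 come from the Casino Partouche example above. Download counters are not modelled, since they are tallied on the merchant's file server rather than from the request.

```python
"""Affiliate attribution and an AdClicker velocity check (added example).

The request log, IPs, registry and threshold are constructed; only the
"idaffiliation" parameter and the value 1121 come from the paper.
"""
from collections import defaultdict, deque
from http.cookies import SimpleCookie
from typing import Deque, Dict, List, Optional, Set, Tuple

from urllib.parse import parse_qs, urlsplit

AFFILIATE_PARAM = "idaffiliation"

# Assumed registry: affiliate site hostname -> affiliate id, consulted when
# only the Referer identifies where the visitor came from.
AFFILIATE_SITES = {"promo-example.test": "1121", "other-partner.test": "2048"}

# Constructed request log: (timestamp seconds, client ip, request URL, headers).
REQUEST_LOG = [
    (0, "203.0.113.5", "http://merchant.test/new/fra?idaffiliation=1121", {}),
    (30, "203.0.113.5", "http://merchant.test/new/fra/signup",
     {"Cookie": "idaffiliation=1121"}),
    (45, "198.51.100.7", "http://merchant.test/new/fra",
     {"Referer": "http://other-partner.test/deals"}),
    (50, "198.51.100.9", "http://merchant.test/new/fra",
     {"Referer": "http://unknown.test/"}),
] + [
    # AdClicker pattern: one host "clicks" the affiliate link every 2 seconds.
    (100 + 2 * i, "192.0.2.77",
     "http://merchant.test/new/fra?idaffiliation=2048", {})
    for i in range(30)
]


def attribute(url: str, headers: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Return (affiliate_id, signal) from the first signal that names one.

    The query parameter comes from the affiliate's own link, the cookie is
    whatever the merchant set on an earlier visit, and the Referer is
    entirely client-supplied, so it is consulted last.
    """
    qs = parse_qs(urlsplit(url).query)
    if AFFILIATE_PARAM in qs:
        return qs[AFFILIATE_PARAM][0], "url-parameter"
    if "Cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["Cookie"])
        if AFFILIATE_PARAM in jar:
            return jar[AFFILIATE_PARAM].value, "cookie"
    if "Referer" in headers:
        host = urlsplit(headers["Referer"]).hostname or ""
        if host in AFFILIATE_SITES:
            return AFFILIATE_SITES[host], "referer"
    return None, "none"


def count_credits(log) -> Dict[str, int]:
    """Clicks each affiliate would be paid for if nothing is filtered."""
    credits: Dict[str, int] = defaultdict(int)
    for _, _, url, headers in log:
        aff, _ = attribute(url, headers)
        if aff is not None:
            credits[aff] += 1
    return dict(credits)


def flag_adclickers(log, window_s: int = 60,
                    max_clicks: int = 10) -> Dict[str, List[str]]:
    """Map affiliate id -> client IPs that exceeded max_clicks credited clicks
    inside any window_s-second window (the repeated automatic clicking the
    paper attributes to AdClicker programs)."""
    recent: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
    flagged: Dict[str, Set[str]] = defaultdict(set)
    for ts, ip, url, headers in sorted(log, key=lambda e: e[0]):
        aff, _ = attribute(url, headers)
        if aff is None:
            continue
        window = recent[(aff, ip)]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) > max_clicks:
            flagged[aff].add(ip)
    return {aff: sorted(ips) for aff, ips in flagged.items()}


if __name__ == "__main__":
    print("credits:", count_credits(REQUEST_LOG))
    print("flagged:", flag_adclickers(REQUEST_LOG))
```

A per-client rate threshold is a floor, not a defence: the Conclusion notes that Ancheta varied his download times and rates and redirected bots between servers precisely to stay under the affiliate networks' fraud detection, so in practice the velocity check is combined with checks that the paper's affiliate networks also lacked, such as whether the referred visitor ever goes on to do anything a human would.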

Payment (Conventional Advertising)

The Affiliation-Marketing website[10] created by Rémi Calmel (France) is now, unfortunately, unreachable. But in January 2006 it provided insight into the income that an affiliate might expect to receive from the various affiliate program types.

• Pay-per-display program Affiliates are paid at a cost-per-thousand (CPT) rate, based on users displaying advertisements. The market price ranges from $18 to $25 per thousand.

• Pay-per-click programs Affiliates are paid at a cost-per-act rate. Direct affiliates may make approximately $0.30 per act. With a click rate of 0.50 percent to 1.0 percent, the relative CPT would be between $1.50 and $3.00. Second- and third-rank affiliates may have their income divided by 2 or 3.

• Pay-per-profile program Programs such as these are just a variant of cost-per-act remuneration. Email addresses submitted in a Web form could bring between $0.40 and $0.70 per address. A medium-length form correctly filled in can be negotiated between $1.20 and $2.00; a larger one between $2.00 and $4.50. Because they require extensive user interaction, the participation yields on these programs are very low, resulting in a CPT of less than $1.00.

9 CGI (Common Gateway Interface): Technology for running programs on Web servers to process queries from Internet users and display HTML pages in response. CGI scripts are often written in Perl, C++, or Java. ASP is a competing solution.

10 http://www.affiliation-marketing.com/dossiers/reussir/01.php This URL and domain are now unreachable, but the page can be found at: http://web.archive.org/web/20030209233551/http://www.affiliation-marketing.com/reussir/01.htm

• Commission-on-sales program In 2000 a large personal computer manufacturer created a commission-on-sales program that paid affiliates between 3 percent and 5 percent sales commission. The low commission rates were due mainly to the low margins in the personal computer business. At the other end of the spectrum – and mainly in the U.S. – on the largest platforms (Commission Junction and BeFree), programs can pay up to 30 percent to 50 percent – or even as high as 75 percent. However, the resulting relative CPT calculated by Rémi Calmel is very low, less than $0.70.

Table 3 below summarizes the income an affiliate might expect from the various marketing programs.

PROGRAM           CPT (for 1,000 people visiting the affiliate site)
Pay per display   < $25
Pay per click     < $3
Pay per profile   < $1
On commission     < $0.7

Table 3: Summary of Payment Program Costs

Payment (Adware Pay-per-Install)

Adware offers affiliates a potent tool for enhancing their revenues. By designing adware programs to visit affiliator sites repeatedly and automatically, an adware-powered affiliate would be able to increase dramatically the performance metrics upon which pay is calculated.

The case of Jeanson James Ancheta is particularly instructive. Using the pseudonym “BOTZ4SALE,” this 21-year-old hacker created new variants of the "rxbot" robot family.[11] He distributed the variants and established several botnets, which he then rented to other computer users. The botnets were used to launch distributed denial of service (DDoS) attacks and to send unsolicited commercial email, or spam.

Even though this business was going well, Ancheta soon realized that it was much more lucrative and less dangerous to distribute an affiliator’s software. With a friend, he signed up as an affiliate with several merchants and altered their adware so that it could be installed via his botnets. This distribution system was soon working smoothly, and payments flowed in regularly between November 2004 and April 2005. Unfortunately for Ancheta, authorities caught wind of his operation and arrested him in November 2005. In January 2006, he pleaded guilty to conspiring to violate the Computer Fraud and Abuse Act, conspiring to violate the CAN-SPAM Act, causing damage to computers used by the federal government in national defense, and accessing protected computers without authorization to commit fraud.[12] In May 2006 he was sentenced to 57 months in prison for orchestrating his botnets.[13]

11 Robot: a malicious program used to take control remotely of vulnerable machines in order to form a hidden attack network (or botnet).

The indictment details the rental cost of his botnets and the commissions paid by Gammacash Entertainment, Inc, of Quebec, Canada, and LOUDcash – now a part of ZangoCash. Figure 6 contains excerpts from pages 46 and 47 of the indictment that show what Ancheta was paid for the use of his botnets.

Figure 6: Gammacash and LOUDcash Payments for Botnet Services

Averaging the payments and numbers of computers infected, we can calculate that Ancheta collected approximately $0.15 per computer, translating into a CPT for adware distribution of about $150, significantly more than any of the legitimate affiliate-marketing programs described earlier.

The figure seems realistic when compared with ZangoCash’s advertising banner, which boasts payments of up to $0.40 per installation (see Figure 7).[14]

Figure 7: ZangoCA$H Affiliator Offer

Another hacker, who goes by the pseudonym "0x80" (pronounced X-eighty), recently lifted the veil on his illegal botnet operations. In a Washington Post article,[15] he said that, like many botmasters, he earns money by clandestine adware distribution. 0x80 claims to control more than 13,000 computers in more than 20 countries, earning him, on average, about $6,800 per month, with one monthly total reaching as high as $10,000.

12 Computer virus broker arrested for selling armies of infected computers to hackers and spammers: http://www.usdoj.gov/usao/cac/pr2005/149.html and http://www.usdoj.gov/usao/cac/pr2005/Botnet_Indictment.pdf

13 'Botherder' dealt record prison sentence for selling and spreading malicious computer code: http://www.usdoj.gov/usao/cac/pr2006/051.html

14 http://www.zangocash.com/programs/

15 Brian Krebs, “Invasion of the Computer Snatchers,” Washington Post, 19 February 2006, Page W10, http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html

Majy, a friend of 0x80, also detailed his exploits. He was paid $0.20 per install on computers in the U.S. and $0.05 per install on computers in 16 other countries, including France, Germany and the United Kingdom. Majy received income from a host of affiliate-marketing companies, including TopConverting, Gammacash, and LOUDCash.

Conclusion

The prevalence of adware and spyware is increasing exponentially. Through technically legal means, they can be used to enhance an affiliate-marketing program. But, they are also an ideal tool for online criminals seeking to defraud. In the cases discussed above, Ancheta admitted to collecting more than $107,000 in advertising affiliate proceeds by downloading adware to more than 400,000 computers to which he had gained unauthorized access. By varying the download times and rates of adware installations, as well as by redirecting the compromised computers between various servers, Ancheta evaded the fraud-detection of the advertising affiliate companies who paid him for every install.

The mixing of criminals and legitimate affiliate-marketing activities confuses both merchants and consumers, blurring the boundary between malicious, unwanted programs and friendly software. Further complicating the situation is the fact that much spyware is advertised as “protection software.”

With at least 12 million computers around the world compromised by botnets, significant amounts of money are being fraudulently collected by cyber criminals. The provisioning of such significant financial support will only foster accelerated growth in both the diversity and numbers of threats. Improved fraud detection and accountability for affiliate-marketing companies are certainly viable solutions that should help staunch the flow of money to criminals, but there is no substitute for end-user vigilance to protect confidential information from being taken and to prevent botherders from building up their drone networks.

McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766, www.mcafee.com McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2006 McAfee, Inc. All rights reserved.