How a Montreal-made “social search engine” application has managed to become widely-spread adware, while escaping consequences
Wajam Internet Technologies is a start-up founded in December 2008 by Martin-Luc Archambault (a famous entrepreneur in Quebec) and based in Montreal, Canada. The core product of the company is a social search engine application (i.e. it allows searching through the content shared by your contacts on social networks). Figure 1 illustrates an example of what Wajam displays when performing a Google search.
The software itself is free to install; however, it generates revenues through the display of contextual advertising. Regarding its distribution, a browser extension was initially available from the Wajam official website until 2014 (see Figure 2), but it is now primarily distributed using the Pay-Per-Install (PPI) distribution model. According to the Office of the Privacy Commissioner (OPC) of Canada, Wajam has used more than 50 different PPI providers between 2011 and 2016. This model has been criticized several times for its usage of fake Adobe Flash Player, antivirus, and many other popular software installers to deceive the user, and for the heavy presence of adware and malware in the installers provided.
- The company progressively and silently removed the ability to link Facebook, LinkedIn and Google+ accounts to their software between 2012 and 2014, although its main feature depends on it.
- A lot of users started to complain as of 2012 about the heavy display of ads in the web browser and the difficulty to uninstall Wajam (see Figures 3, 4 and 5). According to D&B Hoovers, the company generated around USD 4.2M of net profits in 2013.
- While the OPC was investigating the company for breaching the Personal Information Protection and Electronic Documents Act (PIPEDA) because of its usage of users’ personal information, the company was sold to a newly-created company headquartered in Hong Kong, called Iron Mountain Technology Limited (IMTL).
The timeline in Figure 6 sums up some remarkable events in the history of the company.
In parallel to the company history, Figure 7 exposes the timeline of the anti-detection and anti-analysis features added to the software.
Multiple versions of Wajam have been developed over the years. Since the developers used internal names and version numbering to distinguish the different variants and builds, it was possible to classify the samples we collected. The following table sums up the versions identified; note that the dates are based on the time the samples were observed in the wild, and it is possible they were available earlier.
| Internal name(s) | Major version number | Type | Period of distribution |
|---|---|---|---|
| Priam | 1 | Browser extension | Late 2011 to 2014 |
| Wajam Internet Enhancer, Wajam Network Enhancer | 2 | Windows application | 2013 to 2016 |
| Wajam Web Enhancer, Social2Search | 1 and 9 | Windows application | 2014 to 2017 |
| Wajam Browser Enhancer, Social2Search, SearchAwesome | 3, 11 and 13 | Windows application | 2016 to present |
| SearchPage | N/A | macOS application | 2017 to present |
Each version of Wajam injects the same payload into the user’s web traffic, so the difference resides in the technique used to make the interception and the injection. However, the techniques they used became more and more similar to techniques typically used by malware developers. Once Wajam is installed on a machine and the web traffic is ready to be intercepted, the software acts as follows:
- Finally, it tries to update the list from the Wajam remote server.
Personal information leaks
Wajam progressively collected more and more information about its users, either during installation or when the software runs:
- Some IDs are used to identify a particular user (see Figure 9);
- A lot of logs are sent to Wajam servers during the installation process to ensure it is done properly (see the network capture in Figure 10);
- Some information specific to the setup of the user – like the list of software installed and the model of the machine – are also sent to the Wajam servers.
Except for the browser extension, all the versions were distributed as NSIS installers by Pay-Per-Install providers. Also, the PDB paths show how the developers gradually obfuscated their software over the years. One can see that the later versions mostly have much longer PDB paths that contain only random characters.
Priam: the browser extension
The older versions of the browser extension contain traces of a screen capture plugin (see Figure 12) in a DLL accompanying the extension. The latter uses either the Netscape Plugin API (for Chrome and Firefox) or a Browser Helper Object (for Internet Explorer).
As their software was detected as adware by various security products, Wajam first tried to have the detections removed by asking the security vendors directly (see Figures 13 and 14).
In 2014, we observed a change in Wajam’s strategy. Their software was no longer available as a browser extension; its download links were removed from their official website (wajam[.]com) and a new version for Windows, using the Fiddler web proxy, was distributed by PPI providers.
Among the features of this new version, the most remarkable ones are:
- It uses the SeDebugPrivilege to start the main executable with administrator access rights.
- It sets up a proxy to intercept all web traffic; the preferences of the installed web browsers and the Windows registry are tampered with so that they use the proxy.
Wajam in the Warhammer fantasy
At the same time WJProxy was observed, another version with DLL injection capabilities was found in the wild. Instead of using a third-party proxy, it injects a DLL into web browsers in order to hook the functions that manipulate non-encrypted traffic. Figure 15 depicts the functional architecture of this version.
Interestingly, this version uses some obfuscation techniques like string encryption (see Figures 16 and 17).
Also, the files containing the list of supported websites and the addresses of the functions to hook (see Figure 18) are both encrypted (AES-256 CFB). One might note that the names of these files (respectively waaaghs and snotlings) might be a reference to the Warhammer fantasy universe. There are also other (sub)strings, such as in the name of the injected DLL, wajam_goblin.dll, and others inside the binaries, suggesting Wajam’s authors were interested in fantasy games or fiction.
Regarding the DLL injection process itself, it can be achieved in different ways depending on the parameter given to the injector. The following table sums up the different options.
Once the DLL is injected, the injector checks if the targeted process is a web browser and if so uses MinHook and the decrypted snotlings file to hook the functions manipulating non-encrypted web traffic such as Firefox’s PR_Write, PR_Read, Win32 APIs send, recv, and so on.
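As an added example (not part of the original analysis), the following Python snippet shows the check a defender can run against a browser process to spot the kind of inline hook MinHook installs on PR_Write, PR_Read, send or recv: the first bytes of the exported function in memory are compared with the bytes of the same function on disk, and a detour is decoded when found. The function addresses, the clean prologue bytes and the hook address inside wajam_goblin.dll are constructed sample values.

```python
import struct

# Constructed snapshot: first 10 bytes of two exported functions, as read from the
# module on disk and from the live browser process. All addresses are assumptions.
CLEAN_PROLOGUE = bytes.fromhex("48 89 5c 24 08 48 89 74 24 10")  # mov [rsp+8],rbx; mov [rsp+10h],rsi
PR_WRITE_ADDR = 0x7FF8_1234_5000   # assumed address of nss3!PR_Write in the browser
GOBLIN_HOOK = 0x7FF8_0001_0000     # assumed address of the hook inside wajam_goblin.dll


def make_jmp_rel32(src: int, dst: int) -> bytes:
    """Encode 'jmp rel32' (E9 xx xx xx xx) from src to dst, the detour MinHook usually writes."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


# In-memory view: PR_Write's prologue overwritten by a 5-byte jmp, PR_Read left intact.
SNAPSHOT = {
    "nss3!PR_Write": (PR_WRITE_ADDR, CLEAN_PROLOGUE,
                      make_jmp_rel32(PR_WRITE_ADDR, GOBLIN_HOOK) + CLEAN_PROLOGUE[5:]),
    "nss3!PR_Read": (PR_WRITE_ADDR + 0x400, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
}


def detect_inline_hook(func_addr: int, on_disk: bytes, in_memory: bytes):
    """Compare a function prologue in memory with its on-disk bytes and decode the
    detour if one is present. Returns None when the prologue is intact."""
    n = min(len(on_disk), len(in_memory))
    if in_memory[:n] == on_disk[:n]:
        return None
    if in_memory[0] == 0xE9:                         # jmp rel32
        rel = struct.unpack_from("<i", in_memory, 1)[0]
        return {"kind": "jmp rel32", "target": func_addr + 5 + rel}
    if in_memory[:2] == b"\xFF\x25":                 # jmp [rip+disp32] (absolute relay)
        disp = struct.unpack_from("<i", in_memory, 2)[0]
        return {"kind": "jmp [rip+disp32]", "pointer": func_addr + 6 + disp}
    return {"kind": "unknown patch", "bytes": in_memory[:n].hex()}


def scan(snapshot):
    """Run the prologue check over every function in the snapshot; return only the hits."""
    hits = {}
    for name, (addr, disk, mem) in snapshot.items():
        hook = detect_inline_hook(addr, disk, mem)
        if hook is not None:
            hits[name] = hook
    return hits


if __name__ == "__main__":
    for name, hook in scan(SNAPSHOT).items():
        print(name, hook)
```

On a real host the on-disk bytes come from the module file at the export's RVA and the in-memory bytes from the browser process; a decoded target that lies outside any legitimately loaded module is the signal to investigate.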
As the techniques described above are usually employed by malicious software, Wajam uses several techniques to protect itself from detection by security products:
- It checks the Windows registry for antivirus keys (see an example listing in Figure 19) and sends any it finds to Wajam servers.
- Depending on the sample, the name of the executable is slightly modified, such as WajWEnhance.exe, WaWEn.exe, WebEnhancer.exe, etc.
- From late 2015, a minifilter driver is included to hide the software’s files on the disk from all processes except whitelisted ones (see Figure 20).
- It regularly modifies itself with patches downloaded from Wajam servers (these are variously RC4- or XOR-encrypted).
Chrome and Firefox have recently blocked third-party code injections in their respective web browsers, so this version of Wajam won’t work anymore if a victim uses the current version of either of these browsers.
Wajam goes deeper in the kernel
To cope with new security mechanisms, another version of Wajam was released in mid-2016 that added considerable new features, including a NetFilter driver to intercept and inject traffic directly in kernel space.
Among the many other changes in this version is stronger protection against detection:
- It uses heavy code and data obfuscation (see Figures 22 and 23); some techniques look like the Stunnix C/C++ obfuscator.
- It adds exclusions to Windows Defender (-command Add-MpPreference -ExclusionPath on the command line).
- It sets the registry entries DontReportInfectionInformation and DontOfferThroughWUAU to 1, which disable infection reporting to Microsoft and MSRT (Malicious Software Removal Tool) updates, respectively.
- The executables are signed by certificates whose names are domain names belonging to Wajam and change very regularly (see Figures 24 and 25).
Those domain names are trademarks of Wajam according to the Quebec Enterprise Register (see Figure 26). Also, some of the domain names (more examples in the IoCs section) are related to Montreal street names (like “Adrien Provencher”, “Bernard”, “Mont-Royal”, etc.).
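As an added example (not code from the original analysis), the following Python snippet performs an offline triage of a registry export for the two evasion steps listed above: the MRT policy values set to 1 and the Windows Defender path exclusions. The key locations are the ones Microsoft documents for the MRT policy and Defender exclusions; the .reg excerpt and the excluded directory are constructed sample data, not indicators from the report.

```python
import re

# Constructed excerpt of a 'reg export' of the two keys of interest (sample data).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
"DontReportInfectionInformation"=dword:00000001
"DontOfferThroughWUAU"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\Program Files\\WebEnhancer"=dword:00000000
"""

MRT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT"
EXCL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<val>.+)$')


def parse_reg(text: str) -> dict:
    """Turn a .reg export into {key: {value_name: value}}; dword values become ints."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = m["name"].replace("\\\\", "\\")      # .reg escapes backslashes in names
        val = m["val"]
        if val.startswith("dword:"):
            val = int(val[6:], 16)
        elif val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace("\\\\", "\\")
        keys[current][name] = val
    return keys


def triage(keys: dict) -> list:
    """Return (finding, evidence) pairs for the evasion settings described in the report."""
    findings = []
    mrt = keys.get(MRT_KEY, {})
    if mrt.get("DontReportInfectionInformation") == 1:
        findings.append(("MRT infection reporting disabled", "DontReportInfectionInformation=1"))
    if mrt.get("DontOfferThroughWUAU") == 1:
        findings.append(("MRT updates via Windows Update disabled", "DontOfferThroughWUAU=1"))
    for path in keys.get(EXCL_KEY, {}):            # every exclusion deserves a look
        findings.append(("Windows Defender path exclusion", path))
    return findings


if __name__ == "__main__":
    for finding, evidence in triage(parse_reg(SAMPLE_REG)):
        print(f"{finding}: {evidence}")
```

Any exclusion whose path points at a directory or binary name seen in the report (WajWEnhance.exe, WaWEn.exe, WebEnhancer.exe) is a strong lead; a clean host normally has neither MRT value set.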
SearchPage: Apple-flavored Wajam
Starting in 2017, new Wajam-authored adware called SearchPage and targeting macOS systems was detected. Analysis shows that it used some domain names also used in the latest Windows versions (see Figure 24).
It is distributed as a macOS application bundle called spiinstall.app, which installs a Safari plugin and a certificate in the keychain (the root certificate placeholder on macOS). This plugin injects traffic in a similar way to the Windows versions.
Another version found in mid 2018 uses mitmproxy (a web proxy written in Python) instead of the Safari extension to intercept web traffic. Figure 28 shows how the proxy is used as well as the presence of the Wajam-registered URL hardcoded in the script.
As this malware has already been documented by MalwareBytes, further details can be found in their analysis.
This research reveals that despite the transfer of ownership to a Hong Kong company, Wajam is still very active and under multiple names, such as SearchAwesome, Social2Search, SearchPage, etc. We suppose this is used to cover their tracks and expand their presence with the help of PPI distribution.
Our analysis shows that the techniques used by Wajam to inject traffic became more and more devious and persistent as newer versions were released. They started with a simple browser extension (2011), switched to a proxy method in late-2013, then from 2014 they directly injected code into the web browsers to hook network communications functions, and are now using a driver to intercept traffic directly in kernel space. These multiple changes have largely been in response to enhancements in the security protections built into browsers or the OS through the years.
Using these kinds of techniques means there is a chance of being detected by security products, and this has happened to Wajam. Even if the history of the company shows they first tried to ask for detection removal (2012-2013), they quickly changed their strategy (2014), preferring the use of obfuscation, code protection and anti-detection techniques that hide the true behavior of their software.
The Wajam case reminds us there is still a grey area when speaking about adware and PUAs (Potentially Unwanted Applications). Indeed, even if they use techniques to hide their behavior from users and security products, displaying advertisements is still more annoying than harmful to the user. However, one should be aware of the persistence level used by some of this software.
IP address ranges
Domain names (partial list)
| Tactic | ID | Technique | Description |
|---|---|---|---|
| Persistence | T1179 | Hooking | Use MinHook to hook web browser functions and intercept web traffic. |
| Privilege Escalation | T1134 | Access Token Manipulation | Obtain user token to execute itself with API call CreateProcessAsUserA under user's context. |
| Defense Evasion | T1014 | Rootkit | Use minifilter and NetFilter drivers to respectively hide its files and intercept web traffic. |
| | T1116 | Code Signing | Some samples are signed with different digital certificates. |
| | T1089 | Disabling Security Tools | Add exclusions in Windows Defender and disable MRT updates. |
| | T1130 | Install Root Certificate | Install a root certificate to aid in man-in-the-middle actions. |
| | T1027 | Obfuscated Files or Information | Most of the strings are encrypted with an XOR-based algorithm and some payloads are encrypted with AES-256 or RC4. |
| | T1055 | Process Injection | Inject a DLL in web browsers (CreateRemoteThread, SetWindowsHookEx or BlackBone library) to intercept web traffic. |
| Discovery | T1063 | Security Software Discovery | Attempt to detect several antivirus products. |