Ad injection

Ben Edelman, a reputable anti-spyware expert, has researched how Vonage, one of the leading providers of broadband phone service, funds spyware. The research was posted yesterday and is available on Ben Edelman's official web site. It is a very interesting read that provides a lot of indisputable facts and examples. Nothing very unusual here, except for detailed descriptions of new adware programs that do not display pop-ups, but inject advertisements into third-party sites instead. This is called ad injection.

So how does ad injection work? It's quite simple. An adware program such as Fullcontext, Searchingbooth or DollarRevenue runs in the background, monitoring user activity and waiting for any web site to be opened. When the user accesses a site, the parasite inserts its own advertisement above it, or replaces the original banners placed by the site with its own ads.

How does it look? Ben Edelman provides several screenshots. Visiting Google, eBay or any other site gives you the same genuine pages, but with a few third-party advertisements injected into them. The most interesting thing is that it is quite difficult to determine whether the ads on the page are genuine or injected by adware.
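One way a site operator can tell genuine ads from injected ones is to compare the markup the site served with the markup the browser ended up rendering. The following is an added example, not code from the original post or from Ben Edelman's research; the function names, hosts and HTML are constructed for illustration, and in a real browser the rendered side would be read from the DOM rather than parsed with a regular expression.

```javascript
// Added example: compare the markup a site served with the markup the
// browser ended up rendering, to surface injected or replaced ad resources.
// All hosts and HTML below are constructed sample data.
const TAG_RE = /<(script|iframe|img|a)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;

// Collect "tag url" entries for every resource-bearing element in the HTML.
function resources(html, base) {
  const out = new Map();
  for (const m of html.matchAll(TAG_RE)) {
    const url = new URL(m[2], base); // resolves relative links against the page
    out.set(`${m[1].toLowerCase()} ${url.href}`, url.hostname);
  }
  return out;
}

// injected: present after rendering, absent from the served copy, and
//           pointing at a host the publisher does not use.
// missing:  served by the publisher but gone after rendering (replaced banner).
function findInjected(servedHtml, renderedHtml, base, allowedHosts) {
  const served = resources(servedHtml, base);
  const rendered = resources(renderedHtml, base);
  const injected = [...rendered]
    .filter(([key, host]) => !served.has(key) && !allowedHosts.has(host))
    .map(([key]) => key);
  const missing = [...served.keys()].filter((key) => !rendered.has(key));
  return { injected, missing };
}

const BASE = "https://shop.example/";
const ALLOWED = new Set(["shop.example", "ads.partner.example"]);
const SERVED = `
<a href="/cart">Cart</a>
<img src="https://ads.partner.example/banner1.png">
<script src="/app.js"></script>`;
// Same page as seen on an affected machine: one banner swapped, one frame added on top.
const RENDERED = `
<iframe src="https://inject.invalid/top.html"></iframe>
<a href="/cart">Cart</a>
<img src="https://inject.invalid/b.png">
<script src="/app.js"></script>`;

const REPORT = findInjected(SERVED, RENDERED, BASE, ALLOWED);
console.log(REPORT);
```

The `missing` list is what separates a replaced banner from an ad that was merely added on top of the page.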

Parasites that inject ads may look harmless, but they are not. Imagine a user visiting a fully legitimate web site containing some relevant advertisements. He sometimes clicks on a banner or two. Usually, they lead to similar legitimate resources. However, if the user's system is infected with ad injectors, clicking on a banner on a safe site will open a malicious resource, run an exploit or even install a trojan!

Ad injection has potential. Considering that ad injectors are stealthier than typical adware (they do not display pop-ups, etc.), we might see the rate of completely different infections increasing rapidly.