Users are often guided to install special installers from a site in order to download the applications they want, but these downloaders also transfer confidential information to communication servers.
It's easy to tell that you have fallen victim to an advertising partner program: new apps get installed, ad pop-ups appear when you open the browser, you are redirected to different landing pages, and so on.
Security researchers from Kaspersky published a report on the number of users targeted with attempts to install advertising partner programs around the globe; most of the attempts (65%) happen in Russia.
Advertising Partner Program
An advertising partner program plays an intermediary role between the application developers, the vendors who distribute the application, and the site that hosts it.
So if a user wants to download an application from these sites, the site asks them to install its downloader first in order to get the required file. The site owner receives money for getting users to install the partner apps, and the advertising partner program earns from the advertisers.
File Distribution and Communication
To illustrate the process, researchers downloaded a plugin that downloads a game. Their attempt to download the game redirected to a page designated by the file-sharing site administrator; the page offers the file for download in various formats and provides installation guides.
Once the application is installed on the computer, it sends information about the downloaded installer as well as the user's confidential information (username, PC domain name, MAC address, machine SID, hard drive serial number, and lists of running processes and installed programs) without the user's consent.
After receiving the information, the C&C server responds with the following fields:
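One way to spot the check-in described above in proxy or sandbox captures is to flag any outbound request body that carries several of the listed host identifiers at once. This is an added example, not code from the Kaspersky report or from the installer; the function names, the host inventory dict, the threshold and the sample request bodies are constructed assumptions.

```python
import re

# Value patterns for two of the identifiers the article lists.
SID_RE = re.compile(r"\bS-1-5-21(?:-\d{1,10}){3}\b")                 # machine SID
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")  # MAC address

def fingerprint_hits(body, host):
    """Return the kinds of host identifier found in an outbound request body.

    host holds this machine's known values from an asset inventory
    (hypothetical keys: username, domain, disk_serial, processes).
    """
    hits = set()
    low = body.lower()
    if SID_RE.search(body):
        hits.add("machine_sid")
    if MAC_RE.search(body):
        hits.add("mac_address")
    # Exact values are matched only when long enough to avoid chance hits.
    for kind in ("username", "domain", "disk_serial"):
        value = host.get(kind, "")
        if len(value) >= 4 and value.lower() in low:
            hits.add(kind)
    # One process name proves little; several together look like a process list.
    seen = [p for p in host.get("processes", []) if p.lower() in low]
    if len(seen) >= 3:
        hits.add("process_list")
    return hits

def is_suspicious(body, host, threshold=3):
    """A single identifier is common in telemetry; a bundle of them is not."""
    return len(fingerprint_hits(body, host)) >= threshold

# Constructed sample data, not captured traffic.
HOST = {"username": "jsmith", "domain": "CORP-WS042",
        "disk_serial": "WD-WX41A49H7",
        "processes": ["chrome.exe", "explorer.exe", "svchost.exe", "outlook.exe"]}
CHECKIN = ("installer=game_setup&user=jsmith&dom=CORP-WS042"
           "&mac=00:1A:2B:3C:4D:5E"
           "&sid=S-1-5-21-1111111111-2222222222-3333333333"
           "&hdd=WD-WX41A49H7&procs=chrome.exe,explorer.exe,svchost.exe")
BENIGN = "q=download+game&lang=en&user_agent=Mozilla"
PARTIAL = "login=jsmith&mac=00:1A:2B:3C:4D:5E"

if __name__ == "__main__":
    for name, body in (("checkin", CHECKIN), ("benign", BENIGN), ("partial", PARTIAL)):
        print(name, sorted(fingerprint_hits(body, HOST)), is_suspicious(body, HOST))
```

Matching on value shape rather than parameter names keeps the check independent of whatever field names a given installer uses.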
adverts – a list of the conditions to check for software installation
content – the file name and the link for the user to download
Icon – links for the icons that are to be downloaded later
If an advert's conditions are fulfilled, the id of the advert is added to the adverts_done list. The installer also checks the registry for certain antivirus installations on the computer.
The URL field contains the link of the advert and the key for installing the software without the user's consent. These additional programs get installed on the computer along with the downloaded file.
“By analyzing the loader process, we managed to get some links to various programs that can be installed secretly. In particular, around 5% of the files were legitimate browser installers. About 20% of the files are detected as malicious (Trojan, Trojan-Downloader, etc.),” researchers said.