Madware - Malicious Adware

15 September 2023 - Jacob Anderson

Click Here To Win!


Adware can be the innocent delivery of content to make you aware of products or services. When combined with malicious intent, it becomes Madware.

The Internet is connecting advertisers and marketers to customers from Boston to Bali with text, interactive graphics, video and audio. If you're thinking about advertising on the Internet, remember that many of the same rules that apply to other forms of advertising apply to electronic marketing.

Note: this passage is best read in the voice of the star actor from The Wolf of Wall Street. I can't mention his name here, but you know who he is. His voice pairs well with this passage. Enjoy.

Everyone sees online advertising, every day, on every web site they visit, and sometimes even in the desktop applications they use (Quickbooks, for instance). Advertising is everywhere and creates a pipeline of reachability to nearly every internet user on every platform they use. There is nothing on the internet that has a broader reach to an individual, of any age, than digital advertising.

The very first instance of Madware was the evil pop-under attack. By the late 90s the pop-under was a common JavaScript "attack" vector for getting an ad in front of a user. Most of us had already learned to ignore banners by this time, so advertising started to get creative. Using JavaScript to open a window was the easiest way to (1) get eyeballs, and (2) track the eyeballs. With the pop-under you can load a page that records the hit on a server. Impression tracking was easy.

The pop-under attack happens when the pop-under ad also has JS that spawns another one. This happened first as a bug in someone's landing page that the pop-under loaded, but quickly a bored kid thought it was funny to run the attack on his friends, and thus was born the evil pop-under attack. I remember this happening around 1998, but it actually happened earlier in a non-web venue (HyperCard), where a recursive card spawned itself. Bazoing! Your Mac was taken to its knees. I remember that fun stack around 92/93.

The attack is very simple. The JS is just window.location = self_url and you hook this up to the page.load event and now you have the recursive pop-up attack. You make it pop-under by moving the focus back to the main window. This was an easy drive-by attack placed on a watering-hole site, often found in the 90s on warez sites.
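To show why this loop no longer fires in a current browser, here is an added example (not code from the original post) that models the transient user activation rule modern engines apply to window.open: a page whose load handler re-opens its own URL runs away on a 1990s engine but is blocked, or limited to a single window per genuine click, on a modern one. The function and option names are my own, not any browser API, and the timings are simulated milliseconds.

```javascript
// Model of the browser-side control that neutralises the recursive pop-under:
// a popup is allowed only inside a short window after a real user gesture,
// and the call consumes that gesture, so a child page's load handler cannot
// inherit it. Names and timings are assumptions for the simulation.

const ACTIVATION_WINDOW_MS = 5000; // HTML spec: transient activation lasts ~5 s
const MAX_DEPTH = 25;              // safety cap so the unguarded model terminates

function createPopupGuard({ requireActivation = true } = {}) {
  let activationDeadline = -Infinity; // no user gesture seen yet
  const stats = { opened: 0, blocked: 0 };
  return {
    // A genuine click or keypress grants a short activation window.
    noteUserGesture(now) { activationDeadline = now + ACTIVATION_WINDOW_MS; },
    // window.open() equivalent. Legacy (1990s) behaviour: always allowed.
    // Modern behaviour: only inside the window, and the call consumes it.
    tryOpen(url, now) {
      if (requireActivation && now > activationDeadline) {
        stats.blocked++;
        return null; // what a blocked window.open() returns
      }
      activationDeadline = -Infinity; // activation is used up by this open
      stats.opened++;
      return { url };
    },
    stats: () => ({ ...stats }),
  };
}

// Models the page described above: its load handler immediately re-opens
// its own URL. Each spawned page "loads" 50 ms after the open that made it.
function loadSelfSpawningPage(guard, selfUrl, now, depth = 0) {
  if (depth >= MAX_DEPTH) return;
  const child = guard.tryOpen(selfUrl, now);
  if (child) loadSelfSpawningPage(guard, child.url, now + 50, depth + 1);
}

// Runs one scenario and returns how many windows opened vs. were blocked.
// userClickAt: simulated time of a real click, or null for no gesture at all.
function runScenario({ requireActivation, userClickAt = null }) {
  const guard = createPopupGuard({ requireActivation });
  if (userClickAt !== null) guard.noteUserGesture(userClickAt);
  const landingUrl = "http://ad.example/landing"; // constructed sample URL
  loadSelfSpawningPage(guard, landingUrl, (userClickAt ?? 0) + 10);
  return guard.stats();
}
```

On the legacy model the chain only stops at the safety cap; on the modern model no gesture means no window, and one click yields exactly one window before the child's own load handler is refused.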

Big deal, right? Sure, but this was a proof of concept for doing rich media ads. It was DoubleClick who fielded the first rich media ad network. In their network you could send out an ad that had Flash (Shockwave). If you don't know how nefarious Flash was, then look at the history of CVEs from SW-Flash (Flash 4) and read up on why Flash was banned by most IT departments and finally killed off by Adobe. Flash was a native container scripting engine that gave ads access to everything. If someone wanted to drop an exe onto your desktop, then it was just a simple Flash sideload using the web connect API. There was no sandboxing in Flash, so it could do anything that the browser could do.

Flash wasn't the only game in town, though. In the mid-90s Microsoft was pushing ActiveX for the web and rich media embedding. That meant you could add an ActiveX control on your page that would load an ActiveX component from the local desktop when a user landed on the page. The page was now running native code on demand, and it had access to any ActiveX components. If you don't get it, know that everything in Windows was accessible via ActiveX. This is the component technology that came out of Bill Gates' very publicized rant at his developers (there's video on YouTube of it, I am sure). AX was a great component technology, a brilliant architecture from Bill, but abused on the web quite extensively.

After AX there was Java and applets. Those fun little beasts were sold as sandboxed apps, but nobody paid attention to the sandbox permissions, so they allowed the applets to do anything, just like ActiveX. In fact, Microsoft implemented their Java plugin for exploder as an AX component. A land mine.

Who cares, right? Wrong. With ActiveX, Java, and Flash (which was just an AX plugin), advertisers had a vector for rich media, Nielsen-level tracking, and a way to persist the experience at the consumer's desktop. Nothing was more dangerous on the web at the time than rich media and the advertisers were hungry to buy it from the media networks.

JavaScript didn't become stable as a consumer technology until about 2008. Up until then it was a glitchy, crash-prone scripting engine that was barely more sophisticated than the original creation from Netscape in the 90s. What happened? Advertising. Like porn to VHS, advertising made JavaScript mainstream. IT departments were starting to block Flash and nobody allowed ActiveX anymore, so the advertisers needed another carriage for their warez. Nobody wanted to run a rich media JS ad if it crashed the browsers, so the JS working groups got to work on cleaning up the engines, and Google got serious about it because of AdWords.

Today, JavaScript is actually ECMAScript, which is stable and sandboxed largely due to Google and Microsoft, who were the punching bags for JS exploits in the past. In 2008 you could get access to the file system with JS and the user never knew it. We could pull anything from the file system, side load every kind of DLL you can think of, and all of it under the protection of the browser's user context. Oh, and don't forget that Internet Explorer was/is just an ActiveX component that you could embed in itself. Recursive madness that made exploits so much easier. It was Windows 7 that retired the ActiveX fiasco, and then Windows 11 has put it mostly to bed.

How is JavaScript used in Madware today? It's done with careful attention to sandbox boundaries and exploiting buffer overflows and permission errors in the sandbox. The nefarious hacker studies the public source code of the JS engines and then finds an execution path that can be exploited to gain either file system access or core memory access to the host computer. Once there, it's only a matter of bytes to side load an executable payload and start farming bytes from a target.

Prognosticating

The future is happening now! With the advent of WebAssembly (webasm) you can expect to see even more attack vectors for rich media madware. You won't be able to inspect the JS code for the madware now, though. With webasm there is only the bytecode that runs in the virtual machine that runs in the JS virtual machine. How many virtual machines do we need? It's likely that the advertisers will be sandboxed in their own webasm container for the ads, but that will likely make the browsers even slower. If you want to bring back Flash, then we can provide a C# version of the Flash container thanks to the Cocos2D-Flash project that we worked on around 2013. Imagine running ActionScript through a virtual machine that is executing on a virtual machine that is also being hosted by the JS virtual machine in your browser, which is probably on a virtual machine hosted remotely. So many layers to attack.

Prologue

How do I know all of this? Because I was there, from the start, at the road show where the Nature Conservancy was being showcased on MSN by Microsoft, espousing the power and flexibility of ActiveX for rich media. I was there for Netscape day one. I was there when Java was JDK 1.0a on SunOS 4.1.4, before any of you even knew about Java. I know the secret about Netscrape and its close relationship with Emacs. I used Castanet and Marimba, and saw it being exploited by Hacker Nefarios, who took advantage of the trust of developers who were excited about Java and its ease of deployability. I was at JavaOne, and I heard Gosling talk about Wizard and the origins of Java. I even interviewed an executive from DoubleClick when I was at a startup in the 90s. My software has been on your desktop more times than you should ever know. My origin story goes way back to a special group of people who protect your interests every day, a group of people who were there before it was cool to be there.