Ad-injecting malware is one of the most reliable scams on the web. Once a computer's infected, the virus will drop new ads into any site it visits, sending ad revenue back to the scammers who control it. Users may even know the name of the program, but they're powerless to remove it. According to new research from Google and UC Berkeley, the scam is still going strong, despite more than a decade of work to stamp it out.
Released today, the study looked at computers visiting Google sites from June to October of 2014, replaying network requests to see if bogus ads were being injected locally. Over those five months, the system detected 5,339,913 different IP addresses infected with adware, roughly 5.5 percent of the total requests. It's a staggering number, but if anything it's likely to be an underestimate, since adware programs often decline to tamper with large company sites so as to avoid detection.
An e-commerce ad injector at work
The research also found that the infamous Superfish adware is alive and well. Superfish was the most popular ad injector detected by the study, impacting more than 3.7 million pageviews. The program became notorious after it was discovered pre-installed on certain Lenovo laptops, breaking SSL protections for any computer running it. Despite the bad press, Superfish appears to still be doing good business, either through other unreported installation deals or software bundles that trick hapless users into installing Superfish onto their own machines. Shopping programs like Jollywallet were also popular, as well as affiliate bundlers like Crossrider and Netcrawl, all of which operate as legitimate businesses.
Google has taken a number of steps to fight that ecosystem in recent months. Just last month, the company stopped accepting AdWords ads for free desktop software like WinZip, VLC and web browsers. That's important because adware has typically traveled by bundling with free software. If you clicked on a sponsored ad for a free Firefox download in 2014, odds are it would direct you to a bundle: one free copy of Firefox with a dozen different adware programs like Superfish that would help the advertiser make back their money. Cutting off those ads means those adware vendors will be effectively cut out of Google Search, a change anti-adware advocates like Harvard Business School's Ben Edelman have long been pushing for. "It's a step in the right direction," Edelman said when notified of the change. "They could have done this a long time ago, but better late than never."
More broadly, the study suggests a renewed effort against the adware ecosystem, with Google leading the charge alongside academic researchers. For many of the researchers involved in the study, programs like Superfish cut against the basic values of computing. "Ad injection undermines the integrity of user interactions," said Vern Paxson, a professor at UC Berkeley who worked on the research. "In broader terms, the question of just who ultimately controls the information presented to users is of great and increasing importance. It's one of the most vital issues the digital world faces."