June 5, 2019

Wajam: How a seemingly harmless browser extension morphed into unwanted adware

By Luke Christou

Wajam, a seemingly harmless browser extension created by Canadian technology entrepreneur Martin-Luc Archambault – now CEO of AmpMe and star of the Canadian Dragon’s Den television series – turned out to be anything but.

Since launching in 2008, Wajam has transitioned from a hardy search extension tool into a notoriously persistent adware that does its all to evade capture while filling its users’ computer with unwanted adverts.

Internet security provider ESET has profiled the journey of Wajam, looking into how it has transformed over the years.

Wajam: A social search browser extension

Wajam started out as a free browser plugin designed to make it easier to see what your friends and colleagues were sharing around a certain topic.

The user would search for terms on a search engine, and Wajam would populate the listings with content that has previously been shared by those that the user had connected with on social media networks such as Facebook, LinkedIn and Google+.

The plugin was monetised using contextual advertising displayed alongside Wajam content, allowing the developer to offer free access to the software.

The company picked up a string of awards and endorsements during its early years. Wajam and Archambault received awards from Deloitte, Ernst & Young and PwC, while the Canadian Innovation Exchange, part of the Canadian Securities Exchange, selected Wajam as one of Canada’s 20 most innovative companies.

Wajam: An enticing adware

Despite the software’s promise, Wajam began its transition into an adware in 2012, when the company began removing the ability to link Facebook, LinkedIn and Google+ accounts with Wajam. This rendered the software’s core feature largely unusable.

However, while this was ongoing, Wajam continued to display a heavy number of ads in its users’ browsers, which generated the company $4.2m of profit in 2013, ESET reports.

In 2014, Wajam stop offering the software as a free download via its website. However, it soon began appearing as a download elsewhere using a Pay-Per-Install (PPI) model. This involves the software’s creator outsourcing the distribution of the software to a third-party, who is paid each time the software is installed. As ESET notes, this model is notoriously used by those wishing to spread malware and frequently comes in the form of fake driver files and anti-virus software.

A report by the Office of the Privacy Commissioner of Canada (OPC) found that Wajam had been distributed by more than 50 PPI providers between 2011 and 2016.

During that time, the way in which Wajam injects information into a user’s web traffic also began to mimic the techniques used by malware developers, ESET claims. Once installed, Wajam intercepts web traffic, checks whether it is one of it supported websites (e.g. Google), injects its adverts and supporting tweets into the webpage, then performs an update from its remote server.

Collecting unnecessary data

The OPC began investigating Wajam in 2016 believing that the company had breached the Personal Information Protection and Electronic Documents Act (PIPEDA) due to the way it was collecting and using the personal information of its users.

The commission’s main concern was the difficult that users faced in removing the software from their computers, and the lack of ability to withdraw consent for the developer to collect data.

One internet user who had accidentally installed Wajam while attempting to download an ebook reported that despite uninstalling the program, “every time I open a browser or alt-tab back to my browser I get a pop up ad/website in a new tab”.

“I tried reinstalling my browsers, did not have any effect, and using ADWcleaner, which I believed got rid of the virus entirely, but next time I started my PC the ads came back,” they claimed.

However, the difficulty in removing Wajam isn’t the only concern. ESET also found that the software had been collecting seemingly unnecessary data from its users since its early days. Traces of a screen capture plugin were found that could potentially be used to capture images on a users’ device. Likewise, code was also present that notified Wajam of any bookmarks saved to the user’s browser.

Evading anti-virus detection

Back in 2012, Wajam, then still viewed as a legitimate software company, asked anti-virus vendors to mark its application as safe after it was detected as adware by numerous security solutions by the likes of McAfee and Adaware.

However, in 2014 Wajam began using a different approach to escape detection. Newer versions of the software use the SeDebugPrivilege command, which allows control of another user’s processes, to launch Wajam with administrative access rights.

The software also adds a certificate to the user’s root certificate list. This allows the application to intercept traffic and avoid security warnings from displaying on the system when it injects code into a webpage.

Likewise, it also edits the Windows registry to set up a proxy server to intercept all web use on the infected device.

In 2016, Wajam released another new version designed to circumvent new security mechanisms.

The software began using heavy code and data obfuscation techniques to further avoid detection. Wajam began altering Windows Defender commands to stop the infection being reported to Microsoft and stop warning messages from appearing.

Wajam also began installing a driver that intercepts traffic in kernel space, the core of an operating system where processes and services are initially executed.

Where are they now?

Wajam as a company appears to have gone quiet. The company’s Twitter account, for example, has not been updated since late 2015, and it is still impossible to download the adware through Wajam’s own website.

Shortly after the OPC opened its investigation, Wajam was sold to a newly-created company based in Hong Kong, named Iron Mountain Technology Limited.

It is unclear whether Archambault has any connection to this company, but his LinkedIn profile still lists him as the chairman of Wajam.

Regardless of who owns it or where it is operated from, Wajam is still very much active, and ESET found evidence that it is continuing its attempts to infiltrate systems. Regularly changed verification certificates (seemingly another attempt to avoid detection) used by the software are signed by domain names that belong to Wajam, some of which reference names of streets in Montreal.

Read more: Fancy Bear improves weapon in its hacking arsenal