Good afternoon everyone. We're ready to start with the last session of NordSec. We will have Hugo presenting. Hugo is a malware researcher with ESET and he will be talking about Wajam. So please join me in welcoming Hugo.

So hi everyone, thank you for coming to my talk even if this is the last one of the day. Today I present to you the story of Wajam. This is a social search engine developed by a famous Montreal startup which became a massively spread adware. So what about me? My name is Hugo. I work at the Montreal office of ESET as a malware researcher. Basically my work consists of tracking different kinds of malicious software and analyzing them, essentially doing reverse engineering.

So here is the agenda for this presentation. First, I will present Wajam as a company as well as their product and the reasons behind this research. Then we will go through the story of Wajam to get a bit of context. The next two sections will be about the analysis of the different versions of the software we collected, and you will see that the techniques used by Wajam in their software look a lot like techniques typically used by malware. And finally I will give you some takeaways of this research and what this research put in evidence.

So let's start with a brief presentation of Wajam, both as a company and as a software. What is Wajam? Wajam Internet Technologies is a company founded in December 2008 in Montreal by Martin-Luc Archambault. This is a famous entrepreneur in Quebec; he participated in some popular TV shows like Dragons' Den. The only product of this company is a social search engine application. Basically it allows searching through the content shared by your relations on social networks like Facebook, LinkedIn, Twitter or even Google Plus, which doesn't exist anymore, unfortunately. And here is an example of what results you could expect when using Wajam.
So when you use an online search engine like Google, for example, it will give you the content shared by your friends on social networks related to the keywords you've searched for. As you can see, there are no ads in this example, but this one comes from Wajam directly. This is an actual example of a Google search with Wajam, and you can see the ads and the Facebook, Twitter and contextual menu at the top. So you can see Wajam ads.

Maybe you wonder why we did this research on this kind of software, which could actually be useful. Actually, we knew Wajam for several years, but we really started to look at it when Malwarebytes published an article about macOS malware intercepting encrypted traffic for ad injection. Malwarebytes didn't link it to Wajam, but the domain names used were the same and the ad injection process was the same. Then one or two months later, we found a Windows version of Wajam based on a kernel driver to intercept traffic. And also, as we work in the Montreal office, this is a local story for us. So we wanted to fill the gap between the public reporting and the actual behavior of Wajam. So we started to look deeper at the different samples, as well as the previous ones from 2011. So yes, of course, I love studying adware. It's really not.

So before looking at the technical part and the analysis of the software, let's go through the unique story of the company to get a bit of context. Wajam's history starts with a lot of success. The company has been rewarded several times and was acclaimed by many famous magazines like Forbes or different local newspapers. So this was really a success story in Montreal, and even with students: Wajam sponsors a famous Montreal student club, the DCI. This is in French, sorry for the English-speaking persons. However, the success story is balanced by the important number of user complaints regarding the behavior of the software.
As you can maybe see on the examples, most of the users complain about the unwanted installation of Wajam on their machines and the heavy display of ads, making the software almost unusable. One of the other Wajam issues is the collection of personal information. I will present more about the kind of information that Wajam collects later. But in 2016, the Office of the Privacy Commissioner of Canada initiated a complaint against the company for breaching the Personal Information Protection and Electronic Documents Act. Basically, this is the federal privacy law for private-sector organizations, and it sets out the ground rules for how businesses must handle personal information in the course of commercial activity.

As you can see on this timeline, the investigation of the OPC started in June 2016 and the final report was published in August 2017. During the time of the investigation, Wajam transferred all its assets to a Hong Kong company called Iron Mountain Technology Limited, or IMTL. Also, one interesting thing you can find in the OPC report is the progressive and silent removal of LinkedIn, Google Plus and Facebook from their software between 2012 and 2014. This means that from 2014, it was only possible to see Twitter results when using Wajam.

So here is the company Wajam transferred these assets to. Here is a screenshot of their website to get a bit of context. And this is the answer of Wajam to the report of the OPC in August 2017. Basically, Wajam stated that it was no longer accountable for IMTL's practices. However, even the OPC had some doubts whether the two organizations, Wajam and IMTL, were actually entirely separate entities. And if we go further in the report, it says they observed that IMTL was incorporated in November 2016, while the investigation was ongoing.
Besides, the director of the company specialized in providing business relocation and corporate services to businesses wishing to establish a presence in Hong Kong, so quite curious. A few months ago, actually, in October 2018, sorry, this is in French, a local press investigation was published which analyzed the report of the OPC and exposed interesting elements regarding the transfer of Wajam to this new company. Basically, if you look at the physical address of IMTL on their website, it matches exactly the one of another company called Panocean Secretarial Group. So, as you can see, we can wonder about something; this is rather curious. And if we look at the services offered by this company, we can see they specialize in offshore company incorporation. Curious again. And this is actually from their website. They say that they simply display the company name in the reception area and the documents are transferred to the original company. So this is kind of curious. But anyway, now we have some context. Let's move to the technical part.

We begin with the common observations among the different versions of Wajam we observed and how we classify them. This was not an easy task. We collected an important number of Wajam samples, and so the first step was to classify them by versions and features. The first observation was to see that Wajam is not the only name used in the software, but there are many others like Social2Search, SearchPage and SearchAwesome, for example. But hopefully, thanks to the metadata of the samples, mainly Windows executables, like the PDB path and the product version, it was possible to classify them. Here are some examples of version numbers and PDB paths we collected over the years. As you can see, some are very explicit like Wajam proxy or DLL injection. And it's interesting to observe that from 2017, when the company was sold, the PDB paths started to be random characters.
Actually the most recent versions in 2018 and 2019 are even more random and seem to follow a specific pattern, suggesting a possible automatic obfuscation. Also the version numbering suggests there are thirteen versions, but actually we have only observed versions 1, 2, 3, 9, 11 and 13. There are also the PE signatures. They were also a good way to recognize Wajam samples, as the executables were signed with the domain names of Wajam, and maybe you could recognize some of them because they actually use Montreal street names for the domain names. Basically the Quebec Enterprise Register was quite useful to make the link between the domain names and Wajam as a company. As you can see, there are many different domain names such as iPhone installer, install apps and many others, using Montreal street names mostly.

So here are the different versions we could identify. We regrouped them by their features and code base, even if they are distributed with a different name or a different version number. Basically we identified five different versions of Wajam: one browser extension called Priam, three different versions for Windows and one for macOS distributed from 2017. As you can see, the name of Wajam progressively disappeared and other names like Social2Search and SearchAwesome were used.

Regarding the features, each version finally does the same thing: it injects remote JavaScript code into the user's web traffic. But the difference between each version resides in the technique used to perform the traffic interception. Once the software is able to perform the interception, it downloads a list of supported websites. The list maps a domain name to a specific JavaScript file, and for each URL, Wajam will check if the domain name matches any domain name in the list. If it matches, it injects the ads and the tweets corresponding to the user's keywords. So here is an example of Wajam's list of supported websites.
There are essentially search engines, approximately 100. The version of the list is identified by a hash and it is updated every 50 seconds, for example. But the most important field here is the supported sites. Also, as you can see, there is also a field to blacklist some processes. If we look at one example, it looks like this. There is the regex pattern to match the website, here Google for example, and the path of the remote JavaScript file to inject. So this is the JavaScript file for Google, for example. It injects another file, and this is the one responsible for the ad injection.

Wajam progressively collected more and more information related to its users, either during the installation or when the software is running. Basically there are some IDs to identify particular users. A lot of logs are sent to Wajam servers during the installation process to ensure it is done properly, and the same within the installation. And some information on the setup of the user, like the list of the software installed or the model of the machine, is also sent to the Wajam servers. Here is an example of a network capture during an installation of Wajam on a Windows machine. You can see a lot of logs and it gets some files.

Regarding the distribution, as I said before, a browser extension was initially available from the Wajam official website till 2014. But it is essentially diffused by using the pay-per-install distribution model. According to the OPC, the Office of the Privacy Commissioner of Canada, in the report they published in 2017, they used more than 50 different PPI providers between 2011 and 2016. This model was criticized several times for its usage of fake Adobe Flash Player or antivirus installers to deceive the user, and also for the heavy presence of adware and even malware in some installers. For the ones who are not familiar with this model, it is based on revenue sharing and commission.
Basically the kingpin at the top sets up a pay-per-install website. It recruits some affiliates which are able to massively spread the installers bundled by the kingpin, and they are paid for each successful installation. Once the adware is installed on any user machine it generates money for the adware company, and so the adware company will pay again the kingpin for distributing its adware, etc.

So now we have seen the common features. Let's look deeper at the techniques used by Wajam and especially the ones to perform traffic interception. As I said before, the first version was distributed as a browser extension. It can easily inject JavaScript code in any web page with this manifest file: it matches any URL, HTTP or HTTPS. An interesting point is that some older versions contain traces of a screen capture plugin, but it seems the full code was never implemented. Also, those versions were able to send the bookmarks of the user to Wajam servers. The browser extension was not distributed after 2014; they basically removed the link to download it from their website. Here are some traces of the screen capture plugin in the code. It comes as a DLL along with the browser extension. And this is one of the JavaScript files of Wajam's browser extension; to the left, this is an old version which leaks the bookmarks of the user, and to the right, the latest version. You can see that they removed this feature. This is the download link before 2014 and after 2014.

As they were doing ad injection, the browser extension was quickly flagged as adware by security products. At first we can see that Wajam tried to remove the detection, but actually this quickly changed from 2014. At the time the browser extension was not distributed anymore, we found another version of Wajam, internally called WGproxy, for Windows only. Instead of using a browser extension to intercept traffic, it set up a third-party web proxy called Fiddler.
Also we observed that they tried to elevate their privileges using the SeDebugPrivilege token and install a root certificate to intercept encrypted traffic and avoid security warnings when injecting JavaScript code in web pages. From what we saw, this version was not distributed after 2016.

This one is more interesting. A few months after the proxy variant, we observed another version with different names and different features, and the techniques used by this one are much more aggressive, I would say. Instead of using a proxy, it injects a DLL in web browsers to hook the functions manipulating clear traffic and so inject ads. Different injection techniques can be used; I will present them to you in the next slide. Also in 2016, they added a mini-filter driver, so basically a rootkit, to hide the software from antivirus products. And finally, they progressively added some anti-analysis mechanisms, like string and payload encryption, and checks for antivirus keys in the Windows registry. This is the simple string encryption which is used by the samples of Wajam. This is only a single XOR, not complicated at all. They also use some encryption algorithms like AES-256 and RC4 to encrypt other files. Here are the checks of antivirus keys. As you can see, each registry key is first decrypted. Basically, if one of these keys is found, it just sends the information to the Wajam servers and does nothing with it.

So here is a summary of the architecture of this version. Basically there is a main executable which injects the DLL in web browsers. The DLL is responsible for hooking the functions manipulating clear traffic, as I said before, like PR_Write, PR_Read, and it can be send, recv, etc. And as I said before, there is a mini-filter kernel driver whose purpose is to hide the main executable and the DLL from other processes.
There are different DLL injection techniques that can be used, depending on the parameters given to the main executable. We observed three main ones: it can use the SetWindowsHookEx technique, CreateRemoteThread, or the third-party Blackbone memory hacking library. Once the DLL is injected, it uses this file to set up the hooks. Well, it can use this file, but not exclusively. It contains the addresses of the functions for every version of every browser listed here. As you can see, there are hooks for more than 1,000 different versions of Chrome. And you can maybe observe that there are no hooks for Firefox because the addresses are resolved at execution time. Here is an example for Chrome with the addresses to hook; you can maybe recognize PR_Write, PR_Read, etc. And here is an example for PR_Write, basically one of the functions responsible for sending traffic. The set hook function will replace the pointer to the real PR_Write with the fake one. And this is the fake PR_Write which performs the injection: if the domain name matches one of the supported sites in the list, then it calls the real PR_Write.

As I said before, some versions include a mini-filter driver to hide the files of the software. Basically what this driver does is intercept I/O (input and output) operations before they reach the file system. It can be used to monitor, accept or reject those operations, and the most known example is maybe antivirus or, more generally, security products. So it hides Wajam files from all processes except a restricted list. Here is the architecture. You can see the I/O manager, responsible for handling the I/O operations. Basically you can register a mini-filter with the filter manager, like an antivirus, the Wajam mini-filter, or an activity monitor, for example. So the I/O operations are filtered before reaching the file system driver. The mini-filter driver comes with a configuration file.
They use the name PCW data, as you can see in the configuration. Basically the driver has a whitelist of processes, and so the files of Wajam are hidden from any process except the ones in this list. They are mostly web browsers, as you can see. So this was for this version of Wajam.

In 2016 we identified another version that goes deeper in the kernel, so more and more persistent. Its main characteristic is the usage of a NetFilter driver to intercept web traffic. This version is still distributed and built almost every day. Also a lot of techniques have been added for self-protection purposes. We think that they use a commercial obfuscator tool. They bypass Windows Defender and they sign the executables with different certificates. The NetFilter driver is based on the NetFilter SDK. This is a framework for filtering the data packets transmitted via the network. It can operate at different levels of the TCP/IP network stack, depending on what you want to do with it. This is the global architecture of this version. There is the NetFilter driver and the mini-filter driver to hide the different files of Wajam. And it shows that Wajam is much more embedded, much more persistent than before.

Here is what the string encryption looks like in this version. Actually, maybe it looks easy like that, but it's actually kind of annoying to analyze, because each decoder function is different depending on the string that is decrypted. Here, for example, it decodes a function name and gets its address with LoadLibrary and GetProcAddress, which is typically used by malware. And this is the decode-char technique, so it just performs an arithmetic operation to get a character of the function name. This is funny because it looks a lot like the Stunnix obfuscator, and it uses similar techniques, but we can't be sure 100%. So there are also configuration files for the dates.
What you can see on this configuration file is that they name the NetFilter driver disk bus; this is still the name used. There is also a field for a defense driver; this is basically the NetFilter driver. Different names are used; you can see Social2Search, and the Search name is not completely used. They use different names, slightly different from the usual name of Wajam. That's all for this version.

As I said at the beginning of this presentation, we began this research because of a macOS version of Wajam found by Malwarebytes a few months ago. But actually, this version was already distributed in 2017, and at that time it used a Safari plugin, so the web browser for macOS, to intercept traffic. They switched to a third-party Python proxy called mitmproxy in 2018. From what we saw, there is no official distribution of this version, and we only saw it in fake macOS application cracks distributed through torrent files. Here is the Info.plist, basically the manifest file for macOS application bundles, of the application with the Safari plugin. You can probably see the Wajam domain, the lingerie technology. And here is the mitmproxy version with the Wajam domain as well. It just does the same thing as the other versions.

So now we have seen the techniques used by Wajam. What can we learn from this and what are the takeaways of this research? First, Wajam is still very active, even if the company was sold in early 2017. The samples are distributed through pay-per-install, so massively spread. The OPC, the Office of the Privacy Commissioner of Canada, estimates that there were hundreds of millions of installations between 2011 and 2016. They use different names, Social2Search, SearchPage, etc. And the self-protection and anti-detection techniques are more sophisticated than ever.
Also, there is a post-effect of the OPC investigation if you go on the Wajam website with a Canadian IP address or a non-Canadian IP address. Basically, the evolution of the techniques used shows that Wajam was more and more persistent over the years. And they mainly used third-party tools like Fiddler, Blackbone, MinHook, mitmproxy, or even NetFilter. This is actually probably because of the security mechanisms added over the years to prevent the usage of these techniques, which are typically used by malware, actually. Also, we can observe a change of strategy regarding detection: in 2014 and before, they asked antivirus vendors for detection removal, and from 2014, we can see they used more aggressive techniques like obfuscation, like checks of the antivirus installed on the machine. They used random names and created installers, etc.

Regarding prevention, it's quite simple, because even if Wajam used multiple distribution channels due to the pay-per-install distribution model, it's still very visible. And you still can use an uninstaller to uninstall Wajam, which is quite reliable. However, we have seen some silent installers, which did not ask for the user's agreement for the installation.

So a few points for the conclusion. The Wajam story: the famous Montreal startup progressively deceived their users because of the massive usage of contextual advertising. This is a company sold in some curious circumstances, but this is the context. But the software is still more active than ever. This research shows that adware and PUA are still a gray area. They use typically malicious techniques, as you have seen. They are more protected than most of the malware. This is a reality. But at some point, they are more annoying, because they only display ads, than harmful to the user, even if they collect a lot of information that can help to identify a particular user. And also, to get more context, some adware are remarkably close to malware.
The example of Stantinko is one of them. So you should be aware of the persistence level used by some adware. You have seen that they use some techniques directly in the kernel. So actually, those kinds of techniques could be hijacked by other malware looking for persistence methods on the system. So at some point, is it really something that you want on your machine? So that's all. Thank you for your attention. Thank you.
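The injection decision described in the talk (a downloaded supported-sites list mapping a URL regex to a remote JavaScript file, a process blacklist, and a hooked network function that rewrites only matching traffic) is modelled below as an added Python example. This is not Wajam's code nor ESET's; the site patterns, the blacklisted process names and the script host are constructed assumptions chosen only to make the mechanism runnable offline.

```python
"""Model of the ad-injection decision described in the talk.

Constructed example, not Wajam code: a supported-sites list mapping a URL regex
to the remote JavaScript file to inject, a process blacklist, and the hooked
send() path that rewrites a response only when both checks pass.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the downloaded "supported sites" list. Patterns and
# JavaScript paths are hypothetical; the real list had roughly 100 search engines.
SUPPORTED_SITES: List[Dict[str, str]] = [
    {"pattern": r"^https?://(www\.)?google\.[a-z.]+/search\?", "js": "/js/google.js"},
    {"pattern": r"^https?://(www\.)?bing\.com/search\?", "js": "/js/bing.js"},
]

# Hypothetical process blacklist: traffic from these processes is never touched.
BLACKLISTED_PROCESSES = {"msmpeng.exe", "avp.exe"}

# Hypothetical host serving the injected scripts.
SCRIPT_HOST = "https://cdn.example.invalid"

# Compile once; the list is re-fetched periodically, so rebuild this if it changes.
_COMPILED = [(re.compile(e["pattern"], re.IGNORECASE), e["js"]) for e in SUPPORTED_SITES]


def match_supported_site(url: str) -> Optional[str]:
    """Return the JavaScript path of the first pattern matching the URL, else None."""
    for pattern, js_path in _COMPILED:
        if pattern.search(url):
            return js_path
    return None


def inject_script(html: str, js_path: str) -> str:
    """Insert a <script> tag before </head>, or prepend it if there is no <head>."""
    tag = '<script src="%s%s"></script>' % (SCRIPT_HOST, js_path)
    idx = html.lower().find("</head>")
    if idx == -1:
        return tag + html
    return html[:idx] + tag + html[idx:]


def hooked_response(process_name: str, url: str, html: str) -> Tuple[bool, str]:
    """Decision taken inside the hooked network function.

    Returns (injected, body). The body is left untouched when the calling
    process is blacklisted or the URL matches no supported site.
    """
    if process_name.lower() in BLACKLISTED_PROCESSES:
        return False, html
    js_path = match_supported_site(url)
    if js_path is None:
        return False, html
    return True, inject_script(html, js_path)


if __name__ == "__main__":
    # Constructed response body standing in for a search results page.
    page = "<html><head><title>q</title></head><body>results</body></html>"
    print(hooked_response("chrome.exe", "https://www.google.com/search?q=nordsec", page))
    print(hooked_response("avp.exe", "https://www.google.com/search?q=nordsec", page))
    print(hooked_response("chrome.exe", "https://example.com/", page))
```

The two negative paths (blacklisted process, unmatched URL) are what make the behaviour hard to notice from a security product's own traffic, and the match is done on the full URL rather than the host alone so that only result pages, where the user's keywords are visible, get rewritten.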