Every time you go shopping on Amazon.com does your browser look like this?

Look closely and you will note a separate ad box for a similar product hosted on eBay. What's going on here? Why would Amazon host ads for similar products on a competitor's site? It's like I walked into McDonald's and saw a big ad at the counter for a Burger King hamburger. Turns out this computer is infected with a type of malware that injects ads directly into the webpage you are viewing.

Malware that delivers unwanted ads is nothing new. These types of programs have been trying to sneak their way onto your computer since the dawn of the internet. Oftentimes they are bundled into other software's install wizard, and you probably agreed to install it by mistake because you were clicking through too fast.

This particular malware I found on my wife's computer seemed more invasive than usual. You see, there are laws that require software to be easily uninstalled if the user decides they want to remove it.1 2 So most of the time you can uninstall malware by using the Windows uninstall menu. But when I went to look in the uninstall menu, there was no suspicious 'Wajam' app. OK, sometimes these things are installed as browser extensions. Nope, not there either. I looked in Firefox, IE, and Chrome. No Wajam extension. But wait, there was something else funny going on: those Wajam ads were showing in all the browsers! Usually, it's only one browser (cough IE) that is infected with shitty search toolbars. Furthermore, accessing the same website from another computer in the house did not show the Wajam ads. So it seemed that some Wajam malware was still on this computer.

Turns out these ads were embedded into the HTML source itself. They got there because Wajam had installed an internet proxy on my local computer that re-routes all internet traffic through their servers first. The Wajam servers fetch the page I am requesting and then modify the original HTML source to insert their advertisements before sending it back to my computer. Don't believe me? Well, it's all spelled out in a kooky, friendly-looking font right there in Wajam's privacy policy.

Wajam uses a proxy or DLL to re-route internet searches through its servers in order to append social search results and to display advertising.3

By the way, I encourage you to read the Wajam Privacy Policy for yourself. Don't let all their soft language fool you: their policy is to collect as much of your personal browsing habits as possible and pump your browser full of targeted ads.

Wajam installs a root certificate!!!! Ahhhhh!!!

It gets worse. Next I discovered that Wajam had installed a root certificate on the computer. This root certificate allows Wajam to see traffic passing through SSL connections so that it is able to inject ads even into encrypted connections.

Think about that for a second: all of your internet traffic is being re-routed through Wajam servers. Even the stuff you thought was secured and protected with SSL encryption. Every time you log on to any of your online accounts, you are sending your unencrypted username and password to Wajam first. This is some next level shit. To be able to pull this off requires some serious server horsepower on their end, which I'm sure costs them a fortune. But it must all be worth it to serve you those sweet sweet advertisements.4

So if you see those Wajam ads on your computer, for fuck's sake, use these guides to clean it up.
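A read-only check for the two things described above, a configured proxy and an added root certificate, written here as an added PowerShell example that is not part of the original post. The certificate filter is a triage heuristic assumed for this example, and nothing in it is specific to Wajam, so the output needs manual review.

```powershell
# Added example: read-only audit, changes nothing on the machine.

# 1. Per-user proxy settings (WinINET). IE and Chrome use these, and
#    Firefox can be configured to follow them.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet
[pscustomobject]@{
    ProxyEnable   = $p.ProxyEnable      # 1 means a manual proxy is active
    ProxyServer   = $p.ProxyServer      # e.g. 127.0.0.1:<port> for a local proxy
    AutoConfigURL = $p.AutoConfigURL    # PAC file that can redirect traffic
} | Format-List

# 2. System-wide WinHTTP proxy, used by services and some applications.
netsh winhttp show proxy

# 3. Trusted root certificates worth a second look.
#    Roots distributed through Microsoft's root program are stored in
#    AuthRoot, so a root that is trusted but absent from AuthRoot was
#    added by Windows itself, an administrator, or installed software.
$programRoots = @{}
Get-ChildItem Cert:\LocalMachine\AuthRoot |
    ForEach-Object { $programRoots[$_.Thumbprint] = $true }

$candidates = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem $store
}

$candidates |
    Where-Object {
        -not $programRoots.ContainsKey($_.Thumbprint) -and
        # Heuristic: hide Microsoft's own built-in roots. A rogue root could
        # copy the name, so compare thumbprints if a Microsoft entry looks odd.
        $_.Subject -notmatch 'Microsoft'
    } |
    Sort-Object Thumbprint -Unique |
    Sort-Object NotBefore -Descending |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey |
    Format-Table -AutoSize -Wrap
```

A root with `HasPrivateKey` set to `True`, or one whose subject you do not recognize, is the entry to investigate first; corporate and antivirus HTTPS-inspection roots also appear in this list.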

  1. California state law 22947.2.D

  2. Indiana state law 24-4.8-2-2-E

  3. Wajam privacy policy http://www.wajam.com/privacy

  4. http://googleonlinesecurity.blogspot.de/2015/05/new-research-ad-injection-economy.html

Paul Soucy
