[NetSec] Opensource Adware – Avoiding Search Engine Scanning

Legal: The writing and comments in this post are mine alone and not representative of my current or former employers or their subsidiaries (Microsoft or SpaceX).

The next time you download an open source project you used years ago, it might be filled with adware despite sitting on the front page of every search engine.

Case Study:

A lesson in full-reproduction/emulation & taking all reports seriously.

CamStudio.org is a website which provides free desktop screen recording software.

This website is so widely known to contain adware that the second search result for “camstudio” (SourceForge.com) even carries a warning about CamStudio.org containing malware.

How did this website avoid detection for that long?

The simple answer is browser referral and IP detection, plus a few interesting additional pieces, which together have allowed it to stay on the front page of every search engine.

Now let’s see how it avoids detection! Testing time.

Dictionary of Terms:
Referral Path – the website that referred you to a certain page.
(Example: when you click a link, your browser informs the destination website where you came from.)
IP Addr – an IP address is an address for your device on the internet (think of it like a house address).

First the Basics:
Tested with my apartment’s IP address.

After discovering this, I reported the adware site. However, when a manual scan was requested, the scanner did not receive the adware download, which required more research and further testing from a datacenter/server IP address.

This seemed simple: just scan the site from a residential IP address. However, that didn’t work either. Even when I tested with cookies and cache disabled, the site still fingerprinted the visitor to avoid detection, delivering the safe software if you happened to visit the website directly first. I tested various IP addresses in several different classes of address space.

This is where it starts to get interesting: depending on how the scan is performed (the order of the steps), or if a manual search-engine visit is performed with a browser similar to that of an earlier visitor who went directly, the scanner would still get the safe download instead of the adware.

Finally, as shown above, the website avoids scans in another way: it only delivers adware to common fingerprints.

Reminder: fingerprinting is a way to identify you by detecting unique information about your device. It can be anything from the browser version to how the information is sent (in what order) and analysis of other features unique to you. (See https://amiunique.org/ for your own fingerprint if interested.)

How to Resolve:

  • Utilize publicly known fingerprints for scanning; if you’re fully unique they will give you a safe download.
  • Never use a datacenter IP; stick to residential proxies.
  • Fully emulate the user experience and put extra focus on referrals.
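The evasions described above (referrer check, datacenter IP check, common-fingerprint check, and remembering a browser that first came direct) and the scanning advice that follows can be shown together in code. The block below is an added example, not code from this post or from CamStudio: it models the site’s behaviour as a small stateful class and runs a differential scan against it, grouping downloads by hash so that visitor-dependent content stands out. The IP ranges (RFC 5737 TEST-NET), fingerprints, search hosts and payload bytes are all constructed stand-ins.

```python
"""
Added example, not code from the post or from CamStudio: a toy model of the
referrer/IP/fingerprint cloaking described above and a differential scanner
that would catch it. All IPs (RFC 5737 TEST-NET ranges), fingerprints and
payloads are constructed stand-ins.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, Iterable, List

# Constructed stand-in for a hosting/datacenter prefix feed.
DATACENTER_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]
# Constructed "common" fingerprints; anything else is treated as a unique visitor.
COMMON_FINGERPRINTS = {"Chrome/57 Windows", "Firefox/52 Windows"}
SEARCH_ENGINE_HOSTS = ("google.com", "bing.com")

SAFE_PAYLOAD = b"clean installer (constructed placeholder)"
ADWARE_PAYLOAD = b"bundled installer (constructed placeholder)"


@dataclass(frozen=True)
class Visit:
    client_ip: str    # egress address the request arrives from
    referer: str      # Referer header; "" means a direct visit
    fingerprint: str  # stands in for UA, header order and similar signals


def is_datacenter_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_PREFIXES)


def came_from_search(referer: str) -> bool:
    return any(host in referer for host in SEARCH_ENGINE_HOSTS)


class CloakingSite:
    """Toy server reproducing the evasions the post reports. It is stateful:
    a fingerprint that first arrived direct is remembered and stays 'safe'."""

    def __init__(self) -> None:
        self.seen_direct = set()

    def download(self, v: Visit) -> bytes:
        if not came_from_search(v.referer):           # direct visitor: clean file, remember them
            self.seen_direct.add(v.fingerprint)
            return SAFE_PAYLOAD
        if is_datacenter_ip(v.client_ip):             # scanner infrastructure: clean file
            return SAFE_PAYLOAD
        if v.fingerprint not in COMMON_FINGERPRINTS:  # unique browser: clean file
            return SAFE_PAYLOAD
        if v.fingerprint in self.seen_direct:         # same browser went direct earlier
            return SAFE_PAYLOAD
        return ADWARE_PAYLOAD


def differential_scan(fetch: Callable[[Visit], bytes], ips: Iterable[str],
                      referers: Iterable[str], fingerprints: Iterable[str]) -> Dict[str, List[Visit]]:
    """Fetch once per (vantage IP, referer, fingerprint) combination and group the
    responses by SHA-256. Search-referred probes run before direct ones, because a
    direct visit can poison later probes that reuse the same fingerprint."""
    ordered_referers = sorted(referers, key=lambda r: not came_from_search(r))
    groups: Dict[str, List[Visit]] = {}
    for ip, ref, fp in product(ips, ordered_referers, fingerprints):
        v = Visit(ip, ref, fp)
        groups.setdefault(hashlib.sha256(fetch(v)).hexdigest(), []).append(v)
    return groups


def cloaking_detected(groups: Dict[str, List[Visit]]) -> bool:
    """More than one distinct response for one URL means visitor-dependent content."""
    return len(groups) > 1


def adware_recipients(groups: Dict[str, List[Visit]]) -> List[Visit]:
    return groups.get(hashlib.sha256(ADWARE_PAYLOAD).hexdigest(), [])


def naive_scan_misses(site: CloakingSite) -> bool:
    """The order effect from the post: visit direct first, then via search with the
    same fingerprint, and both downloads come back clean."""
    fp = "Chrome/57 Windows"
    first = site.download(Visit("192.0.2.10", "", fp))
    second = site.download(Visit("192.0.2.10", "https://www.bing.com/search?q=camstudio", fp))
    return first == SAFE_PAYLOAD and second == SAFE_PAYLOAD


if __name__ == "__main__":
    site = CloakingSite()
    result = differential_scan(
        site.download,
        ips=["192.0.2.10", "203.0.113.5"],  # residential vs datacenter vantage point
        referers=["", "https://www.google.com/search?q=camstudio"],
        fingerprints=["Chrome/57 Windows", "MyScanner/1.0"],
    )
    print("cloaking detected:", cloaking_detected(result))
    for v in adware_recipients(result):
        print("adware served to:", v)
    print("direct-first scan missed it:", naive_scan_misses(CloakingSite()))
```

Running it, only the probe that combines a residential vantage point, a search-engine Referer and a common fingerprint receives the bundled file; a scan restricted to the datacenter address, or one that visits direct before visiting via search with the same browser, sees one clean download everywhere and reports nothing. That is the whole argument for emulating the real user path, using known-common fingerprints and keeping the scan order in mind.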
Follow Up:

I have reached out to the CamStudio parent company/team for comment, but have had no response as of yet. The website seems not to have been updated since the 2013~ era. (4/21/2017)

Note (4/21/2017): After the CamStudio.org website was removed from Bing, there seems to have been a change of the adware host/techniques, and if reproduced your results may differ from this post, which was originally drafted before removal.
I have sent an email to Google as well about this issue and am awaiting a reply.

To sum it up, I spent my weekend investigating adware and found some very interesting techniques to avoid detection, which I hope people will take into consideration when building website scanners.

(4/24/17): Someone sent me a forum thread about CamStudio delivering adware and trojans all the way back in 2015. https://sourceforge.net/p/camstudio/discussion/447910/thread/3aa44d33/