Are advertisements showing up in your browser (no matter whether you use Internet Explorer, Firefox or Chrome) on sites that you've never seen ads on before; or, do the ads seem different from what you've seen before?

Your system might be affected by adware that injects advertisements into sites as you browse, such as Adware:Win32/InfoAtoms and Adware:Win32/Addlyrics.

One of the biggest questions we get about these programs (besides how to get rid of them), is how did it get installed in the first place? One way we've noticed is via another piece of potentially unwanted software: software bundlers. These programs install adware alongside programs you can get for free.

The way it works is similar to the low-ball technique described by Methusela Cebrian Ferrer in her blog Fake apps: Behind the effective social strategy of fraudulent paid-archives. The producers of the software bundlers pay for ads to appear when you search for certain software. These ads lead you to download a software bundler, which may not even install the actual software that you searched for, but you still get adware. So while you're thinking all you're getting is some neat free software, what you're actually getting is a whole lot of ad injection.

As an example, I went searching for a popular building game. One of the results took me to a site where I could download the game; this site was not the game's official site. The site offered up a link to download the game, and it didn't specify that it was going to install anything else (see Figure 1).

Screenshot of game download

Figure 1: Game download.   

However, once I'd downloaded and started to install what I thought was only the game, instead I was informed that the download would be "run by" some other company that isn't related to the game (see Figure 2).

Screenshot of InfoAtoms installer

Figure 2: Installer.   

The installer then proceeded to invite me to install a whole bunch of adware, including Adware:Win32/InfoAtoms and Adware:Win32/AddLyrics (see Figure 3 and Figure 4).

Screenshot of installing InfoAtoms

Figure 3: Installing Adware:Win32/InfoAtoms.    

Screenshot of installing AddLyrics

Figure 4: Installing Adware:Win32/AddLyrics.    

The reason why is that these adware programs insert additional ads into search engine result pages (and sometimes even replace the actual ads that support the search engine). Search engines make some of their money from ads. If you click on these extra, injected ads instead of the official ones, the search engine doesn't get revenue. Instead, the money goes to the person controlling the adware. And neither the search engine nor the customer benefits from this.

Figure 5 is an example of what the injected AddLyrics ads look like on the Google homepage.    

Screenshot of ad injection on the Google homepage

Figure 5: Ad injection on the Google homepage.

Figure 6 shows how injected ads from InfoAtoms appear on the Bing homepage.

Screenshot of ad injection on the Bing homepage

Figure 6: Ad injection on the Bing homepage.

For more examples, see our descriptions for adware on the Malware Protection Center website.

So, these adware and software bundler producers are paying for ad space to lure users into downloading their software bundlers, which then contain adware that injects ads into the search engine.

Essentially, they're paying for advertisements in search engines in order to steal money from those same search engines.

In addition to replacing ads with their own and taking money away from search engines, the adware will also pop-up with even more questionable offers, such as a request to install an "update" for Adobe Flash. All this for something that the customer could have downloaded for free from the proper distribution site. None of the revenue goes to the developer of the free software; in fact their reputation has probably been damaged. The search engine does get money from the original click, but after the installation, the search engine's ads are replaced, depriving them of further revenue.

So, what can you do to protect and prevent adware from being installed on your computer? Microsoft security products consider adware something that the user should be informed about, and given the choice of whether to remove. In many cases, you can also use the add-on manager in your browser to remove the plugin. You can even use the uninstaller provided with the Adware; in the files I tested at least, the uninstaller really did work.

For prevention, download your software from the official site. Read what the site says, and the screens that the installer shows you. Don't be fooled by downloading packages that promise to install the software you want, in addition to a whole bunch of other software that you don't need. And most importantly, keep your security software up to date.

Chris Stubbs

MMPC