Wajam Internet Technologies was a start-up founded in 2009 in Montreal. Its eponymous product was a "social search engine" that promised Internet search results based on your relations on social networks. Wajam was free to install. To monetize the software, the company started adding ads to search results. Gradually, Wajam began acting more and more like adware: it used pay-per-install platforms to distribute the application, as well as obfuscation and even kernel drivers (rootkit) to hide its malicious behavior from users and security products. According to D&B Hoovers, the company's net profits were estimated at CAD $4.2M in 2013.
After investigating the company, the Privacy Commissioner of Canada reported in 2017 that Wajam Internet Technologies had breached the Personal Information Protection and Electronic Documents Act (PIPEDA). This did not stop its activities: the company quickly sold all assets to a virtual company based in Hong Kong to avoid Canadian authorities. In late 2018, new samples targeting both Windows and macOS emerged and were quickly linked to Wajam.
This talk will detail the technical findings on these recent variants and how they relate to the techniques Wajam used previously. The technical evolution of the samples collected over the years will be mapped against the unique history of the company. This timeline will highlight that behaviours that could be considered malicious are much older than one may realize, and that the self-protection methods used by the software are increasing in complexity and sophistication.