Typhoid adware

Typhoid adware is a type of computer security threat that uses a Man-in-the-middle attack to inject advertising into web pages a user visits when using a public network, like a Wi-Fi hotspot. Researchers from the University of Calgary identified the issue, which does not require the affected computer to have adware installed in order to display advertisements on this computer. The researchers said that the threat was not yet observed, but described its mechanism and potential countermeasures.

Description
The environment for the threat to work is an area of non-encrypted wireless connection, such as a wireless internet cafe or other Wi-Fi hotspots. Typhoid adware would trick a laptop to recognize it as the wireless provider and inserts itself into the route of the wireless connection between the computer and the actual provider. After that the adware may insert various advertisements into the data stream to appear on the computer during the browsing session. In this way even a video stream, e.g., from YouTube may be modified. What is more, the adware may run from an infested computer whose owner would not see any manifestations, yet will affect neighboring ones. For the latter peculiarity it was named in an analogy with Typhoid Mary (Mary Mallon), the first identified person who never experienced any symptoms yet spread infection. At the same time running antivirus software on the affected computer is useless, since it has no adware installed.

The implemented proof of concept was described in an article written in March 2010, by Daniel Medeiros Nunes de Castro, Eric Lin, John Aycock, and Mea Wang.

While typhoid adware is a variant of the well-known man-in-the-middle attack, the researchers point out a number of new important issues, such as protection of video content and growing availability of public wireless internet access which are not well-monitored.

Researchers say that annoying advertisements are only one threat of many. A serious danger may come from, e.g., promotions of rogue antivirus software seemingly coming from a trusted source.

Defenses
Suggested countermeasures include:
 * Various approaches to detection of ARP spoofing, rogue DHCP servers and other "man-in-the-middle" tricks in the network by network administrators
 * Detection of content modification
 * Detection of timing anomalies
 * Using encrypted connections, such as using HTTPS for Web browsing. Encryption prevents MITM attacks from succeeding; common Web browsers would display a security warning if the adware on the infected computer would have modified the encrypted traffic while in transit to the uninfected victim. Websites are increasingly upgrading to HTTPS, and as of 2019, there are new methods for encrypting other kind of Internet traffic, such as recursive DNS.

All these approaches have been investigated earlier in other contexts.