Another ex-adware person here, from the download valley itself.
AFAIK, the key roles in the adware ecosystem are:
a. Distribution
Done mainly through "Pey Per Install" companies such as IronSource, InstallMontizer (actually funded by YC: https://news.ycombinator.com/item?id=5092711), InstallRex, etc. These folks bundle legitimate programs with adware in their installers. They use dark patterns (http://www.hanselman.com/blog/DownloadWrappersAndUnwantedSof...) in order to deceive users to install the offered "product". Some of them make it intentionally hard (practically impossible for the non-techie user) to uninstall the adware, or downloading additional adware without user consent (drive-by). Other shady practices include the use of malvertising (e.g. ad that mimic flash, acrobat or OS update) and the most extreme one, which is rare but exists, is exploit kits.
b. Monetization
Done mainly with advertising and information harvesting. Common practices (aka "revenue models"): ad injection (banners, pop-up\under, etc), affiliate fraud ("price comparison widgets", or just forcefully redirect user through affiliate link) , lead generation (e.g. scraping insurance details), social networks spam (Selling views, likes, followers, etc - works because google\fb\etc eliminates fake bot account fairly efficiently, but adware just impersonate real authenticated sessions) and selling cheap traffic.
I can't edit the original comment for some reason. Sorry for the n00bism, its my first comment here on HN.
I want to add this:
The profit of an adware company is the difference between its user acquisition cost and the revenue from the monetization phase.
As the monetization phase gets shortened by AV detection and removal, the lower the revenue gets. This cause adware vendor to adapt new methods that transitionally were associated with "more evil" malware (banking trojans): they use crypters and vulnerabilities in AVs in order to evade detection, randomly generated domain names (for the C&C, inject and publishing domains), etc.
Matt, if you want to learn more about practices and players of Download Valley, you can simply talk to the local Google sales/marketing representatives, who are working VERY closely with these companies. I believe they are definitely aware of all the practices and the dark patterns.
Adwarekiller gave a good answer, and I'll add some of my own notes.
* Distribution is mostly consolidating. A lot of adware companies used to both buy their own distribution through either pay per install or revenue share agreements and then monetize those users themselves. Now, the ecosystem is fracturing into companies that actually perform the distribution and companies that monetize those users.
Both Yahoo and Google are in bed with the adware companies via search reset deals and white labeled SERP pages.
There are a lot more companies in the ecosystem. It's massive. A good rule of thumb right now is that if a company advertisers they have cut a deal with an adware company (either directly or indirectly). As you can see from the above list, there is also A LOT of VC money in the ecosystem. The reach extends further when you consider companies that get benefit, like CPXi (http://www.cpxi.com/), AppNexus (http://www.appnexus.com/), OpenX (http://openx.com), or even Amazon Web Services, Google Apps, etc. since these services usually power the business, too.
Great answer. I can confirm that the market is indeed specializing through separation of the distribution and monetization operations.
More interesting bytes:
* Ad injection mentioned in the last ANA&WhiteOps fraud report (http://www.ana.net/content/show/id/botfraud), they found that over 500K ads were injected every day to one publisher.
d. There is also companies like rgnets (http://rgnets.com/), amobee (http://www.amobee.com/) and FrontPorch (http://www.frontporch.com/), which offers network appliance that performs the HTTP interception and tampering. In this method there is no need to install anything on the user, all you need him to do is connect your network. Large public networks (hotles, events, airports, etc) are using it as well as some ISPs.
AFAIK, the key roles in the adware ecosystem are:
a. Distribution
Done mainly through "Pey Per Install" companies such as IronSource, InstallMontizer (actually funded by YC: https://news.ycombinator.com/item?id=5092711), InstallRex, etc. These folks bundle legitimate programs with adware in their installers. They use dark patterns (http://www.hanselman.com/blog/DownloadWrappersAndUnwantedSof...) in order to deceive users to install the offered "product". Some of them make it intentionally hard (practically impossible for the non-techie user) to uninstall the adware, or downloading additional adware without user consent (drive-by). Other shady practices include the use of malvertising (e.g. ad that mimic flash, acrobat or OS update) and the most extreme one, which is rare but exists, is exploit kits.
b. Monetization
Done mainly with advertising and information harvesting. Common practices (aka "revenue models"): ad injection (banners, pop-up\under, etc), affiliate fraud ("price comparison widgets", or just forcefully redirect user through affiliate link) , lead generation (e.g. scraping insurance details), social networks spam (Selling views, likes, followers, etc - works because google\fb\etc eliminates fake bot account fairly efficiently, but adware just impersonate real authenticated sessions) and selling cheap traffic.