Ad network uses advanced malware technique to conceal CPU-draining mining ads


The rise of drive-by cryptocurrency mining on a growing number of websites has led to a renewed demand for ad-blocking software. Web users are seeking new ways to ward off hidden code that saddles computers with resource-draining coin mining. Now some miners are employing a trick first popularized by botnet software that bypasses ad blocking.

Domain-name algorithms are a software-derived means for creating a nearly unlimited number of unique domain names on a regular basis. DGAs, as they’re usually called, came to light in 2008 following the release of the highly viral Conficker worm. To prevent whitehats from seizing the domain names Conficker used to receive command and control instructions, the malware generated hundreds of new, unique domains each day that infected computers would check for updates. In the event that old domains were sinkholed, Conficker needed to reach only one of the new addresses for it to remain under its creator’s control. The burden of registering more than 90,000 new domain names every year has proved so great to whitehats that Conficker continues to operate even now.

Researchers at China-based Netlab 360 reported over the weekend that an advertising network is using DGAs to conceal the in-browser currency-mining code it runs on websites. Normally, the ad network will redirect visitor browsers to serve.popad.net, which hosts ads that load coinhive.min.js. That’s the JavaScript code that bogs down visitor computers by making them participate in a giant mining pool hosted by coinhive.com, which keeps 30 percent of the proceeds and gives the remainder to the advertiser or website that provided the referral. In most cases, all of this happens behind the scenes with no visible sign of what’s happening, with the exception of over-revving fans and decreasing computer performance.

Raising the bar

Computers that run an ad blocker that prevents visiting browsers from accessing the popad.net page, however, will instead be redirected to a seemingly random domain such as “zylokfmgrtzv.com,” “zymaevtin.bid,” or “zzevmjynoljz.bid.” The decoy page then loads JavaScript that has been heavily obfuscated to conceal the mining.

“As early as mid 2017, this ad network provider has been using domain DGA technology to generate seemingly random domains to bypass adblock to ensure that the ads it serves can reach the end users,” Netlab 360 researcher Zhang Zaifeng wrote in a blog post published Saturday, referring to a Chrome browser blocking extension called AdBlock. “Starting [in December], the bar got raised again, and we began to see these DGA.popad domains participating in cryptojacking without end-users acknowledgement.”

The researcher went on to say that the number of people being redirected to the algorithmically generated domains appeared to be significant. One domain, arfttojxv.com, was 1,999 in the Alexa website ranking, while vimenhhpqnb.com was 2,011 and ftymjfywuyv.com was 2,071. The websites Netlab 360 found running the DGA-enabled ads were mostly purveyors of porn and other content that’s often used as bait in scams.

Strangely, a screenshot provided in the post shows that the algorithmically generated domain eventually calls coin-hive.com. That suggests the DGA technique described works only against ad blockers that don’t block that domain. A growing number of ad blockers and anti-malware programs block Coinhive domains.

“To me, this isn’t about bypassing Coinhive detection but rather bypassing ad networks by using quickly changing domains,” Jérôme Segura, lead malware analyst for Malwarebytes, told Ars. “For Malwarebytes users it doesn’t matter because we can block either the ad network or the coinhive call.”

Zaifeng said it’s not clear how much money the ads have generated to date. Generally, the returns from in-browser mining are small. This post from September reported the results when one very small site experimented with mining as a potential alternative to traditional ads. With roughly 1,000 visits per day and a 55-second average session, the site made 36 cents per day, which was four to five times less than it made running regular ads.

It’s likely that Coinhive may be one of the few players profiting from the rash of highly unethical—if not unlawful in-browser currency mining—sites on the Internet. That point seems to be lost on adpop.net, which is coming up with new ways to ensnare unwilling visitors.


Be the first to comment

Leave a Reply

Your email address will not be published.


*