How can domain generation algorithms be used to bypass ad blockers?
An ad network used domain generation algorithms to bypass ad blockers and launch cryptomining malware. Expert Michael Cobb explains how and the best way to prevent these attacks.
An online ad network used domain generation algorithms to bypass ad blockers and then used the ad traffic for cryptomining. How can DGAs be used to bypass ad blockers, and what can be done to prevent this scheme and protect users from malicious ads?
Anyone who has looked to buy a domain name will be familiar with the search results showing numerous alternatives to the domain name they're hoping to register. These suggestions are created using a domain generation algorithm that creates slightly different variations for any given name. But like any useful technology, it can be used for good and bad.
Hackers have discovered that domain generation algorithms can be used to provide a constant supply of fresh domain names for their command-and-control (C&C) servers to evade detection by ad blockers' blacklists, signature filters, reputation systems and other security controls. It's a practice called domain fluxing.
The hacker uses domain generation algorithms to generate hundreds of new, unique domains at regular intervals, from which infected devices under their control can potentially receive instructions. If a user has an ad blocker deployed that has blacklisted one of these registered domains, the installed malicious code queries names generated by domain generation algorithms until one resolves to the current address of the C&C server, which hasn't been blacklisted. This makes it difficult for ad blockers to keep their blacklists up to date, because as soon as the domain used by the C&C server is blocked, it moves to a fresh one with no history -- one that's not yet blacklisted.
Qihoo 360's Netlab team researchers found an unnamed ad network has been using this technique to ensure its ads get delivered to every user, whether they have an ad blocker or not. Anyone running an ad blocker that prevents their browser from accessing a blocked ad server has the ads served by another random domain generated by domain generation algorithms. Worse still, these ads contain in-browser JavaScript cryptocurrency miners that slow down victims' computers by enrolling them, without permission, in a mining pool hosted by Coinhive. By using pop-unders -- browser windows that are created and then hidden behind the window of the website a user is visiting -- the user is unaware that any of this is happening. These mining scripts can overload systems to the point where they become unresponsive and shut down.
Millions of people use ad blockers to remove intrusive and malicious ads and protect against tracking and pervasive surveillance, but most website owners need to monetize their content by displaying ads, making the topic of ad blockers a contentious one. A new research paper, "Measuring and Disrupting Anti-Adblockers Using Differential Execution Analysis," found anti-adblockers on 30.5% of the Alexa top 10,000 websites. Facebook has looked to disable content blocking on its network, and companies like Instart Logic, PageFair, Sourcepoint and Uponit provide anti-blocking capabilities to other online publishers, creating an arms race between users concerned about privacy and sites that want to display targeted ads.
To avoid users becoming victims of cryptomining scripts and other malware, administrators should ensure browsers are configured to block pop-ups. Browsers can't block pop-ups that are generated by adware installed on a device, so administrators should regularly run antimalware scans to remove any existing adware and cryptomining malware. Unfortunately, domain fluxing is proving difficult for security experts and antimalware vendors to tackle. But enterprise perimeter gateways should block any outgoing calls to Coinhive or other mining services.
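The two network-side controls described above, blocking lookups for mining services at the gateway and spotting the run of failed lookups that domain fluxing produces, can be sketched over DNS logs. This is an added example, not part of the original article; the log format, thresholds and sample names are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

MINING_SUFFIXES = ("coinhive.com",)  # service named in the article; extend locally
ENTROPY_MIN = 3.4   # assumed threshold, bits per character of the label
BURST_MIN = 3       # assumed: distinct failed random-looking names per client
WINDOW = 60         # assumed burst window in seconds

# Constructed sample log, format assumed: "<epoch> <client> <qname> <rcode>"
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com NOERROR
1002 10.0.0.7 qzxkvjwhptmb.test NXDOMAIN
1003 10.0.0.7 hvbqzkxwjdpr.test NXDOMAIN
1004 10.0.0.7 wjxqkzvbhfgm.test NXDOMAIN
1005 10.0.0.7 mpzkqxjwvhbd.test NOERROR
1006 10.0.0.7 example-sub.coinhive.com NOERROR
1010 10.0.0.9 intranetportal.test NXDOMAIN
"""

def entropy(label):
    """Shannon entropy of the characters in label, in bits per character."""
    total = len(label)
    return -sum(n / total * math.log2(n / total) for n in Counter(label).values())

def looks_generated(qname):
    """Long, high-entropy label next to the TLD (naive: ignores suffixes like co.uk)."""
    parts = qname.split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]
    return len(label) >= 8 and entropy(label) >= ENTROPY_MIN

def analyse(log_text):
    """Return (mining lookups to block, clients showing a DGA-style NXDOMAIN burst)."""
    blocked, failures = [], defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, client, qname, rcode = line.split()
        qname = qname.rstrip(".").lower()
        if any(qname == s or qname.endswith("." + s) for s in MINING_SUFFIXES):
            blocked.append((client, qname))
        elif rcode == "NXDOMAIN" and looks_generated(qname):
            # Entropy alone misfires on long ordinary names, so only failures count.
            failures[client].append((int(ts), qname))
    suspects = {}
    for client, hits in failures.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            names = {q for t, q in hits[i:] if t - start <= WINDOW}
            if len(names) >= BURST_MIN:
                suspects[client] = sorted(names)
                break
    return blocked, suspects

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A client flagged here is a lead for the antimalware scan the article recommends, not proof of infection; the thresholds need tuning against local traffic.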