An online ad network used domain generation algorithms to bypass ad blockers and then used the ad traffic for cryptomining. How can DGAs be used to bypass ad blockers, and what can be done to prevent this scheme and protect users from malicious ads?
Anyone who has looked to buy a domain name will be familiar with the search results showing numerous alternatives to the name they're hoping to register. These suggestions are created using a domain generation algorithm (DGA), which produces slightly different variations of any given name. But like any useful technology, it can be used for good and for bad.
Hackers have discovered that domain generation algorithms can be used to provide a constant supply of fresh domain names for their command-and-control (C&C) servers to evade detection by ad blockers' blacklists, signature filters, reputation systems and other security controls. It's a practice called domain fluxing.
The hacker uses a domain generation algorithm to generate hundreds of new, unique domains at regular intervals, from which infected devices under their control can potentially receive instructions. If a user has an ad blocker deployed that has blacklisted one of these registered domains, the installed malicious code queries names generated by the algorithm until one resolves to the current address of the C&C server, which hasn't been blacklisted. This makes it difficult for ad blockers to keep their blacklists up to date, because as soon as the domain used by the C&C server is blocked, it moves to a fresh one with no history -- one that's not yet blacklisted.
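The behaviour described above leaves a recognisable trace on the defender's side: a single client issuing a burst of lookups for random-looking names that mostly return NXDOMAIN, until one finally resolves. The following script is an added example, not code from the original column, that scores DNS resolver log lines for that pattern. The log format (timestamp, client IP, queried name, response code) and the sample entries are constructed for the example, and the entropy and vowel-ratio thresholds are illustrative assumptions rather than vendor-recommended values.

```python
"""Flag DGA-style domain fluxing in DNS resolver logs.

Added example. The log format is a constructed, simplified resolver log:
"<timestamp> <client_ip> <qname> <rcode>". Thresholds are assumptions.
"""
import math
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed sample: 10.0.0.5 cycles through random-looking names until one
# resolves; 10.0.0.9 performs ordinary lookups for comparison.
SAMPLE_LOG = """\
1700000001 10.0.0.5 xk3qzvtpl.com NXDOMAIN
1700000002 10.0.0.5 mf9wq2rhzd.net NXDOMAIN
1700000003 10.0.0.5 t7bqzk4vjx.org NXDOMAIN
1700000004 10.0.0.5 hz8lqwpvt3.com NXDOMAIN
1700000005 10.0.0.5 pq4zkvw9xr.net NXDOMAIN
1700000006 10.0.0.5 vb7qxz2ktm.com NOERROR
1700000007 10.0.0.9 www.example.com NOERROR
1700000008 10.0.0.9 mail.example.com NOERROR
1700000009 10.0.0.9 cdn.example.net NOERROR
1700000010 10.0.0.9 docs.example.org NXDOMAIN
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Label left of the TLD (naive: ignores multi-part suffixes such as co.uk)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label: str, min_entropy: float = 3.0,
                    max_vowel_ratio: float = 0.2) -> bool:
    """Heuristic: high character entropy plus very few vowels (assumed thresholds)."""
    if len(label) < 6:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def parse_log(text: str):
    """Yield (timestamp, client, qname, rcode) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        yield int(ts), client, qname, rcode


def find_fluxing_clients(log_text: str, min_nxdomain: int = 3) -> dict:
    """Return clients with >= min_nxdomain NXDOMAIN answers for generated-looking
    names, together with any generated-looking names that did resolve: the
    resolving name is the candidate live C&C domain to investigate and block."""
    nx = defaultdict(int)
    resolved = defaultdict(list)
    for _ts, client, qname, rcode in parse_log(log_text):
        if not looks_generated(registrable_label(qname)):
            continue
        if rcode == "NXDOMAIN":
            nx[client] += 1
        elif rcode == "NOERROR":
            resolved[client].append(qname)
    return {
        client: {"nxdomain": count, "resolved": resolved[client]}
        for client, count in nx.items()
        if count >= min_nxdomain
    }


if __name__ == "__main__":
    for client, info in find_fluxing_clients(SAMPLE_LOG).items():
        print(f"{client}: {info['nxdomain']} NXDOMAIN on generated-looking names, "
              f"resolved: {info['resolved']}")
```

Running the script flags 10.0.0.5 with five NXDOMAIN answers and one resolved name, while 10.0.0.9's single typo-style NXDOMAIN for a dictionary word is ignored. The character-statistics heuristic catches the classic random-string DGA families; it will not catch wordlist-based DGAs, and content-delivery hostnames built from hashes are a common false-positive source, so the NXDOMAIN burst per client, not the score of any single name, is the signal worth alerting on.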
Millions of people use ad blockers to remove intrusive and malicious ads and to protect against tracking and pervasive surveillance, but most website owners need to monetize their content by displaying ads, making ad blockers a contentious topic. A recent research paper, "Measuring and Disrupting Anti-Adblockers Using Differential Execution Analysis," found anti-adblockers on 30.5% of the Alexa top 10,000 websites. Facebook has looked to disable content blocking on its network, and companies like Instart Logic, PageFair, Sourcepoint and Uponit provide anti-blocking capabilities to other online publishers, creating an arms race between users concerned about privacy and sites that want to display targeted ads.
To avoid users becoming victims of cryptomining scripts and other malware, administrators should ensure browsers are configured to block pop-ups. Browsers can't block pop-ups that are generated by adware already installed on a device, so administrators should also run antimalware scans regularly to remove any existing adware and cryptomining malware. Unfortunately, domain fluxing is proving difficult for security experts and antimalware vendors to tackle, but enterprise perimeter gateways should at least block any outgoing calls to Coinhive or other mining services.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)