
Ad network uses advanced malware technique to conceal CPU-draining mining ads - Deinos
https://arstechnica.com/information-technology/2018/02/ad-network-uses-advanced-malware-technique-to-conceal-cpu-draining-mining-ads/
======
soared
There is no "Advertisers" here - blackhats are using advertising tools but
there is no advertiser involved at all. This is not a nitpick - advertisers
aren't doing this.

1. Ad networks / exchanges allow (don't catch) these ads

2. Publishers don't do enough to stop them

3. Browsers allow it to happen

~~~
tyingq
This comment should be higher up. It's not the advertisers. It's the ad
network not noticing that bad actors (that aren't advertisers) are gaming the
system.

~~~
na85
Is that distinction relevant to the user?

I'm still blocking ads and javascript everywhere I browse. If the ad networks
are the ones distributing this malware, they're either complicit or negligent.
Either way, the source of the malware from my perspective as a user is still
"ads".

~~~
tyingq
If they want to direct feedback to the right place, sure. Ad networks need the
pressure. Advertisers can't do much to help.

~~~
na85
Well, I don't think most users care about directing feedback. I know I
personally would rather just deprive them of the impressions with noscript
and/or ad block.

I don't have time to be submitting complaints to faceless Internet
corporations. I just want to use the web without being bothered.

~~~
tyingq
You don't have to, but I suspect your initial reaction is with the publisher
anyway (vs the advertisers).

------
bediger4000
So it has come to this. The Advertisers are shedding their self-righteous
camouflage and just being evil. Adblocking is a necessary component of defense
in depth.

At least nobody will be able to give the old "Oh, but advertising is necessary
for Capitalism" excuse. This is way over the line. Down with the corporate
capitalist "internet" of ads!

Use Firefox. Use uBlock. Use NoScript. Use Privacy Badger.

~~~
Nicksil
Hear hear!

And just to make it all the simpler for some folks, a few links:

Firefox: [https://www.mozilla.org/en-US/firefox/new/](https://www.mozilla.org/en-US/firefox/new/)

uBlock:
[https://github.com/gorhill/uBlock#installation](https://github.com/gorhill/uBlock#installation)

NoScript: [https://noscript.net/](https://noscript.net/)

Privacy Badger:
[https://www.eff.org/privacybadger](https://www.eff.org/privacybadger)

~~~
908087
Decentraleyes is another one to add to that group.

[https://decentraleyes.org/](https://decentraleyes.org/)

------
simias
I'm not sure I understand that, why go through the trouble of setting up
random domains to bypass filters if you then load
[https://coinhive.com/lib/coinhive.min.js](https://coinhive.com/lib/coinhive.min.js)
directly? Any filter will probably already block that URL if no other.

Now if they started serving the JS from random domains and URLs that would
mean trouble because you couldn't just use the URL-based filter approach most
adblockers use. I'm surprised this doesn't appear to be more common. If it
gains steam we might have to use a whitelist approach for trusted 3rd party
javascript sources. Not necessarily a bad thing IMO, although that might
stifle innovation a bit on the web.

~~~
gruez
>Now if they started serving the JS from random domains and URLs

you don't even need random domains. random urls from the same domain would
work fine.

~~~
okanesen
> random urls from the same domain would work fine.

What stops someone from blocking the domain? I think a combination of random
domain + url would make it rather hard to detect these things.

~~~
gruez
same domain as in first-party domain. afaik all script blockers block third
party scripts if you block scripts for the first party domain.

~~~
gorhill
You can selectively block inline, 1st-party and 3rd-party scripts with uBlock
Origin ("uBO").[0]

Moreover, the Firefox/webext version allows you to remove specific inline
script tags before the document is parsed by the browser.[1]

uMatrix can selectively block web workers, which are typically used by coin
miners.[2] I have long been thinking of bringing that ability to uBO, but I
want to do it right UI-wise.

* * *

[0] [https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode](https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode)

[1] [https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#html-filters](https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#html-filters)

[2]
[https://github.com/gorhill/uMatrix/releases/tag/1.2.0](https://github.com/gorhill/uMatrix/releases/tag/1.2.0)

~~~
visarga
> uMatrix can selectively block web workers

Maybe we should get rid of web workers at browser level until we figure out
this mess. Web workers are seldom used and could be enabled manually per site.

~~~
tylerhou
Service Workers are a subset of web workers and are heavily used.

~~~
dmitrygr
> are heavily used

Whom by?

~~~
tylerhou
If you're using Chrome, check out chrome://serviceworker-internals/. It'll
show all the websites you've visited which have registered service workers.
Mine has 25 entries, including Twitter, Amazon, Google, Google Drive, Let's
Encrypt, etc.

~~~
dmitrygr
Empty for me. Sites still work, so I guess they are not essential after all :)

~~~
tylerhou
Service workers are essential for good mobile first, offline experiences.
Check out [https://developers.google.com/web/progressive-web-
apps/](https://developers.google.com/web/progressive-web-apps/) for more
details.

~~~
dmitrygr
I'm sorry. As a user, to me "offline mobile first experience" sounds like a
synonym for "this website takes more than 30 seconds to load and drags my
phone down to its knees and the author was just too lazy to write a native
app". I don't mean that as an insult, but as a user that is precisely what
that sounds like to me. Nothing about web apps I have access to acts to change
my mind in this respect. They're all incredibly slow to load, especially over
anything less than LTE. For extra credit, they usually take up so much RAM
that Chrome RAM usage ends up kicking out all background applications out of
RAM on my phone.

~~~
tylerhou
Does downloading and installing a native app take less than the time to load a
webpage on your phone? In my experience, web pages in general load much faster
than native apps.

~~~
dmitrygr
I download apps when I have a good connection. I load websites when I need
them. The latter is not always on a good connection.

------
oldcynic
I think only one approach works these days:

Consider the whole web hostile. Browse with uBlock Origin and JS off. Enable
JS for trusted domains only. Give up, blacklist, and go elsewhere if whack-a-
mole enabling needs too many unknown random domains enabled just to read that
article.

~~~
PuffinBlue
What tool do you use to manage switching JavaScript on and off on a per site
basis? I too want to default off and whitelist but I'm not sure the best way
to do it as the browser addons I have found make it easy to turn JS off, but
they default to on and don't have a default off capability.

~~~
zentiggr
uMatrix is great for blacklisting by default and only enabling as needed for
website core operations.

Also has a "don't filter on this domain" switch for things like bank sites and
other fragile ops.

~~~
Momquist
uMatrix is definitely great for this. I consider it a request firewall at
browser level. And it works very well at blocking everything (JS, CSS, image,
any type of request really) by default, should you wish to do so.

It also allows blocking webworkers which mining sites tend to rely on.

~~~
PuffinBlue
Thanks, I'll take a look.

------
runeks
Chrome displays an icon on a tab to convey that it’s playing audio.

Perhaps it would be a good idea to similarly visualize tabs with high CPU/GPU
consumption?

A browser does most (if not all) of what an OS does, so it shouldn’t be
surprising if a task manager (which shows CPU usage) is also useful for
browsers.

~~~
y03a
Any site running third-party JS should get the red "insecure" icon like http
sites do now.

~~~
tylerhou
So as soon as I serve my JS from a CDN I should be marked with an insecure
icon?

~~~
y03a
I think so. A few days ago someone posted something [1] about how they use
their own sub-domain to alias CDNs so they can simply update DNS records to
easily fix issues with a CDN site suddenly moving or disappearing. I argued
that this breaks any chance for content to be pre-cached before a user visits
your site for the first time but I walked away convinced that this one-of-many
use cases for CDNs isn't all that useful in practice. Alias real content
providing CDNs all you want, but if you want to alias an ad network to get
around my proposed rule, then you risk your entire domain getting blocked by
the likes of uBlock Origin.

I'm not an expert in any of this. I'm not even remotely sure what I'm
proposing is possible or would be effective. I just want to start a
conversation because I know what I don't want and throwing ideas out into the
wild is better than staying quiet. I know I have no interest in giving up any
privacy for a potential few seconds saved on load time for a site I'm not sure
I even want to visit in the first place. Load times should be the burden of
the site owner. Ideally that would be optimized by serving only what is
absolutely necessary to get me to the thing I wanted to see. Not that plus the
10 other things you and/or third-parties decided they deserve to serve and
hope my machine has pro-actively pre-fetched so I don't perceive the shit-show
going on behind the scenes. Given all the details of how this stuff works, I
don't think most users would volunteer for it either.

[1]
[https://news.ycombinator.com/item?id=16372902](https://news.ycombinator.com/item?id=16372902)

------
dingo_bat
I use some advanced techniques myself: ublock origin! Seriously though, fuck
ads, fuck ad companies, fuck browsers made by ad companies. Each and every one
of them is actively working to erode your privacy and use your resources.

~~~
sheepz
What would you consider as the alternative? People are so used to getting news
and various services "for free", it's very difficult to get them to pay for
it.

~~~
pjc50
Quite a lot of material on the web is only there because of advertising, not
because it's any good. Unsurprisingly the "free market" doesn't work very well
when everything has a zero cost associated with it.

The downside of losing ad-supported media will be ad-sponsored media paying to
write the content itself.

~~~
gaius
Right, if Buzzfeed, Upworthy et al vanished overnight, nothing of value would
be lost. The following week they would be completely forgotten.

~~~
pjc50
Buzzfeed, strangely, is about 1% really good investigative journalism.

------
0x17A
Using uBlock Origin in medium mode will block third party domains by default.
You will be safe.

[https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode](https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode)

------
blattimwind
Calling random domains to circumvent blacklists an "advanced malware
technique" is tabloid-speak.

~~~
belorn
The use of short-lived auto-generated domain names is the kind of pattern
that triggers malware warnings at domain registrars, and I know IIS (registry
for .se) has people being paid to actually monitor such types of domain abuse.
The domain industry sees it as abuse and "advanced malware technique" would not
be out of the question when describing it.

Also, it's not just random domain names. It is random registrant data. It is
short-lived domain names. It is obfuscated NS infrastructure.

------
Daycrawler
"Conceal" is quite an ambitious term for something that literally makes noise
out of your computer fan. `top` to check that Firefox is guilty and
`about:performance` to close the guilty tab. There are so many shitty JS
single-page sites out there that abuse clients' resources I don't even care
whether it's crypto mining or just incompetence.

~~~
yomly
Plenty of devices have loud fans irrespective of their current CPU load. Being
facetious, there also exist fanless PCs submerged in oil which do not make
sounds based on CPU load.

Checking your CPU usage via `top` is a relatively "power-user" esque function
so your experience is unlikely to be reflective of the general population.

~~~
greglindahl
Firefox has a popup when it notices any tab using a lot of cpu -- no need to
run 'top'.

------
SimeVidas
So… the next line of defense is to block all third parties by default
(requests to other domains) and only enable specific domains on a case-by-case
basis?

~~~
belorn
Or they can do what the spam industry has been doing for years in order to
address random domains names being used for malware.

For example, newly registered domain names tend to get a small added spam
score when used in emails. Spammers could wait a month but that gives
registrars time to detect the fraudulent registrant data and revoke the name
before it can be used.

Spam filters have had many years to adapt and develop. The arms race for browser
security is just at the beginning. I expect to see score-based systems
becoming popular, just like they did with spam filters.

------
zhughes3
Can someone point me in the right direction to learn about or just simply
explain how modern-day browsers allow for scripts to drain CPU resources?

~~~
simias
Allow me to return the question: how do you prevent scripts from draining CPU
resources? How do you distinguish between legitimate resource usage (like a
heavy web application that runs a lot of javascript) from a cryptocurrency
miner? How do you throttle one without hurting the other?

~~~
JD557
Most browsers already send you a warning if the main thread appears to be
blocked. Maybe they could also add a warning like:

> This page is consuming a lot of resources, do you want to keep executing
> JavaScript on this page?

> Stop / Allow only this time / Allow always

~~~
simias
Possible but if you set the limit too low you're going to have it pop up all
the time on heavier websites (especially on less powerful
hardware/smartphones). Then you condition the user to dismiss these warnings
without thinking about it because of the high rate of false positives.

On the other hand if you set it too high then those websites will aim for that
limit to maximize profit without triggering the warning. You'll still waste a
ton of resources and you've only mitigated the issue somewhat.

I'm not saying it's impossible, just that "just add a dialog when CPU usage is
high" might be a bit naive. There's a subtle balance to these things.

------
bsg75
Publishers with “legitimate” ad mechanisms are using new techniques to entice
people to not use ad blockers.

Are any of the legit ad networks doing anything to combat the problems in the
article?

As long as there are bad actors, the good ones will get caught up in the net
and must own the major share of combating the problem that affects their core
business.

~~~
soared
All legit ad networks are trying - this behavior is awful for them and doesn't
earn them money (it loses them money when the publisher sees these and stops
using the ad network). The miners are just 1/2 a step ahead of ad networks.

------
drb91
I wish I could just throttle javascript execution to 1/100th its current pace.
I really don’t need it for most websites after the initial load of content,
which is unfortunately driven a lot by javascript these days. They mostly
exist to serve more and more annoying ads, best I can tell.

~~~
FLUX-YOU
Some kind of execution budget would be really nice for JS. I wouldn't blame
browsers for not putting it in though, no normal user would touch that kind of
control.

~~~
aiCeivi9
It was almost a thing, browsers started to suspend/rate limit tabs other than
currently active one: [https://docs.google.com/document/d/18_sX-KGRaHcV3xe5Xk_l6NNwXoxm-23IOepgMx4OlE4/pub](https://docs.google.com/document/d/18_sX-KGRaHcV3xe5Xk_l6NNwXoxm-23IOepgMx4OlE4/pub) So far web workers are not limited
but it is only a matter of time.

------
maxaf
I used to get angry at ads on my laptop, but uBlock Origin took my worries
away. That left my Android phone, but recently I've discovered Blokada[0]. The
app - which is for obvious reasons not available on the Play Store - appears
to run a "VPN" through localhost that filters out an absolutely staggering
amount of ads and other nastiness. Suddenly my battery life has improved, and
my phone no longer runs too hot to touch. It's a win/win.

[0]: [http://blokada.org/](http://blokada.org/)

~~~
mtgx
> which is for obvious reasons not available on the Play Store

Only if the "obvious reason" you meant there is "Google abusing its Android
monopoly power".

I wish the EU would include that part into its anti-trust investigation
against Google, too. It should be illegal for Google to ban ad-blockers on its
store, for the same reason multiple courts in Europe have found that ad-
blockers are legal: the user should have the power to block ads if he or she
wants it.

This is especially true in this case, because Google can't even use the
"security" argument as it did in the early days of ad-blocker banning. This
app is functionally the same as a regular VPN, so unless it's saying that all
VPNs are a security risk and it wants to ban all of them, then Google has no
technical justification for banning VPN-like ad-blockers.

As a side note, why doesn't Blokada use HTTPS? My trust in that app dropped
in half for this reason alone, when it's so easy and free to enable HTTPS
these days.

~~~
maxaf
Yes, the lack of HTTPS is baffling. HTTPS is so pervasive these days that one
has got to wonder.

On the subject of banning apps: my complete lack of empathy for less
technically capable users is probably showing right now, but as long as I'm
able to sideload apps onto my phone running AOSP, I'm good with whatever.

------
chimen
I have an extension to disable WebRTC to prevent leaks (uBlock added that
too), I have another one that claims it blocks mining, I have uBlock and
Disconnect - all fighting for my privacy.

This is getting out of hand.

~~~
swozey
I have the same miner blocker and it says it's never caught anything which I
find interesting. Has yours?

~~~
chimen
I don't know. Is it supposed to be saying anything? Mine's been quiet all
time.

~~~
swozey
I use minerBlock and it tells you the blocked miner number when you click it
in the tool bar

------
codedokode
If you disable JS you won't need any ad blockers and you will be surprised how
much faster the sites will load (if some sites are still not fast enough, try
disabling web fonts; they are heavy and block rendering, but sadly Chrome
doesn't allow blocking them on a per-site basis).

~~~
Momquist
It is possible to block web font requests on a per-domain basis via an
extension, even on Chrome. I have had webfonts disabled by default for a while,
and thought about building a whitelist of acceptable ones but have been too
lazy to implement it yet.
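
The per-domain font blocking described above, as an added example that is not Momquist's extension or any browser vendor's code: the decision logic is a plain function over a `webRequest` details object, so it can be tested on its own, and is registered as a blocking `onBeforeRequest` listener only when a `chrome.webRequest` API is present. It assumes a Manifest V2 extension with the `webRequest`, `webRequestBlocking` and `<all_urls>` permissions, that the requesting page is identified by `details.initiator` (Chrome) or `details.documentUrl` (Firefox), and the allowlisted hostnames are constructed.

```javascript
// Added example, not from the page. Block font requests by default and allow
// them only for pages on an allowlist. Assumes a Manifest V2 extension with
// webRequest + webRequestBlocking + <all_urls> permissions.

// Constructed allowlist of page hostnames where web fonts are acceptable.
const ALLOW_FONTS_ON = new Set(['docs.example']);

// Hostname of the page that issued the request, or null if unknown.
// Assumption: Chrome exposes it as details.initiator (an origin), Firefox as
// details.documentUrl; an unknown page gets the default (blocked).
function pageHost(details) {
  const origin = details.initiator || details.documentUrl;
  if (!origin) return null;
  try {
    return new URL(origin).hostname;
  } catch (e) {
    return null;
  }
}

// Returns a webRequest BlockingResponse: {cancel: true} blocks, {} allows.
function fontDecision(details, allow = ALLOW_FONTS_ON) {
  if (details.type !== 'font') return {};
  const host = pageHost(details);
  if (host !== null && allow.has(host)) return {};
  return { cancel: true };
}

// Register only inside an extension background page; a plain Node run of
// this file just exposes the functions above.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    (details) => fontDecision(details),
    { urls: ['<all_urls>'], types: ['font'] },
    ['blocking']
  );
}

// Constructed sample requests (no real sites).
function runSample() {
  return [
    fontDecision({ type: 'font', url: 'https://fonts.example/a.woff2', initiator: 'https://news.example' }),
    fontDecision({ type: 'font', url: 'https://fonts.example/a.woff2', initiator: 'https://docs.example' }),
    fontDecision({ type: 'font', url: 'https://fonts.example/a.woff2' }),
    fontDecision({ type: 'script', url: 'https://news.example/app.js', initiator: 'https://news.example' }),
  ];
}
```

Because the listener filter already restricts it to `types: ['font']`, the `type` check inside `fontDecision` is redundant in the extension but keeps the function safe to call on arbitrary request records in tests.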

------
r1ch
Are there even any legitimate domains under these new super-cheap-50c-domain
TLDs like .bid? I've seen a 100% spam bot rate for all email domains ending in
.bid on our sites.

I'm considering changing my local DNS to NXDOMAIN the whole TLD if it's this
messy.

------
hiram112
Doesn't it cost a few bucks to register a domain name? How could a malware
group pay to register thousands and thousands of randomly generated top level
domains?

~~~
dspillett
[https://en.wikipedia.org/wiki/Domain_tasting](https://en.wikipedia.org/wiki/Domain_tasting)
- still practical for some TLDs.

------
zaroth
Instead of trying to block ad-mining, consider this:

With the right PoW algorithm and the hardware access to optimize it, it really
seems like an excellent economic model, specifically if you must opt-in in
exchange for seeing no ads.

Today we deal with advertisements that destroy the user experience and have a
very real cost to the user in having to navigate through intrusive ads. Which
also, by the way, often cause the same over-revving and slow downs as mining
do.

In response, ad blockers rewrite or block a site’s code to eliminate the ads,
consuming the content but starving the site from its only revenue stream. Not
theft, perhaps not even morally wrong, but certainly to the detriment of the
site owner.

Microtransactions or subscription-based content pools with view-based payouts
have been proposed for years and have had some traction but certainly aren’t
widespread.

If you could opt-in to mine on behalf of the sites you visit in a way that
respected your real-time compute resources, in exchange for a completely ad-
free experience, would you do it?

It seems like mining for someone is the ultimate micro transaction. There is
no overhead and no fees and you can mine for a portion of time equal to tiny
fractions of a cent of value. In fact, mining for enough cycles to produce
even a penny of value would be a fairly substantial amount of computation.

The crucial question is the efficiency of the process. There are no
transactions fees whatsoever to mine for someone else, the bandwidth is
minuscule, the code is fairly tight. But the one thing that makes it
inefficient is if you’re consuming more compute than necessary to most
optimally perform the PoW. In other words, if your hashrate per CPU-second is
sub-optimal because the sandbox doesn’t allow an efficient PoW implementation,
or because the algorithm can be run orders of magnitude more efficiently on
specialized hardware, that in itself is a form of transaction fee.

If we can get a PoW algorithm which runs near-optimally on general purpose
computers on a blockchain that isn’t dominated by botnets, then the economics
should work out that you are paying whoever you mine for approximately the
cost of the electricity required to perform the mining, effectively leading to
a way to make free micropayments.

~~~
aiCeivi9
Even with perfect algorithm it won't be profitable enough. Value of mined
coins will be roughly equal to value of consumed electricity used by computer
(if no more efficient miner hardware exists). That gives around $1 if someone
stays on your site, mining, for _8 hours_. For anyone other than movie
streaming sites it is unprofitable, AdSense will bring much more money. And
each additional site that uses mining decreases profit for other ones, as they
share the same, fixed amount for found block.

~~~
zaroth
“... in a way that respected your real-time compute resources ...”

That is to say, your machine is constantly mining 24 hours / day at an
extremely preemptable low-priority on behalf of the various sites you visited
that day.

Definitely it can’t work that you’re only mining on behalf of the site while
you’re actively looking at it, because when you’re sitting in front of your
device is precisely when you _don't_ want to be mining!

As far as how much advertising value does the average internet user provide in
a day? Facebook's ARPU is about $25 in the US. And apparently Facebook users
spend an average of 50 minutes per day on Facebook. So that’s 8.2 cents per
hour, so we’re within an order of magnitude!

------
fwdpropaganda
I don't run JS. Yesterday some ridiculous page on the frontpage of HN called
me an "internet hipster" for having JS disabled.

------
elorant
Why is it that every time I read a story about online advertising it will
always be something malicious? WTF is wrong with these guys.

------
pentagonpapers
I would rather trade my gpu power than get ads

~~~
xxs
I take it you don't have a powerful one that drains 150W. I can trivially hear
the fans (GPU or CPU) if some site attempts to over-utilize the available
hardware resources.

~~~
2aa07e2
I don't see a problem with heating the room in the winter. [1]

[1]
[https://physics.stackexchange.com/a/2184](https://physics.stackexchange.com/a/2184)

~~~
gruez
heating via electricity is less efficient (cost wise) than via natural gas.

~~~
enord
That's the point.

