Malvertising Campaign Finds a Way Around Ad Blockers

[CrAKeN]

 

Ad blockers, our last hope against the onslaught of malvertising campaigns, appear to have fallen, as today, Malwarebytes published new research detailing a malvertising campaign that successfully bypasses ad blockers to deliver their malicious payload.

 

This malvertising campaign is named RoughTed based on the initial malicious domain at which it was found back in March 2017, but Jérôme Segura, the Malwarebytes security researcher who came across it, says there are clues to show that RoughTed has been active for over a year.

 

The campaign is very complex and well designed (from a crook's standpoint), as it leverages multiple tricks of the trade, most of which have allowed it to grow undetected in the shadows for so much time.

 

The word that describes RoughTed the best is "diversity." The operators of this malvertising campaign not only feature traffic from different types of sources, but also include different user fingerprinting techniques, and very different malicious payloads.

 

Adf.ly, ExtraTorrent, Openloud delivered malicious ads

 

Traffic to this malvertising campaign comes from ads displayed on thousands of sites. Some of these are small, personal sites, while others are in the Alexa Top 500. Malwarebytes says it detected RoughTed-tainted ads on sites such as Adf.ly, ExtraTorrent (now defunct), Openloud, and Ouo.io, just to name a few of the bigger ones.

 

According to Segura, RoughTed domains accumulated over half a billion visits in the past three months since the researcher started tracking the campaign.

 

Cooperating with Sucuri, Segura says they also identified malicious ads inserted into the source code of smaller sites. If the malicious ad code was placed there by the site owner or after the site was hacked is unknown.

 

RoughTed uses aggressive fingerprinting

 

The malicious code present in these rogue ads will load various scripts in the browser's background, which redirect the user through tens of URLs where various checks are performed.

 

"[T]here is some aggressive fingerprinting which I think most ad networks wouldn't do because it's very privacy invasive," Segura told Bleeping Computer in a private conversation today, describing RoughTed's scripts.

 

These include checks for browser type, operating system, language settings, and geolocation information. Segura says some of these scripts have been specifically designed to detect when users are faking their user-agent.

 

These scripts range from using the now standard HTML5 canvas-based fingerprinting technique to a newer trick of checking for a list of installed fonts — which are different based on OS.

 

RoughTed bypasses ad blockers

 

Nonetheless, the most eye-catching script is the one that detects if the user is using an ad blocker extension and finding a way to bypass this system.

 

Users of several ad blockers such as Adblock Plus, uBlock origin, or AdGuard, have been recently complaining about advertisements that break through their ad blockers.

 

Segura attributes this to RoughTed, but other malvertisers are also using ad blocker evasion techniques.

 

"[O]thers are using similar code as well, but RoughTed is on a much larger scale," the Malwarebytes expert told Bleeping Computer.

 

Based on Segura's statement we can say that while maintainers of ad-blocker technologies were busy fighting off advertisers and online publishers, malvertisers have crept up behind their backs and outsmarted some of their ad-blocking filters, at least for the time being.

 

As a closing note, showing that RoughTed is not your run-of-the-mill malvertising campaign, its operators weren't fixated on delivering only a particular type of payload to their victims. According to Segura, RoughTed has sent unwitting users to:

 

Quote

➠ different exploits kits (RIG EG, Magnitude)
➠ tech support scam pages
➠ download pages for Mac adware
➠ download pages for Windows PUPs
➠ rogue Chrome extensions
➠ iTues and App Store pages - part of pay-per-install schemes
➠ annoying online surveys

 

IOCs and other details about the campaign are available in Malwarebytes' RoughTed report.

 

Source

[Agent 86]

 

18 hours ago, CrAKeN said:

RoughTed

I went to HS with this guy, dont wanna fuck with him!  

[straycat19]

Any ad that gets through uBlock and Adguard has all its data recorded by my system.  I then use that data to obtain IP addresses and block the IPs with my firewall.  Most of the time I block the whole host network, for example xxx.xxx.xxx.000-xxx.xxx.xxx.255.  This has proven very useful in blocking any ads and so far I have not had any problems accessing any website that I want to access.

 

RoughTed is a wimp.  Real men don't need ads.

 

 

[DKT27]

4 hours ago, straycat19 said:

Any ad that gets through uBlock and Adguard has all its data recorded by my system.  I then use that data to obtain IP addresses and block the IPs with my firewall.  Most of the time I block the whole host network, for example xxx.xxx.xxx.000-xxx.xxx.xxx.255.  This has proven very useful in blocking any ads and so far I have not had any problems accessing any website that I want to access.

 

RoughTed is a wimp.  Real men don't need ads.

 

I wonder if you have found any IPs for this, or can even share IPs you have found for other such things. I have lost my previous list.

 

Turns out, my router cannot block ads as per this.

[dcs18]

 

9 minutes ago, DKT27 said:

4 hours ago, straycat19 said:

Any ad that gets through uBlock and Adguard has all its data recorded by my system.  I then use that data to obtain IP addresses and block the IPs with my firewall.  Most of the time I block the whole host network, for example xxx.xxx.xxx.000-xxx.xxx.xxx.255.  This has proven very useful in blocking any ads and so far I have not had any problems accessing any website that I want to access.

 

RoughTed is a wimp.  Real men don't need ads.

I wonder if you have found any IPs for this, or can even share IPs you have found for other such things. I have lost my previous list.

Never gonna happen-1,

 

Never gonna happen-2.

 

 

13 minutes ago, DKT27 said:

Turns out, my router cannot block ads as per this.

What you believe is exactly what you get.

 

FYI, while it's easily accomplished, it's also a terminally sick mind that contemplates leaving ad. blocking to routers.

[steven36]

I  cant reproduce this on my system  i use too have way more problems out of it before i started  using a  good popblocker as well  ExtraTorrent is closed and the guy cant even spell Openload. I used Openload  almost everyday for over a year with no problems  Malware campaigns on paid link shortners is nothing new  and you're already having to deal with loads of anti adblock  there are userscripts that get around most of this if   it it cant just block the  urls/ips system wide in you're firewall  

 

What makes these Malware campaigns more  effective  is every site he listed use some type of .anti adblock and many people  turn there adblock off the site too use them without a script blocker , popup blocker or anything.

[DKT27]

37 minutes ago, dcs18 said:

 

Never gonna happen-1,

 

Never gonna happen-2.

 

 

What you believe is exactly what you get.

 

FYI, while it's easily accomplished, it's also a terminally sick mind that contemplates leaving ad. blocking to routers.

 

Not sure why you always seem to be on lookout for arguments man. A person of your caliber knows better.

 

Eitherway, I'm pretty sure a list was provided by staycat before and would not have asked about it had it not have happened before.

 

What makes you think I'm leaving it to routers. I'm on a lookout for layered security, for all the devices connected to the router. The blocking of ads through router was just an experiment that was done earlier to try a few things.

[dcs18]

 

10 minutes ago, DKT27 said:

Not sure why you always seem to be on lookout for arguments man. A person of your caliber knows better.

Argument??? Well, a conversation of your (unjustified and uncalled for) derogatory comments against me in the staff's forum was allowed to be made public — surprise . . . . . blast from the past.

 

A person of your caliber should've known better — you're an admin.

 

 

10 minutes ago, DKT27 said:

Eitherway, I'm pretty sure a list was provided by staycat before and would not have asked about it had it not have happened before.

Since you vest so much confidence in staycat straycat, do feel welcome to provide a link to his fictional list of IPs.

 

 

10 minutes ago, DKT27 said:

What makes you think I'm leaving it to routers. I'm on a lookout for layered security, for all the devices connected to the router. The blocking of ads through router was just an experiment that was done earlier to try a few things.

Perhaps your newfound staycat straycat, would love to volunteer as the official, designated lab rat of your ambitious router experiment.

[dcs18]

 

29 minutes ago, DKT27 said:

1 hour ago, dcs18 said:

What you believe is exactly what you get.

 

FYI, while it's easily accomplished, it's also a terminally sick mind that contemplates leaving ad. blocking to routers.

Not sure why you always seem to be on lookout for arguments man. A person of your caliber knows better.

While this might have been felt as a slap on the face — actually, it was not (at least, not yet):—

 

[steven36]

I only find  system wide adblock useful for programs i can't  install a adblocker in i use it in Linux for a program , but as far these sites it's not as easy  as blocking the offending ips  because you will set anti adblock off anyway if you block the root url.  it can be done it  takes a lot of time finding  the url or ip to each ad. I only had to do this once for one site but it's since been fixed by those who make userscripts.

[DKT27]

18 minutes ago, dcs18 said:

 

Argument??? Well, a conversation of your (unjustified and uncalled for) derogatory comments against me in the staff's forum was allowed to be made public — surprise . . . . . blast from the past.

 

A person of your caliber should've known better — you're an admin.

 

 

Since you vest so much confidence in staycat straycat, do feel welcome to provide a link to his fictional list of IPs.

 

 

Perhaps your newfound staycat straycat, would love to volunteer as the official, designated lab rat of your ambitious router experiment.

 

This is exactly what I'm speaking about. You are always on a lookout for an argument.

 

The thing you are quoting was taken out of context - if you want you can go through all my views about you in the staff forum, made throughout the years - it will surprise you. Not a single derogatory comment next to your name in the staff forum. The reason is that I respect your caliber and your ability, but the problem here is that you do not necessarily do so for everyone when finally, all members are equal on nsane.forums, not only in principal but also as per Guidelines. If there is any criticism from me about you, it's exactly this.

 

Eitherway, what happens with straycat19 is his business, you can suggest or even criticize to some extent, but what's with all this hounding going on here.

[dcs18]

4 minutes ago, DKT27 said:

Not a single derogatory comment next to your name in the staff forum.

We have the screenshots.

[DKT27]

Just now, dcs18 said:

We have the screenshots.

 

I know you do. It's also funny how some members try their best to exploit it - I genuinely hope you are not part of the group which wants to harm not only the site but also it's members individually. Again, you do not know what happens behind the scenes hence are accusing me about things without knowing the background story about them.

[tao]

22 minutes ago, dcs18 said:

Plant a thought and reap a word;
plant a word and reap an action;
plant an action and reap a habit;
plant a habit and reap a character;
plant a character and reap a destiny. 

 

W — Watch your Words.
A — Watch your Actions.
T — Watch your Thoughts.
C — Watch your Companions.
H — Watch your Habits.  

 

 

[dcs18]

 

1 minute ago, DKT27 said:

5 minutes ago, dcs18 said:

We have the screenshots.

I know you do. It's also funny how some members try their best to exploit it - I genuinely hope you are not part of the group which wants to harm not only the site but also it's members individually. Again, you do not know what happens behind the scenes hence are accusing me about things without knowing the background story about them.

It's been more than a year — do you really believe that I can be counted amongst those with herd mentality.

 

As a matter-of-fact, one of your own co-admins had tried to coax me to join his group and was made to bleed, for it (have that screenshot, as well) — you think I came here after one full year to exploit my screenshots?

 

Please don't fool yourself that I'm here for vendetta or some sort of gang-bang — have always hunted alone and on the spur of the moment.

[tao]

23 minutes ago, DKT27 said:

... The thing you are quoting was taken out of context - if you want you can go through all my views about you in the staff forum, made throughout the years - it will surprise you. Not a single derogatory comment next to your name in the staff forum. ...

 

Eitherway, what happens with [...] is his business...

[Methinks] what happens in staff forum is staff forums' business. 

Like politics, this 'politics' could be avoided here.  No?

 

[a morsel for thought:]

"In the practice of tolerance, one's enemy is the best teacher.  ~ Dalai Lama"

 

Cheers! 

 

 

[DKT27]

6 minutes ago, dcs18 said:

 

It's been more than a year — do you really believe that I can be counted amongst those with herd mentality.

 

As a matter-of-fact, one of your own co-admins had tried to coax me to join his group and was made to bleed, for it (have that screenshot, as well) — you think I came here after one full year to exploit my screenshots?

 

Please don't fool yourself that I'm here for vendetta or some sort of gang-bang — have always hunted alone and on the spur of the moment.

 

I'm somehow pleased to hear that. Again, you yourself are well aware the endless heights of your caliber. Cannot I ask you for some more respect for others. Is it too much to ask for.

 

I'm not sure which other admin you are talking about, but I guess it's best not looked into anymore.

 

6 minutes ago, adi said:

[Methinks] what happens in staff forum is staff forums' business. 

 

Like politics, this 'politics' could be avoided here.  No?

 

I agree. I assure all the members of nsane.forums that whatever done and said and decided in the staff forums is done for the best interest of the site and all of it's members here.

[Recruit]

1 hour ago, dcs18 said:

Never gonna happen-2.

 

Sorry to contradict a very old friend, but this has happened here :

Finally,  I found the post but , with all of these, after a little research ,  I saw that these rules are not so good.

 

 

Why ? You will be protected only in the first and second level of folders.

 

If a malware creates more folders into those locations ( to different leveles ) these rules are totally useless.  See screenshot with a test run into a Win 7 VM.

 

The solution might be to use " white rules " instead these " black rules "

Also the loopholes regarding users grups for the folders in which are permitted to execute exe files or dll libraries must be closed also.

 

 

[tao]

25 minutes ago, DKT27 said:

... I assure all the members of nsane.forums that whatever done and said and decided in the staff forums is done for the best interest of the site and all of it's members here.

Nothing is (this) perfect.

Let it be the way it is (with warts and imperfections).

Without any claims.

Thanks & Regards. 

[dcs18]

12 minutes ago, Recruit said:

Sorry to contradict a very old friend, but this has happened here :

Finally,  I found the post but , with all of these, after a little research ,  I saw that these rules are not so good.

Trust me — he'll only proffer lip-service.

 

On a technical note, when group policy is deployed to block executables, the end-User receives a visual + auditory error and therefore realizes it has been blocked by a SysAdmin — in order to exploit the deniability factor, a good SysAdmin would always use a method of blocking executables which is silent and preempts execution in the background.

 

 

 

 

12 minutes ago, Recruit said:

The solution might be to use " white rules " instead these " black rules "

Yes . . . . . . it's a revival — be it firewalling, group policing, anti-executing, anti-spamming, ad. blocking and other such blah blah:—

 

The Allow all and block selectively policy is passé.

 

GenerationNext mantra is Block all and allow selectively.

[nIGHT]

From this

Spoiler

On 8/28/2016 at 3:21 AM, straycat19 said:

I find it truly amazing that in all the articles that have been published on how to avoid malware they always list multiple things you can do that in the end really don't protect you from any  malware.  I know people who have practiced these things but still managed to get some type of malware on their system despite their attempts at protecting their system.  And in reality you can do ONE thing that will stop 99.9% (nothing is absolute) of all malware.  That is to stop anything from running from the appdata folder using group policy.

 

Below are a few Path Rules that are suggested you use to not only block the infections from running, but also to block attachments from being executed when opened in an e-mail client.

   

 

 

Block executable in %AppData%

        Path: %AppData%\*.exe
        Security Level: Disallowed
        Description: Don't allow executables to run from %AppData%. 

   

Block executable in %LocalAppData%

        Path: %LocalAppData%\*.exe
        Security Level: Disallowed
        Description: Don't allow executables to run from %AppData%. 

   

Block executable in %AppData%

        Path: %AppData%\*\*.exe
        Security Level: Disallowed
        Description: Don't allow executables to run from immediate subfolders of %AppData%. 

   

Block executable in %LocalAppData%

        Path: %LocalAppData%\*\*.exe
        Security Level: Disallowed
        Description: Don't allow executables to run from immediate subfolders of %AppData%. 

   

Block executables run from archive attachments opened with WinRAR:

        Path: %LocalAppData%\Temp\Rar*\*.exe
        Security Level: Disallowed
        Description: Block executables run from archive attachments opened with WinRAR. 

   

Block executables run from archive attachments opened with 7zip:

        Path: %LocalAppData%\Temp\7z*\*.exe
        Security Level: Disallowed
        Description: Block executables run from archive attachments opened with 7zip. 

   

Block executables run from archive attachments opened with WinZip:

        Path: %LocalAppData%\Temp\wz*\*.exe
        Security Level: Disallowed
        Description: Block executables run from archive attachments opened with WinZip. 

   

Block executables run from archive attachments opened using Windows built-in Zip support:

        Path: %LocalAppData%\Temp\*.zip\*.exe
        Security Level: Disallowed
        Description: Block executables run from archive attachments opened using Windows built-in Zip support.

 

 

 

to this

Spoiler

1 hour ago, Recruit said:

 

Sorry to contradict a very old friend, but this has happened here :

Finally,  I found the post but , with all of these, after a little research ,  I saw that these rules are not so good.

 

 

Why ? You will be protected only in the first and second level of folders.

 

If a malware creates more folders into those locations ( to different leveles ) these rules are totally useless.  See screenshot with a test run into a Win 7 VM.

 

The solution might be to use " white rules " instead these " black rules "

Also the loopholes regarding users grups for the folders in which are permitted to execute exe files or dll libraries must be closed also.

 

 

 

an exploit was found. Good job @Recruit

[tao]

1 hour ago, dcs18 said:

Trust me — he'll only proffer lip-service....

Don't know if what has happened, not happened, will happen or will not happen. 

 

But I know that if a piece of information is asked for, and a link to that information is available; it takes almost no effort to provide that link.  More importantly, however, one is always free to answer, not answer, or whatever' as a request is a request -- not a demand.  

 

Nevertheless, help is the basic "foundation" of this forum.  No? 

 

Regards. 

[Karlston]

7 hours ago, DKT27 said:

Turns out, my router cannot block ads as per this.

 

Thanks, Pi-hole looks very useful software and RPi's are cheap.

 

I've bought a second Odroid C2 , intending to run the Privoxy web proxy. The Odroid C2 has it all over the RPi3 on specs, faster, double the memory, etc.

 

Privoxy can not only block domains/IPs/URLs(?), but also filter out web page items like annoying slideshows, blocks of outbrain/taboola/etc ads, blocks of "helpful/related" article suggestions, images etc. Think of the combined filtering capabilities of the addons Adblock Plus and Element Hiding Helper for Adblock Plus.

 

(Sorry to interrupt the off-topic nonsense with something relevant. HINT: Please take it elsewhere!)

[46&2]

Well, a conversation of your (unjustified and uncalled for) derogatory comments against me in the staff's forum was allowed to be made public — surprise . . . . . blast from the past.

We have the screenshots

lmfao vol1 from locoJoe !!!!

[nIGHT]

59 minutes ago, 46&2 said:

lmfao vol1 from locoJoe !!!!

So you're locojoe. Hello locojoe!