Ad network uses advanced malware technique to conceal CPU-draining mining ads

by Dan Goodin, Ars Technica

(Image credit: Lisa Brewster / Flickr)

The rise of drive-by cryptocurrency mining on a growing number of websites has led to renewed demand for ad-blocking software, as web users seek ways to ward off hidden code that saddles their computers with resource-draining coin mining. Now some miners are borrowing a trick first popularized by botnet software to get past ad blockers, which mostly work from static lists of known hostnames.

Domain-generation algorithms are a software-derived means of creating a nearly unlimited supply of unique domain names on a regular schedule. DGAs, as they're usually called, came to light in 2008 following the release of the highly viral Conficker worm. To prevent whitehats from seizing the domain names Conficker used to receive command-and-control instructions, the malware generated hundreds of new, unique domains each day, which infected computers would then check for updates. Even if old domains were sinkholed, Conficker needed to reach only one of the new addresses to remain under its creator's control. The burden of registering more than 90,000 new domain names every year has proved so great for whitehats that Conficker continues to operate even now.

Researchers at China-based Netlab 360 reported over the weekend that an advertising network is using DGAs to conceal the in-browser currency-mining code it runs on websites. Normally, the ad network redirects visitor browsers to serve.popad.net, which hosts ads that load coinhive.min.js. That's the JavaScript code that bogs down visitor computers by making them participate in a giant mining pool hosted by coinhive.com, which keeps 30 percent of the proceeds and gives the remainder to the advertiser or website that provided the referral. In most cases, all of this happens behind the scenes, with no visible sign of what's happening other than over-revving fans and degraded computer performance.


Source: Ars Technica - All content feed, http://feeds.arstechnica.com/arstechnica/index (https://arstechnica.com/)