Ad network uses malware power

An ad distribution network is sending web browsers content which mines cryptocurrency on scammers' behalfs.
12 March 2018

An ad network is serving JavaScript code which mines Monero. Source: Pixabay


10-year-old malware used by hackers to avoid anti-virus software is being employed by an ad distribution network to point web users to sites which utilize their computers’ resources to mine for cryptocurrencies.

Domain generation algorithms (DGAs) first came to light in 2008 following the release of the Conficker worm. The brains behind Conficker used software to generate hundreds of random domain names which were profligate enough to foil the blacklists of anti-virus software. As soon as a site communicating command and control signals to/from infected nodes was identified, the infected machine would simply switch to a different site identified by one of the newly generated domains.

The same technique currently is being used by an ad distribution network which has been termed DGA.popad by the identifying security outfit, China’s Netlab 360.

The technique gets around the increasing use of ad blockers, as sites hosted on the generated domains are not recognized as suspicious. Once certain websites are visited, embedded JavaScript begins to utilize machines’ processor cycles to mine cryptocurrencies via the mining pool.

Domains take the form of between eight and 14 randomly generated alphabet characters, followed by a .com or .bid TLD suffix.

The process works as follows:

  1. The user visits a site such as (a porn site).
  2. With ad blocking software enabled, the ad distributer’s domain is blocked.
  3. JavaScript code then switches to one of the randomly generated domain names, placing a request and loading…
  4. …both the ad as well as JavaScript to start cryptomining.

More people than might be expected are affected, with one domain at one stage 1,999 in the Alexa website rankings, while the snappily-monikered reached 2,011.

Netlab 360 found that most of the websites running the ads were mostly porn and other content often used to lure in “unsuspecting” web users.

Should this technique become more widespread, creators of ad blocking software such as Chrome plug-ins and the like may have to rethink some of their methods, as the traditional blacks are not sufficient.

Affected users will find their CPU usage ramping up to full, as the code they have unwittingly loaded starts to mine cryptocurrencies.

The CoinHive pool typically takes 30% of any cryptocurrencies it mines, with the rest of the proceeds going, in this case, to the party behind the scam.