Ad network uses advanced malware technique to conceal CPU-draining mining ads

[Murasaki]

silly greedy planet

[kuddlesworth9419]

I have so many extensions now just for staying a little safer online and a little more private. 

[porina]

If I'm reading correctly, there is still a weakness to the method they use. They have to serve you the ad in the first place before any of that domain shenanigans takes place. If they're selling ads, I'm not sure if it would be easy for the site using the ads to reference constantly changing domains, so the ad company would still have a fixed presence up front, and that can continue to be blocked. 

[Zodiark1593]

2 hours ago, hey_yo_ said:

I don't know what a PWM type system is but just as I've said before, they crawl the internet all the time to classify sites, scripts and applications as malicious or not (cloud protection). I know that malware made sophisticated can slip past an anti-virus, my anti-virus program has never failed me in blocking mining scripts.

  Reveal hidden contents

 

PWM = Pulse Width Modulation. 

 

The idea here in electronics is rather than adjust power via altering amperage or voltage, you apply a full power pulse briefly, many times a second. Adjusting the frequency and duration of the pulses will, in effect, control power. Electric motors are the most common application. LEDs may also use PMW to control brightness in DC circuits.

 

Applied to malicious mining scripts, where cpu load rapidly fluctuates between full and very minimal, it may be possible to reduce heat output and potentially even fool monitoring tools.

[vorticalbox]

12 hours ago, bob51zhang said:

The problem is that every website that isn't made in 2005 seems to crap out because they use JS for everything now.

That's what a whitelist is for.

[ScratchCat]

4 hours ago, hey_yo_ said:

I don't know what a PWM type system is but just as I've said before, they crawl the internet all the time to classify sites, scripts and applications as malicious or not (cloud protection). I know that malware made sophisticated can slip past an anti-virus, my anti-virus program has never failed me in blocking mining scripts.

  Hide contents

 

PWM - pulse width modification e.g. 50% Mining, 50% sleeping. Not the correct terminology but gives an alright description.

 

The idea would be that the script sleeps randomly for some percentage of the time in order to disguise itself as a generic script.  If a process were to max out one or more cores than this would be suspicious an a sample could be submitted , if it were using e.g. 10% of the CPU one could assume it is just a heavy script and would have to wait for a random sample submission in order for the script to be discovered as a mining script.

[Energycore]

3 hours ago, Zodiark1593 said:

PWM = Pulse Width Modulation. 

 

The idea here in electronics is rather than adjust power via altering amperage or voltage, you apply a full power pulse briefly, many times a second. Adjusting the frequency and duration of the pulses will, in effect, control power. Electric motors are the most common application. LEDs may also use PMW to control brightness in DC circuits.

 

Applied to malicious mining scripts, where cpu load rapidly fluctuates between full and very minimal, it may be possible to reduce heat output and potentially even fool monitoring tools.

Your CPU also uses PWM - it sends pulses of a voltage over the semiconductor threshold and those are registered as 1s. Pretty much any IC does so, your VRMs use it as well.

[Zodiark1593]

Just now, Energycore said:

Your CPU also uses PWM - it sends pulses of a voltage over the semiconductor threshold and those are registered as 1s. Pretty much any IC does so, your VRMs use it as well.

Yeah, I thought as much, though I'm not familiar enough with cpu design to really say. Thank you.

[AnonymousGuy]

Just block the functions that it needs to do crypto operations, or instate a quota where if its exceeded then it gets blocked.

[mr moose]

8 hours ago, kiska3 said:

In the tone of "Your call could not be connected. Please check the number and try again"

"Your browser could notI know, but  load Sydney trains timetable, please check your browser settings and try again. JS not found"

 

Pretty much Sydney trains site is full of js interactivity

 

I know, but they don't have to,  remember back in the day when mobile internet was just becoming a thing and you had websites set up specifically for WAP enabled phones?  Companies can have really basic sites setup for basic browsing.  It literally just needs a header (or something) that redirected if you were using a full functioning browser because the dumb one can't redirect.