Maladvertising networks use CDNs to hide their tracks

At this point there are quite significant increase in malicious browser plugins that displays ads without enough disclosure. Quite often their tracks are hidden and it is not so easy to remove them. The makers use 2 ways to start showing adware :

  1. Distributing plugins with bundles or trojans (aka “movie downloads”, etc).
  2. Purchasing popular plugins and releasing ad-supported versions.

While second way is almost legitimate, it is handled by browser makers effectively and is not so dangerous. Fast burning a plugin with significant user base is not something most adware makers want.

However, the makers of trojan – distributed adware plugins try to make sure their ads will be difficult to block permanently or tracked to their companies without caring about how long the plugin itself will last. Thus there is increase in CDNs supported popups. They are hard to block as the same infrastructure is used for legitimate content and pages.

As and example, lets look at hxxp://  – a domain having huge Alexa rating ( ~6500).  The registration is private and the DNS services are ones of cloudflare – webpage acceleration network. Lots of legitimate pages use it, so it is not possible to block sites by IP that easily. I think it is used in Plus-HD plugin family that is made for advertising only. Spyhunter and Adwcleaner should handle the current versions of plugins good enough. 

Screen Shot 2014-02-11 at 12.58.25

They haven’t bothered to set up real page at all. icmapp main domain is godaddy parking page. Some advertising networks care enough to provide some placeholder to explain themselves. Not so in this case.

Screen Shot 2014-02-11 at 13.10.57

What happens now? First, even if the domain will be blocked it is quite easy to launch other domains under same (or different) name under cloudflare without bigger changes to infrastructure. There won’t be a need to change icmapp com mains servers as they are not visible for end user. Even if they are kicked, there won’t be enough checks to make sure such thing won’t happen again.

There is still hope that majority of browsers will change the way plugins get installed and perform checks for installed non-market plugins. This would be privacy risk, but would solve issue with malicious advertisings once and for all. 


Speak Your Mind