Adblockers Installed 300,000 Times Are Malicious and Should Be Removed Now

An anonymous reader quotes a report from Ars Technica: Adblocking extensions with more than 300,000 active users have been surreptitiously uploading user browsing data and tampering with users' social media accounts thanks to malware its new owner introduced a few weeks ago, according to technical analyses and posts on Github. Hugo Xu, developer of the Nano Adblocker and Nano Defender extensions, said 17 days ago that he no longer had the time to maintain the project and had sold the rights to the versions available in Google's Chrome Web Store. Xu told me that Nano Adblocker and Nano Defender, which often are installed together, have about 300,000 installations total.

Four days ago, Raymond Hill, maker of the uBlock Origin extension upon which Nano Adblocker is based, revealed that the new developers had rolled out updates that added malicious code. The first thing Hill noticed the new extension doing was checking if the user had opened the developer console. If it was opened, the extension sent a file titled "report" to a server at https://def.dev-nano.com/. "In simple words, the extension remotely checks whether you are using the extension dev tools -- which is what you would do if you wanted to find out what the extension is doing," he wrote. The most obvious change end users noticed was that infected browsers were automatically issuing likes for large numbers of Instagram posts, with no input from users. Cyril Gorlla, an artificial intelligence and machine learning researcher at the University of California in San Diego, told me that his browser liked more than 200 images from an Instagram account that didn't follow anyone. The screenshot to the right shows some of the photos involved.

Doing it wrong

[raymorris]

> If it was opened, the extension sent a file titled "report" to a server at https://def.dev-nano.com/ [dev-nano.com].

These guys suck at malware. When you know an analyst is watching the malware is supposed to ... do nothing. Don't intentionally do suspicious shit when you know the good guys are looking.

Re:

[bmimatt]

I am not sure this is malware. It's more of "spyware manipulating spyware", if I've scanned through TFA correctly.

Re:Doing it wrong

[ShadowRangerRIT]

It's performing actions on behalf of the user without their input. Even something as simple as liking Instagram posts takes it firmly out of the category of mere spyware and into malware territory.

Re:

[raymorris]

Besides that, spyware is a subset of malware.

Ironically ...

[fahrbot-bot]

... the extension sent a file titled "report" to a server at https://def.dev-nano.com/ [dev-nano.com].

I can't browse that URL because it's blocked by uMatrix. :-)

[ I have both uMatrix and uBlock Origin install in Firefox. ]

Re:

[ShadowRangerRIT]

Although now that uMatrix has ended active development [slashdot.org], it seems like only a matter of time until some security bug comes to light and it ends up becoming a liability, security-wise. I hope he picks it up again, but I'm not confident (uBlock Origin exists because he got tired of uBlock, gave it up, then resumed it later under a new name).

unlock origin continues ok?

[fbobraga]

Right?

If the 'new devs' were legit

[OverlordQ]

They could have forked the open source code. They wanted to buy the users.

Re:

[thegarbz]

I know, Slashdot isn't legit either. I mean Bizx could also have forked the code but instead bought the site from Dice.

No legitimate entity would ever pay money for established IP right?

Too good

[martinX]

In situations like this, I am immediately reminded of the sage response [youtube.com] by M. Laughington Baggus.

He is truly a voice of our times.

Extensions should not be allowed to send data

[hcs_$reboot]

Extensions should not be allowed to send data outside.

Re:

[hcs_$reboot]

how is an ad blocker supposed to know what is and isn't an Ad, if it doesn't send a GET request to download filters?

Filters should be part of the extension. Less convenient as it relies on extension updates, but way safer.

Re:

[ShadowRangerRIT]

Bloom filters are good for a cheap check, but you still need the original data source to be able to distinguish true positives from false positives. Bloom filters save space in memory and reduce the number of times you need to check the larger data set (typically on disk), but they don't mean you don't need the larger data set at all. If they did, it wouldn't be a bloom filter, it would just be quasi-magical levels of compression.

Re:Extensions should not be allowed to send data

[ShadowRangerRIT]

That limits configurability dramatically. If I want to block malware, but not simple ads, now I need to fork the extension. If you want to block third-party tracking ads, but don't mind ads elements served as part of the page itself, from the same host, but someone else wants them all blocked, that's another fork. It gets crazy. uBlock Origin ships with 33 different "generic" block lists, plus another 34 lists specific to certain languages and locales, and you're allowed to customize the set however you like. And it lets you add custom additional sources on top of that. Even ignoring the region/language specific lists, if you had to have the filters baked into the extension, that would make custom list sources impossible, and require a few billion forks of the extension for every possible combination of filter list.

And of course, once you've done all that, you've still got an extension that, for legitimate reasons, needs to be able to arbitrarily modify the HTML of the page (assuming you want to allow it remove ads on an element-by-element basis, not just block network connections from the page). For all practical purposes, this lets it communicate with whatever it likes by injecting a combination of frames and scripts. Locking it down to the level of safety you want would leave you with an crippled version of what the extension provides as is.

Re:

[virtualXTC]

Just make each list an app that the blocker can use as a dependency. The lists can get updates thought he app store, so no data need be sent out.

Re:

[ShadowRangerRIT]

So now you have dozens of new apps, any one of which could be compromised and do things far more complex than merely change your filters?

Re:

[jbmartin6]

Unless, of course, that is required for them to function as advertised.

*One* adblocker

[arosenfield]

*One* adblocker, which has been installed 300,000 times, is malicious. Not all adblockers that have been installed 300,000 times are necessarily malicious.

(Yes yes, I know, the editors here can't be expected to actually make a comprehensible title.)

Re:

[desdinova 216]

it's more of a scare tactic by the advertising industry?

Re:

[virtualXTC]

No - it's actually 2 adblockers.... Also, you forgot: "Adblocking extensions with more than 300,000 active users have been surreptitiously uploading user browsing data and tampering with users' social media accounts thanks to malware...." Really dumb phrasing of both the title and this.

Re:

[ZiggyZiggyZig]

Actually... "Adblockers Installed 300,000 Times Are Malicious and Should Be Removed Now" --> if your adblocker has been installed 299,999 times or 300,001 times, then you're safe! Don't worry! Also like me on instagram please :3

Re:

[gweihir]

Damn, and there I though we finally had an easy to check parameter to determine maliciousness!

Is uBlock Origin safe or not?

[DintiAlinti]

Not sure I understand from this if uBlock Origin is safe or not?!?

Re:

[Gornkleschnitzer]

It is. uBlock Origin's developer investigated the extension that he had originally forked to create uBO, but he himself has nothing to do with Nano and was only raising awareness.

Re:

[aitan]

uBlock Origin is the original extension, and this one was a fork with some tweaks.

Re:

[Gornkleschnitzer]

Aaaaand I failed in reading comprehension for today. Thanks for clarifying.

So...

[Unnamed Chickenheart]

What about discussing which adblockers are to be trusted, and then I mean both as in capable of disabling ads and the owner/developers are trustworthy. ?

Also: Facebook ads. Please have mercy, Lolth, for I have not deserved this! =,-(

Re:

[bedefiant]

This! Because honestly... there are waaaay too many adblockers out there and I thought uBlock Origin was the best and most trustworthy... like wtf. Anyone have a good recommend?

Re:

[ShadowRangerRIT]

uBlock Origin is fine. The problematic adblocker is Nano Adblocker, which forked from uBlock Origin, and later added malware "features".