Wednesday, December 14, 2016

Use this one weird trick so that Ads DIE DIE DIE

Peter highlights a serious security issue - malware delivered via web ads:
Like many of you, I'm sure, I run ad blocking software, a pop-up blocker, and a script blocker on my Web browser.  In fact, I use multiple Web browsers.  For Web pages that simply must allow scripting, cookies, etc. - such as Blogger, on which I'm writing these words - I use Chrome.  For general browsing, where I don't want to allow Web sites to set cookies, run scripts, etc., I use Firefox, fully loaded with protective software.  As backups, for occasional use when I want to visit a Web site, then instantly clean out whatever it sets in the way of cookies, etc., I use Opera or Edge.  To add to my browsing security, I use a VPN (virtual private network) offering end-to-end encryption, and providing a 'location' that's many hundreds of miles away from where I am.  I want to make life as difficult as I can for scam artists, hackers and intrusive corporate spyware.

I therefore get very frustrated when certain Web sites won't allow access unless I disable my ad blocker, or demand that I disable some or all of my security software in order to use them.  I simply won't tolerate such nonsense. 
This is a serious issue, one that I've blogged about several times.  Web sites typically have little or no control over the ads they serve, and ads are increasingly used by the Bad Guys to serve up malware to unpatched web browsers.  Peter lists a set of tools that I also recommend, but there's another trick that you can use that will deep-six a lot of the web clutter that slows your browser down - and may try to infect it.

Internet Black Holes.  I just made that name up, but it gives you a picture of what this is doing.  If you make as many of the ad sites as possible unreachable to your computer, they can't send you an ad.

Web pages look all nicely formatted, but they're actually a jumble of text, pictures, links, and computer code (especially JavaScript).  Going to your browser's menu and selecting "View -> Source" will show you just how complicated and ugly things are.  Your browser cleans this all up for you, pulling pictures down from links, formatting the text, loading video players, and fetching the ads that are encoded into the (mostly JavaScript) computer code.

And here is the weird trick: if you tell your computer that a particular ad location is at the Internet  address equivalent of Never Never Land, your browser will never be able to pull down that ad.  Sweet, huh?

What you do is basically override the Domain Name Service (DNS) for a particular set of bad sites.  DNS is what translates names (say, "") into an IP address (I'm too lazy to look it up, but it will look something like "").  DNS runs automagically, where your computer asks a DNS server (typically your home router) to give it the IP address for the name that you're trying to reach.

Except you don't have to always use DNS.  You can selectively (and most importantly, at no effort by you whatsoever) override DNS if you have some of these translations in a "hosts" file on your computer.  Your computer actually looks there first, and only asks DNS if it doesn't find what it's looking for.  If you have a bunch of ad sites in your hosts file, with an IP address pointing to Never Never Land, your browser will never send out DNS requests for those sites, and you will never see the ads (and the malware delivered with them).  Cool, huh?

As a note to the curious, "Never Never Land" has an IP address of "".  This is called the "loopback" address and means that it's referring to your very own computer (whatever the real IP address is).  Since you almost certainly aren't running a web server on your own computer, and certainly aren't hosting those ads on those URLs, your web browser will get a whole bunch of 404 messages instead of ads.  And it will get them fast, because it doesn't have to wait for DNS to reply.

The only thing you need to know is "where can I get a hosts file that is already made up, because I'm far too busy to do it myself?"

The entries look pretty legit, although I can't vouch for everything.  There is non-ad stuff (like Sitemeter - the Sitemeter host that this blog used to point to is listed there) which will break, but it doesn't look like it will break much (or anything) that you'd notice.  And you want to zap a lot of the annoying stuff that Peter was talking about?  This is your huckleberry.

There are installation instructions at the link, and it looks like the file is updated regularly, so give it a try.
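Since a hosts entry can point a name at any address, not just at your own machine, it is worth checking a downloaded file before installing it. The script below is an added example, not part of the original post or of the linked hosts project: it keeps only entries that map to a loopback or unspecified address and reports everything else. The sample domains and the `LOCAL_NAMES` list are constructed placeholders.

```python
import ipaddress

# Names that must keep their normal local mapping (assumed list).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def is_sink(addr: str) -> bool:
    """True only for loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def audit_hosts(text: str):
    """Split a hosts-format blocklist into (blocked_names, suspicious_lines)."""
    blocked, suspicious = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        addr, *names = line.split()
        # An entry that sends a name to a real address is a redirect, not a block.
        if not names or not is_sink(addr):
            suspicious.append((lineno, raw.strip()))
            continue
        blocked.update(n.lower() for n in names if n.lower() not in LOCAL_NAMES)
    return blocked, suspicious

def render(blocked):
    """Emit normalized entries, one name per line, all pointing at loopback."""
    return "".join(f"127.0.0.1 {name}\n" for name in sorted(blocked))

# Constructed sample input; not a real blocklist.
SAMPLE = """\
# sample blocklist
127.0.0.1 localhost
127.0.0.1 ads.example.com   # ad server
0.0.0.0   tracker.example.net metrics.example.net
203.0.113.7 bank.example.org
not-an-ip ads.example.org
"""

if __name__ == "__main__":
    blocked, suspicious = audit_hosts(SAMPLE)
    print(render(blocked), end="")
    for lineno, line in suspicious:
        print(f"REJECTED line {lineno}: {line}")
```

Append only the rendered output to your existing hosts file, and look at every rejected line by hand before deciding what to do with it.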


Steve said...

One thing that pisses me off is bogus ads that force a browser redirect on mobile devices. They send you through numerous redirects so you can't just hit back. Then they trigger your phone's vibrate feature to warn you of a serious infection. And yes, I've gotten these on legitimate news sites and blogs, though it's not as bad as it used to be.

Different-origin scripts should not be able to redirect a browser. And whoever decided that web pages should be able to activate the vibrate feature should be sentenced to life on a bed with a high power Magic Fingers. This needs to be a browser setting.

Steve said...

And is better on Windows machines if you have a web server running. At least it was in the past. I remember using the loopback IP and it slowed page loading to a crawl.

Eagle said...

I already do this with iptables on my Linux desktop and server systems.

JBinNM said...

Thank you for posting this info. Immediate improvement.

pjk said...

I did this yesterday after reading your post. I had never tried anything like this in the past, so it probably took me longer than it would for most others here.

I noticed an immediate slowing of the page loading (by a lot), so I was going to remove the "hosts" file. Then I went ahead and shut off the computer for about twenty minutes. Upon restart, there was no longer a noticeable slowing of the page loads. I also notice today that the disk access seems to be much lower.