Measuring and Disrupting Anti-Adblockers Using Differential

Execution AnalysisShitong Zhu*, Xunchao Hu†, Zhiyun Qian*, Zubair Shafiq‡, Heng Yin*

*University of California, Riverside

‡The University of Iowa

†Syracuse University

ShitongZhuetal. 1

What Is Happening?

ShitongZhuetal. 2[1]Adblockingrapidlyescalating,saysresearcherhttps://www.networkworld.com/article/3087339/internet/ad-blocking-rapidly-escalating-says-researcher.html

Web Tracking & Ads

ShitongZhuetal. 3

tracking-fueled/conciseness

[2]16CreepiestTargetedFacebookAdshttp://mashable.com/2014/08/13/facebook-ads-creepy/#kuIr6KVMAaqc

Or Worse, Malvertising

ShitongZhuetal. 4[3]RoughTed:theantiad-blockermalvertiserhttps://blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser/

Ad Blockers To The Rescue!

ShitongZhuetal. 5

ShitongZhuetal. 6

How Ad blocking Works?

What Does Ads Industry Think/React?

ShitongZhuetal. 7

•  Inaword,nothappy…• Considersadblockersaseriousthreattotheirbusinessmodel•  Theirmove:deployingAnti-Adblockerthat

•  (1)detectsthepresenceofadblocker,•  (2)reactstoadblockerby:

•  completely/partlyblockingtherealcontent•  issuingwarningmessages•  silentlyreportingadblockingstatus

What Does Ads Industry Think/React?

ShitongZhuetal. 8

eitherwhitelistingthesite …orsubscribe

Now, Our Turn?

• Alreadyanescalatingarmsrace,withnowinneryet• Goals:

1)  wewanttoinvestigatetheongoingarmsrace2)  withthisknowledge,wewanttoescalatethisarmsrace

• Ourpriorwork:•  IMC’17:coverageofthecurrentanti-adblockfilter-listisNOTgood(only~9%)•  PETS‘17:A/Btesting,staticanalysis(onlyforvisibleones/cannotlocaterelevantcode)

• Ourlatestmove:differentialexecutionanalysis

ShitongZhuetal. 9

Our Idea & System

• Keyobservation:awebsiteemployinganti-adblockerwouldhaveadifferentJavaScriptexecutiontraceifitisloadedwithadblocker(positivetrace)ascomparedtowithoutadblocker(negativetrace)•  Systemoverview:

Divergencefound:-->anti-adblockerdetected

Divergencefound:-->anti-adblockernotdetected

ShitongZhuetal. 10

①② ③

Differential Execution Analysis? What Is It?

•  It’singeneralalong-awaitedprogramanalysistechnique,butcanbesomehowimplementedquitestraightforwardinourcase:

• whatwillappearinourexecutiontracewhenweenableadblocker?

• whatwillappearinourexecutiontracewhenwedisableit?

ShitongZhuetal. 11

How Good Is It?

• Onground-truthdatasets,oursystemachieves•  TruePositiverate:86.9%|FalsePositiverate:0%

• Moreinformationbeyondthebinaryresults

ShitongZhuetal. 12

Large-Scale Analysis In The Wild

• Keyfinding:•  wedetectedantiad-blockerson30.5%oftheAlexatop-10Kwebsiteswhichis5-52timesmorethanreportedinpriorliterature

• Whysuchabiggap?•  rememberthatatypicalanti-adblockerhastwocomponents:1.  adblockerdetection2.  subsequentreaction(possiblysilent)

ShitongZhuetal. 13

Large-Scale Analysis In The Wild

ShitongZhuetal. 14

Other Findings

• Originsoftopscriptscontaininganti-adblockinglogic:

• Popularityofanti-adblockersbywebsiteranking

ShitongZhuetal. 15

Improving Adblockers

• AvoidingAnti-adblockerswithJavaScriptRewriting

• HidingAdblockerswithAPIHooking(stealthyadblocker)•  allAPIcallsusedbypublisherscriptstoexaminethestateofthepage(e.g.,whetheranadisvisible)canbeinterceptedandmodifiedbyabrowserextension

ShitongZhuetal. 16

Future

• Usersshouldhavetherighttomakeachoice

• Alternativebusinessmodels•  AcceptableAdsprogram&BetterAdsstandards•  Adsprofitre-distribution:Bravebrowser

ShitongZhuetal. 17

Q & A

ShitongZhuetal. 18

• ComplementaryMaterial• https://sites.google.com/view/antiadb-proj