RoughTed bypasses ad blockers


Nonetheless, the most eye-catching script is the one that detects if the user is using an ad blocker extension and finding a way to bypass this system.

Users of several ad blockers such as Adblock Plus, uBlock origin, or AdGuard, have been recently complaining about advertisements that break through their ad blockers.

Segura attributes this to RoughTed, but other malvertisers are also using ad blocker evasion techniques.

"Others are using similar code as well, but RoughTed is on a much larger scale," the Malwarebytes expert told Bleeping Computer.

Based on Segura's statement we can say that while maintainers of ad-blocker technologies were busy fighting off advertisers and online publishers, malvertisers have crept up behind their backs and outsmarted some of their ad-blocking filters, at least for the time being.

As a closing note, showing that RoughTed is not your run-of-the-mill malvertising campaign, its operators weren't fixated on delivering only a particular type of payload to their victims. According to Segura, RoughTed has sent unwitting users to:
➠ different exploits kits (RIG EG, Magnitude)
➠ tech support scam pages
➠ download pages for Mac adware
➠ download pages for Windows PUPs
➠ rogue Chrome extensions
➠ iTues and App Store pages - part of pay-per-install schemes
➠ annoying online surveys

RoughTed uses aggressive fingerprinting
The malicious code present in these rogue ads will load various scripts in the browser's background, which redirect the user through tens of URLs where various checks are performed.

"There is some aggressive fingerprinting which I think most ad networks wouldn't do because it's very privacy invasive," Segura told Bleeping Computer in a private conversation today, describing RoughTed's scripts.

These include checks for browser type, operating system, language settings, and geolocation information. Segura says some of these scripts have been specifically designed to detect when users are faking their user-agent.

These scripts range from using the now standard HTML5 canvas-based fingerprinting technique to a newer trick of checking for a list of installed fonts — which are different based on OS.


IOCs and other details about the campaign are available in Malwarebytes' RoughTed report.
Last edited: