
Add support for disabling Admiral #2502

Open: wants to merge 1 commit into base: master

Conversation

@0x41111111
commented Dec 8, 2016

This PR adds support for Admiral, another anti-adblock script.

This one's odd in that the site hosting it completely stopped sending the bootstrapper script to my browser after a little while.

When it did trigger, it did so shortly after the page finished loading. It removed the real page content and replaced it with a box asking me to whitelist the site.

The script itself comes from "unknowntray.com", and blocking this was enough to stop it from working.

The site I saw this on was venturebeat.com.

This is the bootstrapper on the page that loads the full Admiral script:

(function(a, b, c, d, e) {
    e = a.createElement(b);
    a = a.getElementsByTagName(b)[0];
    e.async = 1;
    e.src = c;
    a.parentNode.insertBefore(e, a)
})(document, 'script', '//unknowntray.com/4430b41e83ded20e5f99d3149b838ba9394d5a075c316121705ccd1543bc9320fc690f12c8d6e27a206b5ebdc92207d119db270253373b3e5d39c687bcb5');

The script at unknowntray.com/... can be found here in case anyone wants to figure out what it does:
https://archive.fo/NvQVV

@ghost

commented Jan 28, 2017

Hmm, it appears that Admiral also uses the domain concernrain.com.

@tofof

commented Feb 7, 2017

Admiral uses Google Cloud and AWS hosting and has many domains.

Domain-based approaches will be a neverending whack-a-mole.
IP-based approaches risk blocking innocent domains hosted on the same cloud servers.

Domain names

Most initially followed an adjectivenoun.com format:
      unknowntray.com    ritzysponge.com    paleleaf.com    bawdybeast.com

Others now use 4-9 (usually 5) random alphanumerics, often under the .xyz and .pw TLDs:
      pz37t.xyz    7e3dr.xyz    0d7dk.xyz    2il3.xyz    4jnzhl0d0.com    h78xb.pw    tzwaw.pw

Finally, there's at least one Admiral domain using the .us TLD:
      owlsr.us

IP Analysis

By walking temporally & spatially related domains, it's possible to discover many Admiral domains:
https://www.threatcrowd.org/domain.php?domain=unknowntray.com
http://www.tcpiputils.com/domain-neighbors/unknowntray.com
http://ipv4info.com/ip-address/sc98ee1/104.155.48.223.html/unknowntray.com/#_
https://otx.alienvault.com/indicator/domain/unknowntray.com

Sample IPs . . .
104.154.148.163 threatcrowd tcpiputils ipv4info
104.155.48.223 threatcrowd tcpiputils ipv4info
146.148.6.205 threatcrowd tcpiputils ipv4info

edited/rewrote in April 2017 for clarity and completeness
AWS hosting seen in August 2017 following Admiral's easylist DMCA takedown

@ghost

commented Feb 7, 2017

Hmm, how about we go after the bootstrapper script instead of the domains?

@Marcus-L

commented Mar 6, 2017

The bootstrapper script from @0x4155 is fairly minimal and generic. It seems to be loading up the main payload by injecting that <script async="1" src="//...">. Does loading it async like that make it not capturable by onBeforeScript in Chrome? The main payload doesn't show up as filterable in onBeforeScript. The domain (flavordecision.com) seems to be just one of many (unknowntray.com, concernrain.com, etc...) which could be swapped out at any time, and the path is just a long hex string, which you may not want to filter out generically since a similar url could plausibly be in use elsewhere. This worked for me for a single site to catch the bootstrapper:

onmsft : {
    host : ['.onmsft.'],
    onBeforeScript : function () {
        return [{
            detected: 'Admiral',
            contains : "\\(document,'script','\\/\\/.*\\/[a-f0-9]{114,134}'\\);",
            external : false,
            remove : true
        }];
    }
},

How can scripts loaded by the bootstrapper be filtered?

@tofof

commented Apr 19, 2017

The current inline Admiral script (preserved as a gist) from http://www.thewindowsclub.com/remove-click-context-menu-items-editors looks like it's the entire thing inline now instead of the smaller bootstrapper? It makes a couple of references to puzzlingfall.com (which is an Admiral domain) but I haven't looked any harder at it.

@anon182739

commented Aug 14, 2017

What about going after the actual script that's inlined/loaded by the bootstrapper? There are some strings which are common for all versions, for example:
'<a href="'+n.tosUrl+'" target="_blank" style="color: rgba('+n.textColor+');">Terms of Service</a>'
'<a href="https://getadmiral.com/terms#access" target="_blank" style="color: rgba('+n.textColor+');">Terms of Access</a>'
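The two content-based signals proposed in this thread (Marcus-L's bootstrapper regex and anon182739's payload strings) combined into one detector, as an added example that is not code from this PR or from the project; the hostnames and the 120-character hex path in the samples are constructed, and admiralRule is a hypothetical wrapper that only shows the result in the config's onBeforeScript shape.

```javascript
// Added example, not code from the PR or the project. It runs two checks over the
// source text of a script before the page executes it:
//   1. Marcus-L's regex for the bootstrapper ('//host/<114-134 hex chars>' src),
//   2. the Terms of Service / Terms of Access strings anon182739 quoted from the
//      inlined Admiral payload.
// Neither check depends on the hostname, so rotating domains does not evade them.
const BOOTSTRAPPER_RE = /\(document,'script','\/\/.*\/[a-f0-9]{114,134}'\);/;
const PAYLOAD_MARKERS = [
  `" target="_blank" style="color: rgba('+n.textColor+');">Terms of Service</a>`,
  `https://getadmiral.com/terms#access`,
];

// Returns which signal fired ('bootstrapper' or 'payload'), or null if neither
// matches. Because both checks look at script text, a payload that is inlined
// directly (as in tofof's April report) is caught the same way as a fetched one.
function detectAdmiral(scriptText) {
  if (BOOTSTRAPPER_RE.test(scriptText)) return 'bootstrapper';
  if (PAYLOAD_MARKERS.some((m) => scriptText.includes(m))) return 'payload';
  return null;
}

// Hypothetical wrapper: presents a detection in the shape an onBeforeScript
// rule list takes in the config above (the real hook returns a static list).
function admiralRule(scriptText) {
  const hit = detectAdmiral(scriptText);
  return hit ? [{ detected: 'Admiral', reason: hit, external: false, remove: true }] : [];
}

// Constructed samples. FAKE_HEX is a made-up 120-char hex path, not a real Admiral URL.
const FAKE_HEX = 'a1b2c3d4e5f6'.repeat(10);
const SAMPLE_BOOTSTRAPPER =
  "(function(a,b,c,d,e){e=a.createElement(b);a=a.getElementsByTagName(b)[0];" +
  "e.async=1;e.src=c;a.parentNode.insertBefore(e,a)})" +
  "(document,'script','//example.invalid/" + FAKE_HEX + "');";
const SAMPLE_PAYLOAD =
  "var h='<a href=\"https://getadmiral.com/terms#access\" target=\"_blank\">Terms of Access</a>';";
// Same loader shape but with a short (32-char) hash path: must not trip the regex,
// since ordinary sites also load scripts by hash-named paths.
const SAMPLE_BENIGN =
  "(function(a,b,c,d,e){e=a.createElement(b);e.src=c;a.head.appendChild(e)})" +
  "(document,'script','//cdn.example.invalid/" + 'abcdef0123456789'.repeat(2) + "');";

console.log(detectAdmiral(SAMPLE_BOOTSTRAPPER)); // bootstrapper
console.log(detectAdmiral(SAMPLE_PAYLOAD));      // payload
console.log(detectAdmiral(SAMPLE_BENIGN));       // null
```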
