g00 网站说明

最近在做dns tunnel检测，发现了一堆类似这样的域名：c-6rtwjumjzx7877x24uwjkjwjshjx78x2eywzx78yjx2ehtr.g00.medicinenet.com

都是以g00为子域名，前面一堆随机字符！专门查了下：

从 https://www.reddit.com/r/pihole/comments/6s2zjw/can_i_block_anything_that_comes_from_g00websitecom/ 可以看到：

the problem is this: those g00 pages are ad-tech from a company called Instart Logic. the general idea is that it sees that you have an adblocker and re-writes the page/ads to be served from the domain you are at.

My company uses it and i mesed with my adblocker to block all g00 sites, but it actually messes with the UX of the whole website.

you could accomplish the same thing by disabling javascript also

也就是说，他专门用类似域名来防止广告拦截。我专门查了下 instart logic这个公司：

Instart Logic随后将把这样的分析应用于上述产品，从而使网站或移动应用的访问速度更快，优化搜索引擎排名，帮助发行商规避广告拦截工具。

该公司表示，其电商客户通常会看到营收增长5%到8%，而由广告支撑的发行商会看到营收增长3%到15%。该公司的客户包括Neiman Marcus、Kate Spade、亚洲航空、大西洋传媒、Ziff Davis、Telstra（也是该公司投资方）和纳斯达克。

chrome里安装ublock，访问medicinenet.com，可以看到其block的记录：

https://c-5uwzmx78pmca09x24quiomax2eumlqkqvmvmbx2ekwu.g00.medicinenet.com/g00/3_c-5eee.umlqkqvmvmb.kwu_/c-5UWZMXPMCA09x24pbbx78ax3ax2fx2fquioma.umlqkqvmvmb.kwux2fquiomax2fatqlmapwex2fbpcuj-atqlmapwex2fbpcuj-x78awzqiaqa-umvc.rx78ox3fq98k.uizsx3dquiom_$/$/$/$/$   =》是一张图片

https://c-5uwzmx78pmca09x24ix78qax2eowwotmx2ekwu.g00.medicinenet.com/g00/3_c-5eee.umlqkqvmvmb.kwu_/c-5UWZMXPMCA09x24pbbx78ax3ax2fx2fix78qa.owwotm.kwux2frax2fx78tcawvm.rax3fq98k.uizsx3dakzqx78b_$/$/$  =》是js脚本

https://c-5uwzmx78pmca09x24quiomax2eumlqkqvmvmbx2ekwu.g00.medicinenet.com/g00/3_c-5eee.umlqkqvmvmb.kwu_/c-5UWZMXPMCA09x24pbbx78ax3ax2fx2fquioma.umlqkqvmvmb.kwux2fkaax2fumlqkqvmvmbx2fzmlmaqovx2fdmvlwzx2fidozcvl.kaax3fq98k.uizsx3dtqvs_$/$/$/$/$/$?i10c.ua=1 =》 css

从 https://community.webroot.com/t5/Webroot-SecureAnywhere-Internet/g00-adware-insertion/td-p/279885 也可以看到：

this nasty g00 adware insertion in popular newspaper sites..

https://github.com/uBlockOrigin/uAssets/issues/227

when i go to newspaper site,it just head to g00 adware referrer and consumes lot of bandwidth....

can webroot foil this attempt by prebenting g00 crap....potentially a malicious code is inserted by instart logic code....

you can see no of cookies set by this g00 crap

following is list of sites affected

'baltimoresun.com',
'boston.com',
'capitalgazette.com',
'carrollcountytimes.com',
'celebuzz.com',
'chicagotribune.com',
'courant.com',
'dailypress.com',
'deathandtaxesmag.com',
'gamerevolution.com',
'gofugyourself.com',
'hearthhead.com',
'infinitiev.com',
'mcall.com',
'nasdaq.com',
'orlandosentinel.com',
'ranker.com',
'sandiegouniontribune.com',
'saveur.com',
'sherdog.com',
'spin.com',
'sporcle.com',
'stereogum.com',
'sun-sentinel.com',
'thefrisky.com',
'thesuperficial.com',
'timeanddate.com',
'tmn.today',
'vancouversun.com',
'vibe.com',
'weather.com',
'wowhead.com',
'calgaryherald.com',
'edmontonjournal.com',
'edmunds.com',
'financialpost.com',
'leaderpost.com',
'montrealgazette.com',
'nationalpost.com',
'ottawacitizen.com',
'theprovince.com',
'thestarphoenix.com',
'windsorstar.com',

 

 

here is whats the truth bout instart logic code..
`Instart
Logic's technology used to disguise third-party network requests as
first-party network requests, including the writing/reading of
third-party cookies as first-party cookies. I consider this to be
extremely hostile to users, even those not using a content blocker, as
it allows third-party servers to read/write cookies even if a user chose
to block 3rd-party cookies through your browser setting.`

also
this instart logic is making dns tweaks to news content before it passes
to its end users,it might result in future malicious payload........
ublock origin uses static filter lists,if it has no filter lists against those ,it will no work...
privacy badger not working....see here.....https://github.com/EFForg/privacybadger/issues/1044
webroot should prevent(dns change) this g00 adware insertion at earlier time...
now this affects more no of popular news websites,,,

https://github.com/uBlockOrigin/uAssets/issues/227 也可以看到

g00 adware insertion on newspaper websites #227

 

URL(s) where the issue occurs

orlandosentinel.com
sandiegouniontribune.com
sun-sentinel.com
mcall.com
boston.com

Those are the ones I have seen so far, there may be more.

Describe the issue

Forcibly inserts g00 adware content and abuses window.location API if blocked by a filter like /g00^$important until it turns into a bad request.

Screenshot(s)

https://i.gyazo.com/86ab54811f6aaa1785b3d308566d6af6.png

Versions

• Browser/version: [here] Chromium 57
• uBlock Origin version: [here] 1.10.0