Researchers Demonstrate ‘Million Browser Botnet’ Concept Built on Legitimate Ad Networks

LAS VEGAS – BLACK HAT 2013 – A pair of researchers demonstrated how to create a large botnet capable of launching distributed denial of service (DDoS) attacks or sending out large volumes of spam just by buying an online ad.

Just by purchasing inventory on a legitimate online ad network, cyber-criminals could build up a large botnet made up of Web browsers capable of launching distributed denial of service attacks, cracking passwords and hashes, or distributing malware and spam, Jeremiah Grossman, CTO of White Hat Security, told attendees at the Black Hat conference in Las Vegas on Wednesday.

Grossman was joined by Matt Johansen, manager of threat research at White Hat Security, as they demonstrated a real-world attack where ad servers were tricked into serving up malicious code that caused browsers to connect to targeted sites.

The “Million Browser Botnet” took advantage of the fact that the people at ad networks generally don’t have the skills or knowledge to identify malicious JavaScript code. If the attacker managed to inject code into a popular site, the resulting botnet could be so large it would be unstoppable, Grossman and Johansen said.

“As long as it looks pretty, they have no problem with it,” Johansen said.

Normally, when a Webpage is loaded in the browser, it controls the browser so long as the page is open. It’s loading images and accessing resources from all over the Web, and that’s supposed to happen.

“When you put code on an ad network, that code gets in front of a lot of people and now we control a whole lot of browsers,” Grossman said. There is no vulnerability being exploited here—it’s just the way the Web infrastructure works.

Traditional botnets rely on software installed on the endpoint, either by tricking the user or exploiting a vulnerability and using a drive-by-download attack. The browser-based infection is not persistent, as the endpoints are executing the malicious code only so long as the malicious ad is displayed on the browser, Johansen said. As soon as the ad is no longer displayed, because the ad network rotated out the malicious ad to display a different one, or the browser closed the page, the infection disappears from the endpoint.

Grossman and Johansen used a banner ad and a simple script that pinged a server they controlled to measure the potential size of an attack launched from an ad network. For a mere $0.50, the researchers were able to get 1,000 unique machines to ping their server. Extrapolating that figure means a million browsers in a botnet would cost just $500, they said.

One ad network let the researchers select keywords to target with their ad, topical channels, and geo-location tags to control the scope of the attack.

The DDoS attack from their proof-of-concept browser-based botnet did not overwhelm the target site with a large volume of traffic, but rather, relied on exhausting available resources on the server by keeping a large number of connections open, the researchers said.
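
One way a targeted site could triage this kind of browser-sourced traffic in its own access logs, shown as an added example that is not from the researchers' talk or this article: group requests by third-party Referer host and count the distinct client IPs behind each group. The Combined Log Format, the host names and the threshold are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format (assumed): ip - - [time] "METHOD target PROTO" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def flag_third_party_floods(lines, own_hosts, min_unique_ips=5):
    """Return {(referer_host, path): unique_ip_count} for clusters of
    cross-site requests that reach min_unique_ips distinct clients."""
    clients = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or differently formatted line
        host = urlsplit(m["referer"]).hostname
        if host is None or host in own_hosts:
            continue  # no Referer, or navigation within our own site
        path = urlsplit(m["target"]).path  # ignore query-string variation
        clients[(host, path)].add(m["ip"])
    return {k: len(v) for k, v in clients.items() if len(v) >= min_unique_ips}

def sample_log():
    """Constructed sample: six browsers hitting one URL from the same
    third-party frame, plus ordinary traffic."""
    ts = "[31/Jul/2013:10:00:00 +0000]"
    lines = [
        f'198.51.100.{i} - - {ts} "GET /search?q={i} HTTP/1.1" 200 512 '
        f'"https://ads.example/frame.html" "Mozilla/5.0"'
        for i in range(1, 7)
    ]
    lines += [
        f'203.0.113.9 - - {ts} "GET /search?q=a HTTP/1.1" 200 512 '
        f'"https://www.shop.example/" "Mozilla/5.0"',
        f'203.0.113.10 - - {ts} "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
        f'203.0.113.11 - - {ts} "GET /search?q=b HTTP/1.1" 200 512 '
        f'"https://search.example/" "Mozilla/5.0"',
    ]
    return lines

if __name__ == "__main__":
    for (host, path), n in flag_third_party_floods(sample_log(), {"www.shop.example"}).items():
        print(f"{n} distinct clients requested {path} with Referer host {host}")
```

The Referer header is optional, so its absence proves nothing; treat a hit as one triage signal alongside open-connection counts on the server.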

“We don’t know who is responsible, who is culpable. It’s everybody’s problem,” Grossman said. There is no easy fix, as the browser makers can’t do anything without breaking the web. Ad vendors can’t do anything without collapsing their business model. Users are tricked into becoming an attacker.

While NoScript could be useful to prevent the malicious code from executing in the ads, it is not a complete solution, as it would not block the DDoS attacks, Johansen said. “NoScript wouldn’t help because we could have done it [launch DDoS] all with HTML,” Grossman said. “If you’re going to turn off HTML, nothing will work.”

While some efforts have been made by firms to combat the threat of malicious advertising or “malvertising”, the problem is far from being solved. Twitter, in an effort to protect users against malicious actors, acquired Dasient, a provider of anti-malware solutions for web sites and ad networks, in January 2012. Google was an investor in Dasient. The Rubicon Project, a digital advertising company, also acquired an anti-malvertising company when it bought SiteScout in May 2010.
