Researchers Demonstrate ‘Million Browser Botnet’ Concept Built on Legitimate Ad Networks

LAS VEGAS – BLACK HAT 2013 – A pair of researchers demonstrated how to create a large botnet capable of launching distributed denial of service (DDoS) attacks or sending out large volumes of spam just by buying an online ad.

Just by purchasing inventory on a legitimate online ad network, cyber-criminals could build up a large botnet made up of Web browsers capable of launching distributed denial of service attacks, cracking passwords and hashes, or distributing malware and spam, Jeremiah Grossman, CTO of White Hat Security, told attendees at the Black Hat conference in Las Vegas on Wednesday.

Grossman was joined by Matt Johansen, manager of threat research at White Hat Security, as they demonstrated a real-world attack where ad servers were tricked into serving up malicious code that caused browsers to connect to targeted sites.

The “Million Browser Botnet” took advantage of the fact that the people at ad networks generally don’t have the skills or knowledge to identify malicious JavaScript code. If the attacker managed to inject code into a popular site, the resulting botnet could be so large it would be unstoppable, Grossman and Johansen said.

“As long as it looks pretty, they have no problem with it,” Johansen said.

Normally, when a Webpage is loaded in the browser, it controls the browser so long as the page is open. It’s loading images and accessing resources from all over the Web, and that’s supposed to happen.

“When you put code on an ad network, that code gets in front of a lot of people and now we control a whole lot of browsers,” Grossman said. There is no vulnerability being exploited here—it’s just the way the Web infrastructure works.

Traditional botnets rely on software installed on the endpoint, either by tricking the user or exploiting a vulnerability and using a drive-by-download attack. The browser-based infection is not persistent, as the endpoints are executing the malicious code only so long as the malicious ad is displayed in the browser, Johansen said. As soon as the ad is no longer displayed, because the ad network rotated out the malicious ad to display a different one, or the browser closed the page, the infection disappears from the endpoint.

Grossman and Johansen used a banner ad and a simple script that pinged a server they controlled to measure the potential size of an attack launched from an ad network. For a mere $0.50, the researchers were able to get 1,000 unique machines to ping their server. Extrapolating that figure means a million browsers in a botnet would cost just $500, they said.

One ad network let the researchers select keywords, topical channels, and geo-location tags to target with their ad, which let them control the scope of the attack.

The DDoS attack from their proof-of-concept browser-based botnet did not overwhelm the target site with a large volume of traffic, but rather, relied on exhausting available resources on the server by keeping a large number of connections open, the researchers said.
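The traffic described above comes from many unique, real browsers that are all rendering the same ad, which is a pattern a target site can look for in its own logs. The following is an added example, not code from the researchers or from the original article: a Python sketch that flags time windows in which many distinct client IPs arrive with the same third-party Referer host. The combined log format, the host names, the thresholds and the presence of a Referer header (a referrer policy can suppress it) are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Assumed input: web server "combined" access-log format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ '
    r'"(?P<ref>[^"]*)" "[^"]*"'
)

def _line(ip, sec, ref):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [31/Jul/2013:10:00:{sec:02d} +0000] '
            f'"GET /search?q=a HTTP/1.1" 200 512 "{ref}" "Mozilla/5.0"')

# Constructed sample: six distinct clients sent by one ad frame, plus
# ordinary same-site, referer-less and single-visitor requests.
SAMPLE = (
    [_line(f"198.51.100.{i}", i, "http://ads.example/creative/1") for i in range(1, 7)]
    + [_line("203.0.113.9", 10, "http://shop.example/"),
       _line("203.0.113.10", 12, "-"),
       _line("192.0.2.5", 13, "http://blog.example/post")]
)

def flag_referer_bursts(lines, own_host, window_s=60, min_unique_ips=4):
    """Return sorted (window_start_epoch, referer_host, unique_ip_count) for
    windows where many distinct clients share one third-party Referer host."""
    buckets = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # skip lines that do not parse
        host = urlparse(m["ref"]).hostname
        if host is None or host == own_host:
            continue                      # no referer, or same-site navigation
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        start = int(ts.timestamp()) // window_s * window_s
        buckets[(start, host)].add(m["ip"])
    return sorted(
        (start, host, len(ips))
        for (start, host), ips in buckets.items()
        if len(ips) >= min_unique_ips
    )

if __name__ == "__main__":
    for start, host, count in flag_referer_bursts(SAMPLE, "shop.example"):
        print(start, host, count)
```

Because each browser may send only a few requests, per-IP rate limits alone would not surface this pattern; grouping by the shared referring host is what exposes it.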

“We don’t know who is responsible, who is culpable. It’s everybody’s problem,” Grossman said. There is no easy fix, as the browser makers can’t do anything without breaking the web. Ad vendors can’t do anything without collapsing their business model. Users are tricked into becoming an attacker.

While NoScript could be useful to prevent the malicious code from executing in the ads, it is not a complete solution, as it would not block the DDoS attacks, Johansen said. “NoScript wouldn’t help because we could have done it [launch DDoS] all with HTML,” Grossman said. “If you’re going to turn off HTML, nothing will work.”

While some efforts have been made by firms to combat the threat of malicious advertising or “malvertising”, the problem is far from being solved. Twitter, in an effort to protect users against malicious actors, acquired Dasient, a provider of anti-malware solutions for web sites and ad networks, in January 2012. Google was an investor in Dasient. The Rubicon Project, a digital advertising company, also acquired an anti-malvertising company when it bought SiteScout in May 2010.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.