Want to create a huge botnet to distribute malware, pump out spam, crack passwords or knock your enemy's website offline?
Don't bother with designing malware to break into strangers' computers. Instead, say two researchers, all you need to do is spend a few bucks buying online ads, which can hijack tens of thousands of Web browsers across the world — no hacking required.
Last month at the Black Hat security conference in Las Vegas, Jeremiah Grossman and Matt Johansen, respectively the founder/chief technology officer and the threat-research manager of White Hat Security in Santa Clara, Calif., showed how an online ad network could be used to create what they called a "million browser botnet."
"There's no malware to detect, no exploits," Grossman said. "We're not really hacking stuff. We are using the Web the way it was meant to be used."
How the Web fails at security
The World Wide Web is a fundamentally insecure system, Grossman and Johansen explained. Browsers are designed to serve you as much data as possible without authentication, and nowhere is that more true than with online ads.
The problem with such browser-based attacks, however, is that they are limited in scope. Whether you distribute the evil code through a highly trafficked site, search-engine poisoning or third-party widgets such as weather trackers, you won't reach the critical mass needed for a truly efficient browser-based botnet.
Ads: the perfect malware distribution system
There are nearly two dozen major ad networks, Grossman and Johansen said, but most of them won't let ad suppliers include code with their ads. However, there are hundreds of smaller ones that don't ask as many questions.
Many of those smaller networks are incredibly cheap, with rates as low as 50 cents per thousand impressions (the number of times an ad is displayed). At that rate, a million impressions could cost as little as $500.
Grossman and Johansen tested their theory by creating phony ads that read "Get a 30-day free trial," without specifying what was being offered.
Grossman and Johansen uploaded the ads to a downmarket ad network with a very cheap rate. At the same time, they "click-jacked" themselves, buying views with a shady traffic generator.
(An unexpected result was that many of the ad views seemed to come from pre-existing bots, or software-controlled browsers.)
How to legally kill a Web server
After 10 minutes, the phony ads had more than 15,000 views. After 20 minutes, there were nearly 44,000 views. After an hour, Grossman and Johansen's ads had been displayed on 298,000 Web browsers worldwide. A day later, the number was 13.6 million, and the researchers had still somehow spent less than $100.
Grossman and Johansen played with the code on their Amazon cloud server, pointing it at a real Web server they controlled — and quickly knocked it offline with a flood of file-transfer-protocol requests.
"The Web server's effectively dead," Grossman said.
"We did not hack anybody," Johansen said. "We just used the way the Web works and took down our own servers. We stayed completely on the legal side here."
If anything, Grossman and Johansen half-joked, their research finally provided a compelling security-related reason to use ad-blocking browser plug-ins.
"You're not breaking the Web with this method," the researchers said. "You're using the Web the way it was designed."
Grossman and Johansen's presentation slides are available on the Black Hat website.