Online Ads Could Create 'Million Browser Botnet'

Source: Tom's Guide US

Want to create a huge botnet to distribute malware, pump out spam, crack passwords or knock your enemy's website offline?

Don't bother with designing malware to break into strangers' computers. Instead, say two researchers, all you need to do is spend a few bucks buying online ads, which can hijack tens of thousands of Web browsers across the world — no hacking required.

Last month at the Black Hat security conference in Las Vegas, Jeremiah Grossman and Matt Johansen, the founder/chief technology officer and threat-research manager of White Hat Security in Santa Clara, Calif., showed how an online ad network could be used to create what they called a "million browser botnet."

"There's no malware to detect, no exploits," Grossman said. "We're not really hacking stuff. We are using the Web the way it was meant to be used."

How the Web fails at security

The World Wide Web is a fundamentally insecure system, Grossman and Johansen explained. Browsers are designed to serve you as much data as possible without authentication, and nowhere is that more true than with online ads.

"When you visit a Web page," Grossman said, "by nature of the way the Web works, it has near-complete control of your browser for as long as you are at that Web page … The JavaScript or Flash on that page can force your browser to do basically whatever it wants."

Grossman and Johansen showed how HTML and JavaScript, the markup and scripting languages underlying most Web pages, could be used to probe Web browsers for user settings and login information, force browsers to attack websites in several different ways, break into corporate networks or spread malware.

The problem with these attacks, however, is that they are limited in scope. Whether you're distributing the evil code through a highly trafficked site, search-engine poisoning or third-party widgets such as weather trackers, you're not going to attain the critical mass for a truly efficient browser-based botnet.

"We need to think bigger," the researchers said, then quoted JavaScript pioneer Douglas Crockford: "The most reliable, cost-effective method to inject evil code is to buy an ad."

Ads: the perfect malware distribution system

There are nearly two dozen major ad networks, Grossman and Johansen said, but most of them won't let ad suppliers include code with their ads. However, there are hundreds of smaller ones that don't ask as many questions.

Many of those smaller networks are incredibly cheap, with rates as low as 50 cents per thousand impressions (an impression is one viewing of the ad). A million impressions could cost as little as $500.

Grossman and Johansen tested their theory by creating phony ads that read "Get a 30-day free trial," without specifying what was being offered.

They added JavaScript that redirected to an Amazon cloud server, which meant the ad would inject whatever code that server supplied right into the ad viewer's browser.

Grossman and Johansen uploaded the ads to a downmarket ad network with a very cheap rate. At the same time, they "click-jacked" themselves, buying views with a shady traffic generator.

(An unexpected result was that many of the ad views seemed to come from pre-existing bots, or software-controlled browsers.)

How to legally kill a Web server

After 10 minutes, the phony ads had more than 15,000 views. After 20 minutes, there were nearly 44,000 views. After an hour, Grossman and Johansen's ads had been displayed on 298,000 Web browsers worldwide. A day later, the number was 13.6 million, and the researchers had still somehow spent less than $100.

Grossman and Johansen played with the code on their Amazon cloud server, pointing it at a real Web server they controlled — and quickly knocked it offline with a file-transfer-protocol request overload.

"The Web server's effectively dead," Grossman said.

"We did not hack anybody," Johansen said. "We just used the way the Web works and took down our own servers. We stayed completely on the legal side here."

The researchers' JavaScript redirect was largely benign, but if they'd wanted to, they could have made the browsers carrying the ads do anything they commanded.
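
A defender-side view of the flood described above, as an added example that is not from the article or the researchers' talk: a detection pass over a Web server's access log that flags minutes in which many distinct client addresses arrive with the same third-party Referer, the pattern left when one ad frame drives many browsers at a site. It assumes an HTTP target logging in Combined Log Format and browsers that send a Referer header; the function name, thresholds, hostnames and log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# Constructed sample: six clients sent by one ad frame, plus ordinary traffic.
SAMPLE = [
    f'198.51.100.{i} - - [15/Aug/2013:10:00:{i:02d} +0000] "GET /large.bin HTTP/1.1" '
    f'200 512 "http://ads.example/frame.html" "Mozilla/5.0"'
    for i in range(1, 7)
] + [
    '203.0.113.9 - - [15/Aug/2013:10:00:30 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Aug/2013:10:00:31 +0000] "GET /style.css HTTP/1.1" 200 300 '
    '"http://www.example.org/" "Mozilla/5.0"',
    '203.0.113.10 - - [15/Aug/2013:10:01:02 +0000] "GET /post HTTP/1.1" 200 900 '
    '"http://news.example/story" "Mozilla/5.0"',
]

def flag_referer_floods(lines, own_host, min_ips=4, min_share=0.5):
    """Return [(minute, referer_host, distinct_ips, requests)] for suspect minutes."""
    by_minute = defaultdict(lambda: defaultdict(list))  # minute -> referer host -> [ip]
    totals = defaultdict(int)                           # minute -> all parsed requests
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                                    # not in the expected format
        ip, stamp, referer = m.groups()
        minute = stamp[:17]                             # e.g. "15/Aug/2013:10:00"
        totals[minute] += 1
        host = urlsplit(referer).hostname or ""         # "-" (no referer) gives ""
        if host and host != own_host:                   # third-party referers only
            by_minute[minute][host].append(ip)
    flagged = []
    for minute in sorted(by_minute):
        for host, ips in sorted(by_minute[minute].items()):
            distinct = len(set(ips))
            # Many different clients, one outside referer, most of the minute's load.
            if distinct >= min_ips and len(ips) / totals[minute] >= min_share:
                flagged.append((minute, host, distinct, len(ips)))
    return flagged

if __name__ == "__main__":
    print(flag_referer_floods(SAMPLE, "www.example.org"))
```

The thresholds are deliberately low to suit the small sample; on real traffic they would be tuned against a baseline of normal inbound referrals.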

If anything, Grossman and Johansen half-joked, their research finally provided a compelling security-related reason to use ad-blocking browser plug-ins.

"You're not breaking the Web with this method," the researchers said. "You're using the Web the way it was designed."

Grossman and Johansen's presentation slides are available on the Black Hat website.

  • 5 Hide
    curiosul , August 15, 2013 8:10 AM
    Adblock anyone?
  • 2 Hide
    matter37 , August 15, 2013 8:30 AM
    Wow. I do use adblock for the sites I actively go to and trust. Like tomshardware or youtube, since advertisements pay for them. I did not realize such a thing on this scale was possible.
  • 1 Hide
    Onus , August 15, 2013 9:12 AM
    Where unwelcome ads are involved, nefarious intent may be assumed. After all, they are intended to separate people from their money, even when they were not interested in buying or shopping for anything.
  • 0 Hide
    edogawa , August 15, 2013 10:41 AM
    Scary to think about that. So happy we have things like AdBlocker.
  • 0 Hide
    kenwheeler77 , August 15, 2013 2:12 PM
    Bluecoat K9 anyone?
  • 0 Hide
    none12345 , August 15, 2013 5:09 PM
    This is why I adblock and noscript everything.
  • -1 Hide
    techguy911 , August 15, 2013 8:29 PM
    I clean at least 5 systems a day. 100% of malware comes from ads; that is the main reason why people use adblock. What they are talking about in this article is already happening with ZBOT and its variants.
    99% of all machines are infected with conduit. My personal machines stay clean; I use adblock plus and noscript, and a year later, after scanning, not one malware or rootkit.
  • 0 Hide
    Someone Somewhere , August 16, 2013 4:34 AM
    So, I guess the fact that my browser has filters that basically don't bother sending data to a couple of dozen ad and tracking sites sort of defeats this?

    However, I think that pumping out spam via JS might be a bit on the sensationalist side.
  • 0 Hide
    Someone Somewhere , August 16, 2013 4:35 AM
    The other thing is that these would only work while you left your browser open. As such, it's a lot less effective than botnets with computers available whenever they're idle - they have to actually have a page with a specific script open.