Black Hat: Ad networks lay path to million-strong browser botnet
Researchers say lax ad networks and a broken web infrastructure set the stage for massive, browser based botnets.
Image credit: flickr/Kevin K
Long ago, we surrendered our privacy to the web. Most of us take for granted that our interactions with web pages are tracked in browser based cookies, and the data siphoned off to “Big Data” analysis engines in the cloud. This kind of stuff is so ubiquitous that we filter it out - until it's staring us right in the face. As an example, I searched Amazon.com for a pair of Speedo swim goggles four weeks ago. Now I can’t go anywhere without images of buff guys in bikini swim trunks looking back at me. But, hey, that’s the price for living (and shopping) online.
But research presented at this week’s Black Hat Briefings in Las Vegas suggests that, in addition to our privacy, we may have also surrendered the security to the web, as well. Powerful ad networks, coupled with structural flaws in the web make possible a panoply of dangerous attacks, including browser based botnets and distributed password cracking via infected browser sessions.
Web- and browser based attacks are nothing new. In recent years, sophisticated attackers have frequently compromised large, reputable sites, then infecting them with malware that is pushed to those who visit the sites. But researchers Jeremiah Grossman, the CTO of WhiteHat Security, and Matt Johansen, the Manager of Threat Research at WhiteHat say that their research show how enterprising criminals, with a small investment of cash, could leverage default web browser behaviors and known attack types to build large, ephemeral networks of browser “bots” that could be marshaled for distributed denial of service (DDoS) attacks, password cracking expeditions, the distribution of malware and spam or other ends.
“Basically, when a web browser goes to a page, that page can force the browser to do whatever it wants – make web connections, download illegal files, attack other Internet sites, make illegal searchers – whatever,” Grossman told me in an interview last week.
The difficulty (from the malicious actor’s standpoint) has always been getting unwitting web surfers to come to a site you control. Blacklists make it hard to block malicious web sites. And legitimate sites that draw significant traffic aren’t likely to stay compromised for long enough to be much use. Grossman and Johansen discovered a third way, however: web advertising networks. The two discovered that even reputable ad networks do a poor job of vetting the java script that is bundled with ad images. “As long as it looks pretty, they have no problem with it,” Johansen said. “The folks we were dealing with (at the ad networks) didn’t really have the javascript reading skills to know the difference anyway.”
Using a banner ad and a simple, but non-malicious script designed to ping a server they controlled, the two measured the potential reach of an attack that spread over an ad network. The results suggest that massive, browser-based botnets can be had on the cheap. For an up-front investment of just $.50, they were able to get 1,000 unique hosts to ping their test server. Based on that, the two concluded that access to a million-strong browser botnet would cost just $500.
Unlike traditional botnets, which require attackers to install software on the endpoint, the browser-based infections are ephemeral: running while the ad is displayed, but disappearing, without a trace on the endpoint, once the malicious ad rotates out. Grossman and Johansen admit: browser based botnets are more limited in their capabilities than traditional botnet software.
The denial of service attacks they tested were connection-based, not traffic based and were designed to exhaust the target server’s ability to manage simultaneous open sessions. And, more complex attacks, such as data theft, more complex code would be required to make the malicious script persist on the browser or to access local storage on the infected host. That, in turn, could arouse the suspicion of the ad network monitors.
Still, the two tested proof-of-concept ads that could be used for DDoS attacks on web applications, distributed brute-force cracking of encrypted password “hashes,” and cross domain brute force attacks on passwords.
Grossman said that there’s no easy fix for ad network based attacks because “the web is meant to be used this way.” “The model is broken,” Grossman said. “And there’s no interested party that will fix these issues.” Online advertisers are focused on the bottom line. To the extent they’re concerned about the content of their ads, its to ensure that they are backward compatible to older browser and operating system configurations, Grossman said.
