How ad networks could be used to create a million-strong botnet

Jeremiah Grossman and Matt Johansen's Black Hat presentation "Million Browser Botnet" demonstrated a real-world attack in which ad networks were tricked into serving malicious code that caused browsers to open numerous spurious connections to a target site. The ad networks do poor JavaScript checking (and even very good checking might not catch bad code), and if the malicious code were injected into a popular site, the resulting botnet could be so vast as to be unstoppable. They also demonstrated how captured browsers could be put to work cracking hashes, sending spam, and brute-forcing passwords.

Using a banner ad and a simple but non-malicious script designed to ping a server they controlled, the two measured the potential reach of an attack that spread over an ad network. The results suggest that massive, browser-based botnets can be had on the cheap. For an up-front investment of just $.50, they were able to get 1,000 unique hosts to ping their test server. Based on that, the two concluded that access to a million-strong browser botnet would cost just $500.

Unlike traditional botnets, which require attackers to install software on the endpoint, the browser-based infections are ephemeral: running while the ad is displayed, but disappearing, without a trace on the endpoint, once the malicious ad rotates out. Grossman and Johansen admit that browser-based botnets are more limited in their capabilities than traditional botnet software.

Black Hat: Ad networks lay path to million-strong browser botnet [Paul F Roberts/IT World]

(via /.)