New parasitic computing proof uses JavaScript to compel computation

Parasitic computing is the process of enlisting remote parties' computers to solve some computational task without their knowledge. An early proof of this involved malformed pings whose checksums were parts of the solution to some larger distributed computation problem. By sending the pings to thousands (or millions, or hundreds of millions) of computers, an attacker could cause them all to solve the problem (by calculating the checksum) and report back on the result (by sending back the error message with the checksum attached).

Here's a new proof of concept, this one using JavaScript in an inline frame. Once the frame is loaded, it keeps itself resident until you close the window. As long as it is resident, it fetches parts of a distributed computation problem (in this case, discovering 32-bit prime numbers), performs calculations and send the results back to a remote server run by the attacker.

This technology has a most assuredly good use as a legitimate JavaScript or
Java applet distributed client. If a person has access to a web browser and an
internet connection on a computer that is "locked down" to prevent the
installation of software–such as at a job, in a library, or in a school
computer lab–the person would still be able to run a distributed client.
Imagine using a web browser on one of these machines. The browser would be
split by frames. The majority of the left-hand frame could be your typical
browsing experience. The right-hand frame could be very thin, maybe 10 or 20
pixels wide. Within this frame a client from a legitimate site (for example, or SETI@Home) could be running. This client could be written
in JavaScript or as a Java Applet. Status information could be displayed as
"colored blinkey lights" or text rotated 90 degrees. Alternately, this could
be done with a frame across the bottom of the browser, although this tends to
cut into usable screen space more than a column down the side of the screen.



(Thanks, John!)