Ad networks let you easily and quickly make a botnet

The coder and artist Brannon Dorsey (previously) wondered about the potential of "browser based botnets" — running JavaScript on tons of machines, stitched together into one massively parallel computer.

As he notes, this is already happening; among other things, there's cryptocurrency malware that hijacks your browser to do mining.

But that JavaScript generally only hits you if you visit the site hosting it. Dorsey wondered if there was a faster, more efficient way to inject malicious JavaScript into tons of browsers.

And he discovered that there was: Online ad networks! Anyone can make an account, create an ad with god-knows-what JavaScript in it, then pay to have the network serve that ad up to thousands of browsers.

So that's what Dorsey did — very successfully. Within about three hours, his code (experimental, not malicious, apart from surreptitiously chewing up processing resources) was running on 117,852 web browsers, on 30,234 unique IP addresses. Adtech, it turns out, is a superb vector for injecting malware around the planet.

Some other fun details: Dorsey found that when people loaded his ad, they left the tab open an average of 15 minutes. That gave him huge amounts of compute time — 327 full days, in fact, for about $15 in ad purchase. To see what such a botnet could do, he created one to run a denial-of-service attack (against his own site, just to see if it worked: It did pretty well). He got another to mine the cryptocurrency Monero, at rates that will be profitable if Monero goes much higher.

The most interesting experiment was in writing an adtech botnet to store and serve BitTorrent files, via WebTorrent. That worked pretty well too: He got 180,175 browsers to run his torrent file in 24 hours, with a 702 Mbps upload speed for the entire network.

All told, this is yet another reason to run an adblocker:

The techniques that I've demonstrated in this post are less of an exploit and more a feature of how the web inherently works. As a result, the steps that can be taken to defend yourself against the type of abuse I'm proposing are somewhat limited. My first suggestion is please, please, please BLOCK ADS. If you've somehow made it all the way to 2018 without using an ad blocker, 1) wtf… and 2) start today. In all seriousness, I don't mean to be patronizing. An ad blocker is a necessary tool to preserve your privacy and security on the web and there is no shame in using one. Advertising networks have overstepped their bounds and it's time to show them that we won't stand for it.

Blocking ads defends you from the distribution mechanism that we discussed in this post, but you are still vulnerable to code that is hosted by CPU-greedy websites themselves, like The Pirate Bay. The best suggestion that I have for defending against these threats at the moment is to diligently monitor your computer's CPU usage as you browse, responding to CPU spikes and irregularities as you deem fit. It's a good habit to get into to have your system monitor open during regular computer operation so that you can observe CPU and network usage of your machine at an application level.
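
The application-level CPU monitoring suggested in the quote above can be automated. The following is an added example, not code from Dorsey's post: it sums CPU per application across `ps -eo pcpu,comm` snapshots and flags only applications that stay busy over several consecutive samples. The snapshot data, the 80% threshold and the three-sample window are constructed assumptions.

```python
import subprocess
from collections import defaultdict

# Constructed sample data: five `ps -eo pcpu,comm` snapshots, e.g. 30 s apart.
SNAPSHOTS = [
    "%CPU COMMAND\n 2.0 firefox\n 1.5 firefox\n 0.3 sshd\n",
    "%CPU COMMAND\n55.0 firefox\n40.0 firefox\n95.0 gcc\n",
    "%CPU COMMAND\n60.0 firefox\n38.0 firefox\n 0.2 sshd\n",
    "%CPU COMMAND\n58.0 firefox\n41.0 firefox\n 0.1 sshd\n",
    "%CPU COMMAND\n 3.0 firefox\n 1.0 firefox\n 0.3 sshd\n",
]

def live_snapshot():
    """Take one real snapshot (Linux/macOS); not called by the example below."""
    return subprocess.run(["ps", "-eo", "pcpu,comm"], capture_output=True,
                          text=True, check=True).stdout

def app_cpu(snapshot):
    """Sum %CPU per command name; browsers spread load over many processes."""
    totals = defaultdict(float)
    for line in snapshot.strip().splitlines()[1:]:  # skip the header row
        pcpu, comm = line.split(None, 1)
        totals[comm.strip()] += float(pcpu)
    return dict(totals)

def sustained_hogs(snapshots, threshold=80.0, min_consecutive=3):
    """Return {app: longest run} for apps whose summed CPU stayed at or above
    `threshold` for at least `min_consecutive` consecutive snapshots."""
    run = defaultdict(int)      # current streak of busy snapshots per app
    longest = defaultdict(int)  # longest streak seen per app
    for snap in snapshots:
        totals = app_cpu(snap)
        for app in set(run) | set(totals):
            if totals.get(app, 0.0) >= threshold:
                run[app] += 1
                longest[app] = max(longest[app], run[app])
            else:
                run[app] = 0    # streak broken (app idle or gone)
    return {app: n for app, n in longest.items() if n >= min_consecutive}

if __name__ == "__main__":
    # The one-snapshot gcc spike is ignored; the browser's sustained load is not.
    print(sustained_hogs(SNAPSHOTS))
```

To watch a live machine, collect `live_snapshot()` on a timer and pass the resulting list to `sustained_hogs`.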