Ad networks let you easily and quickly make a botnet

The coder and artist Brannon Dorsey (previously) wondered about the potential of "browser based botnets" -- running Javascript on tons of machines, stitched together into one massively parallel computer.

As he notes, this is already happening; among other things, there's cryptocurrency malware that hijacks your browser to do mining.

But that Javascript generally only hits you if you visit the site hosting it. Dorsey wondered if there was a faster, more efficient way to inject malicious Javascript into tons of browsers.

And he discovered that there was: Online ad networks! Anyone can make an account, create an ad with god-knows-what Javascript in it, then pay to have the network serve that ad up to thousands of browser.

So that's what Dorsey did -- very successfully. Within about three hours, his code (experimental, not malicious, apart from surreptitiously chewing up processing resources) was running on 117,852 web browsers, on 30,234 unique IP addresses. Adtech, it turns out, is a superb vector for injecting malware around the planet.

Some other fun details: Dorsey found that when people loaded his ad, they left the tab open an average of 15 minutes. That gave him huge amounts of compute time -- 327 full days, in fact, for about $15 in ad purchase. To see what such a botnet could do, he created one to run a denial-of-service attack (against his own site, just to see if it worked: It did pretty well). He got another to mine the cryptocurrency Monero, at rates that will be profitable if Monero goes much higher. Read the rest