updated 8/19/2013 9:18:15 AM ET

Want to create a huge botnet to distribute malware, pump out spam, crack passwords or knock your enemy's website offline?

Don't bother with designing malware to break into strangers' computers. Instead, say two researchers, all you need to do is spend a few bucks buying online ads, which can hijack tens of thousands of Web browsers across the world — no hacking required.

Last month at the Black Hat security conference in Las Vegas, Jeremiah Grossman and Matt Johansen, the founder/chief technology officer and threat-research manager of White Hat Security in Santa Clara, Calif., showed how an online ad network could be used to create what they called a "million browser botnet."

"There's no malware to detect, no exploits," Grossman said. "We're not really hacking stuff. We are using the Web the way it was meant to be used."


How the Web fails at security

The World Wide Web is a fundamentally insecure system, Grossman and Johansen explained. Browsers are designed to serve you as much data as possible without authentication, and nowhere is that more true than with online ads.

"When you visit a Web page," Grossman said, "by nature of the way the Web works, it has near-complete control of your browser for as long as you are at that Web page … The JavaScript or Flash on that page can force your browser to do basically whatever it wants."

Grossman and Johansen showed how HTML and JavaScript, the programming languages underlying most Web pages, could be used to probe Web browsers for user settings and login information, force browsers to attack websites in several different ways, break into corporate networks or spread malware.

The problem with these attacks, however, is that they are limited in scope. Whether you're distributing the evil code through a highly trafficked site, search-engine poisoning or third-party widgets such as weather trackers, you're not going to attain the critical mass for a truly efficient browser-based botnet.

"We need to think bigger," the researchers said, then quoted JavaScript pioneer Douglas Crockford: "The most reliable, cost-effective method to inject evil code is to buy an ad."

Ads: the perfect malware distribution system

There are nearly two dozen major ad networks, Grossman and Johansen said, but most of them won't let ad suppliers include code with their ads. However, there are hundreds of smaller ones that don't ask as many questions.

Many of those smaller networks are incredibly cheap, with rates as low as 50 cents per thousand impressions, or number of times the ad was viewed. A million impressions could cost as little as $500.

Grossman and Johansen tested their theory by creating phony ads that read "Get a 30-day free trial," without specifying what was being offered.

They added JavaScript that redirected to an Amazon cloud server, which meant the ad would inject whatever the cloud server uploaded, right into the ad viewer's browser.
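To make the "no code in ads" policy of the larger networks concrete, here is a sketch of an intake check that flags creatives carrying script, as the researchers' test ad did. It is an added example, not the researchers' code or any ad network's actual filter; the sample creatives and the `.example` hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}  # elements that run or load code
URL_ATTRS = {"href", "src", "action", "formaction", "data"}

# Constructed sample creatives (not taken from the talk).
STATIC_AD = ('<a href="https://shop.example/trial">'
             '<img src="https://cdn.example/banner.png" alt="Get a 30-day free trial"></a>')
SCRIPTED_AD = STATIC_AD + '<script src="https://ads-payload.example/a.js"></script>'


class CreativeAudit(HTMLParser):
    """Collects the reasons a creative counts as 'containing code'."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes character references in values.
        attrs = {k: (v or "") for k, v in attrs}
        if tag in ACTIVE_TAGS:
            host = urlparse(attrs.get("src") or attrs.get("data", "")).netloc
            self.findings.append(f"<{tag}> element" + (f" loading from {host}" if host else ""))
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect")
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(f"inline event handler {name} on <{tag}>")
            # Browsers drop tabs and newlines inside URLs, so compare with whitespace removed.
            compact = "".join(value.split()).lower()
            if name in URL_ATTRS and compact.startswith(("javascript:", "data:text/html")):
                self.findings.append(f"script URL in {name} on <{tag}>")


def audit_creative(html):
    """Return a list of findings; an empty list means the creative is static markup."""
    parser = CreativeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for label, ad in (("static", STATIC_AD), ("scripted", SCRIPTED_AD)):
        print(label, audit_creative(ad) or "accepted")
```

A static check like this only covers what the creative contains at submission time; it says nothing about what a permitted external host serves later, which is the property the researchers' redirect relied on.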

Grossman and Johansen uploaded the ads to a downmarket ad network with a very cheap rate. At the same time, they "click-jacked" themselves, buying views with a shady traffic generator.

(An unexpected result was that many of the ad views seemed to come from pre-existing bots, or software-controlled browsers.)

How to legally kill a Web server

After 10 minutes, the phony ads had more than 15,000 views. After 20 minutes, there were nearly 44,000 views. After an hour, Grossman and Johansen's ads had been displayed on 298,000 Web browsers worldwide. A day later, the number was 13.6 million, and the researchers had still somehow spent less than $100.

Grossman and Johansen played with the code on their Amazon cloud server, pointing it at a real Web server they controlled — and quickly knocked it offline with a file-transfer-protocol request overload.

"The Web server's effectively dead," Grossman said.

"We did not hack anybody," Johansen said. "We just used the way the Web works and took down our own servers. We stayed completely on the legal side here."

The researchers' JavaScript redirect was largely benign, but if they'd wanted to, they could have made the browsers carrying the ads do anything they commanded.

If anything, Grossman and Johansen half-joked, their research finally provided a compelling security-related reason to use ad-blocking browser plug-ins.

"You're not breaking the Web with this method," the researchers said. "You're using the Web the way it was designed."

Grossman and Johansen's presentation slides are available on the Black Hat website.


© 2012 TechNewsDaily