Feeds

Malicious JavaScript flips ad network into rentable botnet

Enslaved machines helplessly press Apache's buttons

The Essential Guide to IT Transformation

Black Hat 2013 Security researchers have shown how hackers can use ad networks to create ephemeral, hard-to-trace botnets that can perform distributed-denial-of-service attacks at the click of a button.

In a presentation at the Black Hat conference in Las Vegas on Wednesday, researchers from WhiteHat Security showed off their technique, which uses iframes in web ads to call a JavaScript file that hammers a site with requests.

The exploit "forces JavaScript to use cross-origin requests to force as many requests as possible out of a single browser or a lot of browsers to a single website," WhiteHat Security's threat research center chief Matt Johansen said.

The company embedded JavaScript code in an advert that they ran on an unnamed ad network. This code pointed to an Amazon Web Services server on which they hosted the core JavaScript file, which they could then modify after the ad was deployed.

WhiteHat confirmed that the ad network did evaluate the code, but seeing nothing overtly malicious, permitted it to go ahead.

"We had kind of benign JavaScript here, but if you started using the evil ideas the code might start to look a bit suspicious," Johansen said. "We didn't dip our toe into the [ad] porn networks."

The researchers' code asked the browser to throttle up to its maximum amount of connections (six in Firefox, for example) and access the website via HTTP. They also demonstrated a workaround that can go above the browsers' permitted number of concurrent connections by using an FTP request format, potentially allowing one browser to flood a site with concurrent connections.

This approach let the researchers deploy an ad that could automatically execute when served on a page and force viewers' browsers to hammer a site of WhiteHat's choice with requests.

"What's the benefit of hacking this way – why not do a traditional DDoS attack?" asked WhiteHat's threat research center manager Matt Johansen, who then answered his own question. "There is no trace of these. The JS gets served up, it goes away. It's very, very easy."

The only real way to trace this back to WhiteHat would be to go to the ad network and get the credit card used to buy the malicious adverts, Johansen said. As Reg readers will know, it's not too difficult for hackers to illicitly and anonymously gain access to credit cards.

In a live demonstration, the researchers showed 256 concurrent connections to a single Apache Web Server, with over a million connections tracked in an hour. The total cost of the ads was lower than the cost of the Amazon instance used to serve the illicit JavaScript, and both only cost tens of dollars.

Next, WhiteHat plans to work with partners to deploy a version of the exploit that explicitly targets a site protected by a DDoS-protection service. They also plan to try and use the technique to run distributed MD5 hash cracking via a software tool such as Ravan. Previously, the same researchers have cracked open Google's Chrome OS.

Much to the dismay of this ad-funded publication, the researchers plugged the use of ad blockers as one of the only easy ways to remediate this problem. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.