Enslaved machines helplessly press Apache's buttons
Black Hat 2013 Security researchers have shown how hackers can use ad networks to create ephemeral, hard-to-trace botnets that can perform distributed-denial-of-service attacks at the click of a button.
WhiteHat confirmed that the ad network did evaluate the code, but seeing nothing overtly malicious, permitted it to go ahead.
The researchers' code asked the browser to throttle up to its maximum amount of connections (six in Firefox, for example) and access the website via HTTP. They also demonstrated a workaround that can go above the browsers' permitted number of concurrent connections by using an FTP request format, potentially allowing one browser to flood a site with concurrent connections.
This approach let the researchers deploy an ad that could automatically execute when served on a page and force viewers' browsers to hammer a site of WhiteHat's choice with requests.
"What's the benefit of hacking this way – why not do a traditional DDoS attack?" asked WhiteHat's threat research center manager Matt Johansen, who then answered his own question. "There is no trace of these. The JS gets served up, it goes away. It's very, very easy."
The only real way to trace this back to WhiteHat would be to go to the ad network and get the credit card used to buy the malicious adverts, Johansen said. As Reg readers will know, it's not too difficult for hackers to illicitly and anonymously gain access to credit cards.
Next, WhiteHat plans to work with partners to deploy a version of the exploit that explicitly targets a site protected by a DDoS-protection service. They also plan to try and use the technique to run distributed MD5 hash cracking via a software tool such as Ravan. Previously, the same researchers have cracked open Google's Chrome OS.
Much to the dismay of this ad-funded publication, the researchers plugged the use of ad blockers as one of the only easy ways to remediate this problem. ®