Could Ad Networks Power Massive, Browser-Based Botnets?

When it comes to security, the web is insecure-by-design. We’ve known that for a long time – what with “man in the middle” attacks like FireSheep, drive-by download attacks and more. The problem has always been how to scale web-based attacks. At the end of the day, having an attack web page is great but, like every other website owner, you still have to figure out how to get people to visit your site!

Ad networks provide a ready platform for large-scale browser compromises, researchers from White Hat Security warn.

Now researchers at WhiteHat Security say they’ve found an easy way around the “scale” problem: ad networks. In a presentation at Black Hat this week, Jeremiah Grossman, the CTO of WhiteHat Security, and Matt Johansen, the Manager of Threat Research there, will show how would-be attackers can parlay a small cash outlay into a sizeable browser-based botnet that could be used to send out spam, spread malicious code or launch denial of service attacks on other web sites, IT World reports. (And a note: I wrote the IT World piece. :-))

One problem is that ad networks do a poor job vetting the JavaScript that accompanies many online ads submitted for circulation. “The folks we dealt with (at the ad networks) didn’t really have the JavaScript reading skills to know the difference” between legitimate and sketchy code, Johansen told me.

The two didn’t cross any lines in their research. They simply included a non-malicious script with their ad that would ping a server they controlled from the system on which the ad was displayed. The two then measured the potential reach of an attack that spread over an ad network. The results were eye-opening. For an up-front investment of just $0.50, they were able to get 1,000 unique hosts to ping their test server, suggesting that a million-strong browser botnet would cost just $500 to build – chump change.
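The vetting gap Johansen describes, and the experiment itself, come down to one question an ad network can ask of every creative before it circulates: which hosts does this script reach out to, and are they ours? The check below is an added example, not code from WhiteHat or from any ad network; the creative, the hostnames and the allowlist are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample ad creative (hypothetical hosts): a banner plus an inline
# script that beacons every impression to a server the network never vetted.
SAMPLE_CREATIVE = """
<a href="https://ads.example/click?id=42"><img src="https://cdn.ads.example/banner.png"></a>
<script src="https://cdn.ads.example/tracker.js"></script>
<script>
  // Reports each impression to a third-party server outside the ad network.
  new Image().src = "https://beacon.not-the-network.example/ping?" + Date.now();
  fetch("https://cdn.ads.example/metrics", {method: "POST"});
</script>
"""

# Absolute URLs, whether in src/href attributes or in JS network calls
# (fetch, XMLHttpRequest.open, sendBeacon, Image.src, WebSocket, ...).
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def external_hosts(creative: str) -> set[str]:
    """Every distinct host the creative can contact, lower-cased."""
    return {urlparse(u).hostname.lower() for u in URL_RE.findall(creative)}


def audit_creative(creative: str, allowed_hosts: set[str]) -> dict:
    """Flag hosts not owned by the ad network or its approved partners.
    A host passes if it equals an allowed host or is a subdomain of one."""
    def allowed(host: str) -> bool:
        return any(host == a or host.endswith("." + a) for a in allowed_hosts)

    hosts = external_hosts(creative)
    flagged = sorted(h for h in hosts if not allowed(h))
    # Inline script (a <script> tag without src) deserves a human read even
    # when every host is on the allowlist, since URLs can be built at runtime.
    inline = bool(re.search(r"<script(?![^>]*\bsrc=)[^>]*>", creative, re.I))
    return {"hosts": sorted(hosts), "flagged": flagged, "inline_script": inline,
            "verdict": "review" if flagged or inline else "pass"}


if __name__ == "__main__":
    print(audit_creative(SAMPLE_CREATIVE, {"ads.example"}))
```

A static scan like this only catches destinations written into the creative; URLs assembled at runtime still need a reviewer or a sandboxed render that records outbound requests.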

Read more on IT World’s web site here.
