Ad networks become shadowy JavaScript-flavoured DoS bots

By

Ads get more intrusive.

Malicious web advertisements can be used to build large, difficult to track and dirt-cheap botnets, researchers say.

Ad networks become shadowy JavaScript-flavoured DoS bots

White Hat security researcher Matt Johansen demonstrated at Black Hat 2013 in Las Vegas how iFrames within advertisements could call JavaScript files to launch denial of service attacks. 

It forced JavaScript to use cross-origin requests to push as many requests as possible from web browsers to a single website.

Threat Intelligence founder Ty Miller who travelled to Blackhat said the attacks were difficult to block meaning they could lead to extortion attempts.

"Instead of using compromised computers, this 'browser botnet' tricks your web browser into sending thousands of requests against an arbitrary system by injecting basic JavaScript into your browser," he said.

"This is then amplified thousands of times by distributing the JavaScript via online advertisements in order to flood the target servers.

"This may lead to an increase in extortion attempts since the attack is quite stealthy and hard to block."

 Johansen ran a successful proof of concept attack on an unnamed live ad network in which the ads called on a JavaScript code hosted within an Amazon Web Services server.

That file could be modified after the ad network evaluated and cleared the code.

Their code by way of an FTP URL boosted a web browser's number of connections, exceeding the number normally allowed and increasing the power of denial of service attacks.

"This then amplifies the attack hundreds of times again," Miller said. 

Those behind such attacks may possibly only be traced by way of tracking down the payment information used to buy the malicious ads.

The Register reported the live Black Hat demonstration had some 256 concurrent connections to one Apache Web Server and more than a million connections were made in the hour.

Miller said traditional botnets cost about $350 a day to run DDoS attacks, whereas the 'browser botnet' used public resources and required minimal skills.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
black hatblack hat 2013javascriptsecurity

Sponsored Whitepapers

Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Protect APIs. Protect Your Business.
Protect APIs. Protect Your Business.
KnowBe4 Benchmark Report: Reducing Human Risk & Phishing Vulnerability in ANZ
KnowBe4 Benchmark Report: Reducing Human Risk & Phishing Vulnerability in ANZ
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Saviynt Simplifies GRC and Access Control for SAP and Beyond

Events

Most Read Articles

SA Water plans 'once-in-a-generation' core technology uplift

SA Water plans 'once-in-a-generation' core technology uplift
Ex-student charged over Western Sydney University cyberattacks

Ex-student charged over Western Sydney University cyberattacks
WhatsApp banned on US House of Representatives devices

WhatsApp banned on US House of Representatives devices
Victoria's first government tech chief steps down

Victoria's first government tech chief steps down
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?