Ad networks become shadowy JavaScript-flavoured DoS bots

By on
Ad networks become shadowy JavaScript-flavoured DoS bots

Ads get more intrusive.

Malicious web advertisements can be used to build large, difficult to track and dirt-cheap botnets, researchers say.

White Hat security researcher Matt Johansen demonstrated at Black Hat 2013 in Las Vegas how iFrames within advertisements could call JavaScript files to launch denial of service attacks. 

It forced JavaScript to use cross-origin requests to push as many requests as possible from web browsers to a single website.

Threat Intelligence founder Ty Miller who travelled to Blackhat said the attacks were difficult to block meaning they could lead to extortion attempts.

"Instead of using compromised computers, this 'browser botnet' tricks your web browser into sending thousands of requests against an arbitrary system by injecting basic JavaScript into your browser," he said.

"This is then amplified thousands of times by distributing the JavaScript via online advertisements in order to flood the target servers.

"This may lead to an increase in extortion attempts since the attack is quite stealthy and hard to block."

 Johansen ran a successful proof of concept attack on an unnamed live ad network in which the ads called on a JavaScript code hosted within an Amazon Web Services server.

That file could be modified after the ad network evaluated and cleared the code.

Their code by way of an FTP URL boosted a web browser's number of connections, exceeding the number normally allowed and increasing the power of denial of service attacks.

"This then amplifies the attack hundreds of times again," Miller said. 

Those behind such attacks may possibly only be traced by way of tracking down the payment information used to buy the malicious ads.

The Register reported the live Black Hat demonstration had some 256 concurrent connections to one Apache Web Server and more than a million connections were made in the hour.

Miller said traditional botnets cost about $350 a day to run DDoS attacks, whereas the 'browser botnet' used public resources and required minimal skills.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia


Most Read Articles

Log In

  |  Forgot your password?