Like Tree1Likes
  • 1 Post By hackerman1

Thread: News from BlackHat: Million Browser Botnet

  1. #1
    hackerman1 is offline Moderator
    Join Date
    Dec 2008
    Location
    Sweden
    Posts
    1,525

    Default News from BlackHat: Million Browser Botnet

    Hi !

    News from BlackHat: https://www.blackhat.com/us-13/archives.html#Grossman

    Million Browser Botnet

    Online advertising networks can be a web hackerís best friend.
    For mere pennies per thousand impressions (that means browsers),
    there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript!
    You are SUPPOSED to use this ďfeatureĒ to show ads, to track users, and get clicks, but that doesnít mean you have to abide.
    Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly.
    The real-world power is spooky cool. We know, because we tested itÖ in-the-wild.
    With a few lines of HTML5 and javascript code weíll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords.

    Put simply, instruct browsers to make HTTP requests they didnít intend, even something as well-known as Cross-Site Request Forgery.
    With CSRF, no zero-days or malware is required.
    Oh, and there is no patch.
    The Web is supposed to work this way.
    Also nice, when the user leaves the page, our code vanishes.
    No traces.
    No tracks.

    Before leveraging advertising networks, the reason this attack scenario didnít worry many people is because it has always been difficult to scale up, which is to say, simultaneously control enough browsers (aka botnets) to reach critical mass.
    Previously, web hackers tried poisoning search engine results, phishing users via email, link spamming Facebook, Twitter and instant messages, Cross-Site Scripting attacks, publishing rigged open proxies, and malicious browser plugins.
    While all useful methods in certain scenarios, they lack simplicity, invisibility, and most importantly -- scale.
    Thatís what we want!
    At a momentís notice, we will show how it is possible to run javascript on an impressively large number of browsers all at once and no one will be the wiser.
    Today this is possible, and practical.
    HappyAndyK likes this.

  2. #2
    DustinH's Avatar
    DustinH is offline Senior Member
    Join Date
    Aug 2008
    Location
    Boardman, OR
    Posts
    243

    Default

    Yikes. Not sure how this would be to defend against...

    Ad-block, NoScript, but then you'd be turning off the ad revenue that some sites rely on, which isn't a good thing. I guess this may be left up to the advertiser publisher to white list certain ads after quality control... At least cut down on some of the offending ads (doubt they could catch them all).

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Log in

Log in

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22