Want to create a huge botnet to distribute malware, pump out spam, crack passwords or knock your enemy’s website offline?
Don’t bother with designing malware to break into strangers’ computers. Instead, say two researchers, all you need to do is spend a few bucks buying online ads, which can hijack tens of thousands of Web browsers across the world — no hacking required.
Last month at the Black Hat security conference in Las Vegas, Jeremiah Grossman and Matt Johansen, the founder/chief technology officer and threat-research manager of White Hat Security in Santa Clara, Calif., showed how an online ad network could be used to create what they called a “million browser botnet.”
“There’s no malware to detect, no exploits,” Grossman said. “We’re not really hacking stuff. We are using the Web the way it was meant to be used.”
The World Wide Web is a fundamentally insecure system, Grossman and Hansen explained. Browsers are designed to serve you as much data as possible without authentication, and nowhere is that more true than with online ads.
“When you visit a Web page,” Grossman said, “by nature of the way the Web works, it has near-complete control of your browser for as long as you are at that Web page … The JavaScript or Flash on that page can force your browser to do basically whatever it wants.”
Grossman and Johansen showed how HTML and JavaScript, the programming languages underlying most Web pages, could be used to probe Web browsers for user settings and login information, force browsers to attack websites in several different ways, break into corporate networks or spread malware.
The problem with these attacks, however, is that they are limited in scope. Whether you’re distributing the evil code through a highly trafficked site, search-engine poisoning or third-party widgets such as weather trackers, you’re not going to attain the critical mass for a truly efficient browser-based botnet.
“We need to think bigger,” the researchers said, then quoted JavaScript pioneer Douglas Crockford: “The most reliable, cost-effective method to inject evil code is to buy an ad.”
Ads: the perfect malware distribution system
There are nearly two dozen major ad networks, Grossman and Johansen said, but most of them won’t let ad suppliers include code with their ads. However, there are hundreds of smaller ones that don’t ask as many questions.
The Latest Bing News on:
Browser Botnet
- This Android TV update will stop your Gmail details from being exposedon April 26, 2024 at 3:12 am
The problem was reported this week by 404 Media, which makes it clear that the problem doesn't mean your neighbor will suddenly be able to get into your inbox: the other person needs physical access ...
- How a Massive Hack of Psychotherapy Records Revealed a Nation’s Secretson April 22, 2024 at 1:00 am
Aleksanteri Kivimäki was a hacker wunderkind with a mean streak. Now he’s on trial for the largest crime in Finland’s history.
- How tech giants cut corners to harvest data for AIon April 15, 2024 at 6:00 am
OpenAI, Google and Meta ignored corporate policies, altered their own rules and discussed skirting copyright law as they sought information to train their newest AI systems.
- Bitcoin scams, hacks and heists – and how to avoid themon April 15, 2024 at 3:28 am
Celebrity impersonation is a common trick for scammers. They’ll create a spoof social media account and impersonate popular figures like Elon Musk to launch bogus crypto giveaways or publicize fake ...
- 92,000 D-Link NAS Devices Are Vulnerable To Malware Attackson April 12, 2024 at 8:02 am
Hackers are scanning and actively exploiting an unpatched vulnerability discovered in four older D-Link Network Area Storage (NAS) devices that allows ...
- The Hacker News | #1 Trusted Cybersecurity News Site — Index Pageon November 22, 2023 at 10:04 pm
The Hacker News is the most trusted and popular cybersecurity publication for information security professionals seeking breaking news, actionable insights and analysis.
The Latest Google Headlines on:
Browser Botnet
[google_news title=”” keyword=”Browser Botnet” num_posts=”10″ blurb_length=”0″ show_thumb=”left”]
The Latest Bing News on:
Browser-based botnet
- US indicts botnet operatoron April 24, 2024 at 11:27 am
Moldovan botnet operator Alexander Lefterov, also known as Alipatime, Alipako, and Uptime, has been indicted by the U.S. Department of Justice for his involvement in widespread attacks against ...
- In Other News: OSS Backdooring Attempts, Botnet Operator Charged, Automotive Firm Attackon April 19, 2024 at 6:23 am
OpenSSF and OpenJS incidents similar to XZ backdoor, Moldovan botnet operator charged, US automotive company targeted by FIN7.
- TP-Link routers are still being bombarded with botnet and malware threatson April 18, 2024 at 12:16 pm
A report from Fortinet claims half a dozen botnet operators are scanning for vulnerable TP-Link Archer AX21 (AX1800) routers after cybersecurity researchers discovered a high-severity unauthenticated ...
- Multiple botnets exploiting one-year-old TP-Link flaw to hack routerson April 17, 2024 at 6:03 am
At least six distinct botnet malware operations are hunting for TP-Link Archer AX21 (AX1800) routers vulnerable to a command injection security issue reported and addressed last year.
- The Hacker News | #1 Trusted Cybersecurity News Site — Index Pageon November 22, 2023 at 10:04 pm
The Hacker News is the most trusted and popular cybersecurity publication for information security professionals seeking breaking news, actionable insights and analysis.
The Latest Google Headlines on:
Browser-based botnet
[google_news title=”” keyword=”browser-based botnet” num_posts=”10″ blurb_length=”0″ show_thumb=”left”]