Million Browser Botnet presented at OWASPAppSecCalifornia 2014

by Jeremiah Grossman, Matt Johansen,

Summary : Online advertising networks can be a web hacker¹s best friend. For mere
pennies per thousand impressions (that means browsers) there are service
providers who allow you to broadly distribute arbitrary javascript -- even
malicious javascript! You are SUPPOSED to use this ³feature² to show ads,
to track users, and get clicks, but that doesn¹t mean you have to abide.
Absolutely nothing prevents spending $10, $100, or more to create a
massive javascript-driven browser botnet instantly. The real-world power
is spooky cool. We know, because we tested itŠ in-the-wild. Besides
attacking ourselves we've also tested against a well known target with
lots of DDoS protectionŠ Akamai.
With a few lines of HTML5 and javascript code we¹ll demonstrate just how
you can easily commandeer browsers to perform DDoS attacks, participate in
email spam campaigns, crack hashes and even help brute-force passwords.
Put simply, instruct browsers to make HTTP requests they didn¹t intend,
even something as well-known as Cross-Site Request Forgery. With CSRF, no
zero-days or malware is required. Oh, and there is no patch. The Web is
supposed to work this way. Also nice, when the user leaves the page, our
code vanishes. No traces. No tracks.
Before leveraging advertising networks, the reason this attack scenario
didn¹t worry many people is because it has always been difficult to scale
up, which is to say, simultaneously control enough browsers (aka botnets)
to reach critical mass. Previously, web hackers tried poisoning search
engine results, phishing users via email, link spamming Facebook, Twitter
and instant messages, Cross-Site Scripting attacks, publishing rigged open
proxies, and malicious browser plugins. While all useful methods in
certain scenarios, they lack simplicity, invisibility, and most
importantly -- scale. That¹s what we want! At a moment¹s notice, we will
show how it is possible to run javascript on an impressively large number
of browsers all at once and no one will be the wiser. Today this is
possible, and practical.