Jeremiah Grossman, Matt Johansen

Company : WhiteHat Security

Million Browser Botnet

Online advertising networks can be a web hacker¹s best friend. For mere
pennies per thousand impressions (that means browsers) there are service
providers who allow you to broadly distribute arbitrary javascript -- even
malicious javascript! You are SUPPOSED to use this ³feature² to show ads,
to track users, and get clicks, but that doesn¹t mean you have to abide.
Absolutely nothing prevents spending $10, $100, or more to create a
massive javascript-driven browser botnet instantly. The real-world power
is spooky cool. We know, because we tested itŠ in-the-wild. Besides
attacking ourselves we've also tested against a well known target with
lots of DDoS protectionŠ Akamai.

With a few lines of HTML5 and javascript code we¹ll demonstrate just how
you can easily commandeer browsers to perform DDoS attacks, participate in
email spam campaigns, crack hashes and even help brute-force passwords.
Put simply, instruct browsers to make HTTP requests they didn¹t intend,
even something as well-known as Cross-Site Request Forgery. With CSRF, no
zero-days or malware is required. Oh, and there is no patch. The Web is
supposed to work this way. Also nice, when the user leaves the page, our
code vanishes. No traces. No tracks.

Before leveraging advertising networks, the reason this attack scenario
didn¹t worry many people is because it has always been difficult to scale
up, which is to say, simultaneously control enough browsers (aka botnets)
to reach critical mass. Previously, web hackers tried poisoning search
engine results, phishing users via email, link spamming Facebook, Twitter
and instant messages, Cross-Site Scripting attacks, publishing rigged open
proxies, and malicious browser plugins. While all useful methods in
certain scenarios, they lack simplicity, invisibility, and most
importantly -- scale. That¹s what we want! At a moment¹s notice, we will
show how it is possible to run javascript on an impressively large number
of browsers all at once and no one will be the wiser. Today this is
possible, and practical.



Jeremiah Grossman founded WhiteHat Security in August 2001 and currently serves as Chief Technology Officer, where he is responsible for Web security R&D and industry outreach. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world.

As a well-known security expert and industry veteran, Mr. Grossman has been a guest speaker on six continents at hundreds of events including TED, BlackHat Briefings, RSA, SANS, and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, MIT, and UCLA. Mr. Grossman is also a co-founder of the Web Application Security Consortium (WASC) and previously named one of InfoWorld's Top 25 CTOs.

He serves on the advisory board of two hot start-ups, Risk I/O and SD Elements, and is a Brazilian Jiu-Jitsu Black Belt. Before founding WhiteHat, Mr. Grossman was an information security officer at Yahoo!