To create a botnet,
you have to find some way to take control of thousands of computers
and bend them to your will. That sounds like a tough job, right? Well, no. In a
presentation at Black Hat in Las Vegas, Jeremiah Grossman, founder and
CTO of WhiteHat Security, and Matt Johansen, manager of WhiteHat's
Threat Research Center, revealed an extraordinarily simple way anyone
can take control of thousands or even millions of browsers.
Grossman led off with enthusiasm, saying "We've been
working on this for six months, and we're anxious to present. This will
go fast, and we'll have fun. We'll crack browsers and use them to crack
websites."
The Power of the Web
Grossman went on to note, "The Web has near complete control of your browser as long as you're connected. Everything we do in our demo, we're not hacking anything. We're using the web the way it was meant to be used." Johansen added, "My apologies, we don't have a solution."
The presentation reviewed a huge number of ways a website can subvert your browser using nothing more than a line or two of JavaScript,
or even a single (slightly tweaked) HTML request. "We control the browser
without zero-day attacks," said Grossman, "and we have complete
control."
Illustrating with a slide showing the simple code
involved, he said, "We can force your browser to hack another website,
download illegal files from torrents, make embarrassing searches, post
offensive messages, even vote for Ed Snowden as Time's person of the
year."
Million Browser Botnet
All this was just introduction to the research being presented. Johansen and Grossman devised a very simple denial of service attack and tested it on their own server. They even demonstrated it in real time during Black Hat. This particular attack did nothing more than overload the server with connection requests, but the technique used could do more, much more. And all they had to do was spend a few dollars to place an ad containing the attack.
"Some ad networks allow arbitrary JavaScript in the ad,"
said Grossman, "and some don't." The team had no trouble setting up
their attack JavaScript. "The ad network reviewers weren't good at
reading or even caring about JavaScript," said Johansen. "The real
problem was making an ad image that looked pretty and looked like an
ad."
At first the team was slowed by the need to get re-approval from the ad network
every time they changed the JavaScript code. They solved that by moving
the code to their own host and having the ad's own code simply fetch it
from there each time the ad was displayed. The network reviewers now saw
only the loader, never the payload it pulled in at display time, so they
had no way to see what the code might do; they didn't seem to care.
As soon as they enabled the attack code, it started
executing on browsers all over. Every time anyone surfed to a page
containing the ad, it started making connections to the victim server.
The server couldn't withstand the load; it failed.
All browsers cap the number of simultaneous connections they will open
to a single host. Johansen and Grossman found a way to raise Firefox's limit
from six to hundreds. It turned out their simple attack was completely
effective even without this power-up, so they didn't use it.
Whose Problem to Fix?
"This attack is not persistent," said Grossman. "There's no trace of it. It does its ad-display and goes away. The code isn't crazy fantastic, it's just using the Web the way it's supposed to work. So whose problem is it to fix?"
The same technique could be used to run distributed
calculations in JavaScript, for example to brute-force passwords
and hashes. "We'll try that hash-cracking for next Black Hat," said
Grossman. "How much can you crack for each 50 cents worth of paid page
views?"
The presentation left attendees with the unsettling
thought that the attack described uses the Web exactly as it's meant to
be used, and we don't really know whose responsibility a fix would be.
Grossman has said in the past that we must break the Web in order to fix
it. Could he be right? Could we even survive a reboot of the entire
Internet?