In this section we limit ourselves to the high-level aspects of the attack on which we will base our recommendations. We do so because the specific implementation of the browser botnets is not readily available and we did not implement them ourselves; the recommendations that follow from this technique do not require the reader to understand the specifics of the implementation. We describe the attack, its benefits from the point of view of the attacker, the distribution mechanisms that can be used, and the purposes for which such botnets can be used. The attack described in this section was devised and demonstrated at Black Hat USA 2013 [100]. We did not implement these attacks ourselves, but it is important that the reader is aware of them.
4.3.1 Description
A traditional botnet is a collection of programs that are connected to each other through the Internet and work together to complete some type of task. The botnet is controlled through a Command & Control (C&C) server, and the person controlling it is often referred to as the “Bot Herder” or “Bot Master”.
Botnets can also be created inside browsers; these differ from traditional botnets mainly in their online time, because a bot only exists while the hosting page is open. When a user visits an HTML page that hosts a botnet script, the user’s browser becomes part of the network and participates in completing whichever task the botnet is being used for. When the browser window or tab is closed, the browser is disconnected from the botnet, leaving no trace behind. The online time of a browser-based bot is therefore very limited, but no evidence remains once it has disconnected.
The browser botnet is established by loading a script in the browser; the script can be delivered as part of third-party HTML content (for example an advertisement). It is then executed silently in the background of the browser tab. It sets up an application-level connection to the malicious server, from which it can receive tasks; because this traffic consists of ordinary web requests made by the page, it is not easily distinguished from legitimate traffic and is therefore hard to detect. Alternatively, for a more static botnet, the task can be embedded in the original script code.
4.3.2 Advantages and Disadvantages over Traditional Botnets
One problem that might make browser-based botnets less suitable for certain tasks (or attacks) is that browsers limit the number of concurrent HTTP connections per host. It was shown in the Black Hat presentation, however, that this limit could be bypassed by using a different protocol: the bots could open ftp:// connections instead, to which no such limit applied. (Mainstream browsers have since dropped FTP support altogether, which closes this particular bypass, though not the underlying technique.)
Browser-based botnets have several advantages over traditional botnets.
• No malware is required to set them up on the client side; the bots are simply loaded into the browser when the web page is visited.
• This also means that no zero-day (or unpatched) exploits are needed to infect individual users with malware.
• Browser caching can be disabled by the serving side (through cache-control headers), so no evidence is left behind; the malicious scripts are naturally volatile.
• Everyone who uses a browser is vulnerable by default, and the attack is very easy to implement because the web is designed to work this way: the HTML documents received from the server are trusted, so the script code within them is executed in the context of the serving origin.
4.3.3 Recruitment
The process of loading the script into the user’s browser is straightforward, but the user still has to visit the website on which it is hosted. We list a number of distribution mechanisms by which the script can be spread. The reader should take into account that the longer the user stays on the page, the longer the bot script stays alive. Some of the possibilities listed below are, however, not very practical in real-life attack scenarios.
• The most straightforward option is a high-traffic website that the attacker owns or otherwise has access to.
• Exploiting XSS vulnerabilities on popular websites.
• HTML email spam.
• Web extensions that the attacker made. These would have to become popular for the attack to be effective.
• Search Engine Poisoning.
• Buying advertisements through online advertising networks.
It was shown that the most cost-effective way of distributing malicious script code was buying advertising space on websites. When advertising space is bought through advertising networks, these networks distribute the ads over various publishers (websites); this means an enormous number of users can be reached through this mechanism. The sites reached in this way are usually popular websites on which users spend quite some time. During the presentation it was demonstrated that it was not difficult to inject script code into the advertisements once they were bought.
4.3.4 Tasks of the Botnet
The botnets can be used for a large variety of tasks; we list a few common examples.
• Distributed Brute-Force Hash Cracking: An example of such a system is Ravan [101], a JavaScript-based distributed computing system used for cracking hashes. The cracking process is distributed across several browsers, and it makes use of HTML5 WebWorkers to start background JavaScript threads in the browsers. Each worker is responsible for testing a part of the candidate space (a range of possible passwords) against the target hash.
• Application-Level Distributed Denial of Service attacks: Browsers are able to send a large number of cross-origin requests from inside WebWorkers. It was also shown that, using the connection-limit bypass (with FTP), the number of concurrent connections per bot could be raised from 6 per host to approximately 300; the demonstration showed an Apache server being overwhelmed with little effort.
• Cryptocurrency mining: In line with distributed hash cracking, other distributed computations can be exploited by botnets. Given the recent popularity of cryptocurrency, this is a viable real-life attack scenario.