- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
Network World - Las Vegas -- The bad news is if you click on the wrong online ad, your browser can be immediately enlisted in a botnet carrying out a denial of service attack to take down Web sites.
The good news is that as soon as you move on to another Web site, the browser is released with no harm done, according to researchers who revealed the hack at the Black Hat security conference.
“Who’s problem is this?” says Jeremiah Grossman, CEO of White Hat Labs and one of the researchers. “Browsers? Ad networks? Who fixes this?”
MORE BLACK HAT: Top 20 hack-attack tools
“To scale [the botnet] up you need to get a lot of browsers running it,” he says.
The researchers paid the ad network to distribute their ad and within 18 hours it was generating 8.1 million requests to the server coming in fast enough to take it down. That was using HTTP requests six at a time without using the FTP bypass, Grossman says. Since the users whose browsers were enlisted to the botnet were unwitting, they didn’t want to make any changes to the browsers, he says.
The upside for attackers is that the botnet is random with no command-and-control server that defenders could take down. Grossman says he is uncertain whether it would be possible forensically to track down the ad at the center of such a botnet and ultimately track it to the individuals who bought the ad. “You could be tracked by who paid for the guilty ad,” he says.