Black Hat USA 2014: Talking botnets and ad campaigns

Botnets are becoming more sophisticated and White Ops' Michael Tiffany spells out what that means for the advertising campaigns they've been targeting

"The situation we're in with advertising is a lot like where the banks are, where everyone has struggled with the fact that you can't trust the other end of the connection," says White Ops CEO Michael Tiffany. "It's the same cookies, user information, etc. But one is real, and the other is fake."

[Malicious advertising offers broad reach and quick rewards for malware perpetrators]

Tiffany, of course, is referring to the very real threat of botnets targeting ad campaigns by infecting the computers of actual customers and users. When it comes to dodging anomaly detection, this is a far more effective approach than attempting to steal credentials.

It's also far more dangerous.

"It's the world's most sophisticated, non-state sponsored crimeware," says Tiffany. "The best way to rob a bank is to not do it directly, but instead compromise its customers' machines. Then, it does nothing until after they log in. It's web aware malware that lies in wait until someone uses their profile information to log in."


With these types of botnets, there are two types of compromise to a legitimate machine. There's the background process, which is browsing all day whenever the machine is on and effectively masquerading as the user thanks to its access to the user's cookies.

The second type, however, is far more sophisticated. With the "man in the browser" type approach, it's not even a background process, it's your actual browser; the malware is injecting more adds into your legitimate browsing session.

"What it looks like to me is that I'm browsing on," says Tiffany. "What it looks like to advertising servers and networks is that I'm on some other website that has been serving me ads, and I don't know any better."

Naturally, with bots impersonating human visitors and garnering billions of ad impressions, this ends up costing advertisers millions of dollars and completely disrupting the accuracy of online metrics. In fact, not only has the fraud not been squeezed out, agencies are confidently targeting the bots, leading to higher prices. So instead of the bots making a 10 cent CPM, says Tiffany by way of example, they're making a 10 dollar CPM. Thanks to the widespread nature of the practice bot traffic has ended up distorting all of the numbers on the internet.

"The real concrete actions that anyone takes based on advertising are so rare…that even if you have the data model of the gods, your noise floor is going to be really high," Tiffany points out. "You're always showing ads thousands of times before somebody does something. So if online criminals are inflating that number by 50 percent, how can you tell?"

So how long have these types of botnets been around, and more importantly, are they on the rise or fall?

"I wish I knew!" says Tiffany. "We don't have the longitudinal data. But anecdotally, I think it's been getting worse over the past few years because cookies are kind of like an authentication mechanism."

[Yahoo recovers from malicious advertising attack]

The problem there is that the typical approach of using anomalous behavior to sniff out botnets is rendered useless the moment that bot traffic is whitelisted on account of it coming from known and (supposedly) legitimate users.

"So the cookies are getting implicitly trusted and the way that fraud detection usually works is big data, usually anomaly detection," adds Tiffany. "But the botnets get baked into everyone's user info…and [for adversaries] that's the path to winning right there."

There is hope, however; while fighting off such a sophisticated approach can be tricky, it's not impossible. There are ways to detect man in the browser malware by looking at web traffic and differentiating between live human web traffic and a browser that's being driven by remote control (or an entire session that's scripted from the outside).

"[A browser] is a very complex little operating environment and there's a runtime engine -- running software written in JavaScript -- that interacts with hardware," says Tiffany. "And there's the DOM [document object model] that has all these methods and objects that relate to the hardware environment of the browser." What Tiffany and the rest of his team found is that whenever a programmatic bridge is built between some instruction set and the DOM, they find evidence of that going in the opposite direction.

"So if you're in the DOM, we can find out that programmatic bridge stomps on that part of the environment," says Tiffany. "The JavaScript runtime environment is different when it's being stepped on in some way."

Techniques to detect these differences don't have to be static, since there are so many subtle ways in which the environment changes when it's remotely controlled. "We have a very huge parameter base and we can cycle through detection techniques fairly quickly," says Tiffany. "We burn techniques and move on."

And this is done in plain sight, though the system doesn't leak any success/fail information back to the adversary. No matter what, either the attempt succeeds or fails -- either they get the money or they don't -- but they have to play round two to know if they won round one.

"They can see our server, they know we're involved, but they can't tell if they got it right or if they duped us," says Tiffany. "Everyone agrees that there's too much attack surface in the browser. Our big insight is that we can use this property against our adversaries: if we can't protect it, neither can they."

What this eventually amounts to, he says, is an economic disruption of the bad guy business model.

"If you make a computer view ads all day, any computer is going to start racking up money," says Tiffany. "So if we cut off the money made in this model, it takes a bunch of money out of the black market ecosystem."

[Microsoft joins malware, ad teams to fight click fraud]

Ultimately, it's in the adversaries' best interests to spend a lot of money to succeed at their attempts at fraud, but detecting the botnets, when done properly, is not as expensive of a process.

"We've worked out the arms race setup well enough that ultimately our cost of running the arms race is lower that the bad guys'," says Tiffany. "And that's how you win the arms race."

This story, "Black Hat USA 2014: Talking botnets and ad campaigns" was originally published by CSO.


Copyright © 2014 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022