Tweet

The research on browser-based botnets presented during the recent Blackhat conference in Las Vegas touches on our previous study on the abuse of HTML5. Most importantly, it shows how a simple fake online ad can lead to formidable threats like a distributed denial of service (DDoS) attack.

In their briefing, Jeremiah Grossman and Matt Johansen showed that it is possible to initiate a massive distributed denial of service (DDoS) attack via a browser-based botnet. To create the botnet itself, the potential attackers need only to invest on fake online ads which are inexpensive. Because networks serving ads on websites allow the execution of JavaScript, the attackers craft the JavaScript to make hundreds or thousands of users connect to a targeted site simultaneously, which may be enough to make the victim site inaccessible. Unfortunately, this scenario is likely to come to fruition, given that ads are staple on sites and basically a driving force behind the Web.

In 2011, we’ve looked into similar threat scenario, wherein we researched on the possibility of browser-based botnets by way of HTML5. In the said paper, we cited the developments done in HTML5 and how attackers could harness these improvements to their advantage. In particular, with HTML, attackers can create a botnet that will include systems of different operating systems, even mobile devices. The botnet will be memory-based, thus it will be difficult to detect by traditional anti-malware software.

Below are some important points that I raised in the research, specifically on how attackers can use HTML5 for their attacks.

• Compared to traditional botnets, browser-based ones are not deemed as persistent. The malicious code will stop running once users close the browser tab. With this in mind, attackers can instead use persistent XSS and site compromise or a combination of clickjacking and tabnabbing or disguise the malicious page as an interactive game.
• Besides DDoS attacks, this abuse of HTML5 can lead to spamming, bitcoin generation, phishing, internal network reconnaissance, proxy network usage, and spreading of worm via XSS attacks or SQL injections.

This misuse of HTML5 represents a method by which an attacker can infiltrate or initiate an attack against their targets. As browsers and apps (essentially stripped-down browsers) are the likely default way to connect online in this age of consumerization and increasing Internet-connected devices and appliances (Internet of everything), the idea of browser-botnet is an alarming prospect. With the use of HTML5 expected to take off in mobile apps as recently exemplified by Amazon, we can expect this threat to be an increasing reality anytime soon.

For users, the best way to prevent this attack is to study and understand the risks involved. User education, in particular for companies, can come along way in protecting the organizations’ business operations and important information. For more information about the research and how Trend Micro can help users combat this attack, you may refer to the paper HTML5 Overview: A Look At HTML5 Attack Scenarios.