Thursday, August 1, 2013

This particular attack did nothing

Malicious web advertisements can be used to build large, difficult to track and dirt-cheap botnets, researchers say.

White Hat security researcher Matt Johansen demonstrated at Black Hat 2013 in Las Vegas how iFrames within advertisements could call JavaScript files to launch denial of service attacks.

The attack used JavaScript cross-origin requests to push as many requests as possible from web browsers to a single website.

Threat Intelligence founder Ty Miller, who travelled to Black Hat, said the attacks were difficult to block, meaning they could lead to extortion attempts.

"Instead of using compromised computers, this 'browser botnet' tricks your web browser into sending thousands of requests against an arbitrary system by injecting basic JavaScript into your browser," he said.

"This is then amplified thousands of times by distributing the JavaScript via online advertisements in order to flood the target servers.

"This may lead to an increase in extortion attempts since the attack is quite stealthy and hard to block."

Johansen ran a successful proof-of-concept attack on an unnamed live ad network, in which the ads called JavaScript code hosted on an Amazon Web Services server.

That file could be modified after the ad network evaluated and cleared the code.

Their code used an FTP URL to boost a web browser's number of connections, exceeding the number normally allowed and increasing the power of denial of service attacks.

"This then amplifies the attack hundreds of times again," Miller said.

Those behind such attacks can possibly be traced only by tracking down the payment information used to buy the malicious ads.

The Register reported the live Black Hat demonstration had some 256 concurrent connections to one Apache web server, and more than a million connections were made in the hour.

All this was just introduction to the research being presented. Johansen and Grossman devised a very simple denial of service attack and tested it on their own server. They even demonstrated it in real time during Black Hat. This particular attack did nothing more than overload the server with connection requests, but the technique used could do more, much more. And all they had to do was spend a few dollars to place an ad containing the attack.

"Some ad networks allow arbitrary JavaScript in the ad," said Grossman, "and some don't." The team had no trouble setting up their attack JavaScript. "The ad network reviewers weren't good at reading or even caring about JavaScript," said Johansen. "The real problem was making an ad image that looked pretty and looked like an ad."

At first the team was slowed by the need to get re-approval from the ad network every time they changed the JavaScript code. They solved that by moving the code to their own host and simply calling it from the ad's code. This step left the ad network completely unable to see what the code might do; they didn't seem to care.
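The review gap described above can be closed on the ad network's side. The following is an added example, not code from the researchers or from any ad network: it flags creatives that load script or iframe content from a host the reviewer has not vetted, records a SHA-256 digest of the script at approval time so a later change to the hosted file is detected, and applies a simple heuristic for `ftp://` URLs in ad code. All host names, file contents and function names are constructed for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ExternalCodeFinder(HTMLParser):
    """Collect src URLs of <script> and <iframe> tags in an ad creative."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.sources.append((tag, src))


def review_creative(html, reviewed_hosts):
    """Flag code the reviewer never sees: anything loaded from an unreviewed host."""
    finder = ExternalCodeFinder()
    finder.feed(html)
    findings = []
    for tag, src in finder.sources:
        host = urlparse(src).hostname
        if host and host not in reviewed_hosts:
            findings.append(f"<{tag}> loads from unreviewed host {host}")
    return findings


def review_script(js_text):
    """Heuristic: list ftp:// URLs found in ad code for a manual look."""
    return sorted(set(re.findall(r"ftp://[^\s'\"]+", js_text)))


def digest(script_bytes):
    """SHA-256 of the script body, recorded at approval time."""
    return hashlib.sha256(script_bytes).hexdigest()


def changed_since_approval(approved_digest, fetched_bytes):
    """True when the hosted file no longer matches what was approved."""
    return digest(fetched_bytes) != approved_digest


# Constructed sample inputs (hypothetical hosts and file contents).
CREATIVE = ('<a href="https://shop.example/"><img src="banner.png"></a>'
            '<script src="https://files.example.net/ad.js"></script>')
APPROVED_JS = b"console.log('impression');"
LATER_JS = b"var u = 'ftp://files.example.net/x';"
```

The digest check only helps if the network re-fetches the hosted file on a schedule after approval, or serves its own approved copy instead of the advertiser's URL.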

As soon as they enabled the attack code, it started executing on browsers all over. Every time anyone surfed to a page containing the ad, it started making connections to the victim server. The server couldn't withstand the load; it failed.