

Black Hat USA 2014: Talking botnets and ad campaigns

Grant Hatchimonji | Aug. 7, 2014
Botnets are becoming more sophisticated and White Ops' Michael Tiffany spells out what that means for the advertising campaigns they've been targeting.

"I wish I knew!" says Tiffany. "We don't have the longitudinal data. But anecdotally, I think it's been getting worse over the past few years because cookies are kind of like an authentication mechanism."

The problem is that the usual approach of hunting botnets through anomalous behavior stops working the moment bot traffic carries the cookies of known and (supposedly) legitimate users: that traffic gets whitelisted, and the anomaly it would otherwise represent is never examined.

"So the cookies are getting implicitly trusted and the way that fraud detection usually works is big data, usually anomaly detection," adds Tiffany. "But the botnets get baked into everyone's user info...and [for adversaries] that's the path to winning right there."

There is hope, however; fighting off such a sophisticated approach is tricky, but not impossible. Man-in-the-browser malware can be detected by looking at web traffic and differentiating between a live human's browser and a browser that is being driven by remote control (or an entire session scripted from the outside).

"[A browser] is a very complex little operating environment and there's a runtime engine -- running software written in JavaScript -- that interacts with hardware," says Tiffany. "And there's the DOM [document object model] that has all these methods and objects that relate to the hardware environment of the browser." What Tiffany and his team found is that whenever a programmatic bridge is built between some outside set of instructions and the DOM, evidence of that bridge leaks back in the opposite direction: the JavaScript environment itself bears traces of being driven.

"So if you're in the DOM, we can find out that programmatic bridge stomps on that part of the environment," says Tiffany. "The JavaScript runtime environment is different when it's being stepped on in some way."

Techniques to detect these differences don't have to be static, since there are so many subtle ways in which the environment changes when it's remotely controlled. "We have a very huge parameter base and we can cycle through detection techniques fairly quickly," says Tiffany. "We burn techniques and move on."
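As an added illustration of the idea above, the snippet below probes a window-like object for traces of a remote-control bridge and scores the findings. It is example code written for this page, not White Ops' detector, which the article does not show. The property names it checks are assumed, well-known artifacts of automation tooling (navigator.webdriver is the W3C WebDriver flag; window._phantom and window.callPhantom come from PhantomJS); the probe list, weights and threshold are this example's own choices. Probes are kept as a list so that individual techniques can be rotated or retired, in the spirit of "burn techniques and move on". The two sample environments are constructed here so the code runs offline.

```javascript
'use strict';

// Capture the genuine toString before anything on the page can replace it.
const nativeToString = Function.prototype.toString;

// Genuine built-ins stringify with a "[native code]" body. A bridge that wraps
// or replaces a DOM method with JavaScript loses that property.
function looksNative(fn) {
  if (typeof fn !== 'function') return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(nativeToString.call(fn));
}

// Assumed, illustrative names of globals that common drivers inject into a page.
const AUTOMATION_GLOBALS = ['_phantom', 'callPhantom', '__nightmare', '_selenium',
  'domAutomation', 'domAutomationController'];

// DOM methods that must be native in an unmodified browser.
const NATIVE_DOM_METHODS = ['querySelector', 'addEventListener', 'createElement'];

// Each probe is independent so the set can be rotated; weights are assumptions.
const PROBES = [
  { name: 'navigator.webdriver is true', weight: 2,
    test: (win) => (win.navigator || {}).webdriver === true },
  { name: 'automation global present', weight: 2,
    test: (win) => AUTOMATION_GLOBALS.some((g) => g in win) },
  { name: 'document method is not native', weight: 2,
    test: (win) => NATIVE_DOM_METHODS.some((m) => m in (win.document || {}) && !looksNative(win.document[m])) },
  { name: 'Function.prototype.toString is not native', weight: 2,
    test: (win) => typeof win.Function === 'function' && !looksNative(win.Function.prototype.toString) },
  // Weak signals on their own: headless builds often ship empty lists, but so do some real browsers.
  { name: 'navigator.plugins is empty', weight: 1,
    test: (win) => { const p = (win.navigator || {}).plugins; return !!p && p.length === 0; } },
  { name: 'navigator.languages is empty', weight: 1,
    test: (win) => { const l = (win.navigator || {}).languages; return Array.isArray(l) && l.length === 0; } },
];

// Run the given probes against a window-like object and return the verdict.
function assessEnvironment(win, probes = PROBES) {
  const findings = [];
  let score = 0;
  for (const probe of probes) {
    if (probe.test(win)) {
      findings.push(probe.name);
      score += probe.weight;
    }
  }
  // Threshold is an assumption: one strong signal or two weak ones.
  return { findings, score, driven: score >= 2 };
}

// Constructed sample: an environment shaped like an ordinary browser session.
// Real built-ins (Object.keys) stand in for native DOM methods.
const humanLike = {
  Function,
  navigator: { webdriver: false, plugins: [{ name: 'PDF Viewer' }], languages: ['en-US', 'en'] },
  document: { querySelector: Object.keys, addEventListener: Object.keys, createElement: Object.keys },
};

// Constructed sample: the same shape after a driver has bridged into it.
const driven = {
  Function,
  _phantom: {},
  navigator: { webdriver: true, plugins: [], languages: [] },
  document: {
    querySelector: function (sel) { return null; }, // JavaScript shim, not native
    addEventListener: Object.keys,
    createElement: Object.keys,
  },
};

console.log(assessEnvironment(humanLike));
console.log(assessEnvironment(driven));
```

A real deployment would run this inside the page and report the findings to a server rather than logging them, and would vary which probes ship to a given client so that an adversary who defeats one cannot tell which check caught them.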

And this is done in plain sight, though the system leaks no success/fail information back to the adversary. An attempt either succeeds or fails -- either they get the money or they don't -- but they have to play round two to find out whether they won round one.

"They can see our server, they know we're involved, but they can't tell if they got it right or if they duped us," says Tiffany. "Everyone agrees that there's too much attack surface in the browser. Our big insight is that we can use this property against our adversaries: if we can't protect it, neither can they."


