Security researchers discovered an odd DDoS attack against several sites recently that relied on a persistent cross-site scripting vulnerability in a major video Web site and hijacked users’ browsers in order to flood the site with traffic.
The attack on the unnamed site involved the use of injected Javascript on the site which would execute in a user’s browser whenever he views a profile image that contains the Javascript. Once the code runs, it then fires off an embedded iframe with a DDoS tool that sends a GET request to the target sites. The attacker embedded the malicious code in his own profile image on the video site, and then posted a comment on hundreds of videos so that his profile image appears next to the comment.
As more and more visitors watched the videos, and therefore viewed the malicious image, the GET requests continues to mount for the targeted sites.
“As a result, each time a legitimate visitor landed on that page, his browser automatically executed the injected JavaScript, which in turn injected a hidden <iframe> with the address of the DDoSer’s C&C domain. There, an Ajax-scripted DDoS tool hijacked the browser, forcing it to issue a DDoS request at a rate of one request per second,” Ronen Atia of Incapsula, the security company that discovered the attack, wrote in an analysis.
“Obviously one request per second is not a lot. However, when dealing with video content of 10, 20 and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively created a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.”
The company was able to intercept the malicious requests going to the target sites and traced it back to the compromised video site, which Incapsula is not naming yet. The researchers then inserted a piece of their own Javascript into the requests, replacing the target URL. They then were able to figure out the persistent XSS vulnerability and alerted the owners of the compromised site.
Despite that success, Atia said that the attacker behind the DDoS has replaced the original tool he was using with a more sophisticated version.
“This leads us to believe that what we saw yesterday was a sort of POC test run. The current code is not only much more sophisticated, but it is also built for keeping track of the attack, for what seems like billing purposes. From the looks of it, someone is now using this Alexa Top 50 website to set up a chain of botnets for hire,” he said.
That attack Incapsula uncovered shares some characteristics with some research that Jeremiah Grossman and Matt Johansen of WhiteHat Security presented at Black Hat last year. In their example, an attacker could inject malicious Javascript into ads that are distributed via an ad network and force the user’s browsers to perform an operation, whether it’s launching a DDoS attack on a target server or something else.
