Headless browsers: legitimate software that enables attack

Legitimate software which is on user’s desktops can be utilised by attackers to install malware and for denial of service (DoS) traffic.

According to DOSarrest CTO Jag Bains and general manager Mark Teolis, big dumb DoS attacks are common and can knock a data centre out, but smarter attacks are smaller, lower and slower.

Now sophisticated botnets, which have more access to compromised computing power are used to run “Headless Browsers”, a legitimate browser web kit that has been modified to run a series of queries and target basic UIs on your website.

Teolis said: “These were made for programmers to test out their websites, so made by Safari, Firefox, and now used for nefarious purposes. You stress on it and open up hundreds of sessions on your laptop and see how it runs, but now you can have unlimited process using Javascript, cookies and Captcha.”

Bains said: “You can download the software for free and modify it, PhantomJS is the most popular headless browser and people use it for legitimate purposes like monitoring services. We looked at adding a monitoring service to see how our website was doing 1-2 years ago and you can add a sensor and a certain location and tell it to tell you the load times of each element of the site, but others are modifying it for less than gallant reasons.”

The difference with a headless browser - effectively a piece of software without any control -is that they cannot run effectively by an attacker, as they need the victim to load up the program and actively run it. “We see it as a factor of hackable, dedicated boxes out there, you can rent out a slice of virtual computing for $25 a month or more for compromised bots,” Bains said.

The issue for IT security is that it looks like a legitimate session and regular traffic, and it works because the attacker understands how the website is designed and where the weaknesses are. “You cannot set up a web application firewall to prevent it as it is using the same protocol as a real visitor would,” Bains said.

Teolis described it as “death by a thousand cuts”. He said: “All the boxes could not stop it as slow and low attacks come twice an hour, but with 50,000 of them how do you distinguish? With headless browsers it can jump through hoops and it will be a big problem for older boxes.”

A headless browser runs in its own instance, does its own coordination and just needs an operating system to run it. The only way it can be detected is if the victim runs a NetStack to see what is running out of port 80.

In terms of how to protect against a headless browser, Bains said that a pure play DDoS protection service can help, as this will evade signature-based detection to stop immediately. However it has to be parsed and analysed to be able to see the pattern and anything that wasn’t there an hour ago.

Teolis said: “With real time support there is a human involved and you can develop some rulesets to determine what is going on and implement this module. We can do it in seconds, and that is part of our software and we can do it in under a minute.”

Dan Raywood is editor of The IT Security Guru