NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA List Master

NRT-0147 JavaScript tool hunts for flaws, creates botnets:


The lead research and development engineer at Atlanta-based SPI Dynamics Incorporated has developed a tool called Jikto that can use cross-site scripting (XSS) flaws and JavaScript to create a distributed botnet without any kind of user interaction at all. Jikto works by exploiting an XSS flaw on a given web site and then silently installing itself on a user's PC. It can then operate in one of two modes: In one mode, Jikto crawls a specific web site in much the same way that a web application scanner would, looking for common vulnerabilities, such as XSS or SQL injection. It then reports the results to whatever machine is controlling it. In the other mode, Jikto calls home to the controlling PC and tells it that it has installed itself on a new machine, and then awaits further instructions from the controller.

Jikto's master controller has the ability to keep track of which infected machines are online and active at any given time, enabling an attacker to wait until a PC is idle before sending instructions to a bot. This could help the attacker avoid alerting the user of the infected machine to Jikto's presence. "AJAX (Asynchronous JavaScript) increases the speed of this tenfold," said Jikto's designer. "All of these Web 2.0 applications are so heavy on JavaScript. I can sit there and tell your browser to do all kinds of nasty things."

JavaScript, by its nature, also has the ability to execute on its own and modify itself on the fly, making many traditional methods of detecting malicious code useless in trying to defend against Jikto and other such threats. "It's almost impossible for anti-virus vendors to create a signature for JavaScript because they can't look at it and see if it's good or bad," he said. "Signature based defenses are useless."

While vulnerability scanning by malware is not new, Jikto runs in a web browser and distributes the bug-hunting task across multiple PCs. Jikto will be released publicly at the ShmooCon hacker event later this week.
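The scanning mode described above still leaves a footprint in the scanned site's own web-server logs, even though, as the report notes, signatures on the JavaScript itself are of little use. The following is an added example, not code from the advisory or from SPI Dynamics: it flags requests carrying typical XSS and SQL injection test strings and, because the work is spread across many infected browsers, checks the site-wide probe count as well as the per-client one. The log lines and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log sample (not from the advisory): five clients send one probe each.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Mar/2007:10:00:01 -0400] "GET /search?q=shoes HTTP/1.1" 200 512
203.0.113.11 - - [20/Mar/2007:10:00:02 -0400] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
203.0.113.12 - - [20/Mar/2007:10:00:03 -0400] "GET /item?id=1' HTTP/1.1" 500 200
203.0.113.13 - - [20/Mar/2007:10:00:04 -0400] "GET /item?id=1%20OR%201%3D1 HTTP/1.1" 200 900
203.0.113.14 - - [20/Mar/2007:10:00:05 -0400] "GET /login?user=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 300
203.0.113.11 - - [20/Mar/2007:10:00:06 -0400] "GET /about HTTP/1.1" 200 2048
203.0.113.15 - - [20/Mar/2007:10:00:07 -0400] "GET /profile?name=%27%20UNION%20SELECT HTTP/1.1" 500 180
"""

# Common Log Format: client ip, identd, user, [timestamp], "METHOD URL PROTO" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) ')

# Test strings a web-application scanner typically injects to find XSS or SQL injection
PROBE_RE = re.compile(
    r"<script|onerror\s*=|\bor\s+1\s*=\s*1\b|union\s+select|'\s*$|'\s*(?:or|and)\b",
    re.IGNORECASE,
)

def parse_line(line):
    """Return (client ip, percent-decoded URL) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return (m.group(1), unquote(m.group(2))) if m else None

def is_probe(url):
    """True when the decoded URL carries a typical XSS or SQL injection test string."""
    return PROBE_RE.search(url) is not None

def analyse(log_text, per_ip_threshold=3, site_threshold=4):
    """Count probes per client and site-wide over one batch of log lines."""
    probes = [e for e in (parse_line(l) for l in log_text.splitlines()) if e and is_probe(e[1])]
    per_ip = defaultdict(int)
    for ip, _ in probes:
        per_ip[ip] += 1
    # One client over the threshold is the classic single scanner; many clients
    # each below it but a high site-wide total is the distributed pattern.
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    return {
        "probe_count": len(probes),
        "distinct_sources": len(per_ip),
        "noisy_ips": noisy_ips,
        "distributed_scan": len(probes) >= site_threshold and not noisy_ips,
    }
```

On the sample, no single client crosses the per-client threshold, yet five distinct sources together produce five probes, so only the site-wide check raises the alarm.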

(www.searchsecurity.com 20MAR07; news.zdnet.com 20MAR07)



Last Modified: Sunday, 29-Apr-2007 15:09:03 EDT