A JavaScript tool against which there is no defense!

Hi malware fighters,

As additional information to this thread here: http://forum.avast.com/index.php?topic=27279.0 (thanks, Charley, for the heads-up), I present the following:

Jikto is a web application vulnerability scanner that silently audits public websites and sends the results to a third party. The software can be embedded on a hacker’s site, but can also be placed on trusted sites via cross-site scripting.

The major part of a hacking job is gathering information on a certain website. An attacker can let this task be performed by a large number of users. As an added benefit, this does not lead back to the malcreant’s identity, because the scanning is done by individuals who are unaware of the fact that they are infected with Jikto.

Users have no defense against Jikto and other JavaScript-based threats (so better install NoScript, my friends, says Polonus; you may have to configure it accordingly!). “I do not infect you with a Trojan or a backdoor. I won’t compromise your 'puter, and that makes all this so dangerous. Anti-virus won’t help you there”, says Hoffman, the developer of the zombie tool.

Jikto works by exploiting an XSS flaw on a given Web site and then silently installing itself on a user’s PC. It can then operate in one of two modes. In one mode, Jikto crawls a specific Web site in much the same way that a Web application scanner would, looking for common vulnerabilities, such as XSS or SQL injection. It then reports the results to whatever machine is controlling it.
In the other mode Jikto calls home to the controlling PC and tells it that it has installed itself on a new machine, and then awaits further instructions from the controller.

Jikto’s master controller has the ability to keep track of which infected machines are online and active at any given time, enabling an attacker to wait until a PC is idle before sending instructions to a bot. This could help the attacker avoid alerting the user of the infected machine to Jikto’s presence. All of this is done in pure JavaScript and, Hoffman said, helped along by the huge explosion in the number of AJAX-based applications on the Web in the last year or so. AJAX gives users—and attackers—direct access to the APIs in a Web application, which can be quite useful if you’re trying to send malicious commands to back-end applications.

What does the forum think about being the unknown victims of a “beneficial” or whatever zombie ring?

polonus
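The post above says Jikto reaches trusted sites through cross-site scripting. The standard defensive counterpart on the site's side is output encoding of anything reflected into a page. The following is an added example, not code from the thread or from Jikto, showing a minimal HTML escaper and a search-results page rendered once without and once with it; `renderSearchPage`, `SAMPLE_QUERY` and the helper names are my own, and the sample query is a constructed string, not taken from any real site.

```javascript
// Added example (not from the original thread): server-side output encoding,
// the usual mitigation for the reflected-XSS vector described in the post.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a results page; the untrusted `query` is reflected into the HTML body.
// With escape=false this is the vulnerable form, with escape=true the hardened one.
function renderSearchPage(query, escape) {
  const shown = escape ? escapeHtml(query) : query;
  return `<html><body><p>Results for: ${shown}</p></body></html>`;
}

// Constructed sample input: a query string carrying markup, as a hostile client would send.
const SAMPLE_QUERY = '<script src="https://example.invalid/x.js"></script>';

// Detection helper used to show the difference: does the rendered page contain a live script tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

function demoEscaping() {
  const unsafe = renderSearchPage(SAMPLE_QUERY, false);
  const safe = renderSearchPage(SAMPLE_QUERY, true);
  return {
    unsafeHasScript: containsScriptTag(unsafe), // true: markup lands in the page as-is
    safeHasScript: containsScriptTag(safe),     // false: it is rendered as inert text
    safe,
  };
}

console.log(demoEscaping());
```

Escaping at the point where data is written into HTML is what stops injected markup from becoming executable; the same data must be re-encoded differently if it is later placed inside a URL or a script block.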

Hi malware fighters,

The tool has been downloaded a thousand times, so we are going to see some (mis-)use of it. Polonus also could get to the source code of the JavaScript hacktool JIKTO. Want an interesting read and some slides? See:
http://www.spidynamics.com/spilabs/education/presentations/Javascript_malware.pdf

JavaScript, cross-site scripting, the appearance of Web 2.0, AJAX: it all coincides at the right time. Is there really a coincidence, my malware fighting friends?

polonus

Hey polonus, Steve Gibson did a Security Now episode on JIKTO; it’s a good listen.

http://www.twit.tv/sn85

Hi marc57,

Very entertaining, indeed. Listen more often to what Steve Gibson has to report. Do you realize how dangerous malicious JavaScript is with the new interactivity of Ajax and Web 2.0? That is why I brought HttpCookieOnly into Firefox or Flock (the add-on is there, but the regular users of Firefox have to wait until 3.0, when it is being brought in, while IE has had it for quite some time now). Therefore NoScript is a must nowadays for every Mozilla-type browser.
Pre-scanning links (DrWeb’s hyperlink scanner extension and SiteAdvisor or TrustWatch) is no longer optional, but to me is a normal part of searching and working a browser.
What havoc do you think embedded JavaScript scanners and a combination of weak CGI lists could wreak on a system? Just a tool like Intellitamper with a specially crafted dictionary could deliver more than the ‘curious’ could hope for. Interactivity works two ways & certainly helps the clever malcreant with his or her devious ways…

polonus
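The HttpOnly cookie attribute polonus refers to above (as "HttpCookieOnly") keeps a cookie out of reach of `document.cookie`, so script running in the page, injected or not, cannot read it. A site operator can check their own responses for it. The following is an added example, not code from the thread or from any browser or add-on: a small parser for `Set-Cookie` header lines and an audit that flags session-looking cookies missing HttpOnly or Secure. The function names, the `SENSITIVE_NAME` heuristic and the sample header lines are all my own constructions.

```javascript
// Added example (not part of the thread): audit Set-Cookie headers for the
// HttpOnly and Secure attributes that limit what script in the page can reach.

// Parse one Set-Cookie header line into its name and attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1); // flag attributes have no value
  }
  return { name, httpOnly: 'httponly' in attributes, secure: 'secure' in attributes, attributes };
}

// Heuristic (my assumption): names that look like session or auth tokens are the
// ones that must never be readable from script or sent over plain HTTP.
const SENSITIVE_NAME = /sess|sid|auth|token|login/i;

// Return one finding per missing attribute on a sensitive cookie.
function auditCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!SENSITIVE_NAME.test(c.name)) continue;
    if (!c.httpOnly) findings.push({ name: c.name, issue: 'missing HttpOnly' });
    if (!c.secure) findings.push({ name: c.name, issue: 'missing Secure' });
  }
  return findings;
}

// Constructed sample response headers (not captured from any real site).
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/',                         // session cookie, no protection
  'auth_token=xyz; Path=/; Secure; HttpOnly',         // hardened form
  'theme=dark; Path=/; Max-Age=31536000',             // preference cookie, not sensitive
];

function demoCookieAudit() {
  return auditCookies(SAMPLE_HEADERS);
}

console.log(demoCookieAudit());
```

Run against the headers a real application emits, this points at exactly the cookies an injected script could otherwise harvest; it does not replace fixing the injection point itself, since script in the page can still act on the user's behalf even when it cannot read the cookie.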

Hi malware fighters,

A nice description of the ways JavaScript can be used maliciously can be read here:
http://www.gnucitizen.org/blog/javascript-remoting-dangers

When you read this, you realize Pandora’s box has been opened. If the man could put Jikto together in 10 hrs, and the code has escaped, what do you think the malcreants can put together in 10 days?
There is a lot of nastiness coming down the pipeline, friends,

polonus

Guess we will have to be more careful than ever. Times have changed on the Internet for sure.