JavaScript botnet code escapes ShmooCon, leaks to Web

[DLSS]

JavaScript botnet code escapes ShmooCon, leaks to Web

Fast-typing attendee has a naive moment, and then Digg kicked in

April 02, 2007 (IDG News Service) -- Software that could be used to turn a Web browser into an unwitting hacker's tool has been posted to the Internet, after it was downloaded by a quick-thinking attendee at last month's Shmoocon hacker conference.

The software, called Jikto, was written by Billy Hoffman, lead researcher at Spy Dynamics Inc. Hoffman demonstrated the code on March 24 as part of a presentation on the dangers of JavaScript malware.

Hoffman had discovered a way to write a Web vulnerability scanner in JavaScript, a Web language that can run in any browser. This technique circumvents JavaScript's security restrictions and, concerned that his Jikto code could be misused, Hoffman says he took extra steps to prevent the code from getting out.

However, in order for his demonstration to work, he had to post the Jikto code somewhere on the Internet. "Very briefly you could see the original URL of where the Jikto code got fetched," Hoffman said.

That was enough for show attendee Mike Schroll to snag a copy.

"I was sitting pretty close to the front and had my laptop out already," said Schroll, an information security consultant at Security Management Partners Inc. "The second I saw it i just started typing away."

Schroll posted the code on his Web site March 25, and submitted a link to the code on Digg.com. He removed the software several hours later at Hoffman's request.

Schroll said he posted the code because he thought it would be useful to other security professionals looking for ways to illustrate just how dangerous a scripting attack can be. "I was pretty interested in it because we do some engagements with clients where we do fake phishing sites," he said. "I wasn't trying to be nefarious or malicious."

The software was downloaded from his Web site about 100 times, Schroll said.

Over the past weekend, the code surfaced again, this time on the Sla.ckers.org online discussion forum.

With Jikto now public, security researchers worry it could be misused by criminals to scan internal networks for sensitive information, or to build a malicious botnet code. "This particular tool is designed to take control of the Web browser," said Jeremiah Grossman, chief technology officer at WhiteHat Security Inc. "It will crawl other Web sites and scan them, looking for vulnerabilities."

Hoffman was sanguine about the release of his tool, saying that criminals would probably have been able to develop something similar to his short, 800-line application.

"It's kind of a tragedy that this ended up getting released," Hoffman said. "But in reality the bad guys probably knew this and even if they didn't have it they were probably a couple of months away."

He said he's not angry at Schroll for snagging and releasing the Jikto code. "He probably did what any curious individual would have done," Hoffman said. "I really can't fault someone for being curious because that's what my job is."

article source : http://computerworld.com/action/article.do...p;intsrc=kc_top

[jool]

So I took a look at this supposedly scary code (it's just a few clicks away). I don't really see how it is so damn scary as some make it seem, it's not nice but it should be very easy to patch.

From what I can see it uses a problem with the XMLHttpRequest object to make requests to other domains, something it shouldn't be allowed to do. With that it just scans for files on a web server (.bak and other things you shouldn't have there). It is almost 900 lines of code to demonstrate something that could be shown in 10, can anyone say overkill?

If I'm too tired and reading things wrong and it isn't even doing the domain changing it is just completely pointless. Otherwise it's the result of really sloppy coding in the browsers affected and they should be ashamed of themselves.

[digip]

Does is say which browsers are affected?

[Deveant]

all

[digip]

I am sure there are ways to block it. Guess its a good thing I use Opera to with javascript turned off and only allow the sites I need to have it on for to run it.

XMLHttpRequest attacks have been around for a long time. Go to Projectip.com and they use it to determine basic settings on your pc, like wether your running java, etc. They don't use it in a malicious manner, but I am sure that this is the sort of thing people will be trying more and more once they see how easy it can be to run it. All they need is someone to make an easy interface or automate different attacks to work around safegaurds, like Metasploits payloads, and this will just be another script kiddies wet dream.

[jool]

After some sleep and some real work I took another look. The only reason someone would want to keep the code a secret is to hide how bad it is and to create a mystery about what it really does. What the stolen code does isn't very much at all, most of the fantastic things mentioned in articles about it are just possibilities which aren't in the code.

To use it against one site you would need to find a xss hole on that site in particular and the browser "infection" they talk about only lasts as long as you are on that site. You are also limited to scanning the site you've already successfully attacked.

It's possible that there are things he left out and just had the things needed for the demonstration available but still, without an actual bug in the XMLHttpRequest which allows cross domain requests this is just an awkward and slow way of scanning a website for a specific set of problems.

To summarize: XSS holes are not good since they let the attacker do what they want with the browser in the context of the attacked site and security companies do silly things to get attention.

[Darren Kitchen]

As someone who was at the conference, in the panel, and interviewed Billy Hoffman about Jikto afterwards I can say that old media has blown this out of proportion. It's not a botnet. It's a vuln scanner. When the URL for the code was displayed on the screen he at first attempted to cover it but then realized, "what the hell, moving on with the presentation". But hey it's not about the truth these days, it's about headlines and hits because thats where the ad dollars pour in. Sorry, I'm just sick of old media, i mean bad media, i mean dirty media right now. and this is the same media outlet that made the Hak5 out to be a neferious hacker group after interviewing us about the switchblade. fuck em.

anyway if you wanna see an intriguing talk with the author of jikto thats not full of bullshit tune into Hak5 episode 2x09.

[SomeoneE1se]

That because hacker's are cool and mysterious and not understood... it's a mystery and everyone loves a mystery... Remember if it bleeds it leads....

"Your computer may explode, how? Tune in tonight at ten."

[jool]

It'll be interesting to see what he really has to say, but I still think it would be very easy for him to just put up a post somewhere explaining what it is and what it isn't to clear up the obvious confusion. Instead he seems content with confirming that it is the real code and letting the mystery remain. He isn't obliged to do so but it would be the nice thing to do. It isn't only old/bad/dirty/big/etc media that have been jumping to extreme conclusions on this subject, some so called experts have been doing the same. With less confusion within the security field maybe the regular media on the outside might be able to get a story right once in a while.

[thespy]

That because hacker's are cool and mysterious and not understood... it's a mystery and everyone loves a mystery... Remember if it bleeds it leads....

"Your computer may explode, how? Tune in tonight at ten."

That's a good one, always gets the noobs following... :D