SPI Dynamics creates script-based, self-propagating website vulnerability scanner

News by Dan Kaplan

A security researcher on Saturday is set to unveil the first website-scanning script, a tool which allows attackers to gain control of infected users' web browsers and drastically reduce the time it takes to search the web for vulnerabilities.

A security researcher on Saturday is set to unveil the first website-scanning script, a tool which allows attackers to gain control of infected users' web browsers and drastically reduce the time it takes to search the web for vulnerabilities.

Billy Hoffman, lead research engineer at Atlanta-based SPI Dynamics, will show off the proof-of-concept creation during his talk, "JavaScript Malware for a Gray Goo Tomorrow," at the Shmoocon hacker conference in Washington, D.C.

He told SCMagazine.com today that the scanning tool - named Jikto - works so that if a user stumbles on a website running the malicious JavaScript, his browser would become infected. The hacker would assume control of the browser and use it to quickly scan for vulnerabilities on other websites.

While it might have taken days and weeks for attackers to troll banking and other popular websites for cross-site scripting (XSS) and SQL vulnerabilities, now would only take "a couple of hours because they just got hundreds of people around the country to do it for them," Hoffman said.

"If someone uses this type of technology, it increases the damage that can be done with a cross-site scripting vulnerability," he said. "The majority of the population is unaware you can do web vulnerability scanning with a script… [But] attackers probably are already starting to write a complicated application like this to use in the next MySpace or other big attack."

Hoffman said he plans to spend half of his discussion reminding the audience how serious XSS vulnerabilities have become with the advent of Web 2.0 technology.

"The ability of JavaScript has expanded," he said, "but the problem is the developers tend to be two to three years behind where security people are."

The burden falls on website developers to properly code their pages, Hoffman said. The end-user cannot do much because traditional defenses ,such as anti-virus (AV) solutions, will not defend against malware with no signatures. And solutions that focus on behavior blocking also face obstacles.

"JavaScript has the ability to rewrite the code while it’s running," he said. "It’s very dynamic. It’s very difficult to have signature-based JavaScript protection."

In a November AV Comparatives test of 15 anti-virus products, only four companies picked up 25 percent or more of new script malware samples.

Andrew Storms, director of security for nCircle, said anti-virus vendors cannot protect against the malware Hoffman is revealing.

"As of today, no vendor has gone on the record saying they have malware detection for this type of tool," Storms said. "Many web-based applications require JavaScript, so the most straightforward workaround of disabling JavaScript will significantly impact business productivity and is not an option for many enterprises."

Click here to email reporter Dan Kaplan.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events