A security researcher on Saturday is set to unveil the first website-scanning script, a tool that allows attackers to gain control of infected users' web browsers and drastically reduce the time it takes to search the web for vulnerabilities.
While it might have taken days and weeks for attackers to troll banking and other popular websites for cross-site scripting (XSS) and SQL vulnerabilities, it would now take only "a couple of hours because they just got hundreds of people around the country to do it for them," Hoffman said.
"If someone uses this type of technology, it increases the damage that can be done with a cross-site scripting vulnerability," he said. "The majority of the population is unaware you can do web vulnerability scanning with a script… [But] attackers probably are already starting to write a complicated application like this to use in the next MySpace or other big attack."
Hoffman said he plans to spend half of his discussion reminding the audience how serious XSS vulnerabilities have become with the advent of Web 2.0 technology.
The burden falls on website developers to properly code their pages, Hoffman said. The end-user cannot do much because traditional defenses, such as anti-virus (AV) solutions, will not defend against malware with no signatures. And solutions that focus on behavior blocking also face obstacles.
In a November AV Comparatives test of 15 anti-virus products, only four companies picked up 25 percent or more of new script malware samples.
Andrew Storms, director of security for nCircle, said anti-virus vendors cannot protect against the malware Hoffman is revealing.
Reporter: Dan Kaplan.