Analytics // Threat Intelligence
7/27/2012
02:40 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

JavaScript Botnet Sheds Light On Criminal Activity

A security research group uses cached JavaScript to control computers connecting to a malicious proxy, gaining intelligence on fraudsters and criminals

BLACK HAT USA 2012 -- Las Vegas -- Two researchers from Madrid-based security consultancy Informatica64 used a JavaScript Trojan horse to take control of computers using an untrusted proxy, gaining intelligence on a variety of underground criminal activity, from Nigerian spammers to dating-site scammers to Web-site defacers.

Click here for more of Dark Reading's Black Hat articles.

In a presentation at the Black Hat security conference on Wednesday, security consultant Chema Alonso demonstrated a legally questionable technique to eavesdrop on the activities of people, or create a botnet, by replacing cached JavaScript with an attacker's copy. To inject the JavaScript file into a victim's browser, Alonso and a colleague set up an anonymous proxy server and then published its Internet address on a proxy forum.

In a single day, more than 4,000 computers had connected to the proxy server and had the poisoned JavaScript file in their browser caches. Using the JavaScript Trojan horse, the group started collecting cookies and Web site credentials.

"In one day, we were able to get over 4,000 bots -- in one day," Alonso said. "No pay-per install, no paying anyone to create the exploit."

The researchers found a variety of low-level criminals using their proxy server: fraudsters posing as British immigration officials offering work permits in hopes of stealing money and sensitive documents from their victims; a man pretending to be a pretty woman on a number of dating sites to con victims into sending money for a plane ticket; and another fraudster selling nonexistent Yorkshire Terriers.

[ Using JavaScript and cross-site request forgery, two researchers plan to show it's possible to attack routers leveraging computers on the internal network. See Advanced JavaScript Attack Threatens SOHO Routers .]

While other man-in-the-middle attacks could capture data communicated in the clear, by using JavaScript the security researchers could gain access to data that would otherwise be encrypted using the secure sockets layer (SSL) protocol.

The technique could be used to target specific Web sites by gathering information on the JavaScript files on the targeted site. By replacing one of the JavaScript files with a malicious version via the proxy server, the attacker can tailor attacks for specific sites, he said.

Alonso acknowledges that the technique may be legally questionable. While he published a privacy warning and legal disclaimer on the proxy site, he said you have to be careful where you set up the proxy server.

"It is better to search for servers in countries without law," he said.

It is very likely that companies and governments are already using this technique to eavesdrop on criminal activity, Alonso said.

"If we were able to collect that amount of data in only one day doing nothing, two small JavaScript files, how many governments are doing the same on the Internet? How many intelligence agencies are doing the same on the Internet?"

Alonso recommended that anyone who is using anonymous proxies or even the Tor network to only use servers that they trust. In addition, privacy-sensitive people should regularly clear the browser cache. "The cache is not your friend," he said.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web