Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

7/27/2012
02:40 AM
50%
50%

JavaScript Botnet Sheds Light On Criminal Activity

A security research group uses cached JavaScript to control computers connecting to a malicious proxy, gaining intelligence on fraudsters and criminals

BLACK HAT USA 2012 -- Las Vegas -- Two researchers from Madrid-based security consultancy Informatica64 used a JavaScript Trojan horse to take control of computers using an untrusted proxy, gaining intelligence on a variety of underground criminal activity, from Nigerian spammers to dating-site scammers to Web-site defacers.

Click here for more of Dark Reading's Black Hat articles.

In a presentation at the Black Hat security conference on Wednesday, security consultant Chema Alonso demonstrated a legally questionable technique to eavesdrop on the activities of people, or create a botnet, by replacing cached JavaScript with an attacker's copy. To inject the JavaScript file into a victim's browser, Alonso and a colleague set up an anonymous proxy server and then published its Internet address on a proxy forum.

In a single day, more than 4,000 computers had connected to the proxy server and had the poisoned JavaScript file in their browser caches. Using the JavaScript Trojan horse, the group started collecting cookies and Web site credentials.

"In one day, we were able to get over 4,000 bots -- in one day," Alonso said. "No pay-per install, no paying anyone to create the exploit."

The researchers found a variety of low-level criminals using their proxy server: fraudsters posing as British immigration officials offering work permits in hopes of stealing money and sensitive documents from their victims; a man pretending to be a pretty woman on a number of dating sites to con victims into sending money for a plane ticket; and another fraudster selling nonexistent Yorkshire Terriers.

[ Using JavaScript and cross-site request forgery, two researchers plan to show it's possible to attack routers leveraging computers on the internal network. See Advanced JavaScript Attack Threatens SOHO Routers .]

While other man-in-the-middle attacks could capture data communicated in the clear, by using JavaScript the security researchers could gain access to data that would otherwise be encrypted using the secure sockets layer (SSL) protocol.

The technique could be used to target specific Web sites by gathering information on the JavaScript files on the targeted site. By replacing one of the JavaScript files with a malicious version via the proxy server, the attacker can tailor attacks for specific sites, he said.

Alonso acknowledges that the technique may be legally questionable. While he published a privacy warning and legal disclaimer on the proxy site, he said you have to be careful where you set up the proxy server.

"It is better to search for servers in countries without law," he said.

It is very likely that companies and governments are already using this technique to eavesdrop on criminal activity, Alonso said.

"If we were able to collect that amount of data in only one day doing nothing, two small JavaScript files, how many governments are doing the same on the Internet? How many intelligence agencies are doing the same on the Internet?"

Alonso recommended that anyone who is using anonymous proxies or even the Tor network to only use servers that they trust. In addition, privacy-sensitive people should regularly clear the browser cache. "The cache is not your friend," he said.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5595
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a buffer overflow vulnerability, which may allow a remote attacker to stop the network functions of the products or execute...
CVE-2020-5596
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) does not properly manage sessions, which may allow a remote attacker to stop the network functions of the products or execute a mali...
CVE-2020-5597
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a null pointer dereference vulnerability, which may allow a remote attacker to stop the network functions of the products o...
CVE-2020-5598
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper access control vulnerability, which may which may allow a remote attacker tobypass access restriction and stop ...
CVE-2020-5599
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability, which may allow a remo...