Perimeter

7/27/2012
02:40 AM

JavaScript Botnet Sheds Light On Criminal Activity

A security research group uses cached JavaScript to control computers connecting to a malicious proxy, gaining intelligence on fraudsters and criminals

BLACK HAT USA 2012 -- Las Vegas -- Two researchers from Madrid-based security consultancy Informatica64 used a JavaScript Trojan horse to take control of computers using an untrusted proxy, gaining intelligence on a variety of underground criminal activity, from Nigerian spammers to dating-site scammers to Web-site defacers.

In a presentation at the Black Hat security conference on Wednesday, security consultant Chema Alonso demonstrated a legally questionable technique for eavesdropping on people's activities, or building a botnet, by replacing a JavaScript file in the browser's cache with an attacker-controlled copy. To get the poisoned JavaScript file into victims' browsers, Alonso and a colleague set up an anonymous proxy server and then published its Internet address on a proxy forum.

In a single day, more than 4,000 computers had connected to the proxy server and had the poisoned JavaScript file in their browser caches. Using the JavaScript Trojan horse, the group started collecting cookies and Web site credentials.

"In one day, we were able to get over 4,000 bots -- in one day," Alonso said. "No pay-per install, no paying anyone to create the exploit."

The researchers found a variety of low-level criminals using their proxy server: fraudsters posing as British immigration officials offering work permits in hopes of stealing money and sensitive documents from their victims; a man pretending to be a pretty woman on a number of dating sites to con victims into sending money for a plane ticket; and another fraudster selling nonexistent Yorkshire Terriers.

While other man-in-the-middle attacks can capture only data sent in the clear, JavaScript running inside the victim's browser gave the researchers access to data that would otherwise be protected in transit by the Secure Sockets Layer (SSL) protocol.

The technique could be used to target specific Web sites by gathering information on the JavaScript files on the targeted site. By replacing one of the JavaScript files with a malicious version via the proxy server, the attacker can tailor attacks for specific sites, he said.

Alonso acknowledges that the technique may be legally questionable. While he published a privacy warning and legal disclaimer on the proxy site, he said you have to be careful where you set up the proxy server.

"It is better to search for servers in countries without law," he said.

It is very likely that companies and governments are already using this technique to eavesdrop on criminal activity, Alonso said.

"If we were able to collect that amount of data in only one day doing nothing, two small JavaScript files, how many governments are doing the same on the Internet? How many intelligence agencies are doing the same on the Internet?"

Alonso recommended that anyone using anonymous proxies, or even the Tor network, use only servers they trust. In addition, privacy-sensitive people should regularly clear the browser cache. "The cache is not your friend," he said.
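The poisoning described above leaves two fingerprints on a script response: a body that differs from what the origin serves, and caching headers extended so the file outlives the proxy session. The following check, an added example that is not the researchers' code, compares one script URL fetched directly and through a proxy; the responses, the 30-day threshold and the header formats are constructed assumptions for illustration.

```python
import hashlib
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

LONG_LIVED = 30 * 86400  # assumed threshold: freshness beyond 30 days is suspicious for a script

def body_digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def freshness_seconds(headers: dict, now: datetime) -> int:
    """Seconds a browser may reuse the response without revalidating (max-age wins over Expires)."""
    cc = headers.get("Cache-Control", "")
    m = re.search(r"max-age=(\d+)", cc)
    if m:
        return int(m.group(1))
    if "no-store" in cc or "no-cache" in cc:
        return 0
    expires = headers.get("Expires")
    if not expires:
        return 0
    try:
        return max(0, int((parsedate_to_datetime(expires) - now).total_seconds()))
    except (TypeError, ValueError):
        return 0  # an unparsable Expires header is treated as already stale

def compare(direct: dict, via_proxy: dict, now: datetime) -> dict:
    """Compare the same script URL fetched from the origin and through the proxy."""
    fresh_direct = freshness_seconds(direct["headers"], now)
    fresh_proxy = freshness_seconds(via_proxy["headers"], now)
    modified = body_digest(direct["body"]) != body_digest(via_proxy["body"])
    return {
        "body_modified": modified,
        "freshness_direct": fresh_direct,
        "freshness_proxy": fresh_proxy,
        "cache_pinned": fresh_proxy > LONG_LIVED and fresh_proxy > fresh_direct,
        # altered body plus extended caching: the file would outlive the proxy session
        "poisoned": modified and fresh_proxy > fresh_direct,
    }

# Constructed sample: one response from the origin, one for the same URL via the proxy.
NOW = datetime(2012, 7, 27, tzinfo=timezone.utc)
ORIGINAL_JS = b"function track(){/* site analytics */}\n"
DIRECT = {"headers": {"Cache-Control": "max-age=3600"}, "body": ORIGINAL_JS}
VIA_PROXY = {"headers": {"Expires": "Thu, 31 Dec 2037 23:59:59 GMT"},
             "body": b"/* extra code prepended by the proxy */\n" + ORIGINAL_JS}

if __name__ == "__main__":
    print(compare(DIRECT, VIA_PROXY, NOW))
```

A hash mismatch alone can be a legitimate CDN rewrite; it is the combination with caching far beyond what the origin sets that matches the pattern in the article.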
