Jikto: the JavaScript-based threat
Wednesday, 21 March 2007

Do you know Jikto? It is a new tool written in JavaScript that cyber crooks could run inside the browsers of unwitting users, making their PCs carry out illegal activity without ever taking over the machines themselves.

"This is going to drastically change the scope of evil things you can do with JavaScript," said Jikto's creator Billy Hoffman, a researcher at the Web security firm SPI Dynamics.

"Jikto turns any PC into my little drone. Your PC will start attacking Web sites on my behalf, and you're going to give me all the results."

The tool is due to be released later this week at ShmooCon, the annual East Coast hacker convention held in Washington D.C.

Jikto is a Web application vulnerability scanner that, according to Hoffman, can be embedded in an attacker's own website or injected into trusted sites through cross-site scripting flaws. Once it is loaded, it silently probes and audits whatever website it is pointed at and sends the results back to the attacker who deployed it.

Jikto and similar tools could be used to find holes in online systems and so make cyber-criminals' work easier. The main difference between Jikto and earlier tools is that it runs inside a Web browser and spreads the bug-hunting work across many PCs, whereas the others were conventional applications run from the attacker's own machine.

Moreover, as CNET reported: "Jikto can hunt for various common security holes and can connect back to its controller for instructions on which Web sites to hit and what flaws to look for, Hoffman said.

For example, it could be programmed to scan major banking Web sites for SQL injection vulnerabilities. Such vulnerabilities could be serious and open databases to attack."

The tool shows how JavaScript can be turned to malicious use. Because it is plain JavaScript, Jikto runs in most web browsers without any warning and without leaving a persistent trace on the visitor's machine: a web surfer who lands on a page carrying Jikto may never realize what is going on, since the tool keeps running for as long as the browser stays open and disappears as soon as it is closed. One caveat to keep in mind is that a script running in a web page is bound by the browser's same-origin policy, so reading responses from arbitrary third-party sites takes more than an ordinary cross-site request.

On the other hand, JavaScript-based tools are much slower than traditional vulnerability scanners. Moreover, as Fyodor Vaskovich, creator of the Nmap Security Scanner, put it: "Hiding the attacker and distributing the scanning can be useful, but the reality is that attackers can generally scan pretty widely with impunity, or they just use a chain of proxies."

The scariest aspect of Jikto and other JavaScript-based threats is that they do not attack the machine they run on, so antivirus software, which looks for code that compromises the host, will not detect them.
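Where a scanner of this kind does leave a trace is in the logs of the sites it probes, not on the drone. The following is an added example, not code from Jikto, SPI Dynamics or Zone-H: a Node.js script that reads constructed lines in combined access-log format, flags query strings that look like the SQL injection probes the CNET passage above describes, and reports a probe pattern as distributed when the same pattern against the same path arrives from several unrelated client addresses. The Referer values it collects are where a defender would start looking for the page hosting the script. The hosts, addresses, user agents, thresholds and the short pattern list are all assumptions made for the example.

```javascript
// Added example, not code from Jikto, SPI Dynamics or Zone-H.
// A browser-hosted scanner leaves nothing on the drone's disk, but every
// probe it sends lands in the TARGET site's access log, attributed to the
// drone's address. Seen from the target, such a run looks like the same
// injection payload arriving from many unrelated client IPs, each with a
// browser User-Agent, often sharing a Referer: the page carrying the script.
// This script looks for exactly that shape in combined-format access logs.

// Constructed sample lines (Apache/nginx "combined" format). Hosts, addresses,
// paths and user agents are invented for the example.
const SAMPLE_LOG = [
  // the same probe from three unrelated browsers, all referred by one forum page
  '203.0.113.10 - - [21/Mar/2007:10:01:02 +0000] "GET /account?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 500 312 "http://forum.example/thread?id=42" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.3"',
  '198.51.100.7 - - [21/Mar/2007:10:01:05 +0000] "GET /account?id=7%27%20OR%20%271%27=%271 HTTP/1.1" 500 312 "http://forum.example/thread?id=42" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
  '192.0.2.55 - - [21/Mar/2007:10:01:09 +0000] "GET /account?id=3%27%20OR%20%271%27=%271 HTTP/1.1" 500 312 "http://forum.example/thread?id=42" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X) Safari/419.3"',
  // a conventional single-host scanner: similar probes, one source, no Referer
  '192.0.2.200 - - [21/Mar/2007:10:02:00 +0000] "GET /search?q=x%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 1024 "-" "sqlprobe/1.0"',
  '192.0.2.200 - - [21/Mar/2007:10:02:01 +0000] "GET /search?q=x%27%20UNION%20SELECT%201,2,3,4-- HTTP/1.1" 200 1024 "-" "sqlprobe/1.0"',
  // ordinary traffic, and a malformed line that the parser must skip
  '203.0.113.77 - - [21/Mar/2007:10:03:00 +0000] "GET /search?q=shoes HTTP/1.1" 200 2048 "http://www.example/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.3"',
  'not a log line at all',
];

// ip ident user [time] "method target protocol" status bytes "referer" "user-agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

// Parses one combined-format line; returns null for anything that does not fit.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status, , referer, userAgent] = m;
  const q = target.indexOf('?');
  return {
    ip,
    time,
    method,
    path: q === -1 ? target : target.slice(0, q),
    query: q === -1 ? '' : target.slice(q + 1),
    status: Number(status),
    referer: referer === '-' ? null : referer,
    userAgent,
  };
}

// Coarse SQL injection probe signatures, checked against the decoded query
// string. Heuristics for illustration only; a real deployment would rely on
// a maintained WAF ruleset rather than this short list.
const PROBE_PATTERNS = [
  { name: 'quote-or-tautology', re: /'\s*(or|and)\s*'?[^']*'?\s*=/i },
  { name: 'union-select', re: /union(\s|\/\*.*?\*\/)+(all\s+)?select/i },
  { name: 'stacked-query', re: /;\s*(drop|insert|update|delete|exec)\b/i },
  { name: 'comment-terminator', re: /(--|\/\*)\s*$/ },
];

function safeDecode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return s; // malformed percent-encoding: inspect the raw form instead
  }
}

// Returns the name of the first matching probe pattern, or null for a clean query.
function classifyProbe(query) {
  const decoded = safeDecode(query);
  const hit = PROBE_PATTERNS.find((p) => p.re.test(decoded));
  return hit ? hit.name : null;
}

// Groups probes by (path, pattern) and reports the groups seen from at least
// minSources distinct client addresses. A lone scanner fails that test; a
// crowd of browsers running the same injected script passes it.
function findDistributedProbes(lines, minSources = 3) {
  const groups = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const probe = classifyProbe(rec.query);
    if (!probe) continue;
    const key = `${rec.path} ${probe}`;
    if (!groups.has(key)) {
      groups.set(key, { path: rec.path, probe, hits: 0, ips: new Set(), referers: new Set(), userAgents: new Set() });
    }
    const g = groups.get(key);
    g.hits += 1;
    g.ips.add(rec.ip);
    g.userAgents.add(rec.userAgent);
    if (rec.referer) g.referers.add(rec.referer);
  }
  return [...groups.values()]
    .filter((g) => g.ips.size >= minSources)
    .map((g) => ({
      path: g.path,
      probe: g.probe,
      hits: g.hits,
      sources: g.ips.size,
      distinctUserAgents: g.userAgents.size,
      referers: [...g.referers].sort(), // candidate pages hosting the script
    }));
}

console.log(JSON.stringify(findDistributedProbes(SAMPLE_LOG), null, 2));
```

Run against the sample, the single-host scanner on /search is recognised as a probe but dropped by the distinct-source threshold, while the three browsers hitting /account with one referring page come out as a single distributed campaign. In practice the threshold and time window need tuning per site, and a shared Referer is a strong hint rather than proof, since the drone's browser may strip or omit it.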

Jikto's current version only crawls and detects vulnerabilities, but the next version, which could be presented this summer at the Black Hat security conference in Las Vegas, is designed to exploit the vulnerabilities it finds and extract data.


Comments Index (Total Messages: 1)
Jikto info from Billy Hoffman's blog Written by brianc on 2007-03-23 00:45:33
