JavaScript Botnet Sheds Light On Criminal Activity

A security research group uses cached JavaScript to control computers connecting to a malicious proxy, gaining intelligence on fraudsters and criminals

Dark Reading Staff, Dark Reading

July 27, 2012

BLACK HAT USA 2012 -- Las Vegas -- Two researchers from Madrid-based security consultancy Informatica64 used a JavaScript Trojan horse to take control of computers using an untrusted proxy, gaining intelligence on a variety of underground criminal activity, from Nigerian spammers to dating-site scammers to Web-site defacers.

In a presentation at the Black Hat security conference on Wednesday, security consultant Chema Alonso demonstrated a legally questionable technique to eavesdrop on the activities of people, or create a botnet, by replacing cached JavaScript with an attacker's copy. To inject the JavaScript file into a victim's browser, Alonso and a colleague set up an anonymous proxy server and then published its Internet address on a proxy forum.

In a single day, more than 4,000 computers had connected to the proxy server and had the poisoned JavaScript file in their browser caches. Using the JavaScript Trojan horse, the group started collecting cookies and Web site credentials.

"In one day, we were able to get over 4,000 bots -- in one day," Alonso said. "No pay-per install, no paying anyone to create the exploit."

The researchers found a variety of low-level criminals using their proxy server: fraudsters posing as British immigration officials offering work permits in hopes of stealing money and sensitive documents from their victims; a man pretending to be a pretty woman on a number of dating sites to con victims into sending money for a plane ticket; and another fraudster selling nonexistent Yorkshire Terriers.

While other man-in-the-middle attacks could capture data communicated in the clear, by using JavaScript the security researchers could gain access to data that would otherwise be encrypted using the secure sockets layer (SSL) protocol.

The technique could be used to target specific Web sites by gathering information on the JavaScript files on the targeted site. By replacing one of the JavaScript files with a malicious version via the proxy server, the attacker can tailor attacks for specific sites, he said.
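A defensive check for the file-replacement scenario described above, as an added example that is not from the presentation or the original article: it pins a script to a Subresource Integrity digest and rejects a copy that was altered in transit. The script bodies are constructed samples and the function names are hypothetical.

```javascript
const crypto = require("crypto");

// Algorithms SRI defines, ranked so the strongest listed digest decides.
const STRENGTH = new Map([["sha256", 1], ["sha384", 2], ["sha512", 3]]);

// Build an SRI token such as "sha384-<base64 digest>" for a script body.
function sriDigest(body, algo = "sha384") {
  return `${algo}-${crypto.createHash(algo).update(body, "utf8").digest("base64")}`;
}

// Split an integrity attribute into {algo, value}; unknown or malformed tokens are dropped.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).map((token) => {
    const i = token.indexOf("-");
    if (i < 0) return null;
    // Anything after "?" is an option string, not part of the digest.
    return { algo: token.slice(0, i).toLowerCase(), value: token.slice(i + 1).split("?")[0] };
  }).filter((e) => e && STRENGTH.has(e.algo) && e.value);
}

// True only when the body matches a digest of the strongest algorithm listed.
// With no usable digest this fails closed, which is stricter than a browser.
function verifyScript(body, integrityAttr) {
  const entries = parseIntegrity(integrityAttr);
  if (entries.length === 0) return false;
  const best = Math.max(...entries.map((e) => STRENGTH.get(e.algo)));
  return entries.filter((e) => STRENGTH.get(e.algo) === best).some((e) => {
    const actual = crypto.createHash(e.algo).update(body, "utf8").digest();
    const expected = Buffer.from(e.value, "base64");
    return expected.length === actual.length && crypto.timingSafeEqual(actual, expected);
  });
}

// Constructed samples: the site's script, and the same script with a line appended in transit.
const ORIGINAL = 'function track(e) { console.log("click", e.type); }\n';
const TAMPERED = ORIGINAL + 'track({ type: "appended-in-transit" });\n';
const PINNED = sriDigest(ORIGINAL); // recorded from a trusted copy of the file

function demo() {
  return {
    direct: verifyScript(ORIGINAL, PINNED),
    viaProxy: verifyScript(TAMPERED, PINNED),
  };
}

console.log(demo());
```

In a page, the same digest goes in the `integrity` attribute of the `<script>` tag. It only protects when the page carrying that tag is itself delivered over a channel the proxy cannot rewrite.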

Alonso acknowledges that the technique may be legally questionable. While he published a privacy warning and legal disclaimer on the proxy site, he said you have to be careful where you set up the proxy server.

"It is better to search for servers in countries without law," he said.

It is very likely that companies and governments are already using this technique to eavesdrop on criminal activity, Alonso said.

"If we were able to collect that amount of data in only one day doing nothing, two small JavaScript files, how many governments are doing the same on the Internet? How many intelligence agencies are doing the same on the Internet?"

Alonso recommended that anyone using anonymous proxies, or even the Tor network, use only servers that they trust. In addition, privacy-sensitive people should regularly clear the browser cache. "The cache is not your friend," he said.
