Cross-platform droneware: Bots written in JavaScript.

29 March 2007

Billy Hoffman of the security outfit SPI Dynamics unveiled the fruits of his research at Shmoocon last weekend (which I'm still miffed about not being able to attend): botnet software written in JavaScript that runs in any modern web browser. His prototype bot agent is called Jikto. It starts executing as soon as the victim views a malicious web page or e-mail message, then scans websites for cross-site scripting vulnerabilities as the user browses, and periodically phones home with the vulnerable URLs and the details of each hole. Since the only requirement is a JavaScript-capable browser, even Net-capable cellphones can unwittingly be turned into botnet members.
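To make the mechanism concrete, here is the core check such an agent has to make, as an added example written for this post (it is not Jikto's code, which was never released). A canary containing characters that must be escaped is put into a query parameter; if the page echoes it back verbatim, that parameter is a reflected-XSS candidate, and those are the findings an agent would phone home. The target site, the URLs and the parameter name are constructed stand-ins so the whole thing runs offline; in a real browser the same-origin policy stops script from reading cross-site responses, so a working agent needs some way around that, which is simulated away here.

```javascript
// Added example (not Jikto's code): the core check a browser-side XSS scanner
// has to make. A unique canary containing '<' and '"' is placed in a query
// parameter; if the page echoes it back unescaped, that parameter is a
// reflected-XSS candidate worth reporting. The "server" below is a
// constructed stand-in so the example runs offline.

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Put the canary into the named query parameter of a target URL.
function buildProbeUrl(baseUrl, param, canary) {
  const u = new URL(baseUrl);
  u.searchParams.set(param, canary);   // percent-encodes the canary for us
  return u.toString();
}

// How did the response treat the canary?
//   "reflected-raw"     -> echoed verbatim, '<' and '"' intact: XSS candidate
//   "reflected-escaped" -> echoed, but HTML-escaped: not exploitable this way
//   "not-reflected"     -> the parameter does not reach the page at all
function classifyReflection(body, canary) {
  if (body.includes(canary)) return "reflected-raw";
  if (body.includes(escapeHtml(canary))) return "reflected-escaped";
  return "not-reflected";
}

// Probe each (url, param) pair and collect what an agent would phone home:
// only the raw reflections, with the probe URL that triggered them.
function scanTargets(targets, fetchBody, canary) {
  const findings = [];
  for (const { url, param } of targets) {
    const probe = buildProbeUrl(url, param, canary);
    const verdict = classifyReflection(fetchBody(probe), canary);
    if (verdict === "reflected-raw") findings.push({ url, param, probe });
  }
  return findings;
}

// Constructed stand-in for the sites being scanned. A browser agent cannot
// read cross-origin responses directly (same-origin policy), so a real
// scanner needs some way around that; the fetch is simulated here instead.
function fakeServer(url) {
  const u = new URL(url);
  const q = u.searchParams.get("q") || "";   // decoded, as a server would
  switch (u.pathname) {
    case "/search": return `<h1>Results for ${q}</h1>`;          // vulnerable
    case "/echo":   return `<p>You said: ${escapeHtml(q)}</p>`;  // escaped
    default:        return "<p>Nothing to see here</p>";         // ignores q
  }
}

const CANARY = 'zq9"<zq9>';   // unlikely to occur naturally; has '<' and '"'

// Constructed targets; example.test is a reserved name that resolves nowhere.
const SAMPLE_TARGETS = [
  { url: "http://example.test/search", param: "q" },
  { url: "http://example.test/echo",   param: "q" },
  { url: "http://example.test/about",  param: "q" },
];

function runDemo() {
  return scanTargets(SAMPLE_TARGETS, fakeServer, CANARY);
}

console.log(runDemo());
```

Only /search shows up in the findings: /echo reflects the canary too, but HTML-escaped, which is exactly the distinction a scanner has to make before it wastes a report on a false positive.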

JavaScript can be dropped in almost anywhere on the web: comments in a weblog can carry JavaScript unless the engine strips or escapes user-supplied HTML, HTML e-mail and newsgroup posts can contain live script (though most mail clients now refuse to run it), and a compromised website can silently have script injected into its pages. All of these tactics have been spotted in use in the wild.
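The "JS scrubber" point deserves a worked illustration, added here rather than taken from the post or from any particular weblog engine: a scrubber that merely deletes script tags is trivially bypassed, because script can ride in on event-handler attributes and javascript: URLs, and because deleting tags can reassemble a tag out of the pieces around them. The comments are constructed, and the allowlist sanitizer is one reasonable approach, not the only one.

```javascript
// Added example (not from the post): why a regex "JS scrubber" on weblog
// comments is not enough, and what to do instead. Comments are constructed.

// Naive scrubber: delete <script> and </script> tags and call it a day.
function naiveScrub(html) {
  return html.replace(/<\/?script\b[^>]*>/gi, "");
}

// Rough check for script-capable markup: a script tag, an on* event-handler
// attribute inside a tag, or a javascript: URL inside a tag. Escaped text
// has no '<', so it never trips this.
function hasScriptVector(html) {
  return /<script\b/i.test(html)
      || /<[^>]*\son\w+\s*=/i.test(html)
      || /<[^>]*javascript:/i.test(html);
}

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Allowlist approach: escape everything the commenter typed, then re-enable
// a handful of inert formatting tags with no attributes. Anything not on
// the list, including every attribute, stays as harmless text.
function sanitizeComment(text) {
  return escapeHtml(text).replace(/&lt;(\/?)(b|i|em|strong)&gt;/g, "<$1$2>");
}

const CONSTRUCTED_COMMENTS = [
  "<scr<script>ipt>alert(1)</scr</script>ipt>",  // tag deletion reassembles <script>
  '<img src=x onerror="alert(1)">',               // no <script> tag at all
  '<a href="javascript:alert(1)">click</a>',      // URL scheme, not a tag
  "Nice <b>post</b>!",                            // legitimate formatting
];

// Run every comment through both scrubbers and record whether script-capable
// markup survives each one.
function compare() {
  return CONSTRUCTED_COMMENTS.map((c) => ({
    input: c,
    naive: naiveScrub(c),
    naiveStillDangerous: hasScriptVector(naiveScrub(c)),
    safe: sanitizeComment(c),
    safeStillDangerous: hasScriptVector(sanitizeComment(c)),
  }));
}

console.log(compare());
```

The first comment is the instructive one: after the naive scrubber removes the inner `<script>` and `</script>`, the remaining fragments join up into `<script>alert(1)</script>`, so a scrubber that deletes rather than escapes has to loop until nothing changes, and even then it only catches the one tag it knows about.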

There is also no reason a JavaScript malware agent has to limit itself to scanning for XSS vulnerabilities as the user browses the Net. JS is a very flexible language, and someone, sometime, will find other things to do with it: flooding a website with requests from thousands of browsers at once is just the beginning.

Hoffman changed his plans at the last moment and did not release the source code to Jikto at Shmoocon, because it would have been abused almost immediately. When interviewed later, Hoffman was quoted as saying "I'm not that smart a guy. If I'm talking about it at a conference, you better believe somebody else has figured it out. Those people have not told people about it."

Given some of the stuff I've heard coming out of Europe lately, I'm inclined to think that he's right.