Incident Response, TDR, Vulnerability Management

Web 2.0: Attack of the JavaScript malware

Imagine you are sitting in front of your computer and all of a sudden you hear weird sounds coming from your hard drive. You think, “what happened?” At first glance nothing -- but your browser is open and you don't remember any backup applications being active. Why is your hard drive working so hard? You ponder it and then wave it off, thinking it's probably just some index process running in the background.

A couple of minutes later, when it doesn't stop, you really get paranoid and recall that you don't have a backup plan. Besides, what sort of index process runs in the middle of the day anyway? Quickly you launch your task manager. After going over the processes one by one, you come to the conclusion that nothing unusual seems to be happening. The only message you get from your anti-virus is an old warning about a copy of netcat you stored on your hard disk from way back when.  By now you're pretty much convinced it's nothing and the sounds have disappeared, so it couldn't be anything serious, right?

The root of all evil
Browsers are competing with operating systems as the next application development platform. The rapid development of Web 2.0 keeps pushing browser developers toward implementing advanced features that would enable the creation of a new user experience with features such as personalization and customization using interactive multimedia applications. This sets the grounds for a fertile environment in which a new breed of malware can come to life.

Myth or truth?
Javascript first appeared in 1995, and it's one of the most popular client-side scripting languages today, implemented in virtually every browser without the need of third party plug-ins or additional software. By now, most security issues involved have been disclosed -- and true malware has never succeeded in thriving, due to "language barriers." The integration of AJAX has changed the situation. For example, the combination of a legacy function, a Web 2.0 feature and a simple design flaw led to the birth of Jinx, a true piece of Web 2.0 malware. It can index hard drives and send files out while an unsuspecting victim is surfing websites, and those are only some of its nefarious capabilities.

Is there more to it?
What is worth implementing in such malware? The answer is the LAN-to-WAN bridging attack.

Tab browsing, which is supported by both Microsoft IE 7.0 and Mozilla Firefox Internet browsers, opens the way for LAN-to-WAN bridging. It's common for company employees to open one tab connecting to, say, the enterprise ERP application while the other tab shows an external web page. This can be exploited by malware that acts as a "proxy" between the organization's intranet and the outside internet. This means that information and resources can be browsed, manipulated and exported thanks to cached passwords, saved session identifiers and cookies.

The strength of malware based on Web 2.0 technology is its obliviousness to the underlying operating system and architecture on which it is running. It can be implemented through a series of standard API calls and, like a real Web 2.0 application, uses the HTTP protocol as its main channel of communication and information leakage, inheriting the browser's footprint to minimize anomalies transmitted over the network. The potential of such malware is tremendous.

Who's filtering Google?
The Achilles' heel of every piece of malware that "phones home" is its static "drop points" and communication servers upon which it relies. Over time, these IPs typically will be revealed and eventually be blocked, leaving the malware isolated from receiving further commands or transferring new information.

The popularity of AJAX and its support from well-known portals such as Google, has made it possible for simple javascript code to submit a query and receive responses. This might not sound alarming, but it actually enables malware to synchronize itself through search engines using regular keywords. This would return a result group of websites in which, after simple enumeration, would bring up a "random" control site, marked by a unique watermark or subtext invisible to the naked eye -- from which the malware could find further commands.

With the momentum of Web 2.0 and the changes it portends, the old myth of impossible javascript malware has been busted. This is the evolutionary cycle of every new technology, and with it comes new threats and problems.

Itzik Kotler will present “Jinx – Malware 2.0” at Black Hat USA." The presentation discusses how the rapid development of Web 2.0 keeps pushing browser developers into implementing advanced features that allow the creation of interactive multimedia applications, enabling a new breed of malware to come to life.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.