Tool turns unsuspecting surfers into hacking help

That's possible with a new security tool called Jikto. The tool is written in JavaScript and can make PCs of unknowing Web surfers hunt for flaws in Web sites, said Jikto creator Billy Hoffman, a researcher at Web security firm SPI Dynamics. Hoffman, who developed the tool as a way to advance Web security, plans to release Jikto publicly later this week at the ShmooCon hacker event in Washington, D.C.

"This is going to drastically change the scope of evil things you can do with JavaScript," Hoffman said. "Jikto turns any PC into my little drone. Your PC will start attacking Web sites on my behalf, and you're going to give me all the results."

With the advent of online applications, hackers have shown increased interest in breaching Web security. Though vulnerabilities such as cross-site scripting bugs and SQL injection flaws have been around for years, such security problems are increasingly being reported and exploited.

Jikto is a Web application vulnerability scanner. It can silently crawl and audit public Web sites, and then send the results to a third party, Hoffman said. Jikto can be embedded into an attacker's Web site or injected into trusted sites by exploiting a common Web security hole known as a cross-site scripting flaw, he said.

Vulnerability scanners by themselves aren't new. Hackers often use such tools to find holes that let them break into systems. Jikto is like Nikto, a Web application bug-scanning tool popular among hackers. The difference is that Nikto is a traditional PC application, while Jikto runs in a Web browser and distributes the bug-hunting task across multiple PCs.

Jikto can hunt for various common security holes and can connect back to its controller for instructions on which Web sites to hit and what flaws to look for, Hoffman said. For example, it could be programmed to scan major banking Web sites for SQL injection vulnerabilities. Such vulnerabilities could be serious and open databases to attack.

"Half of hacking is collecting information and then sorting it. An attacker can now distribute this job to many people," Hoffman said. As a bonus, the targeted Web site won't know the identity of the attacker because the site is being probed by the unsuspecting Web surfer who happened upon a Web page rigged with Jikto.

Jikto is an interesting example of how JavaScript can be used maliciously, but traditional vulnerability-scanning tools probably are a more efficient, said Fyodor Vaskovich, creator of Nmap Security Scanner, a tool widely used in the security community to find vulnerabilities.

"These JavaScript attacks are usually very slow to perform compared to the attacker scanning from an already compromised machine," Vaskovich said. "Hiding the attacker and distributing the scanning can be useful, but the reality is that attackers can generally scan pretty widely with impunity, or they just use a chain of proxies."

Because it is created in JavaScript, a scripting language commonly used on the Web, Jikto will run in most Web browsers without any warning. Internet users who hit a Web site with Jikto embedded likely won't even know what's happening. The tool will run as long as the browser is open and disappear without any obvious trace, or residual damage.

Jikto is different in that way from bots, a common method miscreants use to take control over PCs. Typically, bots compromise PCs through security holes in Web browsers or e-mail messages laden with a Trojan horse. Somebody with a patched browser, smart e-mail habits and updated security software would typically be protected against bot software.

"As a user you really can't do much against Jikto or other JavaScript-based threats," Hoffman said. "I am not giving you a Trojan or a traditional backdoor. I am not really compromising your computer. That is what makes this so scary. Antivirus is not going to help you."

JavaScript plays a major role in the Web 2.0 boom, which is causing a splash as it stretches the boundaries of what Web sites can do. But malicious JavaScript, especially in combination with the increasingly common Web site security flaws, could lead to insidious Web-based attacks, security experts have said.

Right now, Jikto only crawls and detects vulnerabilities. Hoffman is working on a next version that can also exploit vulnerabilities and extract data. That version may be presented at the Black Hat security conference in Las Vegas this summer, he said.