A security researcher has found a way hackers can make PCs of unsuspecting Web surfers do their dirty work, without having to actually commandeer the systems.
With the advent of online applications, hackers have shown increased interest in breaching Web security. Though vulnerabilities such as cross-site scripting bugs and SQL injection flaws have been around for years, such security problems are increasingly being reported and exploited.
Jikto is a Web application vulnerability scanner. It can silently crawl and audit public Web sites, and then send the results to a third party, Hoffman said. Jikto can be embedded into an attacker's Web site or injected into trusted sites by exploiting a common Web security hole known as a cross-site scripting flaw, he said.
by themselves aren't new. Hackers often use such tools to find holes that let them break into systems. Jikto is like Nikto, a Web application bug-scanning tool popular among hackers. The difference is that Nikto is a traditional PC application, while Jikto runs in a Web browser and distributes the bug-hunting task across multiple PCs.
Jikto can hunt for various common security holes and can connect back to its controller for instructions on which Web sites to hit and what flaws to look for, Hoffman said. For example, it could be programmed to scan major banking Web sites for SQL injection vulnerabilities. Such vulnerabilities could be serious and open databases to attack.
--Billy Hoffman, Jikto creator
"Half of hacking is collecting information and then sorting it. An attacker can now distribute this job to many people," Hoffman said. As a bonus, the targeted Web site won't know the identity of the attacker because the site is being probed by the unsuspecting Web surfer who happened upon a Web page rigged with Jikto.
Jikto is different in that way from bots, a common method miscreants use to take control over PCs. Typically, bots compromise PCs through security holes in Web browsers or e-mail messages laden with a Trojan horse. Somebody with a patched browser, smart e-mail habits and updated security software would typically be protected against bot software.
Right now, Jikto only crawls and detects vulnerabilities. Hoffman is working on a next version that can also exploit vulnerabilities and extract data. That version may be presented at the Black Hat security conference in Las Vegas this summer, he said.