Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

JavaScript Botnet Sheds Light On Criminal Activity

samzenpus posted more than 2 years ago | from the surfing-dirty dept.

Crime 50

CowboyRobot writes "Informatica64, a security research group, demonstrated the use of cached JavaScript to control computers connecting to a malicious proxy. 'The researchers found a variety of low-level criminals using their proxy server: fraudsters posing as British immigration officials offering work permits in hopes of stealing money and sensitive documents from their victims; a man pretending to be a pretty woman on a number of dating sites to con victims into sending money for a plane ticket; and another fraudster selling nonexistent Yorkshire Terriers.'"

Sorry! There are no comments related to the filter you selected.

Obligatory Noscript fp (-1)

Anonymous Coward | more than 2 years ago | (#40812757)

Now script this [goatse.ru]

Re:Obligatory Noscript fp (2)

Johann Lau (1040920) | more than 2 years ago | (#40815925)

I am disappointed. I clicked the link out of sheer nostalgia , but it's 404. Then I actually typed goatse.cx into the address bar.. and someone is squatting on that domain alright, but not in the way I expected! So read up on wikipedia, and see that's very old news... FFS, what is the web coming to?

2ND TIME TODAY (-1)

Anonymous Coward | more than 2 years ago | (#40812765)

FIRSTYYYYS

Really? (4, Insightful)

Darkness404 (1287218) | more than 2 years ago | (#40812951)

It is very likely that companies and governments are already using this technique to eavesdrop on criminal activity, Alonso said.

Really? How about them using it to eavesdrop on -everyone- regardless on if it is "criminal" or not. Plus, I'm sure governments have more invasive methods rather than just this.

Re:Really? (2, Insightful)

Anonymous Coward | more than 2 years ago | (#40813105)

I was at this presentation-- it was a public access proxy. If you're going to risk sending information over a proxy *you do not run* then that is your own mistake.

Re:Really? (3, Funny)

girlintraining (1395911) | more than 2 years ago | (#40813271)

Plus, I'm sure governments have more invasive methods rather than just this.

Yes, in the sage words of Jon Stewart, "I'm sure big government feels its largest when it's in your anus."

This should shut down the naysayers (5, Funny)

Anonymous Coward | more than 2 years ago | (#40812963)

Yep, this is proof... Javascript is a real programming language.

Re:This should shut down the naysayers (1)

Anonymous Coward | more than 2 years ago | (#40813293)

http://bellard.org/jslinux/

Re:This should shut down the naysayers (1)

someones (2687911) | more than 2 years ago | (#40816149)

You made my day!

uh... only if you run it (-1)

Anonymous Coward | more than 2 years ago | (#40813073)

This is another case where you have to volunteer to run the malware, or it does nothing.

Nobody in their right mind runs javascript from random sites any more - the last 5 years should have taught that lesson. It's idiotic, and is objectively one of the biggest threat vectors out there. Of course, many people are not in their right mind, but you can't protect people against themselves if they volunteer to run malware. That's been a problem for as long as PCs have been around.

So for about the 489235th time, if you don't run javascript by default, which no one should be doing, you're fine. Time for people to start learning this lesson.

Re:uh... only if you run it, yet ... (-1)

Anonymous Coward | more than 2 years ago | (#40813175)

The Gnome desktop versiont 3.x is implemented in Javascript, and all the crapware-plugins will be also. We need to really support a modern version of Gnome 2.x

Re:uh... only if you run it, yet ... (1)

Anonymous Coward | more than 2 years ago | (#40813587)

We need to really support a modern version of Gnome 2.x

Isn't that what XFCE is for?

Re:uh... only if you run it, yet ... (0)

Anonymous Coward | more than 2 years ago | (#40815321)

Gnome 3 ? I wonder ... can a botnet of one really be called a botnet ?

Re:uh... only if you run it, yet ... (1)

someones (2687911) | more than 2 years ago | (#40816171)

Its called KDE ;)
Kde4 seems to have lost some weight, or gnome3 put masses on.
But they feel pretty much the same.

I just switched to KDE4 and i must say: wow, you can configure ANYTHING, thing is, you HAVE TO configure anything -.-

Re:uh... only if you run it (4, Insightful)

Culture20 (968837) | more than 2 years ago | (#40813689)

Nobody in their right mind runs javascript from random sites any more

Nobody cares except computer security professionals. Sure, I run noscript, adblock, and requestpolicy in FF, but no one else I know does unless I force them. Tons of sysadmins and low-level techs in the IT field don't even bother or know why they should care. So people who should have a clue are still running javascript (and flash, pdfs, and random exploit laden images from web ads) from random sites. What do you think that means about non-IT folk? They're all doing it, and only changing the browser defaults will do anything about it.

Re:uh... only if you run it (3, Informative)

hairyfeet (841228) | more than 2 years ago | (#40815125)

Hell you can't even change browser defaults because "web designers" have gone suck fucking heavy with JavaScript that most sites will be completely unusable without it.

I used to try to get my customers to use NoScript but now its strictly ABP, why? Because it only takes a half a dozen "reload the page a dozen damned times trying to figure which of the 40 third party scripts loads the fucking content" easter egg hunts for people to become sick of it. Hell its gotten to the point i just sandbox the browser rather than mess with NoScript because i get sick of playing "Where's the content" 3 or 4 times for every. single. page. that I go to.

So if you want to bitch at somebody about the mess? Blame the website designers, a good 99% of whom has gone so damned heavy with third party scripts being loaded from everywhere that most of the time you can't even get the fricking content AT ALL without a ton of JavaScript loaded. And lets face it, its only gonna get worse with all the "HTML V5 Web 3.0 Apps in the cloud" crap coming down the line. To get most of that stuff to even function you have to load a half a dozen scripts from all over the place, what a mess.

Re:uh... only if you run it (1)

kiddygrinder (605598) | more than 2 years ago | (#40815453)

it's true, and i'm not even sorry

Re:uh... only if you run it (1)

someones (2687911) | more than 2 years ago | (#40816199)

If a site i visit, wont lead without JS, im not visiting that site again!

Re:uh... only if you run it (2)

hairyfeet (841228) | more than 2 years ago | (#40823565)

Well that means NO HTML V5 apps, no map sites, most forums and video sites won't work...hell you might as well say 'If the site won't run on my Pentium 100 I'm not coming back!" for all the good it'll do.

That is why I've been saying for years instead of pushing HTML V5 the geeks of the world need to be pushing for the death of JavaScript. Just like ActiveX it was never designed for security, and its had so much shit bolted on over the years good luck trying to tack on any security at this late date.

We need a NEW website language, designed from the ground up with security in mind, where everything is locked in a low rights "penalty box" and the website owners will have to run content strictly on site if they want it to be seen. if they want to get that content from somewhere else? Fine but they should be required to load it to their own site and scan it BEFORE shoveling it along to the user!

JavaScript was cooked up in the days of dialup, when the web was frankly a safer place. its not like that anymore and just as we wouldn't trust an AV from the Win95 era to stop modern threats so too should we not expect a language designed during that time to have a security model useful in today's world.

Re:uh... only if you run it (1)

trev.norris (2010080) | more than 2 years ago | (#40832457)

I won't disagree that the majority of web developers do things like load jQuery, before they even know why they need it. Usually because they're a novice trying to create a blog for their cousin and never had any actual web development experience. But please remember that not all web developers are like that.

When used properly JavaScript can enhance the overall security and experience of the site. For example, I like to SHA1 my user's passwords before submitting them to the server. Then I'll SHA1 that with a random seed and store it in the database. Or I'll add simple encryption algorithms to encrypt sensitive data. Of course it all runs under HTTPS, but never hurts to have a little more security.

Unfortunately the masses of web developers who "have gone suck fucking heavy" with JavaScript drown out the few of us who know when and how to use it.

Re:uh... only if you run it (1)

nstlgc (945418) | more than 2 years ago | (#40815465)

I think it is safe to say (read: pull out of my ass) that 99% of all people surfing the web do so with Javascript enabled, all the time.

I am one of them. And I will keep on doing so. Your scaremongering isn't going to trick me into installing NoScript.

Re:uh... only if you run it (1)

Rockoon (1252108) | more than 2 years ago | (#40817347)

Many proponents of NoScript are often conflating Flash specific issues with JavaScript... and they dont even know it (they know just enough to falsely think that they know what they are talking about.)

Cry me a river (-1)

Anonymous Coward | more than 2 years ago | (#40813161)

Oh, boohoo, somebody ripping off bantus and wogs who just want to show up and get on the dole? Looks like justice has been served.

Wrong again Slashdot (5, Funny)

Anonymous Coward | more than 2 years ago | (#40813197)

"... and another fraudster selling nonexistent Yorkshire Terriers.'"

Bullshit. Yorkshire Terriers most certainly exist.

Re:Wrong again Slashdot (1)

arthurh3535 (447288) | more than 2 years ago | (#40813809)

"... and another fraudster selling nonexistent Yorkshire Terriers.'"

Bullshit. Yorkshire Terriers most certainly exist.

But *he* wasn't selling real ones.

Re:Wrong again Slashdot (0)

star0620 (2696055) | more than 2 years ago | (#40814545)

never manage to be above all, I am sure it. But this website: game iwin [iwinmoi.com] game avatar [gamesieuhot.com] providing the same services but now have to give up because no effective

Re:Wrong again Slashdot (0)

Anonymous Coward | more than 2 years ago | (#40815013)

Wooooooosh

Re:Wrong again Slashdot (1)

Paradise Pete (33184) | more than 2 years ago | (#40815235)

For sufficiently small values of whoosh. I'm sure the OP saw the "joke." It's not only not funny, it's not even really a joke because it relies on an invalid interpretation of the sentence. In essence, it turns out it's the joke that's nonexistent.

Re:Wrong again Slashdot (1)

RobertLTux (260313) | more than 2 years ago | (#40817953)

some folks would not believe that Foo/Temple Dogs exist even if a Tibetan Mastif took a chunk out of their hind end.

(hint here the TM is what inspired the legend of the Temple Dogs and in fact do the same job in real temples)
(as to the existence of actual magical Temple Dogs just ask any fans of The Dresden Files about "Mouse")

Re:Wrong again Slashdot (0)

Anonymous Coward | more than 2 years ago | (#40816211)

"... and another fraudster selling nonexistent Yorkshire Terriers.'"

Bullshit. Yorkshire Terriers most certainly exist.

Ah, but non-existent Yorkshire Terriers also exist. In fact, I'm selling a few if you're interested.

But... non-existant Yorkies are the best! (5, Funny)

Anonymous Coward | more than 2 years ago | (#40813559)

It shouldn't be a crime to sell non-existant Yorkies. Just think of the ensuing peace and quiet of neighbors, because the would-be purchaser no longer has the cash for a real one. That man owes society nothing. Yay, society should reward him for performing such a public service.

Re:But... non-existant Yorkies are the best! (0)

Anonymous Coward | more than 2 years ago | (#40818007)

So, can I sell nonexistent Yorkshire pudding? That would be even quieter. Just sayin'.

Re:But... non-existant Yorkies are the best! (1)

jc42 (318812) | more than 2 years ago | (#40819015)

So, can I sell nonexistent Yorkshire pudding? That would be even quieter. Just sayin'.

Sure; what you'd better not try selling is fake Yorkshire pudding. That would be a trademark violation, which is a much more serious crime than selling something that you don't have.

Re:But... non-existant Yorkies are the best! (0)

Anonymous Coward | more than 2 years ago | (#40819081)

If selling something you don't have were a crime, most of the financial market participants would be behind bars by now.

implication for corporate networks (4, Interesting)

tofupup (14959) | more than 2 years ago | (#40813617)

i saw the talk a def con this weekend.

one of my take ways from this talk is when certain sites such as youtube/imgur/slashdot/reddit are
black listed due to corporate IT guidelines people often go to proxies to circumvent
this. So the net effect of black listing popular sites (besides being a pain) is to make your
network less secure.

imho ... wasted banwidth is better than getting hacked.

Re:implication for corporate networks (0)

Anonymous Coward | more than 2 years ago | (#40814937)

Because noone has ever posted an exploit (or linked to one) on those websites, right..

Re:implication for corporate networks (0)

Anonymous Coward | more than 2 years ago | (#40815093)

We block SSL and the GET requests for the most popular proxy software.

Re:implication for corporate networks (0)

Anonymous Coward | more than 2 years ago | (#40820291)

What about VPNs?

Re:implication for corporate networks (0)

Anonymous Coward | more than 2 years ago | (#40815505)

Then the solution is simple.

Whitelisted sites.

Which browsers? (0)

Anonymous Coward | more than 2 years ago | (#40813735)

Which browsers were affected?

Was IE9 one of them?

In IE9, for example, the sliders for filtering comments in this page don't work at all.

Scale invariance (2)

bosef1 (208943) | more than 2 years ago | (#40813879)

Well, it looks like organized crime has found its own Etsy and Craigslist. I suppose it just demonstrates how the power of just-in-time communication and office automation can be an assest, even on the black market.

I don't get it... (1)

speedplane (552872) | more than 2 years ago | (#40814059)

If all the communication is encrypted using SSL, which not only encrypts but authenticates all data, I don't see how a poisoned javascript file can get passed to the client.

Re:I don't get it... (1)

sgunhouse (1050564) | more than 2 years ago | (#40814635)

The proxy is the man in the middle, nothing to it.

Well if I had a dollar... (1)

brantondaveperson (1023687) | more than 2 years ago | (#40814199)

...for every nonexistent Yorkshire Terrier I'd had to chase out of my back garden I'd have millions.

Re:Well if I had a dollar... (1)

fatphil (181876) | more than 2 years ago | (#40820141)

If the RIAA and MPAA had a dollar for every nonexistent Yorkshire Terrier that pirates had illegally downloaded from the internet, they'd be large and rich enough to be dangerously influential.

Not surprising... (0)

Anonymous Coward | more than 2 years ago | (#40815325)

Bad guys can run honeypots too!

Genious (-1, Redundant)

Footprintsecurity (2696655) | more than 2 years ago | (#40815789)

http://www.footprintsecurity.com.au/ [footprintsecurity.com.au] Looking for security cameras? Or a wireless spy camera? Footprint security carry Australia's largest range of Business and Home Security cameras and CCTV accessories, all supplied at wholesale prices! This website is continually being updated with new products and features. Feel free to browse our current selection of wireless spy cameras as well as surveillance security cameras and CCTV Digital Video Recorders.

Tor users vulnerable? (0)

Anonymous Coward | more than 2 years ago | (#40816533)

TFA says:
Alonso recommended that anyone who is using anonymous proxies or even the Tor network to only use servers that they trust.

If implemented on a server connected to via the Tor network, presumably this would gather traffic details. But would it reveal the end client IP? The Tor Project and others claim that Tor Button has now closed any known javascript vulnerabilities, so we have people (like Tails) claiming it is therefore ok to surf via tor with JS enabled. That doesn't smell right to me. What about unknown vulnerabilities anyway?

How odd... (0)

Anonymous Coward | more than 2 years ago | (#40818831)

It's good that they're light on crime, but I'm not sure why anyone would build a shed for their javascript botnet.

Re:How odd... (0)

Anonymous Coward | more than 2 years ago | (#40819167)

JavaScript bots tend to rust if it rains on them. Therefore it's a good idea to put them in a shed.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?