How hackers can use your browser's javascript to disable your anti-virus software.

Discussion in 'other security issues & news' started by Hop A. Long, Aug 25, 2004.

Thread Status:
Not open for further replies.
  1. Hop A. Long

    Hop A. Long Registered Member

    Aug 19, 2004
    It's an established fact that malicious and compromised websites can use your browser's javascript to sneak trojans onto your hard drive. I know, because I got one in this manner while using the latest version of the Mozilla browser--which is supposed to be one of the safest. The simple reality is that NO browser is immune from javascript based trojan exploits. And permanently disabling javascript isn't a practical solution, since a large percentage of web sites require it in order for various features to function. For more information about the vulnerabilities of javascript, as well as possible solutions--see my thread at

    The title of the below web page is "Hacking With Javascript", and I found it after just five minutes of searching on Google. (I believe the search term I used was "javascript exploits".) Imagine what you could find if you spent TEN minutes searching! :) The part of the site quoted below pertains to the targeting of specific individuals with custom made trojans that are designed to get past their particular security programs. I thought this information was appropriate for this forum since it emphasizes the importance of taking precautions when using javascript, and also serves as a reminder of why effective trojan detection software is so crucial.

    Hopefully, it will motivate irate readers to pressure software companies into giving extra attention to javascript exploits in their security programs. Not only by being the proverbial "squeaky wheel", but also by giving their business to the companies who are the first to address these unconscionable security holes. Because I find it OUTRAGEOUS that you can't even open a web site in 2004 without having to risk getting an unknown or altered trojan, despite having a dozen security programs 'protecting' your computer! A trojan that can then be used to open a back door into your hard drive, and allow a devious stranger to sneak your confidential files past your firewall disguised as legitimate browser traffic.

    Note: If the below link is not sufficient evidence to convince you of how javascript can be used to circumvent your security, then simply spend ten minutes doing some Google searches. Because with Google, you have a WORLD of evidence at your fingertips. (Hint--make "javascript hacks" your first search.)

    Quote from the site: "This one is used to gain enough info on someone in order to form a trojan attack on them. What this javascript will allow us to do is to probe their system and see if they have any security against our attack. It will let us see what anti-virus program they use, what firewall they use, and if they have any programs that allow us to infect them with macros.

    Lets say we check for anti-virus programs, if they don't have any you can display a link to download sub7 and say it is a video game... if they do have an anti-virus program you can display the link to the real game. This way you don't have to worry about the user finding out that you tried to send them a trojan. Only users who don't have an anti-virus program will have downloaded the trojan.

    One possible future for trojan's is modules that you can insert to attack specific programs. For instance if you know the user is running a certain type of anti-virus program and they are running a certain type of firewall you can plug those modules into the trojan. When the user downloads and runs this trojan the modules will trojan those anti-virus and firewall making them seem as if they are running fine, when they aren't. Ether they won't detect your trojan or they will replace them with a emtpy program that just puts the icons in the taskbar and task list. I will try to get a working deminstration of how javascript can be used to download the correct trojan for a user's system or detect if the trojan will be detected by an anti-virus program so it will make them download a regular file."

    Here's a list of the other free articles on the site:

    Database Security (Common-sense Principles)
    Places that viruses and trojans hide on start up
    Step-by-Step Guide to Using the Security Configuration Tool Set
    Improving the Security of Your Site by Breaking Into it
    Domain Name Robbery
    XDCC – An .EDU Admin’s Nightmare
    Database Security
    Database Security
    Is Database Security an Oxymoron?
    Database security: protecting sensitive and critical information
    The database security blanket
    Database security in your Web-enabled apps
    Making Your Network Safe for Databases
    SQL Injection: Modes of Attack, Defence, and Why It Matters
    Database Security in High Risk Environments
    Linksys Router Information (A collection)
    Common Ports
    Protection of the Administrator Account in the Offline SAM
    Windows 2000 Security
    The dangers of ftp conversions on misconfigured systems
    AnnaKournikova worm decrypted
    C/C++ made easy with GoGooSE 1.0
    UNIX Bourne Shell Programming
    BATCH ProgramminG
    Assembly for nerds using linux
    The Ingredients to ARP Poison
    Outlook 2002: can't send .exe file with Email
    Windows 9x/Me Security and System Restrictions
    Exploiting The IPC Share
    Local Windows hacking
    Windows Cryptic Error Messages
    Windows NT Registry Tutorial
    catch a macro virus
    Protecting Files with Windows NTXP
    Microsoft Baseline Security Analyzer V1.1
    A Beginners Guide To Wireless Security
    Default Logins and Passwords for Networked Devices
    How To Eliminate The Ten Most Critical Internet Security Threats
    About computer crime
    System Backdoor Information
    System Backdoors Explained
    Introduction to Buffer Overflow
    Donald Pipkin's Security Tips for the Week of December 23rd
    Getting IP data from numerous sources
    Rainbow Series Library [The One The Only]
    Honeypots (Definitions and Value of Honeypots)
    General Attack Descriptions
    Wireless Taping
    Security from a different angle
    Last edited: Aug 29, 2004
  2. meneer

    meneer Registered Member

    Nov 27, 2002
    The Netherlands
    Re: Hackers can use your browser's javascript to see what security software you're using

    Clickable link to the article.

    Thanks for the info ;)
  3. Justhelping

    Justhelping Guest

    Re: Hackers can use your browser's javascript to see what security software you're us

    An interesting claim, but no proof yet

    This appears to be the crux of the idea, but I'm pretty sure it will not work with Firefox and Opera. I could be dreaming but I thought that IE was also fixed to avoid this problem (accessing local files via javascript).
  4. xmp

    xmp Guest

    Re: Hackers can use your browser's javascript to see what security software you're using

    that may be an old article, esp since he mentions "the pull" advisory, which was patched long ago. b0iler has a couple of sites, if you want to check those.

    there are at least 3 exploits that still work on IE. i'm tempted to try QwikFix to harden IE.

    I use Amaya or Dillo for surfing hostile sites. Mozilla with scripting disabled is another option.
Thread Status:
Not open for further replies.