How hackers can use your browser's javascript to disable your anti-virus software.

Discussion in 'other security issues & news' started by Hop A. Long, Aug 25, 2004.

Thread Status:
Not open for further replies.
  1. Hop A. Long

    Hop A. Long, Registered Member (Joined: Aug 19, 2004; Posts: 39; Location: USA)

    It's an established fact that malicious and compromised websites can use your browser's javascript to sneak trojans onto your hard drive. I know, because I got one in this manner while using the latest version of the Mozilla browser--which is supposed to be one of the safest. The simple reality is that NO browser is immune from javascript based trojan exploits. And permanently disabling javascript isn't a practical solution, since a large percentage of web sites require it in order for various features to function. For more information about the vulnerabilities of javascript, as well as possible solutions--see my thread at https://www.wilderssecurity.com/showthread.php?t=45472

    The title of the below web page is "Hacking With Javascript", and I found it after just five minutes of searching on Google. (I believe the search term I used was "javascript exploits".) Imagine what you could find if you spent TEN minutes searching! :) The part of the site quoted below pertains to the targeting of specific individuals with custom made trojans that are designed to get past their particular security programs. I thought this information was appropriate for this forum since it emphasizes the importance of taking precautions when using javascript, and also serves as a reminder of why effective trojan detection software is so crucial.

    Hopefully, it will motivate irate readers to pressure software companies into giving extra attention to javascript exploits in their security programs. Not only by being the proverbial "squeaky wheel", but also by giving their business to the companies who are the first to address these unconscionable security holes. Because I find it OUTRAGEOUS that you can't even open a web site in 2004 without having to risk getting an unknown or altered trojan, despite having a dozen security programs 'protecting' your computer! A trojan that can then be used to open a back door into your hard drive, and allow a devious stranger to sneak your confidential files past your firewall disguised as legitimate browser traffic.

    Note: If the below link is not sufficient evidence to convince you of how javascript can be used to circumvent your security, then simply spend ten minutes doing some Google searches. Because with Google, you have a WORLD of evidence at your fingertips. (Hint--make "javascript hacks" your first search.)

    http://governmentsecurity.org/articles/HackingWithJavascript.php

    Quote from the site: "This one is used to gain enough info on someone in order to form a trojan attack on them. What this javascript will allow us to do is to probe their system and see if they have any security against our attack. It will let us see what anti-virus program they use, what firewall they use, and if they have any programs that allow us to infect them with macros.

    Let's say we check for anti-virus programs, if they don't have any you can display a link to download sub7 and say it is a video game... if they do have an anti-virus program you can display the link to the real game. This way you don't have to worry about the user finding out that you tried to send them a trojan. Only users who don't have an anti-virus program will have downloaded the trojan.

    One possible future for trojans is modules that you can insert to attack specific programs. For instance if you know the user is running a certain type of anti-virus program and they are running a certain type of firewall you can plug those modules into the trojan. When the user downloads and runs this trojan the modules will trojan those anti-virus and firewall making them seem as if they are running fine, when they aren't. Either they won't detect your trojan or they will replace them with an empty program that just puts the icons in the taskbar and task list. I will try to get a working demonstration of how javascript can be used to download the correct trojan for a user's system or detect if the trojan will be detected by an anti-virus program so it will make them download a regular file."

    Here's a list of the other free articles on the site:

    Database Security (Common-sense Principles)
    Places that viruses and trojans hide on start up
    Step-by-Step Guide to Using the Security Configuration Tool Set
    Improving the Security of Your Site by Breaking Into it
    Domain Name Robbery
    XDCC – An .EDU Admin’s Nightmare
    Database Security
    Database Security
    Is Database Security an Oxymoron?
    Database security: protecting sensitive and critical information
    The database security blanket
    Database security in your Web-enabled apps
    Making Your Network Safe for Databases
    SQL Injection: Modes of Attack, Defence, and Why It Matters
    Database Security in High Risk Environments
    Linksys Router Information (A collection)
    Common Ports
    Protection of the Administrator Account in the Offline SAM
    Windows 2000 Security
    The dangers of ftp conversions on misconfigured systems
    Win98.BlackBat
    AnnaKournikova worm decrypted
    C/C++ made easy with GoGooSE 1.0
    UNIX Bourne Shell Programming
    BATCH ProgramminG
    Assembly for nerds using linux
    THE LATEST IN DENIAL OF SERVICE ATTACKS: "SMURFING"
    The Ingredients to ARP Poison
    Outlook 2002: can't send .exe file with Email
    Windows 9x/Me Security and System Restrictions
    Exploiting The IPC Share
    Local Windows hacking
    Windows Cryptic Error Messages
    Windows NT Registry Tutorial
    catch a macro virus
    Protecting Files with Windows NTXP
    Microsoft Baseline Security Analyzer V1.1
    A Beginners Guide To Wireless Security
    Default Logins and Passwords for Networked Devices
    How To Eliminate The Ten Most Critical Internet Security Threats
    About computer crime
    System Backdoor Information
    System Backdoors Explained
    Introduction to Buffer Overflow
    Donald Pipkin's Security Tips for the Week of December 23rd
    Getting IP data from numerous sources
    Rainbow Series Library [The One The Only]
    Honeypots (Definitions and Value of Honeypots)
    General Attack Descriptions
    Wireless Taping
    CYBERTERRORISM
    Security from a different angle
     
    Last edited: Aug 29, 2004
  2. meneer

    meneer, Registered Member (Joined: Nov 27, 2002; Posts: 1,132; Location: The Netherlands)

    Re: Hackers can use your browser's javascript to see what security software you're using

    Clickable link to the article.

    Thanks for the info ;)
     
  3. Justhelping

    Justhelping Guest

    Re: Hackers can use your browser's javascript to see what security software you're us

    An interesting claim, but no proof yet


    This appears to be the crux of the idea, but I'm pretty sure it will not work with Firefox and Opera. I could be dreaming but I thought that IE was also fixed to avoid this problem (accessing local files via javascript).
     
  4. xmp

    xmp Guest

    Re: Hackers can use your browser's javascript to see what security software you're using

    that may be an old article, esp since he mentions "the pull" advisory, which was patched long ago. b0iler has a couple of sites, if you want to check those.

    there are at least 3 exploits that still work on IE. i'm tempted to try QwikFix to harden IE.

    I use Amaya or Dillo for surfing hostile sites. Mozilla with scripting disabled is another option.
     