Jitko: JavaScript Cross-Site Scripting Vulnerabilities
I heard about Jitko today on Security Now, a podcast I listen to regularly. On March 24, 2007, at the ShmooCon Hacker’s Conference, Billy Hoffman gave a presentation titled “JavaScript Malware for a Grey Goo Tomorrow.” As part of this presentation, Hoffman demonstrated a piece of software he’d written called Jitko. Jitko uses JavaScript to inject itself into a web browser via web forms. It does this by attaching non-standard characters to the data being passed by the form. These non-standard characters cause the browser to execute JavaScript, which invokes cross-site scripting. Once it’s running in the browser, Jitko can search other sites, determine which sites have JavaScript vulnerabilities, and report those sites back to a third party.
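The form-data weakness described above can be seen from the defender's side in the following added example, which is not code from Hoffman's talk or from Jitko. It assumes a page that echoes a submitted form field back into its HTML; the function names and sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example: a page that echoes a form field back to the browser,
// first without encoding, then with HTML output encoding applied.

// Characters that change meaning inside HTML text and quoted attributes.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the submitted value is concatenated into markup as-is, so any
// markup characters in it are parsed by the browser as part of the page.
function renderResultsUnsafe(query) {
  return `<p>Results for: ${query}</p><input name="q" value="${query}">`;
}

// Hardened: the same page, with the value encoded on output.
function renderResultsSafe(query) {
  const q = escapeHtml(query);
  return `<p>Results for: ${q}</p><input name="q" value="${q}">`;
}

// Constructed sample inputs: one ordinary search, one carrying markup.
const SAMPLES = ["shmoocon 2007", '"><script>alert(1)</script>'];

// True when submitted text ended up as a live script tag in the output.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

for (const s of SAMPLES) {
  console.log(JSON.stringify(s));
  console.log("  unsafe page has script tag:", containsScriptTag(renderResultsUnsafe(s)));
  console.log("  safe page has script tag:  ", containsScriptTag(renderResultsSafe(s)));
}
```

Encoding on output, in the context where the value lands, is what keeps the submitted characters as text instead of markup.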
Unfortunately, one of the attendees at the conference quickly noted the URL from which the JavaScript was being served, went to the URL in the brief time it was available during the conference, and posted the code for public consumption. It has since been removed by the conference attendee, but the code was picked up by others and is believed to be available on the Internet.
There is a lot to this, and as I come to understand it better, I will post another blog. For now, please reference the following:
Security Now Episode #85: Intro to Web Code Injection
JavaScript botnet code escapes ShmooCon, leaks to Web
JavaScript Flaw Causes Con-Sternation