Recent popularity of interactive AJAX-based Web 2.0 applications has given rise to a new breed of security threats: JavaScript worms. We propose Spectator, the first automatic detection and containment solution for JavaScript worms. Spectator is a proxy that performs distributed data tainting by observing and tagging the traffic between the browser and the Web application. When a piece of data propagates "too far", a potential worm is reported. To prevent worm propagation, subsequent upload attempts performed by the same worm are blocked. Spectator is able to detect fast and slow moving, monomorphic and polymorphic worms with a low rate of false positives. In addition to our detection and containment solution, we propose a range of deployment models for Spectator, ranging from simple intranet-wide deployments to a scalable load-balancing scheme appropriate for large Web sites.

Ben Livshits, a researcher at MSFT is up to some pretty cool code analysis work.

Here is a sneak peak at some of their other up coming work.