2008 FIRST Annual Conference in Vancouver - Register now

Facebook Worm?

Details are sketchy at this point, but is Facebook undergoing an XSS worm attack?

I checked with my Aunt, and she thinks someone may have stolen her password and hijacked her account to send out those messages to all her friends. My brother got a few of these posted to his wall as well from her Account. I also noticed that her status was changed to, “totally hooked on the crush calculator”.

Source: Are We Seeing the First Facebook “Worm”?, via the blog FacebookAdvice.

The Facebook app in question, Secret Crush, has been implicated in spyware installs, so it's conceivable that this "crush calculator" spam is an XSS worm driving installs. I don't have any evidence to support this, however we know that it's possibly vulnerable, in the same way that Orkut and MySpace have fallen victim to XSS worms.

Around the net:

March 28, 2008 in new worms | Permalink | Comments (49)
Tell others: digg submit | del.icio.us this | Reddit

Writing A Modular Universal XSS Worm

With the recent Orkit worm, and a few MySpace worms, web/XSS worms are a very interesting topic. Here's someone's attempt on the Ph4nt0m group discussion site who is trying to create a sustainable, growable XSS worm. It seems that the use of a centralized JS source file could be it's Achilles heel, however.

The biggest issue regarding webapplication worms isn't about the worm size, but about the hole to let it propagate. With remote Javascript files we can go any place and any size we want to. The only trigger we need is a simple instance to let it become part of the website and it's DOM. We only have to call the remote Javascript file each time, and we can adjust or modify the payload of the worm at any time.

Source: Writing A Modular Universal XSS Worm, Google Groups | Ph4nt0m.

January 27, 2008 in malware , new worms | Permalink | Comments (60)
Tell others: digg submit | del.icio.us this | Reddit

VB2008 call for papers

The Virus Bulletin conference is coming up later this year, but the call for papers closing is only a month and a half away. VB is a nice, fun conference where a lot of top - and rising - AV and malware researchers meet up. There's a growing number of researchers in the field, so getting your research in front of the right people is always a good thing.

I'll skip the long - and interesting - list of topics the conference warmly accepts. About the conference:

Virus Bulletin is seeking submissions from those wishing to present papers at VB2008, which will take place 1-3 October 2008 at the Westin Ottawa, Canada.

To submit a proposal authors should:

  • send an abstract of approximately 200 words outlining the proposed paper to editor@virusbtn.com       
  • include full contact details with each submission    
  • indicate whether the paper is intended for the technical or corporate stream     

    • Note: deadline for submissions 7 March 2008

Submissions received later than 7 March 2008 will not be considered.

Authors are advised that, should their paper be selected for the conference programme, the deadline for submission of the completed papers will be Monday 9 June 2008, and that they must be available to present their papers in Ottawa between 1 and 3 October 2008.

I don't know if I'll be submitting anything or if I'll be attending, although I would like to. I hope many of you consider submitting research works there, however.

January 25, 2008 in events, papers | Permalink | Comments (96)
Tell others: digg submit | del.icio.us this | Reddit

LEET '08 Call for Papers

The First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '08) has a CFP that closes soon. From the CFP:
Overview As the Internet has become a universal mechanism for commerce and communication, it has also become an attractive medium for online criminal enterprise. Today, widespread vulnerabilities in both software and user behavior allow miscreants to compromise millions of hosts (worms, viruses, drive-by exploits, etc.), conceal their activities with sophisticated system software (rootkits), and manage these resources via a distributed command and control framework (botnets). This platform in turn provides economics of scale for a wide range of criminal activities including spam, phishing, DDoS, click fraud, and so on.

Topics LEET has evolved from the combination of two other successful workshops, the ACM Workshop on Recurring Malcode (WORM) and the USENIX Workshop on Hot Topics in Understanding Botnets (HotBots), which have each dealt with aspects of this problem. However, while papers relating to both worms and botnets are explicitly solicited, LEET has a broader charter than its predecessors. We encourage submissions of papers that focus on any aspect of the underlying mechanisms used to compromise and control hosts, the large-scale "applications" being perpetrated upon this framework, or the social and economic networks driving these threats.

Source: LEET '08 Call for Papers. Topics for the workshop for readers here include: Infection vectors for malware (worms, viruses, etc.), Boutique and targeted malware, and Reverse engineering.

Important dates:

  • Submissions due: February 11, 2008, 11:59 p.m. EST
  • Notification of acceptance: March 24, 2008
  • Final papers due: April 4, 2008
I don't know if I'll be submitting anything ...

January 5, 2008 in events, papers | Permalink | Comments (5)
Tell others: digg submit | del.icio.us this | Reddit

Diminutive XSS Worm Replication Contest

A friend pointed this out to me. Evidently the Sla.ckers.org website is hosting a "Diminutive XSS Worm Replication Contest". Their mission: to see who an write a new XSS worm (like the MySpace one, the recent Orkut one, etc).

The goal of the contest is to have a functional web worm in as small a package as possible. From the website:

Okay folks, new small challenge - no prize, just an exercise in programming skill and because I want to see the results. After reading over the XSS worm thread I got to thinking. We haven't, to my knowledge, ever had a diminutive worm writing contest. We've done it for JS injection and for pulling in remote JS but not for worms. You can submit your code to this thread directly (I'd prefer it actually so that others can benefit from what you've done). If that's for some reason not acceptable sent me your code directly and we can figure something out. Either way the winner's code must be posted in this thread. Actual cutoff to submit is Thursday the 10th of January at 7PM GMT.
Source: Diminutive XSS Worm Replication Contest, from the sla.ckers.org forums.

January 5, 2008 in malware , new trends, new worms | Permalink | Comments (12)
Tell others: digg submit | del.icio.us this | Reddit

The 5th ACM Workshop on Recurring Malcode (WORM 2007)

Morning, everyone. I know Wormblog has been very, very silent lately as I've been very busy with work. However, I'll wake it up and post a conference call for papers that applies here. I'm on the PC for WORM07, so I should have done this sooner ...

Internet-wide infectious epidemics have emerged as one of the leading threats to information security and service availability. Self-propagating threats, often termed worms, exploit software weaknesses, hardware limitations, Internet topology, and the open Internet communication model to compromise large numbers of networked systems. Malware is increasingly used as a beachhead to launch further malicious activities, such as installing spyware, deploying phishing servers and spam relays, or performing information espionage. Unfortunately, current operational practices still face significant challenges in containing these threats as evidenced by the rise in automated botnet networks and the continued presence of worms released years ago. The goal of this workshop is to provide a forum for exchanging ideas, increasing understanding, and relating experiences on malicious code from a wide range of communities, including academia, industry, and the government.

We are soliciting papers from researchers and practitioners on     subjects including, but not limited to:    

  • Automatic malcode detection
  • Malicious code characterization
  • Botnet detection and disruption
  • Malcode reverse engineering
  • Modeling and analysis of propagation dynamics
  • Forensic methods of attribution
  • Threat assessment
  • Reactive countermeasures
  • Proactive malware defenses
  • Significant operational experiences
  • Measurement studies
  • New threats and related challenges
    •    

    WORM aims to be a true workshop, with a primary goal of fostering the     development of preliminary work and helping nucleate a malcode     research community. To this end, WORM aims to bring together both     academic researchers and practitioners that fight malware in the     fields. WORM is open to two classes of submissions: research papers and panel proposals.    

                               
17 June, 2007 Paper submission deadline
7 August, 2007 Notification of acceptance
22 August, 2007 Camera-ready papers due
2 November, 2007 Workshop co-located with CCS in Alexandria, VA, USA

The workshop is a one day event and will be held on 2 November, 2007, and is co-located with CCS in Alexandria, VA, USA, at the Hilton Alexandria Mark Center. For more information see the WORM07 website.

May 24, 2007 in events | Permalink | Comments (9)
Tell others: digg submit | del.icio.us this | Reddit

Grey Goo hits Second Life

This isn't the first time a worm (self replicating code) has hit a a large online game, and it wont be the last. Via various news outlets (like this BBC story, Slashdot, and the official Second Life blog:

[PST 2:44PM] An attack of self-replicators is causing heavy load on the database, which is in turn slowing down in-world activity. We have isolated the grey goo and are currently cleaning up the grid. We’ll keep you updated as status changes.

This appearantly took them offline for a few hours. (I don't use Second Life or any of these online communities, so all of my information is second hand.)

image of second life grey goo worm
Grey Goo within Second life, from richardparent.net.

I have to admit, I like the idea of being able to watch the worm infect a world, sort of like a visible germ cloud or something. Way more interesting than looking at traffic stats when things go awry.

November 20, 2006 in media, new trends, new worms | Permalink | Comments (27)
Tell others: digg submit | del.icio.us this | Reddit

Hacking the Malware– A reverse-engineer’s analysis

A nice, thorough analysis of a Yahoo! instant messaging worm by Rahul Mohandas, showing how he decoded the exploit, reverse engineered it, and it's effects. Very good example, and something you can learn from.

This paper attempts to document an approach on how the hackers make use of the vulnerabilities to install malicious software on the vulnerable machine. A comprehensive reverse code engineered analysis of the malicious software (Win32.Qucan.a) and the various protection schemes against the worm by various security products are also discussed.

I also describe an approach to setting up a flexible laboratory environment using virtual workstation software such as VMware, and demonstrate the process of reverse engineering a worm using a range of system monitoring tools in conjunction with a disassembler.

I hope this document will help the Malware researchers, Intrusion Analysts and other Security professionals to conduct a more viable and comprehensive research.

Source: Hacking the Malware– A reverse-engineer’s analysis, by Rahul Mohandas. Pointed out by B on IRC. Thanks!

November 8, 2006 in IM worms, malware , papers, tools | Permalink | Comments (7)
Tell others: digg submit | del.icio.us this | Reddit

A spread model of flash worms

I can't let another week go by and not post a paper on worm modeling. This one looks at a more rigorous model of how a "Flash Worm" would work. Some decent math, it's worth the effort to make sure you understand the equations.
In this work we we introduce a mathematical model for epidemics of worms using hit-list spreading technique. Flash worms to infect the whole vulnerable population. The estimated infection time shows that even heavy network worm can potentially infect large-scale vulnerable population within few seconds. Primarily the work is based on results of the work Top Speed of Flash Worms by S. Staniford et al.. We also genralize infection doubling technique used to increase a resilience of flash worms epidemics. It took the whole day for Code Red I v2 to spread among over 350,000 Internet hosts. Slammer worm infected more than 90 percent of up to 100,000 vulnerable hosts within 10 minutes (Inside the Slammer Worm by D. Moore et al.), Witty worm infected almost all of its 12,000 victims in 45 minutes (The Spread of the Witty Worm by C. Shannon and D. Moore).
Source: A spread model of flash worms,Yury Bulygin.

November 7, 2006 in modeling, papers | Permalink | Comments (6)
Tell others: digg submit | del.icio.us this | Reddit

And you thought you were safe after SLAMMER, not so, Swarms not Zombies present the greatest risk to our national internet infrastructure

I had a great time at WORM06 in Fairfax last week, and in my scramble to get work done in preparation for a day out of the office Wormblog updates slipped.

This paper comes from a conference on swarm intelligence and security. This is another one of those "worst worm" design papers, but it uses a novel approach: swarm intelligence.

The problem of attacks where sophisticated communities, such as BLACKHAT users, compromised larger and larger number of unsuspecting (and unsuspected) home personal computers in an effort to launch major attacks on both Government and corporate networks will be addressed in this manuscript. We called these attacks "Swarm Attacks", like a "swarm of bees". The Slammer, which is currently the fastest computer worm in recorded history, is an early precursor to this class of threat. Most proposed countermeasures strategies proposed to deal with such attacks, are based primarily on rate detection and limiting algorithms, or the detection of a sudden increased occurrence of "Destination Unreachable" messages in a network. However, we speculate that such strategies will prove ineffective in the future.

In this manuscript we will introduce the basic principles behind the idea of such "Swarm Worms", the nature of the intelligent behavior that emerges, as well as the basic structure required in order to be considered a "swarm worm", based on our definition. In addition, we will present preliminary results on the propagation speeds of one such swarm worm, called the ZachiK worm. We will show that ZachiK is capable of propagating at a rate 2 orders of magnitude faster than similar worms without swarm capabilities while remaining stealthy.

Source: And you thought you were safe after SLAMMER, not so, Swarms not Zombies present the greatest risk to our national internet infrastructure, Fernando C. Colon Osorio and Zachi Kloppman.

November 6, 2006 in new trends, papers | Permalink | Comments (3)
Tell others: digg submit | del.icio.us this | Reddit