
Xanga Website XSS Worm, and IM Worm Using the WMF Attack

It looks like another social networking site, Xanga, has been hit by an XSS worm. Xanga is a blogging site popular with middle school kids; think of it as LiveJournal for the younger masses. From the post Xanga Hit By Script Worm on the always great SecuriTeam blog:

The worm consists of a simple HTML/script combination, and is highly primitive in nature. The worm propagates by using the XMLHTTP interface in some browsers to create worm-infected posts on the Xanga weblogs of users who visit an infected site while signed in. This approach blurs the line between worm and old-style file infecting viruses. I’ll refer to it as a worm for clarity, since most of the literature on the recent MySpace attack uses the same term. Of particular note is that the worm is ‘dumb’ — it will repeatedly repost itself to previously-infected sites. The attack is extremely noisy, with each post carrying the malware’s obnoxious message.

Aside from the fact that such immature and badly-written messages as the one dropped by the worm would already stand out on most Xanga blogs (that I care to read, anyway), the incessant reposting as the worm spread more than likely caused serious clogging. As a result, this worm’s life was extremely short. It is already over as you’re reading this analysis.

It appears upon further research that this worm was a variant of the similar Exodus worm that went quietly and unnoticed on December 19th. It was only in researching this outbreak that I saw the reports of Exodus. It appears that neither worm was written by a very skilled individual, as both strains are easily uprooted, browser-specific, badly-structured, trivially-decoded, and unnecessarily bloated. The worm is technically unimpressive (particularly vis-a-vis Exodus) and is a feat on par with the scores of VBSWG tweaks and edits following the infamous “Kournikova” worm outbreak of 2001.

In other news, I haven't commented on the WMF vulnerability this week, but it looks like someone has combined an IM worm with a link pointing at a malicious WMF file, spread via the usual IM link-spamming technique. This one is detected as an SDBot variant, appears to use the Kelvir IM-worm codebase, and spreads on the MSN network. You can find some analysis on the Kaspersky Lab Weblog: More on WMF exploitation. Both the F-Secure blog and the Kaspersky weblog have had great writeups, as has the MoMusings blog, which gives a concise, clear and accurate description of the situation.
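As an added example (not code from the original post, from SecuriTeam, or from Xanga), here is a defender-side sketch in JavaScript of the two conditions the quoted analysis describes: a site that renders user-supplied post bodies as raw HTML, so that script inside a post runs in every reader's browser, and a script that uses the browser's XMLHTTP object to write a new post with the reader's own session. The function names, the indicator list and the two sample posts are all constructed for this example.

```javascript
// Added example (not code from the original post or from SecuriTeam): a
// defender's view of the stored-XSS worm mechanism described in the quoted
// analysis. The fix that actually removes the problem is output encoding of
// user content; the indicator screen below is a secondary signal for
// moderation and logging. All names and sample data here are constructed.

// Escape the characters that let text break out of an HTML text node or a
// quoted attribute value. Content rendered through this is never parsed as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Indicators of active content in a post body. The last entry is the propagation
// vector named in the quoted analysis: the IE-era XMLHTTP ActiveX object and the
// standard XMLHttpRequest object.
const INDICATORS = [
  ['script-tag', /<script\b/i],
  ['event-handler', /\bon(?:load|error|click|mouseover|focus)\s*=/i],
  ['javascript-url', /javascript\s*:/i],
  ['xmlhttp', /XMLHttpRequest|Microsoft\.XMLHTTP|Msxml2\.XMLHTTP/i],
];

// Return the names of all indicators present in the post body, in INDICATORS order.
function screenPost(body) {
  return INDICATORS.filter(([, re]) => re.test(body)).map(([name]) => name);
}

// Render pipeline for one post: always escape, and attach the screening result so
// a post that shows both a script tag and an XMLHTTP reference can be held for review.
function renderPost(body) {
  const indicators = screenPost(body);
  const wormLike = indicators.includes('script-tag') && indicators.includes('xmlhttp');
  return { html: escapeHtml(body), indicators, wormLike };
}

// Constructed sample posts (not the real worm text).
const BENIGN_POST = 'Happy 2006! My top 5 albums & a <3 for everyone';
const WORMLIKE_POST = '<p>hi</p><script>/* constructed: references Microsoft.XMLHTTP */</script>';

// Stand-alone demonstration: the benign post escapes cleanly with no indicators,
// the constructed worm-like post is escaped and flagged.
for (const post of [BENIGN_POST, WORMLIKE_POST]) {
  console.log(JSON.stringify(renderPost(post)));
}
```

One caveat a practitioner should keep in mind: a per-session CSRF token on the posting endpoint does not stop this class of worm, because the injected script runs on the site's own origin and can read the token before sending its XMLHTTP request (the MySpace worm the quoted analysis refers to did exactly that). Escaping or strictly sanitizing user content before it is rendered is what breaks the loop; the indicator screen only makes the noisy reposting visible sooner.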

December 31, 2005 in IM worms, new trends, new worms

Comments

On the night of December 28th to December 29th, a person who has named himself after the famous hacker Kevin Mitnick propagated a net worm created especially for the portal http://new.draugiem.lv/; as a result, according to information found in Latvian blogs, the friends' records of about 400 users were deleted. The code can be viewed here: http://paste.php.lv/3038

Posted by: Valdis | Jan 1, 2006 1:10:34 PM

Computerworld is saying OneCare protects against WMF. Is that so? That's interesting considering how little MS has said about WMF so far.
"If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems," according to Microsoft.
According to:
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,107421,00.html?from=story_package

Posted by: hc | Jan 2, 2006 10:47:32 AM

Your post seems to mostly comment on how badly the worm was written. As if it would be better to have a highly sophisticated mature one, brilliantly crafted, with perfect structure that runs on multiple threads, uploads itself, downloads updates and blah blah. I've noticed this pattern with viruses and copy protection. If someone bootlegs a CD, the authorities always comment on the inferior quality of the copy as if, "Take that insult you pirates!". Either way, the CD was copied. Who cares? It was a worm.

Posted by: john | Jan 7, 2006 4:23:13 PM

Also, by detailing how simple the worm was, it also helps enlighten more scriddies on how they might write one.

Posted by: John | Jan 7, 2006 4:25:23 PM

john, you do realize the comment on the Xanga site worm was from the SecuriTeam blog, right? I didn't make any comment about it. Now, I've said disparaging things about other worms in the past, but not about this one.

Posted by: jose | Jan 7, 2006 9:34:24 PM


