Writing A Modular Universal XSS Worm
With the recent Orkit worm, and a few MySpace worms, web/XSS worms are a very interesting topic. Here's someone's attempt on the Ph4nt0m group discussion site who is trying to create a sustainable, growable XSS worm. It seems that the use of a centralized JS source file could be it's Achilles heel, however.
Source: Writing A Modular Universal XSS Worm, Google Groups | Ph4nt0m.
Diminutive XSS Worm Replication ContestA friend pointed this out to me. Evidently the Sla.ckers.org website is hosting a "Diminutive XSS Worm Replication Contest". Their mission: to see who an write a new XSS worm (like the MySpace one, the recent Orkut one, etc).
The goal of the contest is to have a functional web worm in as small a package as possible. From the website:
Okay folks, new small challenge - no prize, just an exercise in programming skill and because I want to see the results. After reading over the XSS worm thread I got to thinking. We haven't, to my knowledge, ever had a diminutive worm writing contest. We've done it for JS injection and for pulling in remote JS but not for worms. You can submit your code to this thread directly (I'd prefer it actually so that others can benefit from what you've done). If that's for some reason not acceptable sent me your code directly and we can figure something out. Either way the winner's code must be posted in this thread. Actual cutoff to submit is Thursday the 10th of January at 7PM GMT.Source: Diminutive XSS Worm Replication Contest, from the sla.ckers.org forums.
Hacking the Malware– A reverse-engineer’s analysis
A nice, thorough analysis of a Yahoo! instant messaging worm by Rahul Mohandas, showing how he decoded the exploit, reverse engineered it, and it's effects. Very good example, and something you can learn from.
This paper attempts to document an approach on how the hackers make use of the vulnerabilities to install malicious software on the vulnerable machine. A comprehensive reverse code engineered analysis of the malicious software (Win32.Qucan.a) and the various protection schemes against the worm by various security products are also discussed.
I also describe an approach to setting up a flexible laboratory environment using virtual workstation software such as VMware, and demonstrate the process of reverse engineering a worm using a range of system monitoring tools in conjunction with a disassembler.
I hope this document will help the Malware researchers, Intrusion Analysts and other Security professionals to conduct a more viable and comprehensive research.
Source: Hacking the Malware– A reverse-engineer’s analysis, by Rahul Mohandas. Pointed out by B on IRC. Thanks!
In this paper, the authors look at ways of fine tuning the efficacy of malware, ie making it speedier and more lethal.
In recent years, malicious software (malware) has become one of the most insidious threats in computer security, having been used, in its various forms, with high level of success for a myriad of nefarious purposes. However, this is arguably not the result of increased sophistication in malware design or attack strategies, but rather of the increased presence of computers and computer networks within every aspect of society, offering an increased number of services through increasingly complex and vulnerability-ridden software.
In this paper, we address and defend the commonly shared point of view that the worst is very much yet to come. We introduce an aim-oriented performance theory for malware and malware attacks, within which we identify some of the performance criteria for measuring their “goodness” with respect to some of the typical objectives for which they are currently used. We also use the OODA-loop model, a wellknown paradigm of command and control borrowed from military doctrine, as a tool for organising (and reasoning about) the behavioural characteristics of malware and orchestrated attacks using it. We then identify and discuss particular areas of malware design and deployment strategy in which very little development has been seen in the past, and that are likely sources of increased future malware threats. Finally, we discuss how standard optimisation techniques could be applied to malware design, in order to allow even moderately equipped malicious actors to quickly converge towards optimal malware attack strategies and tools fine-tuned for the current Internet.
Source: Optimising Malware, José M. Fernandez and Pierre-Marc Bureau.
Update 5 October: Update the paper link to a newer version, from Pierre-Marc.
Enabling Internet Worms And Malware Investigation And Defense Using Virtualization
While lengthy, it's good reading if you're wondering about large-scale studies of real malware in a controlled laboratory network setting.
Source: Enabling Internet Worms And Malware Investigation And Defense Using Virtualization, a Ph.D. thesis by Xuxian Jiang.
Internet worms and malware remain a threat to the Internet, as demonstrated by a number of large-scale Internet worm outbreaks, such as the MSBlast worm in 2003 and the Sasser worm in 2004. Moreover, every new wave of outbreak reveals the rapid evolution of Internet worms and malware in terms of infection speed, virulence, and sophistication. Unfortunately, our capability to investigate and defend against Internet worms and malware has not seen the same pace of advancement.
In this dissertation, we present an integrated, virtualization-based framework for malware capture, investigation and defense. This integrated framework consists of a frontend and a back-end. The front-end is a virtualization-based honeyfarm architecture, called Collapsar, to attract and capture real-world malware instances from the Internet. Collapsar is the first honeyfarm that virtualizes full systems and enables centralized management of honeypots while preserving their distributed presence. The back-end is a virtual malware "playground," called vGround, to perform destruction-oriented experiments with captured malware or worms, which were previously expensive, inefficient, or even impossible to conduct.
On top of the integrated framework, we have developed a number of defense mechanisms from various perspectives. More specifically, based on the unique infection behavior of each worm we run in vGround, we define a behavioral footprinting model for worm profiling and identification, which complements the state-of-the-art content-based signature approach. We also develop a provenance-aware logging mechanism, called process coloring, that achieves higher efficiency and accuracy than existing systems in revealing malware break-ins and contaminations.
Google Search API WormsWorms that search Google to find new victims aren't new. Look at Santy from late 2004, it found vulnerable phpBB sites via Google queries. While web application worms and the idea of a worm that has some target preknowledge to spread is nothing new, the author here suggests that it may be simpler than previously thought. I'm still not convinced.
One of the main disadvantages of all AJAX application is the lack of cross domain request capabilities. In simple words, a web object from one site cannot access another one from a different site. The reason for this security feature is hidden deeply inside every modern browser security sandbox which is responsible for keeping your personal information private and safe.Source: Google Search API Worms on the GNUCITIZEN website.
Web worms can use Google’s infrastructure to propagate. If a malicious mind finds a vulnerability in WordPress for example and this vulnerability allows SQL Injection, a worm may be written to craw blogs in search for this vulnerability and embed itself into everything that is vulnerable. Once a user visits an infected blog the worm starts another cycle.
MS06-040 and the Death of the WormA couple of years ago, when a vulnerability like the recently disclosed Microsoft Security Bulletin MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution was released, you figured a worm was not far behind. And not just a basic worm, the kind that can infect hundreds of thousands of machines quickly. After all, we've been expecting that to happen given what we saw in the past with MS05-039 (Zotob, which really was a bot), MS04-011 (Sasser) and MS03-039 (Blaster).
But this is 2006, and people recognize that if you were able to get your code onto hundreds of thousands of systems, you should be able to do something with them. And so we have bots like W32.Wargbot taking advantage of that vulnerability. It didn't spread nearly as aggressively as Blaster did, but it showed that we're beyond simple worms, for whatever reason.
During my haitus, I spent some time wondering if Wormblog was even still needed. It's only been a few years, but it seems like worm detection systems are no longer as high pressure as they were in the past. For one, you have a significant amount of background noise from bots scanning for victims. Also, you have a dramatic slowdown in malcode propagation compres to a couple of years ago. Don't be surprised if you see more botnet stuff on here because of such changes. I think that there's still interesting research going on in worms and not just in bots, and I'll keep digging for it.
Watershed in malicious code evolutionAnother link from my good friend Kamal. Another link that has been sitting in my inbox for too long ...
I think we'd all agree that the types of threats we're seeing now are changing radically. If we look at the past few years of malware, we see a change in the nature of the threat. One of the things I've noticed is that malware authors seem to be hitting a brick wall in attempting to exploit systems the old fashioned way (ie a buffer overflow) and instead are back to the weakest link - people. Social engineering tricks, such as those used by IM-based malware, and password guessing techniques seem to be popular with some people. Just as popular as ever are mass mailers. But even more popular than ever are client-side exploits that launch a download of some malware to bootstrap itself onto a victim machine. This piece from VirusList is a good set of numbers to infer what's going on and where things are headed.
Accordingly, there has been a watershed in how Kaspersky Lab classifies malware. A professional malware market started to emerge at the very end of 2003, gained ground during 2004, and was well established by the beginning of 2005. Therefore, 2004 could be called the year in which the Internet became comprehensively criminal. Data based on Kaspersky Virus Lab statistics clearly demonstrates this trend. Some of this data is used in the discussion of the malware classifications used by Kaspersky virus analysts which follows.Source: Watershed in malicious code evolution, from VirusList.
VX reversing II, sasser B
The Sasser worm from May of 2004 provides an excellent example of modern malware in a reverse engineering setting. Eduardo Labir's article for the CodeBreakers Journal is a nice tutorial on how to really get into code, analyze it, and understand what is going on.
Tools you'll want to have handy: VMware, so that you don't trash your main machine (another throwaway machine may also be used, but a virtual system is most often a handy way to keep the number of physical machines down); OllyDbg, a (free) 32-bit debugger with plenty of nice features; and IDApro, one of the best disassembler tools I can find (it's commercial, and sometimes the HT editor can do in a pinch).
The well known worm Sasser has been one of the viruses which has received more attention in the press in the latest months. It's author, an 18 years old student from Germany, after causing lots of troubles to many home users and small enterprises faces up to several years of prison. Sasser is not a well programmed virus, it's success is entirely due to the exploit it implements, which was announced by Microsoft in one of their security bulletins. In this paper, we will reverse Sasser.B - the second of its variants - showing how it works and also how to clean your computer after infection.
Visual Basic Worm RecipeI found this in my blog monitoring for worm-related topics. It's a very simple mass mailer recipe, using Visual Basic to spread. While at first this may seem quite irresponsible of me to post it, think about how many mass-mailer detection and prevention systems are in place, and know that there are safeguards in place to prevent this from being a problem. Now, of course, be responsible when you use this. I hope you're using it to study the effects of malware on a test network and maybe to develop detection tools and improve the state of security.
Now the 1st thing we are going to do is show you what our worm we are going to create is going to preform. The worm we are going to create is w32.N00bie. This worm is not very powerfull but is good for the beginner. To be able to create this worm you will need Microsoft Visual Basic. Visual Basic is a RPD or Rapid Application Builder. We will now begin to make our 1st program in Visual Basic. Open up Visual Basic and select a Standrad .exe Program. Now, Visual Basic will load a Windows that is titled “Form1″ This is the main form for Visual Basic. This is your worm.Source: Worm Writing Tutorial, November 20, 2005.