Facebook Worm?

Details are sketchy at this point, but is Facebook undergoing an XSS worm attack?

I checked with my Aunt, and she thinks someone may have stolen her password and hijacked her account to send out those messages to all her friends. My brother got a few of these posted to his wall as well from her Account. I also noticed that her status was changed to, “totally hooked on the crush calculator”.

Source: Are We Seeing the First Facebook “Worm”?, via the blog FacebookAdvice.

The Facebook app in question, Secret Crush, has been implicated in spyware installs, so it's conceivable that this "crush calculator" spam is an XSS worm driving installs. I don't have any evidence to support this; however, we know that it's possibly vulnerable, in the same way that Orkut and MySpace have fallen victim to XSS worms.

March 28, 2008 in new worms | Permalink | Comments (38)

Writing A Modular Universal XSS Worm

With the recent Orkut worm, and a few MySpace worms, web/XSS worms are a very interesting topic. Here's an attempt by someone on the Ph4nt0m group discussion site to create a sustainable, growable XSS worm. It seems that the use of a centralized JS source file could be its Achilles heel, however.

The biggest issue regarding web application worms isn't about the worm size, but about the hole to let it propagate. With remote Javascript files we can go any place and any size we want to. The only trigger we need is a simple instance to let it become part of the website and its DOM. We only have to call the remote Javascript file each time, and we can adjust or modify the payload of the worm at any time.

Source: Writing A Modular Universal XSS Worm, Google Groups | Ph4nt0m.

January 27, 2008 in malware , new worms | Permalink | Comments (9)

Diminutive XSS Worm Replication Contest

A friend pointed this out to me. Evidently the Sla.ckers.org website is hosting a "Diminutive XSS Worm Replication Contest". Their mission: to see who can write a new XSS worm (like the MySpace one, the recent Orkut one, etc.).

The goal of the contest is to have a functional web worm in as small a package as possible. From the website:

Okay folks, new small challenge - no prize, just an exercise in programming skill and because I want to see the results. After reading over the XSS worm thread I got to thinking. We haven't, to my knowledge, ever had a diminutive worm writing contest. We've done it for JS injection and for pulling in remote JS but not for worms. You can submit your code to this thread directly (I'd prefer it actually so that others can benefit from what you've done). If that's for some reason not acceptable send me your code directly and we can figure something out. Either way the winner's code must be posted in this thread. Actual cutoff to submit is Thursday the 10th of January at 7PM GMT.

Source: Diminutive XSS Worm Replication Contest, from the sla.ckers.org forums.

January 5, 2008 in malware , new trends, new worms | Permalink | Comments (4)

Grey Goo hits Second Life

This isn't the first time a worm (self-replicating code) has hit a large online game, and it won't be the last. Via various news outlets (like this BBC story, Slashdot, and the official Second Life blog):

[PST 2:44PM] An attack of self-replicators is causing heavy load on the database, which is in turn slowing down in-world activity. We have isolated the grey goo and are currently cleaning up the grid. We’ll keep you updated as status changes.

This apparently took them offline for a few hours. (I don't use Second Life or any of these online communities, so all of my information is second hand.)

[Image: Grey Goo within Second Life, from richardparent.net.]

I have to admit, I like the idea of being able to watch the worm infect a world, sort of like a visible germ cloud or something. Way more interesting than looking at traffic stats when things go awry.

November 20, 2006 in media, new trends, new worms | Permalink | Comments (7)

Worms of the future: Trying to exorcise the worst

Another "worst case" scenario, but this one has seen a few of the predictions (i.e. messing with debuggers) come true in the botnet world.

According to [Wikipedia], a worm could be defined as: a self-replicating computer program that does not need to be part of another program to propagate itself. This document is an attempt at predicting the worst possible future of worms, given the current computer science possibilities.

Up to now, we've seen many different kinds of worms, each new generation improving on the precedent. The fact is that all such threats, for now, have suffered from a few vulnerabilities that prevented them (much to our relief) from functioning to their full potential. Some have achieved their result to a greater extent than others, but none of them seem to have realised the greatest fear: wreaking havoc on the Internet and on Information Systems on a global scale (although some have come close).

This document tries to look at these present vulnerabilities from a security point of view (that is, by considering the Confidentiality, Integrity and Availability of worms) and in the next chapter, how to maintain these security requirements throughout the life-span of the worm, that is to say, as long as possible.

Following this, the document then attempts to provide hints on solutions that could be used in defense against new threats.

As it has been pointed out to me, other similar papers exist, one of them being [Warhol]. Surely a nice complementary reading to this paper.

Source: Worms of the future: Trying to exorcise the worst, by Nicolas Stampf.

October 12, 2006 in new trends, new worms, papers | Permalink | Comments (2)

A Theoretical Superworm

The ISTS at Dartmouth has been doing some great computer security research over the years. This is a report of theirs from 2002.

This report will explain the current model of vulnerability detection, assessment, and response. The current cycle is as follows:

  • Identification of vulnerability
    • Inform security community and/or appropriate vendor and/or press
    • Scan for possible existing exploits of vulnerability
  • Development of response, i.e. patches
    • Inform the community of security measures to be taken
    • Hope everyone takes responsibility for applying patches
  • Observe effects of vulnerability/exploit on unprepared systems
  • Learn from observations, develop new strategies and tactics, and identify new vulnerabilities

The creation of a SuperWorm, malicious code written to incorporate the most successful features of known worms and other malware, could threaten the economy or national security.

The SuperWorm has three tasks:

  • The worm’s programmer identifies multiple exploitation vulnerabilities that affect a large number of operating systems
  • Propagation
  • Delivery of payload and damage

The SuperWorm programmer could learn from and utilize the speed of Code Red and CodeRed2, the multiple means of proliferation utilized by Nimda, the ability to incorporate other virus code to be transported with the worm seen with variations of the Klez worm, the ability to access and send files from a hard drive as seen with SirCam, and the destructive payload of Magistr.

The Incident at XYZ University provides an example of a network that was established with information sharing and open education in mind. The security features of the network do not provide adequate protection against an advanced threat. Additionally, the limited resources of the systems administrators do not facilitate either the rapid response to vulnerabilities or the collection and analysis of the evidence of an attack. These factors limit the ability of the administrators of this network, and networks similar to this University, to defend their system against a sophisticated, rapid cyberattack.

The early warning system described in the Early Detection of Active Internet Worms by Metering ICMP Destination Unreachable Messages section provides an example of a security technology capable of detecting worm activity. Early detection will allow security experts to learn about the technical specifications of the worm, and the vulnerabilities exploited by the worm, and give them time to develop a response to the threat. Additionally, the warning system provides data for further analysis of worm and attacker behavior that will enhance the ability to defend against future attacks.

The Modified Reverse Proxy Server (JEANNE) is an example of a security technology that mitigates the threat of worm proliferation on a web server. The technology is a proactive means to address possible threats before they manifest themselves in the wild.

Source: A Theoretical Superworm.
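The "metering ICMP Destination Unreachable messages" idea the report refers to can be sketched as a small detector. This is an added illustration, not code from the Dartmouth report: the `detect_scanners` function, the `SAMPLE_ICMP_UNREACHABLE` records, and the window and threshold values are all constructed here as assumptions.

```python
# Added illustration of worm early warning by metering ICMP Destination
# Unreachable messages (the idea the Dartmouth report refers to). This is not
# the report's code; records, thresholds and names are constructed here.
from collections import defaultdict, deque

# Constructed sample. Each tuple is one ICMP type 3 message seen at a border
# router: (seconds since capture start, original source, original destination),
# both addresses recovered from the IP header quoted inside the ICMP message.
# 10.0.0.5 probes many dead hosts quickly (worm-like scanning); 10.0.0.7 just
# retries one unreachable address.
SAMPLE_ICMP_UNREACHABLE = [
    (0.0, "10.0.0.7", "198.51.100.2"),
    (0.5, "10.0.0.5", "203.0.113.1"),
    (1.0, "10.0.0.5", "203.0.113.2"),
    (1.5, "10.0.0.5", "203.0.113.3"),
    (2.0, "10.0.0.5", "203.0.113.4"),
    (2.5, "10.0.0.5", "203.0.113.5"),
    (3.0, "10.0.0.5", "203.0.113.6"),
    (3.5, "10.0.0.5", "203.0.113.7"),
    (4.0, "10.0.0.5", "203.0.113.8"),
    (30.0, "10.0.0.7", "198.51.100.2"),
]


def detect_scanners(records, window=10.0, threshold=5):
    """Return {source: peak distinct unreachable destinations} for every source
    that, within any sliding window of `window` seconds, caused ICMP
    unreachable replies for at least `threshold` distinct destinations.

    A host scanning random addresses hits many dead or filtered targets in a
    short time; a legitimate host rarely does, so the distinct-destination
    count is the signal (a plain message count would also flag one connection
    being retried against a single dead host).
    """
    recent = defaultdict(deque)  # source -> deque of (timestamp, destination)
    alerts = {}
    for ts, src, dst in sorted(records):
        queue = recent[src]
        queue.append((ts, dst))
        while queue and ts - queue[0][0] > window:  # expire entries older than the window
            queue.popleft()
        distinct = len({d for _, d in queue})
        if distinct >= threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    for src, peak in detect_scanners(SAMPLE_ICMP_UNREACHABLE).items():
        print(f"possible worm scanning from {src}: {peak} distinct unreachable targets")
```

On real traffic the window and threshold must be tuned per network, and the quoted IP header inside the ICMP message is what ties each reply back to the scanning source.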

October 4, 2006 in new worms, papers | Permalink | Comments (2)

Google Search API Worms

Worms that search Google to find new victims aren't new. Look at Santy from late 2004, which found vulnerable phpBB sites via Google queries. While web application worms and the idea of a worm that has some target preknowledge to spread are nothing new, the author here suggests that it may be simpler than previously thought. I'm still not convinced.

One of the main disadvantages of all AJAX applications is the lack of cross domain request capabilities. In simple words, a web object from one site cannot access another one from a different site. The reason for this security feature is hidden deeply inside every modern browser security sandbox which is responsible for keeping your personal information private and safe.

Unfortunately, with the rise of AJAX-enabled applications the need to break out of the security sandbox receives a lot of enthusiastic support among AJAX developers. Even Google, one of the biggest AJAX evangelists today, provides JavaScript APIs to allow developers to mashup their services with Google’s enormous capabilities. As a result Google unconsciously enables various types of worms to crawl and exploit the web.

...

Web worms can use Google’s infrastructure to propagate. If a malicious mind finds a vulnerability in WordPress for example and this vulnerability allows SQL Injection, a worm may be written to crawl blogs in search for this vulnerability and embed itself into everything that is vulnerable. Once a user visits an infected blog the worm starts another cycle.

Source: Google Search API Worms on the GNUCITIZEN website.

September 21, 2006 in malware , new trends, new worms | Permalink | Comments (1)

Two new OS X worms: Leap and Inqtana

Argh I hate Typepad. This post keeps getting lost when I switch windows.

This week saw two new OS X malware families break out. I had a chance to look at one (and I'm sorry, but I can't share the report) but not both.

The first is Leap.A, an IM worm. If you want to see a good description of what it does have a look at the Ambrosia Software writeup in their forums. Ambrosia also makes some nice games. While technically Leap.A is a Trojan horse, it qualifies as an IM worm.

Leap is important for a few reasons. Firstly, it's the first time we have seen an IM worm not use a central distribution site to propagate the malware. Instead, the malicious file is transferred from one user to another via iChat instant messages. This makes eradication harder (i.e. you can't just shut down one site, you would have to stop all messages between users with the malicious content). We've been expecting this for a while now, and this can be done with MSN Messenger, AIM, etc ... Secondly, Leap.A shows a classic virus trick, namely modifying other applications using the InputManager on OS X. Crafty ... And thirdly it's the first OS X specific malware. If you want to see more AV vendor writeups, follow the links from the CME-4 entry (Leap.A has this CME identifier).

Now, fast forward a day and you'll see Inqtana.A, a Bluetooth worm for OS X. Because many Macs have Bluetooth installed, they're vulnerable to these sorts of attacks. Inqtana uses a specific vulnerability (the Obex Push vuln) to issue commands to a vulnerable machine. Bluetooth worms have been all the rage in some circles for cell phones and PDAs, and this extends it to general purpose computers.

Both are proofs of concept, and both show what we can expect this year in terms of malware.

February 18, 2006 in new worms | Permalink | Comments (5)

AIM users targeted again by IM worm, rootkit and adware

Via a ZDNet blog post, I came across this story. In a nutshell, it looks like a new IM worm is out there that not only installs bot software and a rootkit, but also a rootkit detection tool (Rootkit Revealer according to the reports). From the Vital Security weblog:

I think this is round 4 of the installs from these guys in the Middle-East - each one is a little more adventurous (and a little more scary) than the last. As for how you get nailed with this thing in IM, you're most at risk if you have already been infected with Lockx.exe or palsp.exe. That's not to say you're immune if those files aren't on board your PC - it's just that you would have to actively click the link in your chat client to get whacked. Anyone with Lockx.exe could find the bad guys have just sent it down the pipes anyway (like the BitTorrent installs). Of course, it goes without saying that they can control your AIM client and send messages to your buddy list too.

Source: IM Hackers distribute Rootkit and...Rootkit Revealer?!, Friday, January 06, 2006.

The fact that someone is distributing an IM worm with an IRC bot and a rootkit should come as no surprise. This isn't new. What is odd, however, is the fact that it also comes with a tool to detect the rootkit. That's not something you see every day.

If someone could send me a sample, I would happily post an analysis here.

January 7, 2006 in IM worms, new worms | Permalink | Comments (2)

Oracle Voyager Worm Mutated

It looks like the Halloween Oracle Voyager worm has been altered. This new version builds upon the original Voyager worm and extends its functionality. Notice that it's still not perfected; it has some flaws and may barely qualify as a worm. But it does show that it's possible, and that people are working on getting it right. When the original Voyager worm came out, a few of us looked it over quickly and came up with some ways we think it could be fleshed out into a worm; we weren't the only ones. Details courtesy of the Appsec writeup of the new Voyager worm:

In summary, this code does not seem to have implemented a spreading mechanism. As in the previous version, it creates the private database link, but the procedure to spread is missing. The improvements over the previous version include the use of a known vulnerability in the VALIDATE_STMT procedure to grant DBA to PUBLIC. The code, with a 1 in 100 chance of execution, implements a Google search for its own code in an AFTER LOGON trigger. The intention is probably to rerun the code at some later point in time. As the subject of the initial posting on Full-Disclosure indicates, the latest version of the worm code tries to mail the username and password hashes to larry@oracle.com and oracle@

. The last, but important, change from the previous version of Voyager is that it tricks the listener to reset the password for user 'mdsys' to 'mdsys' by abusing the 'set log_file' command. The clear intention is to increase the chances of successfully creating a private link to the database.

Source: New Oracle Voyager Worm Variant, January 4, 2005, Application Security, Inc.

January 6, 2006 in new worms | Permalink | Comments (1)