Are we about to face the next Super Worm?
In recent years, malware attacks have been targeted and mass worms have been quiet. The days of blockbuster headlines about mass infections such as Slammer are long gone. Or are they? Are we about to face the next Super Worm?
The rapid evolution of “Web 2.0” has sparked the convergence of social networking on a massive scale and the adoption of new combinations of technologies that significantly increase the so-called ‘attack-surface’. This combination offers irresistible opportunities to organised crime.
About two years ago, organised criminals discovered around 70% of web applications harboured security flaws and began to switch from targeting operating systems weaknesses to those in the applications.
The web is now the preferred vector for malware. At the same time, the nature of the web has been transformed, through the phenomenon of social networking, and in a sense we have become the ‘we’ in ‘web’.
Under the traditional internet model, when a user clicks on a link, a web browser sends an HTTP Get request to a server. In return the server sends the requested web page to the client. If the client is to send information back to the server, another request is made following the same process.
This synchronous communication method involves the transfer of entire web pages. From the point of a page request, the user must wait and is unable to interact further with the browser until the entire page has been served.
The response time is reduced by the intermediary Ajax application exchanging small amounts of data between the browser and the server, without refreshing the entire page. This gives an impression of seamless interaction.
For example, Gmail, the web-based email service provided by Google, offers a search-oriented interface and a unique “conversation view” and is well-known for its use of the Ajax programming technique in its design.
Although Ajax can dramatically improve the performance of a web application, it also introduces new potential for attack. As Ajax applications reside on both the client and the server, they raise the following security issues:
- Exposure of a much increased attack-surface, as many more points of input are opened
- Exposure of the workings of internal functions of the Web server application
- Allowing a client-side script, with no built-in security mechanisms to access third-party resources
This leaves the web browser and users wide open to the threat of an Ajax Super-Worm.
As I mentioned above, Ajax applications extend across both client and server, unlike traditional web applications. This necessitates a trust relationship between client and server that may be exploited by an attacker.
I like to compare a traditional web application to a house with just one front door and no windows, offering just one point of attack. An Ajax application, however, sends small requests, which create many more points of input in turn creating many more opportunities for attack. In addition to the front and back doors, the house could now be thought of as having numerous windows (points for break and entry) and the doors become of little consequence.
So, what about the Super Worm? Cross-site scripting (XSS) involves the injection of code into a page that is returned to the browser.
The code is then executed by the browser, exposing the user to a variety of threats including:
- Cookie theft (an attacker assumes the identity of the victim and hijacks a live session such as online banking),
- Keystroke logging (leading to the theft of user identification and authentication data), screen scraping (revealing further authentication information selected from dropdown lists etc)
- Denial of service attacks (armies of botnets transmitting huge volumes of packets to a target system, exhausting bandwidth and effectively making it unreachable)
XSS attacks against traditional web applications required manual injection of script into a website, perhaps included in an email link or saved as an entry in a back-end database.
With Ajax, XSS can easily propagate like a worm. The script can autonomously inject itself into web pages and send multiple requests using complex HTTP methods to propagate itself without any page refresh and all completely invisible to the user.
A very interesting piece of research called The next super worm from GNUCITIZEN, a creative hacker organisation, outlines the true power of Ajax worms and raises the prospect of an Ajax Super Worm.
• Web data mappers can extract data from a web page and convert it into XML format.
• Yahoo! Pipes is a web application provided by Yahoo! that allows you to aggregate many information feeds, format and sort them and present them in consolidated form.
The site xssed.com contains an archive of sites vulnerable to XSS and also a record of the attack vector. This database is maintained by volunteers who scour the web and report in a very timely manner.
Setting up a Dap at Dapper, JSON – a notation for transmission of structured data – can be used to aggregate data from the XSSed database and store it in an XML file.
A Super Worm of this kind could have potentially devastating consequences in the very near future. The technology exists and the key question is one of motivation. A multitude of easy targets within the Web 2.0 social networks must certainly be attractive to organised crime.
A permanent solution would be for browser makers to find ways to confirm that Ajax code is indeed running in the context of the current website being visited by a user, while marking web requests with the source of the request (whether a human or a script) could limit attacks on sites.
Whether a Super Worm of this type or similar will appear or not is up for debate. But what is clear is that the increasing use of Ajax in today’s web sites means that we are likely to see more complex attacks which harness the power of Web 2.0 technologies. And for the first time in a long time, we could see another large scale infection spread by a new breed of Super Worm.
Pete Simpson is ThreatLab Manager at Clearswift, the content filtering software and managed service provider