Worms Get Smarter

The recent wave of Web worms on MySpace and other social networking sites represent a new generation of more sophisticated worms -- ones that employ the pervasive cross-site scripting (XSS) flaws found on many Websites.

Early worms were more for wreaking havoc and proof-of-concept purposes (think Code Red and Melissa), but the new worms discovered earlier this month on MySpace are more about stealing data. Example: the XSS exploit that spreads as a worm and tries to force spyware onto a user's machine for nefarious purposes. That attack is a QuickTime movie that is "backdoored" with an XSS exploit, which changes a user's profile to include links to a porn site that hosts spyware. Once a user goes to that site, he or she is infected with the spyware.

Another variant of the QuickTime exploit poses as MySpace and phishes for usernames and passwords.

These attacks are the latest in a series of exploits hitting the wildly popular MySpace over the past few months, first with the Samy worm, and then with a major phishing attack in October, along with publicly disclosed XSS fragmentation vulnerabilities on the popular hangout site. (See MySpace Under Siege.)

Researchers say they are alarmed by the fact that attackers are now so quickly finding and using the newest attack techniques, such as XSS, or new attack vectors such as Apple's QuickTime.

"They are getting more sophisticated and informed, that's for sure," says Jeremiah Grossman, CTO for White Hat Security. "Until a couple of months ago, for instance, we didn't even know QuickTime was an attack vector."

Grossman describes these recent attacks like this: "XSS is the vulnerability, JavaScript malware is the payload, and the social networking Website provides the pool of victims."

He says these XSS and worm attacks are likely to spread beyond the social networking circles, which have begun serving as a popular proving ground for exploits, to other Websites. "We'll be seeing a lot more of them on more and more Websites," he says. "It's going to be very challenging for the AV [antivirus] guys to keep up with these [Web worm] outbreaks. The spread is just too easy and too fast to have a reactive solution."

RSnake, founder of ha.ckers.org and sla.ckers.org, says heavily populated social networking sites like MySpace, Orkut, and Facebook make perfect Petri dishes for testing large-scale XSS attacks, mainly because the user base is both contained yet interconnected.

"Additionally, social networking sites like MySpace offer a large amount of customization, including user-defined, embedded content. That embedded content is very easy to subvert and turn malicious."

What are the chances these attacks could be turned on non-social net sites? XSS exploits have already been used in targeted attacks, Rsnake says, although he would not disclose details of these attacks. "Generally, they are being used to take over administrator accounts or other users of the system."

A Web worm is just one type of payload for these XSS flaws. "Anyone vulnerable to XSS should stay apprised," Grossman says. "It's going to affect us all eventually, either as the targeted Website or as the infected user."

There are some precautions you can take to protect your own Website and your users from this new generation of attacks. If your users are using dynamic content on any social networking site, they should at least turn off JavaScript and Java, according to RSnake. "Currently, those sites are simply not safe."

XSS holes can be elusive, but RSnake says the best bet is to keep your Web server up-to-date with patches, pick your encoding methods wisely (ISO-8895-1), and sanitize all input before sending it out. "That right there will stop 99 percent of XSS attacks."

— Kelly Jackson Higgins, Senior Editor, Dark Reading