3 min read

Post-Warhol Worms

Samy MySpace's dizzying propagation speed may be outdone by some imminent super-massive worms

11:55 AM -- Among other things, Andy Warhol is known for uttering, "In the future, everyone will be world-famous for 15 minutes." The point is not lost on virus writers.

They often think about the scalability of an attack, given the three primary focal points of a large-scale worm. First is its ability to propagate quickly. The second is how long it stays in existence. The last crucial point is how much damage it does. A number of years back a paper was written on the concept of a Warhol worm. Its major finding: A worm could spread across the accessible Internet in less than 15 minutes.

The major incentive for writing a Warhol worm, or Flash worm as it’s sometimes called, is to help with the first two points (the latter issue depending on the payload, not the attack vector itself).

Let's look at the largest scale worm in the history of the Internet -- the Samy MySpace worm. The Samy worm used JavaScript and session riding to perform the attack. Click here to see how quickly it propagated before the entire Website got shut down. Notice that somewhere north of 9,000 users was the point at which the growth became explosive.

It's also obvious from the graph that Samy was still on a growth cycle. Had the machine it resided on stayed up and the worm been allowed to propagate naturally, it would have continued to grow well beyond where it ended. That means not only does it hold the record for most infections in the history of any Internet worm, but it also solves the first critical issue: the speed of the worm as it traverses the Internet.

The second issue centers on how long the worm stays in existence. From start to finish, the worm lasted around 20 hours, nowhere near the one of the other Warhol worms, SQL Slammer. Still, 20 hours was enough time for Samy to spread globally, and to make good on its fast-propagation intentions.

Future JavaScript based worms could employ a tactic called exponential cross-site scripting that leaps from domain to domain, using holes in multiple systems to keep in existence for a greater duration of time, and infecting more users than a single-site worm. Samy was the largest worm ever built, and it paves the way for super-massive worms that could jump an order of magnitude above what the original JavaScript-based Samy worm was able to infect.

That's some serious fame we're talking, and it will likely last longer than 20 hours (in this post-Warhol era). You can bet the aftermath of such an infection will be quite a bit more damaging.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F* Special to Dark Reading