Feeds

Researchers warn over web worms

Right here, right now

Providing a secure and efficient Helpdesk

LAS VEGAS - Exploiting a lack of security checks in browsers and Web servers, web worms and viruses are likely to become a major threat to surfers, security researchers speaking at the Black Hat Briefings warned on Thursday.

In separate presentations, researchers showed off techniques for using Javascript code on Web pages to grab browser histories and scan internal networks as well as using AJAX - a technology that adds interactive features to websites - to create web viruses that can steal personal information. The threats are not only theory, but have been used to attack MySpace users and Yahoo! users, said Billy Hoffman, lead research and development researcher for Web security firm SPI Dynamics.

"This isn't a proof of concept; this isn't academic," Hoffman told attendees at the Black Hat Briefings. "People are already doing this."

Last year, the Samy worm propagated among MySpace users, using Javascript and AJAX code to add a MySpace.com user "Samy" to the victim's list of friends. The incident created speculation that more scripts capable of infecting Web site users would follow. Indeed, other worms used Javascript paired with vulnerabilities in Flash and Windows Meta File (WMF) format to spread among users. In June, a web worm - dubbed Yamanner - spread among Yahoo mail users collecting email addresses and sending them to the attacker's email address.

"We went from screwing around and having fun on MySpace to an attacker harvesting email addresses to sell to spammers, all in less than eight months," Hoffman said.

Such attacks are just an early sign of things to come, said Jeremiah Grossman, founder and chief technology officer for WhiteHat Security, who talked about Javascript threats at Black Hat.

"We are back in the early days of the email viruses where people were experimenting to see what can be done," he said.

Grossman showed off techniques for detecting which of a list of popular sites that a victim has visited and demonstrated a way to port scan an internal network to which the victim is connected, all through Javascript and without exploiting vulnerabilities.

"We don't need to hack the operating system anymore - everything you need to attack is online," Grossman said.

The web worms also mark the comeback of meaningful cross-site scripting attack.

Considered by many security researchers to be a less-than-hackerly technique used by script kiddies, phishers and spammers to fool trusting users, cross-site scripting (XSS) is a key method for injecting malicious code into a victim's web session. Cross-site scripting allows a malicious Web site to inject code into the context of another website; a user that believes they are interacting with a popular social networking site, might instead be loading a script in from some other malicious site.

Cross-site scripting makes Javascript attacks and Web worms possible, said WhiteHat's Grossman.

"If you don't want your website to be helping spread malware, the best way to prevent it is to resolve your cross-site scripting issues," Grossman said.

SPI Dynamics' Hoffman agreed.

"If you don't do input validation with an application, you may hurt the user," Hoffman said. "If you don't do input validation on a web application, your hurt the user and every other user."

A recent audit of popular social networking sites found that many of them have serious cross-site scripting issues that could be used to create web worms.

There are few other defenses against the attacks, aside from turning off Javascript, Hoffman said.

Secure Sockets Layer (SSL) encryption, far from helping secure against such attacks, could instead aid them in dodging detection by intrusion detection, or prevention, systems, he said. If the website from which the attack is launched uses SSL, then the traffic - encrypted between the site and the user - cannot be parsed by a network-based IDS system.

The most permanent fix would be for browser makers to find ways to confirm that AJAX code is indeed running in the context of the current Web site being visited by a user, while marking Web requests with the source of the request--whether a human or a script - could limit attacks on high-value sites, such as brokerage firms and banks.

"We have made a call out to the browsers makers to fix the problems," Grossman said. "We hope it comes soon before the bad attacks happen."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.