Antivirus News


New web worms causing havoc

Posted in Viruses, Worms, Trend Micro by Antivirus-News on the December 29th, 2006

A recent wave of web worms appearing on social networking websites represents a new generation of more sophisticated computer worms.

Early forms of the computer threats classified as “worms” were intended more for causing havoc or were designed for proof-of-concept purposes to determine if vulnerabilities could be exploited.

Recently, however, new worms designed to steal data have been discovered on social networking sites such as MySpace.

These new worms employ cross-site scripting (XSS) flaws found on many websites.

XSS is defined on the Whatis.com website as a security exploit in which the attacker inserts malicious code into a link that appears to be from a trustworthy source. When the user clicks on the link, the embedded programming is submitted as part of that user’s web request and can execute on the user’s computer, typically allowing the attacker to steal information.

Web server applications that generate web pages dynamically are vulnerable to this type of exploit if they fail to validate user input.
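As an added illustration (not code from this article or from any site it names), the Python example below places a page generator that inserts user input unchanged beside one that HTML-encodes it on output, and includes a check that reports any script element or event-handler attribute that reaches the page. The function names, the profile fields and the sample input are assumptions constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: profile fields carrying markup instead of plain text.
SAMPLE_NAME = '<script>alert(1)</script>'
SAMPLE_BIO = '" onmouseover="alert(1)'


def render_unsafe(name, bio):
    """Vulnerable: user input is concatenated into the page unchanged."""
    return f'<div class="profile" title="{bio}"><h1>{name}</h1></div>'


def render_safe(name, bio):
    """Hardened: every user-controlled value is HTML-encoded on output."""
    return (f'<div class="profile" title="{html.escape(bio, quote=True)}">'
            f'<h1>{html.escape(name)}</h1></div>')


class ActiveContentFinder(HTMLParser):
    """Collects script elements and on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.findings.append(f"{attr_name} attribute on <{tag}>")


def active_content(page):
    """Return the active content found in a rendered page (empty list if none)."""
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        page = render(SAMPLE_NAME, SAMPLE_BIO)
        print(render.__name__, "->", active_content(page) or "no active content")
```

A check like `active_content` can run as a regression test over every template that displays user-controlled fields, so a missing encoding step is caught before the page is served.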

The popular MySpace website was first hit with the Samy worm in October.

Adam Biviano, a senior systems engineer at security firm Trend Micro, said a MySpace.com user, called Samy, had created a “malicious” profile by taking advantage of a flaw in the website’s design. The profile, when viewed, automatically activated code to add the visitor to Samy’s “friends” list. Additionally, the malicious code would be copied into the victim’s profile, so when that person’s profile was viewed, the infection spread.

According to Biviano, “The infection stays on the website and almost creates a denial-of-service attack, because there is an exponential explosion of entries in your friends list that will eventually consume the infrastructure.”

The apparent intent of the Samy worm creator was to increase his popularity on the social networking site. In terms of numbers of “friends,” it worked.

In an e-mail interview posted on Google Blogoscope, the young author said: “It didn’t take a rocket or computer scientist to figure out that it would be exponential, I just had no idea it would proliferate so quickly.”

“When I saw 200 friend requests after the first eight hours, I was surprised. After 2,000 a few hours later, I was worried,” he said.

“Once it hit 200,000 in another few hours, I wasn’t sure what to do but to enjoy whatever freedom I had left, so I went to Chipotle and ordered myself a burrito. I went home and it had hit 1,000,000.”

The Samy worm demonstrated the ease with which cross-site scripting could be used as an exploit and was quickly followed by a major phishing attack later in October.

One such exploit changes a user’s profile to include links to a pornographic website that hosts spyware.

Hackers are finding cross-site scripting “holes” in numerous large websites.

According to computer firm CGI, sites such as CNN.com, Time.com, eBay, Yahoo, Apple Computer, Microsoft, ZDNet, Wired and FBI.gov have XSS bugs of one form or another.

Protecting yourself will involve work.

For specific suggestions on steps to take, consider visiting the website www.cgisecurity.com and searching for the article “xss-faq”.

John Millar is the president of Digital Boundary Group, a London-based information technology security services firm. This article, written with the assistance of Deborah Washburn, a security specialist, contains general comment and suggestions. Digital Boundary may be reached at 519-652-6898. E-mail him at jmillar@digitalboundary.net.
