NOW READ THIS
("Security Advisory")
Go Back
Submitted by: Bill Hickey
NCVA List Master
NRT-0251 Researchers Prepare to Demonstrate Hybrid Web-borne Worm Concept:
Researchers have written a proof-of-concept of a potentially destructive and persistent web worm that can run in both clients' browsers and on a web server, and evade signature-based scans. To date, web-borne worms have not been easy to spread from host to host, and they have usually been easy to detect. The so-called "hybrid web worm" has more staying power than previous web worms - such as the Samy worm that infected MySpace - that were restricted to specific hosts and domains, and typically only exploited a single vulnerability. "As [researcher] HD Moore put it, [these older Web worms] were like a smallpox epidemic on a small island," says Billy Hoffman, lead researcher for SPI Dyanmics' Labs and co-author of the hybrid worm proof-of-concept. "Samy couldn't leave MySpace." At the Black Hat conference next month, Hoffman and fellow researcher John Terrill will demonstrate their next-generation web worm in a session entitled "The Little Hybrid Web Worm That Could." Their new worm mutates to evade signature detection - it can even use vulnerability information from sites like Secunia to infect other servers and browsers.
According to the article, web worm attacks are potentially more sophisticated than predecessor email-based attacks, because they can use JavaScript and Flash to run across disparate operating systems. The hybrid web worm is billed as being even more intelligent. When it is injected into a web server, it can write a JavaScript version of itself into web pages, so that when a user visits those sites, it infects his or her browser.
The worm grabs, and then exploits, new vulnerabilities reported on sites such as Secunia and then continues propagating. "Secunia's [vulnerability data] is machine- consumable, so it could pick up new vulnerabilities while it's in the wild" and spread via those bugs as well, Hoffman says. This polymorphic feature of the next-generation worm is a natural evolution for the malware - and it will be tough for enterprises to defend against, according to Hoffman.
One hope for detection is to study the malware's behavior for worm-like characteristics, Hoffman says. Even though the hybrid worm is mutating, it still behaves like any other worm.
(www.darkreading.com 05JUL07)
Last Modified: Tuesday, 31-Jul-2007 22:38:53 EDT