Billy Hoffman & John Terrill: The little Hybrid web worm that could

Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.

Summary: The past year has seen several web worm attacks against various online applications. While these worms have become more sophisticated and made use of additional technologies like Flash and media formats, they all share some basic limitations, such as infecting new domains and injection methods. These worms are fairly easily detected using signatures, and these limitations have made web worms annoying but ultimately controllable. Often the source website simply fixes a single flaw and the worm dies. In this presentation we will examine ways web worms might evolve to overcome these limitations. We describe a hybrid web worm combining both server-side and client-side languages to exploit both the web server and the web browser to aid in its propagation across multiple hosts. We will discuss how such a hybrid worm is able to find new vulnerable systems and infect new hosts on different domains from both the client and the server. In addition, we will look at how a hybrid worm could upgrade its infection methods while in the wild by fetching and parsing new web vulnerability information from public security sites, preventing a single silver-bullet fix from stopping it. We will examine how web worms could implement polymorphism and source code mutation to evade signature detection systems. While these are not new concepts, applying them to interpreted languages like Perl or JavaScript inside a browser allowed for some interesting twists and caused some challenges. While we have not built a fully functioning hybrid worm, we will demo different parts of the worm in isolation to show how these features would function. Specifically, we will look at how the worm could upgrade itself with publicly available vulnerability data, as well as at source code mutation. Based on methodology from the JavaScript vulnerability scanner Jikto, we will also demonstrate DOMinatrix, a JavaScript payload using SQL injection to extract information from a website's database.
Finally we will discuss steps to prevent hybrid web worms from exploiting a website or its users.