Over the years, we've seen a number of "super worms." For example, Nimda, Code Red, and SQL Slammer were devastatingly effective. They spread quickly, infected a huge number of systems, and cost much money to eradicate.

Worm technology has certainly evolved, and in many cases it basically follows the path of least resistance. Since Web technology is dominant and Ajax (a combination of JavaScript and XML) is being more widely used every day, it seems rather natural that worms begin to target those technologies.

In fact, back in 2005, someone created an Ajax-based worm (dubbed Samy) and turned it loose on MySpace. The worm worked by taking advantage of the browser when a MySpace user visited a particular MySpace page. The page loaded JavaScript worm code that used Ajax to spread itself to the MySpace user's page. And that cycle kept repeating itself. Within 24 hours, Samy had reportedly spread to more than 1 million MySpace pages! You can read a blow-by-blow description of how the worm worked at this URL:

http://namb.la/popular/tech.html

Samy took advantage of several problems with Ajax technology, one of which is the familiar cross-site scripting (XSS) scenario in which a script from one site interacts with another site. If someone were to take a worm like Samy further by automating it to contain a longer list of sites vulnerable to XSS attacks, the effect could be far more significant. After all, if the Samy worm could infect over 1 million MySpace sites in only 24 hours, then a worm targeting many different sites would spread exponentially faster. Furthermore, such a worm could do a lot more than simply spread itself. It could, for example, easily be made to steal user credentials and post that information someplace for an intruder to receive.

Recently, Petko Petkov showed how using a combination of available technologies would provide the means for a new super worm to be created. You might know about XSSed.com, a site that aggregates lists of other sites that contain XSS vulnerabilities. The lists are presented in an easy-to-parse format and include examples of how to exploit each XSS vulnerability. Having such a database available online is useful, even educational, but at the same time, it's a treasure trove for a malicious coder.

Petkov showed that a new super worm could use XSSed.com as a base and technologies such as Dapper and Yahoo Pipes to spread itself at lightning speed. Dapper (at the first URL below) lets people grab content from nearly any Web site. The content can be automatically formatted into XML (and other formats). So, effectively, someone can use Dapper to create a list of sites vulnerable to XSS along with the sites' associated exploits, all in XML formatted code that a script can then use for attacks. Yahoo Pipes (at the second URL below) lets the malicious script obtain a list very quickly on the fly.

http://www.dapper.net

http://pipes.yahoo.com

With that data and technology available, a worm would spread incredibly quickly. The problem is compounded by the fact that neither Dapper nor Yahoo Pipes specifically is necessary for such a worm to work. The technology provided by those two services could easily be recreated on any number of sites around the Internet. So stopping such a worm isn't as simple as it might seem at first. The best defense of course is to not create Web sites that contain XSS vulnerabilities!

You can read more about Petkov's ideas at the first URL below. The upcoming Black Hat USA 2007 conference will have at least three presentations that deal with Web worms (see the second URL below), including "Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity" by Brad Hill; "Premature Ajax-ulation" by Bryan Sullivan and Billy Hoffman; and "The Little Hybrid Web Worm that Could" by Billy Hoffman and John Terrill. So if you're going to Black Hat USA this year (July 28 - August 2 in Las Vegas), consider attending these presentations.

http://www.gnucitizen.org/blog/the-next-super-worm

http://blackhat.com/html/bh-usa-07/bh-usa-07-schedule.html