SLA.CKERS.ORG
HA.CKERS SLACKING
sla.ckers.org web application security lab forums
Q and A for any cross site scripting information. Feel free to ask away. 
Creating and Combating the Ultimate XSS Worm
Posted by: DoctorDan (IP Logged)
Date: January 06, 2008 09:41PM

In the diminutive XSS worm contest, a discussion considering XHR versus other methods of propagation arose. I would like to hear what everyone has to say about the questions below.

(an excerpt from one of my posts in the contest thread)
Quote:
Assuming the goal of the worm is for itself to be copied as many times as possible, a few questions are posed.
Stealth is certainly needed for mass propagation, so how should a good worm be silent?
How should web developers best detect worms, assuming they're relatively silent?
Also, it should be hard to clean up, so how can one make a worm "messy" to fix?
How can a web developer best resolve the issue of a messy worm?

I believe that time is of ultimate importance for propagation, especially considering that these grow at an increasing rate. The more time it takes to fix, naturally, the more it will spread. In creating the questions I asked, I decided that "messiness" and "silence" are the two most important qualities of a worm that will buy it time to propagate. I also hope to hear about detecting and removing the ultimately silent and messy worm.

-Dan

Re: Creating and Combating the Ultimate XSS Worm
Posted by: rsnake (IP Logged)
Date: January 06, 2008 09:49PM

I think one of the biggest problems with Samy and others was that it did something visually to the user that they didn't like. Clearly, reducing the visual noise to the user would be critical to making something silent. Changing someone's profile is sure to raise eyebrows. I'd suspect that even competent IT people wouldn't notice something going on under the hood unless it left a visual or auditory cue (like the clicking between pages). CSRF is a good candidate as a payload. Propagation itself is tough unless you go the XMLHttpRequest route.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Creating and Combating the Ultimate XSS Worm
Posted by: Spikeman (IP Logged)
Date: January 06, 2008 10:03PM

One idea I toyed with once was set up an XSS worm with script hosted somewhere externally that you control. Let it propagate completely silently for a while. Once it is fairly widespread change the code to add the payload. The only flaw to this method is users may notice their browser accessing a domain they haven't seen before which will draw suspicion.

One idea that is sort of similar that would work on a social networking site or something related is to store the payload in a profile or somewhere that you can edit (as opposed to externally) and have the worm load the payload via XHR and eval it.

Re: Creating and Combating the Ultimate XSS Worm
Posted by: bwb labs (IP Logged)
Date: January 06, 2008 10:06PM

Quote:
DoctorDan
"messiness" and "silence"
Can you tell me the difference? I mean a truly silent worm isn't messy right? Or can you define 'messy' for me :-).

Re: Creating and Combating the Ultimate XSS Worm
Posted by: bwb labs (IP Logged)
Date: January 06, 2008 10:16PM

Quote:
Spikeman
One idea I toyed with once was set up an XSS worm with script hosted somewhere externally that you control. Let it propagate completely silently for a while. Once it is fairly widespread change the code to add the payload. The only flaw to this method is users may notice their browser accessing a domain they haven't seen before which will draw suspicion.
The idea of an XSS proxy (you can even control individual users, like not the admins or x IP range .. etc). How would a user notice? A "Waiting for http://attacker"? (in IE) I don't think many users pay attention to that; there are trillions of addresses cycling there, many of them ads or tracking servers. You could make it something like http://ads.company.com/468x60.gif (which can be the source in your <script src=""></script>).

Re: Creating and Combating the Ultimate XSS Worm
Posted by: rsnake (IP Logged)
Date: January 06, 2008 10:20PM

Off-host payloads add an additional point of failure. Not only do you rely on the hole not being fixed but you also have to rely on the bandwidth of your own site, and their ability to not DoS you off the net by whatever means necessary (calling your upstream, getting your registrar to nuke your domain, etc...). Granted, it does give you a lot more flexibility and it reduces the size of the code to only a few chars. An alternative is to request the code and if it suddenly goes offline or can't get the info from the host it starts its noisy mode, so you aren't as reliant on the remote server.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Creating and Combating the Ultimate XSS Worm
Posted by: DoctorDan (IP Logged)
Date: January 06, 2008 10:40PM

@bwb labs
To clarify, "silence" would be in terms of detection. A silent worm probably wouldn't reload a page or affect it much visually. In terms of "messiness", I'm talking about how hard it is to remove from the web developer's point of view. The "messier", the more time it will take to remove the worm once it has been detected.
Silence buys time for propagation before detection, and messiness buys time afterwards.

Cool, I like what I'm hearing. I never thought much about the effect on a server having to deal with serving the payload. I can see where bandwidth could become an issue. I believe that an off-site payload is not the way to go (partially because requests to multiple domains are not as "silent"). The best choice would be to have an editable payload on the same domain as the worm. For messiness, how about the idea of spreading multiple versions of the same worm fuzzed in different ways?

-Dan

EDIT: do you all believe XHR to be best means of propagation?
Edited 1 time(s). Last edit at 01/06/2008 10:44PM by DoctorDan.

Re: Creating and Combating the Ultimate XSS Worm
Posted by: digi7al64 (IP Logged)
Date: January 06, 2008 11:24PM

@spikeman - a time based payload would be good - and by that i mean it would only seek to obtain the payload from an external source after a certain date or time period.

@rsnake - another good alternative is to add the payload into your profile using (well i use) div tags anyway, you then xhr your profile page and read the text as necessary (which provides a poor mans c&c).

finally, i think a true super xss worm will be self morphing with a wide range of different methods for generating the attack. for instance a worm using '<script>' tags can be easily found in the database, but if the worm (say after a single morph) was to use a '<body onload="">' or <img src=x onerror=""> to fire the event it would make detection and eradication a lot harder. therefore i think a great worm needs to modify itself continually to avoid a single point of detection.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Creating and Combating the Ultimate XSS Worm
Posted by: DoctorDan (IP Logged)
Date: January 06, 2008 11:46PM

The problem with putting it on your profile (or even just housing the payload on the same domain) is that, once discovered and even briefly analyzed, it is very easily stopped by removing the on-site payload. There should probably be some sort of backup method if the on-site payload is removed. Perhaps the "ultimate" worm does not even have an editable payload, but rather a timed one.

A good worm, as you say, needs to morph. It must have different forms. Perhaps every form of the worm begins on just a few pages. Once one of these seed pages is accessed, one of the forms is randomly chosen to propagate for the user. Or, if there is an off-page payload, perhaps the form can be chosen randomly each replication. How in hell would a company deal with stopping 10 versions of the same worm?!

-Dan
Edited 1 time(s). Last edit at 01/06/2008 11:47PM by DoctorDan.

Re: Creating and Combating the Ultimate XSS Worm
Posted by: Kyran (IP Logged)
Date: January 07, 2008 12:58AM

We could take a step further and take some ideas from my variations on the Warhol Worm.
How about if the worm used a basic xss scanner via xhr to find new attack vectors? Even if they are simple ones, it would be extra attack surface area and harder to clean up. Imagine 10 forms of the worm using 5 different attack vectors each! Essentially 50 variations of the worm! How's that for messy? Mix it with a timed payload, so it's totally silent for awhile, searching for new vulnerabilities.

Pre-timer payload, it could generate a random number from a large range; if the number == 1, request a script containing an array of current vectors that you may find that are more complex, thus adding diversity to the 'gene pool'.

Assuming it goes undetected for awhile, it would be totally disastrous!

- Kyran

Re: Creating and Combating the Ultimate XSS Worm
Posted by: Spikeman (IP Logged)
Date: January 07, 2008 01:14AM

So a polymorphic worm? That'd be cool. It'd be fun to code as well.

Re: Creating and Combating the Ultimate XSS Worm
Posted by: Anonymous User (IP Logged)
Date: January 07, 2008 02:33AM

Well, I guess there are a few hallmarks of a good worm; in my opinion those are:

a) good longevity.
b) aggressively persisting (stored or in memory)
c) morphing, or custom to each instance.
d) at alerting becoming more dangerous.

whether that be XHR I'm not sure, but it does give really good control.

Re: Creating and Combating the Ultimate XSS Worm
Posted by: 4909 (IP Logged)
Date: January 07, 2008 03:01AM

`
Edited 1 time(s). Last edit at 01/09/2008 12:11AM by 4909.

Re: Creating and Combating the Ultimate XSS Worm
Posted by: DoctorDan (IP Logged)
Date: January 07, 2008 05:49AM

Good point, 4909, don't uniformly attack the same XSS flaw. Attack 'em all! I believe Kyran's idea of an XSS scanning worm fits into that concept (what an evil, evil idea that is :P). I think at that point we're talking about either a lot of code, or starting to have an off-site/off-page payload. I also started to wonder about tracking these worms. I gotta run, but I'll say what I think about that later...

-Dan

Re: Creating and Combating the Ultimate XSS Worm
Posted by: rsnake (IP Logged)
Date: January 07, 2008 08:33AM

The problems with using an XSS scanner are:

a) it's slow (takes a lot of time, even for multi-threaded vuln scanners to do this sort of work)
b) it's redundant (everyone ends up scanning the same thing - which is why the flash worm concept was so important to viral research)
c) it's very difficult to find persistent XSS - not impossible - just very difficult, compared to reflected XSS.

One thing we have to keep in mind is that the worm author probably has prior knowledge of the site and can release multiple versions of the same code at different times, or use a series of command and control. Someone mentioned it may get deleted, but that's a form of command. If the C&C isn't there, switch to C&C#2. People have built complex encryption into JavaScript, you could easily keep the payload intact until the C&C isn't there. Really, that's obfuscation, because it's easy for anyone like us to mimic that same behavior with a proxy and test the results of removing the C&C before it happens so we can find C&C#2 ahead of time.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Creating and Combating the Ultimate XSS Worm
Posted by: Kyran (IP Logged)
Date: January 07, 2008 09:10AM

a) Add another (what I'll now call) chance-object. Only scan on a low percentage, it should lower the usage of the site and stop a possible DDoS. Or just before the timer runs out, it could do the requesting of a file with new vectors.

b) Nothing we can do here, except perhaps have it search multiple levels of pages for keywords and links on the same domain. -> infected.php -> linkonpage.php -> menu.php ->etc

c) Pseudo-reflective attack, send reflective payloads via some sort of messaging system on the site. It will probably have one if it's a site big enough to do something like this on properly. <<-- Will require C&C/remoteJS.

Good points RSnake, way to hobble my evil idea. :(

- Kyran

Re: Creating and Combating the Ultimate XSS Worm
Posted by: Gareth Heyes (IP Logged)
Date: January 07, 2008 09:14AM

Polymorphism for an XSS-based worm is easy, and the same payload could be randomised on each request and be pretty much impossible to detect. Me and Ronald plan to release some research soon which will demonstrate this.

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

Re: Creating and Combating the Ultimate XSS Worm
Posted by: rsnake (IP Logged)
Date: January 07, 2008 09:17AM

I suppose you could also pull in some remote JS on a 1:1000 chance or something. That would reduce the number of calls to the remote server, and still allow you to make changes on the fly on average after one out of one thousand infections... or something. Kinda thinking out loud here.

I'll be interested in your research Gareth. Is it based on these few threads or did it come from something before this.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Creating and Combating the Ultimate XSS Worm
Posted by: Gareth Heyes (IP Logged)
Date: January 07, 2008 09:28AM

Well I've known about the technique for a long time but I haven't published any details because of fear of being taken to court, but I don't think I'm breaking the law so I'm gonna publish it with Ronald. Should be fun; within the next few days we plan to release it....

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

Re: Creating and Combating the Ultimate XSS Worm
Posted by: Kyran (IP Logged)
Date: January 07, 2008 09:43AM

So, how could we detect these things and even find the initial culprit?

I was thinking IDS + browse-time check. If someone looks like they are spidering, temp ban them and alert an admin to check their profile/etc. But this can be countered with timers and a hijacked browser session. :\

- Kyran

Re: Creating and Combating the Ultimate XSS Worm
Posted by: rsnake (IP Logged)
Date: January 07, 2008 12:59PM

I was thinking about looking at traffic patterns... I think this has a lot of hope, actually. Also, checking referrers, obviously would be a good heuristic measure since it's unlikely people would be modifying their profile from other people's pages.

- RSnake
Gotta love it. http://ha.ckers.org
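As an added example (not code from this thread or from any poster), here is what the two detection ideas raised so far look like as log analysis: RSnake's referrer heuristic (a profile edit submitted while the browser was on someone else's profile) and Kyran's browse-time check (one session pulling many distinct profiles in a few seconds). The simplified log format, the /profile/ paths and the session-to-account mapping are assumptions; the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): "<ISO time> <session> <method> <path> <referer>"
SAMPLE_LOG = """\
2008-01-07T09:00:40 s1 POST /profile/edit http://site.example/profile/alice
2008-01-07T09:03:10 s2 GET /profile/bob http://site.example/home
2008-01-07T09:03:11 s2 GET /profile/carol http://site.example/profile/bob
2008-01-07T09:03:11 s2 POST /profile/edit http://site.example/profile/carol
2008-01-07T09:03:12 s2 GET /profile/dave http://site.example/profile/carol
2008-01-07T09:03:13 s2 GET /profile/erin http://site.example/profile/carol
"""

# Hypothetical session-to-account mapping; a real site reads this from its session store.
SESSION_OWNER = {"s1": "alice", "s2": "bob"}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")
PROFILE_RE = re.compile(r"^/profile/(\w+)$")


def profile_in_referer(referer):
    """Username of the profile page named in a Referer URL, or None."""
    m = PROFILE_RE.match(re.sub(r"^https?://[^/]+", "", referer))
    return m.group(1) if m else None


def detect(log_text, window=timedelta(seconds=10), max_profiles=3):
    """Return (session, rule, detail) alerts for the two heuristics."""
    alerts = []
    recent = defaultdict(deque)  # session -> deque of (time, profile viewed)
    flagged = set()              # sessions already reported for spidering
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, sess, method, path, referer = m.groups()
        ts = datetime.fromisoformat(ts)
        # Rule 1: a profile edit submitted from someone else's profile page.
        if method == "POST" and path == "/profile/edit":
            ref_user = profile_in_referer(referer)
            if ref_user and ref_user != SESSION_OWNER.get(sess):
                alerts.append((sess, "edit-from-foreign-profile", ref_user))
            continue
        # Rule 2: many distinct profiles fetched by one session within the window.
        viewed = PROFILE_RE.match(path)
        if method == "GET" and viewed:
            q = recent[sess]
            q.append((ts, viewed.group(1)))
            while ts - q[0][0] > window:
                q.popleft()
            distinct = len({user for _, user in q})
            if distinct > max_profiles and sess not in flagged:
                flagged.add(sess)
                alerts.append((sess, "profile-spidering", f"{distinct} profiles in {window.seconds}s"))
    return alerts
```

Session s1 edits its own profile and is not flagged; s2 trips both rules, which is the pattern a worm that reads other profiles and rewrites its victim's own leaves behind, though as Kyran notes a slow, timer-driven worm can stay under the rate threshold.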

Re: Creating and Combating the Ultimate XSS Worm
Posted by: Kyran (IP Logged)
Date: January 08, 2008 12:15AM

XHR doesn't send a referer header I think. So assuming the profile page isn't on a subdomain, it would be nothing to add one.

- Kyran

Re: Creating and Combating the Ultimate XSS Worm
Posted by: digi7al64 (IP Logged)
Date: January 08, 2008 12:43AM

just a quick thought on Kyran's post about searching out new vectors for attack and replication. ATM our focus seems towards bad things (which is great fun) but essentially you could also release the worm via source code to continually search out and report any new vulnerabilities it may find within sites controlled by yourself (legitimately). Essentially this type of worm, with a structured command and control centre, could be continually updating itself with the latest information required to perform its tests and therefore it could possibly even increase a site's security as it operates 24/7 in the user environment.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Creating and Combating the Ultimate XSS Worm
Posted by: rsnake (IP Logged)
Date: January 08, 2008 09:21AM

@digi7al64 - I've had this thought before, but unlike a user submitted worm, if you as a site owner wanted to do this, it would be far more efficient to just control some JS on the page, rather than relying on propagation methods.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Creating and Combating the Ultimate XSS Worm
Posted by: Awesome AnDrEw (IP Logged)
Date: January 08, 2008 01:45PM

Kyran Wrote:
-------------------------------------------------------
> XHR doesn't send a referer header I think. So
> assuming the profile page isn't on a subdomain, it
> would be nothing to add one.

I know it's optional, but I believe by default it actually does send the HTTP Referer header along with the data (at least in Internet Explorer).

Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
[www.awesomeandrew.net]

Re: Creating and Combating the Ultimate XSS Worm
Posted by: krazl (IP Logged)
Date: January 09, 2008 03:12AM

What I could understand...

Worm > traffic > ads > click > money

hmmm...sounds good...but example?

krazl
www.krazl.com
