XSS worm

Last updated

An XSS worm, sometimes referred to as a cross site scripting virus, [1] is a malicious (or sometimes non-malicious) payload, usually written in JavaScript, that breaches browser security to propagate among visitors of a website in the attempt to progressively infect other visitors. [2] They were first mentioned in 2002 in relation to a cross site scripting vulnerability in Hotmail. [3]

Contents

Concept

XSS worms exploit a security vulnerability known as cross site scripting (or XSS for short) within a website, infecting users in a variety of ways depending on the vulnerability. Such site features as profiles and chat systems can be affected by XSS worms when implemented improperly or without regard to security. Often, these worms are specific to a single web site, spreading quickly by exploiting specific vulnerabilities.

Cross-site scripting vulnerabilities are commonly exploited in the form of worms on popular social or commercial websites, such as MySpace, Yahoo!, Orkut, Justin.tv, Facebook and Twitter. These worms can be used for malicious intent, giving an attacker the basis to steal personal information provided to the web site, such as passwords or credit card numbers.

Examples

Several XSS worms have affected popular web sites.

Samy worm

The Samy worm, the largest known XSS worm, infected over 1 million MySpace profiles in less than 20 hours. The virus' author was sued and entered a plea agreement to a felony charge. [4]

Justin.tv worm

Graph showing the progress of the XSS worm that impacted 2525 users on Justin.tv Jtv graph1.png
Graph showing the progress of the XSS worm that impacted 2525 users on Justin.tv

Justin.tv was a video casting website with an active user base of approximately 20 thousand users. The cross-site scripting vulnerability that was exploited was that the "Location" profile field was not properly sanitized before its inclusion in a profile page.

The "Location" profile field was sanitized when included in the title of a profile page but not within the actual field in the page's body. This meant that the authors of the worm, in order to achieve stealth to boost the lifetime and spread of the worm, had to automatically remove the XSS payload from the title of the page from within the worm's code, which was already hidden by comments.

After proper development of the worm, it was executed approximately Saturday, 28 Jun 2008 21:52:33 UTC, and finished on Sun, 29 Jun 2008 21:12:21 UTC. Since the social website that was targeted was not particularly active (compared to other popular XSS worm targets), the worm infected a total of 2525 profiles within roughly 24 hours.

The worm was found a few hours before it was successfully removed, and based on data that was recorded (due to the worm's original intent for research purposes) the worm was able to infect uninfected profiles after they were sanitized forcefully by developers of Justin.tv. The worm was sanitized once more after the vulnerability was patched, and it was able to be removed easily. However, this shows the ability for the worm to adapt and spread even after counter-attack.

Other particular factors which are indicated by the graphs and data released by attackers include social activity and lack of new, uninfected users during periods of time.

Orkut "Bom Sabado" worm

Orkut, a social networking Site, was also hit by a XSS worm. Infected users receive a scrap containing the words "Bom Sabado" (Portuguese, "Happy Saturday"). Google has yet to comment on the situation.[ citation needed ]

Related Research Articles

<span class="mw-page-title-main">Computer worm</span> Self-replicating malware program

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behavior will continue. Computer worms use recursive methods to copy themselves without host programs and distribute themselves based on the law of exponential growth, thus controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

<span class="mw-page-title-main">Malware</span> Portmanteau for malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive users access to information or which unknowingly interferes with the user's computer security and privacy. By contrast, software that causes harm due to some deficiency is typically described as a software bug. Malware poses serious problems to individuals and businesses on the Internet. According to Symantec’s 2018 Internet Security Threat Report (ISTR), malware variants number has increased to 669,947,865 in 2017, which is twice as many malware variants as in 2016. Cybercrime, which includes malware attacks as well as other crimes committed by computer, was predicted to cost the world economy $6 trillion USD in 2021, and is increasing at a rate of 15% per year.

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

<span class="mw-page-title-main">Cross-site scripting</span> Computer security vulnerability

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec up until 2007. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.

<span class="mw-page-title-main">Orkut</span> Social networking website owned and operated by Google

Orkut was a social networking service owned and operated by Google. The service was designed to help users meet new and old friends and maintain existing relationships. The website was named after its creator, Google employee Orkut Büyükkökten.

In computing, Download.ject is a malware program for Microsoft Windows servers. When installed on an insecure website running on Microsoft Internet Information Services (IIS), it appends malicious JavaScript to all pages served by the site.

<span class="mw-page-title-main">AVG AntiVirus</span> Antivirus computer program

AVG AntiVirus is a line of antivirus software developed by AVG Technologies, a subsidiary of Avast. It is available for Windows, macOS and Android.

<span class="mw-page-title-main">Code injection</span> Computer bug exploit caused by invalid data

Code injection is the exploitation of a computer bug that is caused by processing invalid data. The injection is used by an attacker to introduce code into a vulnerable computer program and change the course of execution. The result of successful code injection can be disastrous, for example, by allowing computer viruses or computer worms to propagate.

Cross-zone scripting is a browser exploit taking advantage of a vulnerability within a zone-based security solution. The attack allows content (scripts) in unprivileged zones to be executed with the permissions of a privileged zone - i.e. a privilege escalation within the client executing the script. The vulnerability could be:

<span class="mw-page-title-main">Samy (computer worm)</span>

Samy is a cross-site scripting worm that was designed to propagate across the social networking site MySpace by Samy Kamkar. Within just 20 hours of its October 4, 2005 release, over one million users had run the payload making Samy the fastest-spreading virus of all time.

<span class="mw-page-title-main">Samy Kamkar</span> American privacy and security researcher, computer hacker, whistleblower and entrepreneur

Samy Kamkar is an American privacy and security researcher, computer hacker and entrepreneur. At the age of 16, he dropped out of high school. One year later, he co-founded Fonality, a unified communications company based on open-source software, which raised over $46 million in private funding. In 2005, he created and released the fastest spreading virus of all time, the MySpace worm Samy, and was subsequently raided by the United States Secret Service under the Patriot Act. He also created SkyJack, a custom drone which hacks into any nearby Parrot drones allowing them to be controlled by its operator and created the Evercookie, which appeared in a top-secret NSA document revealed by Edward Snowden and on the front page of The New York Times. He has also worked with The Wall Street Journal, and discovered the illicit mobile phone tracking where the Apple iPhone, Google Android and Microsoft Windows Phone mobile devices transmit GPS and Wi-Fi information to their parent companies. His mobile research led to a series of class-action lawsuits against the companies and a privacy hearing on Capitol Hill. Kamkar has a chapter giving advice in Tim Ferriss' book Tools of Titans.

JSONP, or JSON-P, is a historical JavaScript technique for requesting data by loading a <script> element, which is an element intended to load ordinary JavaScript. It was proposed by Bob Ippolito in 2005. JSONP enables sharing of data bypassing same-origin policy, which disallows running JavaScript code to read media DOM elements or XMLHttpRequest data fetched from outside the page's originating site. The originating site is indicated by a combination of URI scheme, host name, and port number.

<span class="mw-page-title-main">Computer virus</span> Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

Gumblar is a malicious JavaScript trojan horse file that redirects a user's Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.

<span class="mw-page-title-main">Malvertising</span> Use of online advertisement or advertising to spread malware

Malvertising is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Online advertisements provide a solid platform for spreading malware because significant effort is put into them in order to attract users and sell or advertise the product. Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like. Malvertising is "attractive to attackers because they 'can be easily spread across a large number of legitimate websites without directly compromising those websites'."

<span class="mw-page-title-main">Mobile security</span> Security risk and prevention for mobile devices

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities that are commonly exploited in all browsers.

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

Self-XSS is a social engineering attack used to gain control of victims' web accounts. In a Self-XSS attack, the victim of the attack unknowingly runs malicious code in their own web browser, thus exposing personal information to the attacker, a kind of vulnerability known as cross-site scripting.

References

  1. Alcorn, Wade (2005-09-25). "The Cross-site Scripting Virus". BindShell.net. Archived from the original on August 23, 2014.
  2. Faghani, Mohammad Reza; Saidi, Hossein (2009). "Social Networks' XSS Worms". 2009 International Conference on Computational Science and Engineering: 1137–1141. doi:10.1109/CSE.2009.424. ISBN   978-1-4244-5334-4. S2CID   14451635.
  3. Berend-Jan Wever. "XSS bug in hotmail login page".
  4. Mann, Justin (2007-01-31). "Myspace Speaks about Samy Kamkar's Sentencing". Techspot.com.

See also