Samy opens new front in worm war

Security experts fear would-be attackers will copy the worm, which exploits an unaddressed scripting flaw.

The newly discovered Samy worm is one of the first to exploit a cross-site scripting vulnerability, a technique security experts fear could be used to open a new front in attacks.

Samy is a self-propagating worm that appears to have been written by a member of, a community site dedicated to helping friends stay in touch and share pictures. By exploiting vulnerabilities in the site, the worm added a million users to the author's "friends" list.

Although the worm is no threat to other Web sites, security experts say the new self-propagating cross-site scripting (XSS) worm will likely be copied by other writers of malicious software.

Adam Biviano, senior systems engineer at Trend Micro Australia and New Zealand, explained that the user--called Samy--had created a "malicious" profile by taking advantage of a flaw in the Web site's design. The profile, when viewed, automatically activated code to add the visitor to Samy's "friends" list.

Additionally, the malicious code would be copied into the victim's profile, so that when that person's profile was viewed, the infection spread.

"The infection stays on the Web site and almost creates a denial-of-service attack, because there is an exponential explosion of entries in your friends list that will eventually consume the resources of the infrastructure," Biviano said.
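The spread Biviano describes can be modelled in a short simulation; this is an added example, not code from the article or from the worm. The inert `PAYLOAD` marker, the doubling viewing schedule and the `escape` switch (standing for output encoding on the site) are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed, inert stand-in for the stored script; it carries no real payload.
PAYLOAD = "<script>/* befriend author, copy self to viewer */</script>"

class ScriptFinder(HTMLParser):
    """Stand-in for a browser: reports whether a page holds a live <script>."""
    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found = True

def render(profile_text, escape):
    # escape=False models the flawed site; escape=True applies output encoding.
    body = html.escape(profile_text) if escape else profile_text
    return "<div class='profile'>" + body + "</div>"

def executes_script(page):
    finder = ScriptFinder()
    finder.feed(page)
    finder.close()
    return finder.found

def simulate(users=1024, rounds=6, escape=False):
    """Return (profiles carrying the payload after each round, author's friend count)."""
    profiles = ["hello"] * users
    profiles[0] += PAYLOAD                 # user 0 is the worm's author
    author_friends = set()
    history = []
    for r in range(rounds):
        snapshot = list(profiles)          # every view in a round sees the same state
        for viewer in range(users):
            owner = (viewer + 2 ** r) % users   # constructed schedule: one view per user
            if executes_script(render(snapshot[owner], escape)):
                author_friends.add(viewer)      # viewer is added to the author's list
                if PAYLOAD not in profiles[viewer]:
                    profiles[viewer] += PAYLOAD  # and now carries the code too
        history.append(sum(PAYLOAD in p for p in profiles))
    return history, len(author_friends)

if __name__ == "__main__":
    print("raw output:    ", simulate(escape=False))
    print("escaped output:", simulate(escape=True))
```

With raw output the number of carrying profiles doubles every round; with escaped output the stored text is displayed rather than run, so the count stays at the single original profile.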

Scott Chasin, chief technology officer at MX Logic, said that although cross-site scripting vulnerabilities have been recognized for some time, this is the first worm he has come across that was designed to exploit one.

"This attack highlights the opportunity for a self-propagating worm to take advantage of XSS technologies... The vulnerability leveraged by Samy allows code to be injected into Web sites with the aim of being parsed and/or executed by Web browsers or e-mail clients," he said.

Chasin said that worms taking advantage of cross-site scripting flaws will become more common as browsers and e-mail applications evolve.

"The XSS worm threat is only becoming more relevant as the sophistication of browsers and the underlying technologies being rendered by them continue to saturate the Internet through blogs and e-mail applications," he said.

"They could have a significant impact for Internet continuity…including distributed denial of service attacks, spam attacks and dissemination of browser exploits," Chasin added.

Trend Micro's Biviano said administrators should take note, because this creates yet another method of attack.

"It is definitely something to consider if you are an application designer or a Webmaster. It is another security issue you need to contend with," he said. "You don't want the ability for a loop like this to be created that will end up causing a denial of service on your Web site."