Web sites threatened by Samy worm

The newly discovered Samy worm is the first to exploit a cross site scripting vulnerability, prompting security experts to fear the technique could be used to open a new front in the war against malware.

The Samy worm -- which was discovered last week -- was written by a member of MySpace.com, a community site dedicated to helping friends stay in touch and share pictures. The worm exploited vulnerabilities in the MySpace.com site to add one million users to the author's "friends" list.

Although the worm is of no threat to other Web sites, security experts say the worm author is the first to create a self-propagating cross-site scripting (XSS) worm, which is likely to encourage other malware writers to do the same.

Adam Biviano, senior systems engineer at Trend Micro Australia and New Zealand, explained that the MySpace.com user -- called Samy -- had taken advantage of a flaw in the Web site's design to create a "malicious" profile. When viewed, code stored in the profile would automatically add the visitor to Samy's friends list. Additionally, the malicious code would be copied onto the victim's profile so when that person's profile is viewed, the infection spreads.
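The spread described above can be followed in a toy model, added here as an illustration; it is not code from the article, from MySpace.com or from the worm. The inert marker string, the function names and the viewing pattern (chosen so that the number of affected profiles doubles each round) are all assumptions, and the same run with output encoding shows the stored content staying inert.

```javascript
// Toy model (constructed): how content stored in a profile spreads when viewed.
// MARKER is an inert placeholder, not a working payload.
const MARKER = '<script>/* inert constructed marker */</script>';

// Output encoding, the standard defence against stored XSS.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Render the user-supplied "about" field; `encode` selects the hardened path.
function renderProfile(about, encode) {
  return `<div class="about">${encode ? escapeHtml(about) : about}</div>`;
}

// Browser stand-in: stored markup is active only if a raw <script> tag survives.
function wouldExecute(html) {
  return /<script\b/i.test(html);
}

// Each round, every user views one other profile (assumed pattern: user v views
// user v + 2^(round-1), chosen so the doubling is easy to follow).
function simulate(userCount, rounds, encode) {
  const about = new Array(userCount).fill('hello');
  about[0] = MARKER;                       // user 0 is the author's profile
  const authorFriends = new Set();
  for (let r = 1; r <= rounds; r++) {
    const snapshot = about.slice();        // views in a round see the same state
    for (let v = 0; v < userCount; v++) {
      const target = (v + 2 ** (r - 1)) % userCount;
      if (target === v) continue;
      if (wouldExecute(renderProfile(snapshot[target], encode))) {
        if (v !== 0) authorFriends.add(v); // viewer joins the author's friends list
        about[v] = snapshot[target];       // stored content is copied to the viewer
      }
    }
  }
  const carriers = about.filter(a => a === MARKER).length;
  return { carriers, authorFriends: authorFriends.size };
}

console.log('raw output    :', simulate(64, 6, false));
console.log('encoded output:', simulate(64, 6, true));
```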

"The infection stays on the Web site and almost creates a denial of service attack because there is an exponential explosion of entries in your friends list that will eventually consume the resources of the infrastructure," said Biviano.

Scott Chasin, chief technology officer at MX Logic, said that although XSS vulnerabilities have been known about for some time, this is the first worm he has come across that has been designed to exploit one.

"This attack highlights the opportunity for a self-propagating worm to take advantage of XSS technologies.... The vulnerability leveraged by Samy allows code to be injected into Web sites with the aim of being parsed and/or executed by Web browsers or e-mail clients," said Chasin.

According to Chasin, worms taking advantage of XSS vulnerabilities will become more common as browsers and e-mail applications evolve.

"The XSS worm threat is only becoming more relevant as the sophistication of browsers and the underlying technologies being rendered by them continue to saturate the Internet through blogs and e-mail applications.... They could have a significant impact for Internet continuity ... including distributed denial of service attacks, spam attacks and dissemination of browser exploits,' said Chasin.

Trend's Biviano said administrators should take note because this creates yet another method of attack.

"It is definitely something to consider is you are an application designer or a Web master. It is another security issue you need to contend with. You don't want the ability for a loop like this to be created that will end up causing a denial of service on your Web site," said Biviano.