January 19, 2006 - Worm Evolution
Dave Aitel is the first researcher to go above ground with a modern framework for automating the core functionality for writing a worm. Essentially, he has created a worm programming language called Nematode Intermediate Language. Writing a good worm is tougher than people think. At Black Hat Federal, Aitel will discuss many of the technical challenges involved in worm development, what he has done with the Nematodes framework to solve the issues, and legal issues associated with such work.
This year we will see more advanced web-application based worms. Larger web applications are using more dynamic technologies like AJAX every day. Apparently, worms also like this technology. Billy Hoffman has been researching how worms propagate through web apps, which is decidedly different from past worms. Unlike more traditional worms that just compromised systems to spread, web-app worms are often in a unique position to do something with real consequence to the users compromised. Browsing the web is definitely getting more dangerous, and Billy’s presentation will do a great job of demonstrating why.
by David Aitel posted January 19, 2006
Jose Nazario, editor of wormblog.com, has this to say about my Nematode research: “What is interesting out of Dave's talk is the nematode generation tools he wrote. They work well, and they get around the problem of a lot of boilerplate code that has to be written for any worm. This is potentially a scary development, as more sophisticated attackers will begin improving their worms with these kinds of tools and dropping in exploits in a matter of minutes.”
The truth is, very few people really know anything about worms, because very few people are writing them. It's hard to write them; it takes longer than most academics feel like putting into the problem. But this just means there's room for an automated solution that takes the grunt work out of it, which is what you need to do before you can start researching them in a serious way. Most of what happens with worms that's interesting is not obvious, and it's chaotic enough that doing things in a mathematical model doesn't produce interesting results. So come to my talk. When you leave my talk, you should be able to write your own Nematode language in less than 15 minutes.
by Billy Hoffman posted January 19, 2006
A few weeks after my Toorcon presentation about using XSS+AJAX to develop dangerous payloads, the MySpace.com virus hit! After dismissing some co-workers asking me "Did you do it?" I started analyzing the code. It was so cool to see something you had just predicted actually happen. It was proof that AJAX, while DOM restricted, was very dangerous indeed. After looking the whole thing through I began to think: How could the payload be even worse... what if this happened to a bank, or a stock website... Hmmm... What if I could make stock trades for you?
Research on web application worms exists, but is almost all theoretical or laughably silly in scope or proofs of concept. I grabbed the source to all the examples I could and started digging.
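The web-app worms Billy describes spread because a site renders one user's profile markup, scripts included, into every other user's browser. The defensive counterpart is to never render untrusted markup as-is: decode it, keep only an allow-list of harmless tags, drop every attribute except a scheme-checked link target, and escape all text. The following Python sanitizer is an added illustration of that approach; it is not code from Billy Hoffman's research or from the MySpace incident, and the sample profile fragment it processes is constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a profile page may keep (rendered without any attributes).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
# Link targets must carry an explicit, non-script scheme; relative URLs are rejected too.
ALLOWED_LINK_SCHEMES = {"http", "https"}


class AllowListSanitizer(HTMLParser):
    """Rebuilds an HTML fragment from an allow-list; everything unknown is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities become text, then get re-escaped
        self.out = []
        self.open_tags = []  # only tags we actually emitted, so output stays balanced

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes (onerror=, style=, ...) are discarded
            if tag != "br":
                self.open_tags.append(tag)
        elif tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            if urlparse(href).scheme.lower() in ALLOWED_LINK_SCHEMES:
                self.out.append(f'<a href="{html.escape(href, quote=True)}" rel="nofollow">')
                self.open_tags.append("a")
        # script, img, iframe, object, unknown tags: silently dropped

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            while True:  # close anything left open inside the tag being closed
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        # Text nodes are escaped; script/style bodies arrive here as text and are neutralised too.
        self.out.append(html.escape(data, quote=True))

    def result(self):
        self.close()
        while self.open_tags:  # close tags the input left dangling
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    """Return a version of `fragment` safe to embed in an HTML body context."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    return parser.result()


# Constructed sample: the kinds of constructs a hostile profile would carry (placeholder, not a real worm).
SAMPLE_PROFILE = (
    '<b>hi</b><script>alert(1)</script><img src=x onerror=alert(1)>'
    '<a href="javascript:alert(1)">x</a><a href="https://example.com">ok</a>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_PROFILE))
```

Because the output is rebuilt from the parse tree rather than produced by deleting patterns from the input, there is no "matched string" for an attacker to split or nest; the price is that anything not on the allow-list, including harmless but unlisted tags, disappears.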
Invisible Incidents, Invisible Risk
In this issue of the Black Page we will look at incident response. Kevin Mandia, a world recognized leader of incident response research, points out that a responder must have skills at least that of the attacker. One of the challenges to IR is discovering there is an incident to begin with. If we only look for known attacks, we will only find the moderately skilled attackers—leaving us exposed to the truly skilled adversaries... read more
Implications of the Lynn Cisco Research, and Moving Forward
Did you notice that the original issue of the Black Page is missing? I removed it at the request of Mike Lynn and ISS when they were sorting out what Mike's presentation was going to include. It was getting close to the show, and I was getting conflicting signals from ISS. A common theme we will see in this saga... read more
The Black Page is always looking for concise and interesting comments from researchers and experts about issues that affect the security community. Contact us at "#" to learn more about submission rules.