Worm

Twitter is certainly bypassing Facebook as the most popular site out there, at least when it comes to security incidents.This time somebody decided abuse Twitter to demonstrate Clickjacking, an attack that RSname and Jeremiah Grossman re-christened in the OWASP conference in New York in September.

XSSed reports another XSS worm in Orkut. Since Orkut is big in Brazil, it is quite natural that a Brazilian group created the worm.

I have used this occasion to sort out worms reporting in WHID.

• A worm is now considered an attack method rather than an outcome. If nothing else, the outcome of a worm is "planting of malware": itself.
• I have added a "Web 2.0" organization type as many of the XSS worms infect Web 2.0 sites.

A proof of concept XSS worm crawled justin.tv, a popular lifecasting platform. The warm succeeded in planting a self replicating code on 2525 accounts in less than 24 hours before the vulnerability was fixed.

Additional information:

• XSS Worm At Justin.tv Affects 2525 Profiles [CyberInsecure, Jul 15 2008]

A vulnerability in the social networking site Orkut that allowed users to inject HTML and JavaScript into their profiles set the stage for a persistent XSS worm that appears to have affected more than 650,000 Orkut users.

Additional information:

• The Orkut XSS Worm [GNU Citizen, Dec 19 2007]
• Orkut XSS [Sounds From The Dungeon, Dec 19 2007]
• Orkut XSS worm in the wild [CGI Security, Dec 19 2007]
• Orkut Worm Code (and why was Google so slow to respond?) [TechnoSocial, Dec 19 2007]

MySpace seems to be a heaven for XSS worms. This one seems to be even more interesting as it uses JavaScript embedded in a flash file. It is also interesting as it seems to combine the popular political defacement trend with high level application layer exploit.

Additional information:

• Myspace Hack spreading like wildfire: SPAIRLKAIFS [Chase and Sam page, Jul 16 2006]
• How the myspace SWF hack worked [Unknown, Jul 16 2006]
• Political hacking hits MySpace [SC Magazine, Jul 17 2006]

Worm used Google to locate sites vulnerable to OS

Additional information:

• Santy worm makes unwelcome visit [BBC, Dec 22 2004]
• Santy worm defaces websites using php bug [Sans Storm Center, Dec 21 2004]

phpBB worm

Additional information:

• PHP Scripts Automated Arbitrary File Inclusion [Vulnerabiliy Publisher's Site, Dec 25 2004]
• New Variant of Santy Worm Spreads [PC World, Dec 27 2004]
• Santy.E worm poses threat to sites badly coded in PHP [Computer World, Dec 27 2004]

The Samy worm at my space is now a classic, both a sophisticated attack and a well documented one, it became a case study in the web application security field. Recently Robert Hansen (RSnake) wrote a very interesting blog entry about Samy and what happened to him since.

Additional information:

• My Lunch With Samy [ha.ckers, Mar 10 2007]
• MySpace XSS worm writer notes [bindshell, Apr 10 2005]
• MySpace XSS worm source [bindshell, Apr 10 2005]
• MySpace XSS virus development [bindshell, Apr 10 2005]
• Cross-Site Scripting Worm Hits MySpace [Beta News, Apr 10 2005]