I hadn't told many people about this because I didn't know if I would get accepted, but I am presenting at BlackHat Federal in January. The topic is Analysis of Web Application Worms and Viruses
Worms traditionally propagate by exploiting a vulnerability in an OS or an underlying service. 2005 saw the release in the wild of the first worms that propagate by exploiting vulnerabilities in web applications served by simple http daemons. With the near ubiquity of W3C compliant web browsers and advances in dynamic content generation and client-side technologies like AJAX, major players like Google, Yahoo, and Microsoft are creating powerful application accessible only through web browsers. The security risks of web applications are already largely neglected. The discovery of programs that automatically exploit web applications and self-replicate will only make the situation worse.
This presentation will analyze the scope of these new threats. First we will examine how Web Worms and Viruses operate, specifically focusing on propagation methods, execution paths, payload threats and limitations, and design features. Next we will autopsy the source code of the Perl.Sanity worm and the MySpace.com virus to better understand how these programs function in the wild. We will discuss the shortcomings of these two attacks, what that tells us about the authors sophistication, and how their impact could have been worse. Then we will hypothesize two future programs, the Smogmoh worm and the 1929 virus, and discuss their capabilities to learn how these threats might evolve. Finally, we will present guidelines for implementing new web applications securely to resist these new threats.
Participates should have a good understanding of the different HTTP methods, Javascript, DOM manipulation and security, Perl, and be familiar with web application design.
