I hadn't told many people about this because I didn't know if I would get accepted, but I am presenting at BlackHat Federal in January. The topic is "Analysis of Web Application Worms and Viruses". Yes, Rattle was right, I am working on some badass JavaScript stuff right now. This presentation grew out of that and my analysis of things like Perl.Sanity and the MySpace.com Virus. The really cool JavaScript stuff will hopefully be at BlackHat in Las Vegas this summer.

A detailed outline of this talk is available on Most Significant Bit Labs. Be sure to check the details on Web Worms and Web Viruses to better understand the threat.

Worms traditionally propagate by exploiting a vulnerability in an OS or an underlying service. 2005 saw the release in the wild of the first worms that propagate by exploiting vulnerabilities in web applications served by simple HTTP daemons. With the near ubiquity of W3C-compliant web browsers and advances in dynamic content generation and client-side technologies like AJAX, major players like Google, Yahoo, and Microsoft are creating powerful applications accessible only through web browsers. The security risks of web applications are already largely neglected. The discovery of programs that automatically exploit web applications and self-replicate will only make the situation worse.

This presentation will analyze the scope of these new threats. First we will examine how Web Worms and Viruses operate, specifically focusing on propagation methods, execution paths, payload threats and limitations, and design features. Next we will autopsy the source code of the Perl.Sanity worm and the MySpace.com virus to better understand how these programs function in the wild. We will discuss the shortcomings of these two attacks, what that tells us about the authors' sophistication, and how their impact could have been worse. Then we will hypothesize two future programs, the Smogmoh worm and the 1929 virus, and discuss their capabilities to learn how these threats might evolve. Finally, we will present guidelines for implementing new web applications securely to resist these new threats.

Participants should have a good understanding of the different HTTP methods, JavaScript, DOM manipulation and security, Perl, and be familiar with web application design.
Speaking at Black Hat Federal 2006!