WebApp Sec mailing list archives

RE: White Paper - Web Application Worms: Myth or Reality?


From: "Amichai Shulman" <shulman () imperva com>
Date: Wed, 31 Mar 2004 17:09:12 +0200

You raise some interesting and correct points. Some comments regarding
that:
- Generating an exploit once a vulnerability is exposed may require
non-trivial computational resources (e.g. decrypting FrontPage passwords
with JTR). A worm would allow each infected server to handle only a
portion of the entire result set and hence make worldwide propagation
much faster.
- A worm makes it hard to trace back the actual attacker. It is my
assumption that evildoers would like to remain anonymous.

The issue of internal servers is indeed a challenging one for an
application level worm. I hope to get more comments and ideas regarding
this issue.

Amichai

-----Original Message-----
From: stephen () twisteddelight org [mailto:stephen () twisteddelight org] 
Sent: Wednesday, March 31, 2004 11:08 AM
To: webappsec () securityfocus com
Subject: RE: White Paper - Web Application Worms: Myth or Reality?

Interesting paper.  There are certain web application vulnerabilities
that could easily be exploited automatically but I don't think that
relying solely on a search engine to discover vulnerable hosts is the
best approach for a worm.

Traditional infrastructure worms cause the chaos they do because each
newly rooted host starts scanning for more hosts to infect.  Because of
network constraints it's just not feasible for one system to search the
entire internet for vulnerable systems - hence the worm architecture
where each instance of the worm does its own search and spreads itself
across the net. But by using a search engine to find vulnerable hosts,
it is entirely feasible for the attacking program to know all the
vulnerable hosts on the net - in one go.  There is no need to propagate
itself onto more systems as each instance is going to be working from
the same set of vulnerable hosts.

Traditional worms also have the advantage that they can infect private
IP address ranges, and therefore private networks.  An application based
worm relying on results from an internet search engine simply can't
infect hosts on private networks because they won't appear in search
engines.
For an app worm to pose a threat to internal systems it will have to
include its own HTTP scanner/spider and once it infects a system perform
traditional HTTP scanning for vulnerabilities on private address ranges.

The number of occurrences of unprotected FrontPage passwords is surely
higher on internal networks than on the internet. Without the ability to
attack internal systems, an app worm is no different to an app based
auto rooter - there is simply no reason to make it propagate itself to
other systems.


Stephen.