WebApp Sec mailing list archives

RE: White Paper - Web Application Worms: Myth or Reality?


From: stephen () twisteddelight org
Date: Wed, 31 Mar 2004 09:07:40 -0000 (GMT)


Interesting paper.  There are certain web application vulnerabilities that
could easily be exploited automatically but I don't think that relying
solely on a search engine to discover vulnerable hosts is the best
approach for a worm.

Traditional infrastructure worms cause the chaos they do because each
newly rooted host starts scanning for more hosts to infect.  Because of
network constraints it's just not feasible for one system to search the
entire internet for vulnerable systems - hence the worm architecture where
each instance of the worm does its own search and spreads itself across
the net.
But by using a search engine to find vulnerable hosts, it is entirely
feasible for the attacking program to know all the vulnerable hosts on the
net - in one go.  There is no need to propagate itself onto more systems
as each instance is going to be working from the same set of vulnerable
hosts.

Traditional worms also have the advantage that they can infect private IP
address ranges, and therefore private networks.  An application based worm
relying on results from an internet search engine simply can't infect
hosts on private networks because they won't appear in search engines.
For an app worm to pose a threat to internal systems it will have to
include its own HTTP scanner/spider and once it infects a system perform
traditional HTTP scanning for vulnerabilities on private address ranges.
The number of occurrences of unprotected FrontPage passwords is surely
higher on internal networks than on the internet.
Without the ability to attack internal systems, an app worm is no
different to an app based auto rooter - there is simply no reason to make
it propagate itself to other systems.


Stephen.

