October 12, 2005

Surprising New Way to Write Malware

And you thought you'd seen it all. Check out Wade Alcorn's Cross-Site Scripting Virus. I admit, I was skeptical when I first heard about it - after all, we're all accustomed to "writing off" XSS as being worthy of little notice. However, I've read this paper (you should too, it's short) and I think it's only a matter of time before someone writes a virus that actually does this.

The methodology works like this: the virus seeks out web pages that allow cross-site scripting and that save content permanently. Such pages are not so hard to come by: some wikis and blogs do this, but as we've seen, so do auction sites, chat forums, etc. A browser uploads a script containing code that, when parsed and executed by another browser, causes the browser reading the script to 1) search around for more servers and 2) upload its content to the newly located server. This is all cleverly done within an iframe. So the upshot is that browsers hunt around looking for new servers to infect, and the servers get new browsers started on the task.
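The two conditions this methodology depends on, content that is stored permanently and then echoed back to later visitors as live markup, can be checked on your own pages. The following is an added example, not code from the paper or from this post; the page model and the names `escapeHtml`, `makeCommentPage` and `canHostStoredScript` are hypothetical, and the canary is a constructed, harmless tag.

```javascript
// Added example: every name here is hypothetical, not taken from the paper.

// Encode the five characters that let stored text break out into HTML markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// A minimal store-and-display page: comments persist and are shown to every
// later visitor. `encode` is applied to each comment at render time.
function makeCommentPage(encode) {
  const stored = []; // the "saves content permanently" condition
  return {
    post(comment) { stored.push(comment); },
    render() {
      return '<ul>' + stored.map((c) => `<li>${encode(c)}</li>`).join('') + '</ul>';
    },
  };
}

// Self-audit: post a harmless, unique canary tag and check whether it comes
// back as live markup (the page could act as a host) or as inert text.
function canHostStoredScript(page) {
  const canary = `<b id="canary-${Date.now()}">x</b>`; // constructed, benign
  page.post(canary);
  return page.render().includes(canary);
}

const rawPage = makeCommentPage((c) => c);    // echoes comments verbatim
const safePage = makeCommentPage(escapeHtml); // encodes on output

console.log('raw page is a possible host:', canHostStoredScript(rawPage));
console.log('encoded page is a possible host:', canHostStoredScript(safePage));
```

Encoding at output time removes the second condition, so stored content is displayed as text and is never parsed as script by the next browser.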

I don't see any reason why this wouldn't work, and I think with refinement this thing could cause some serious nastiness. Mark my words - some folks will say it's not a virus (mostly AV folks since they can't scan for it as of now), but it is. It replicates, it can deliver a payload (e.g. DDoS), and it will be pretty hard to stop once a good "host" product is found (like Movable Type, for example). There weren't statistics in the paper on rate of propagation in his test environment, but that would be interesting to see as well.

Posted by Ed at October 12, 2005 12:02 PM