And to web servers

Jul 9, 2007 11:40 GMT

The next-generation hybrid web worm is coming to Internet Explorer, Firefox and Safari, but also to additional browsers and to web servers, courtesy of Billy Hoffman, Lead Security Researcher at SPI Dynamics, and John Terrill, Executive Vice President and co-founder of Enterprise Management Technology. The two researchers will present a session at BlackHat titled "The Little Hybrid Web Worm that Could", showcasing the proof-of-concept of an evolved web worm. Up until this point, signatures have been the Achilles' heel of web worms, but the new variant will be able to run on both servers and browsers and dodge signature-based detection techniques.

"We describe a hybrid web worm combining both server-side and client-side languages to exploit both the web server and the web browser to aid in its propagation across multiple hosts. We will discuss how such a hybrid worm is able to find new vulnerable systems and infect new hosts on different domains from both the client and the server. In addition, we will look at how a hybrid worm could upgrade its infection methods while in the wild by fetching and parsing new web vulnerability information from public security sites, preventing a single silver bullet fix from stopping it," reads a fragment of the synopsis of the session.

The new hybrid web worm will be designed to implement polymorphism and even mutate its own source code in order to stay one step ahead of signature detection systems. The two security researchers revealed that they simply applied existing techniques to the Perl and JavaScript languages. The worm will go as far as to learn new vulnerabilities and exploit them, even though those flaws were not initially built into it.

"While we have not built a fully functioning hybrid worm, we will demo different parts of the worm in isolation to show how these features would function. Specifically, we will look at how the worm could upgrade itself with publicly available vulnerability data as well as source code mutation. Based on methodology from the JavaScript vulnerability scanner Jikto, we will also demonstrate DOMinatrix, a JavaScript payload using SQL Injection to extract information from a website's database. Finally, we will discuss steps to prevent hybrid web worms from exploiting a website or its users," the synopsis adds.