Seeking to impress his girlfriend, Samy worm creator introduces huge new attack surface

April 8th, 2008

Book Excerpt
Chapter 15
Pages 189-196
Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity

ISBN-13: 978-1-4027-5695-5

Expediters
Silly Samy

In another sort of counterintuitive development, a vast new sector opened up where cybercriminals could roam, but it did not derive from the work of a brilliant, handsomely paid mercenary programmer. It blossomed thanks to a popularity-starved script kiddie from Los Angeles, nicknamed Samy, who at age nineteen had too much free time on his hands.

Samy was one of the 32 million denizens, including a good many teenagers and adolescents, who populated the MySpace social networking site. MySpace used a hot new technology called AJAX, which stands for asynchronous JavaScript and XML. AJAX has been widely hailed as the enabling technology for “Web 2.0,” the coming generation of Web sites that are more feature rich and interactive.

Samy would underscore a lesson tech companies should have learned by now: hastily adding convenience-driven features to the Internet was akin to adding flimsy new doors and windows for criminals to test. Miffed by the brevity of his “friends” list, Samy scratched around for a way to run code of his own choosing in the Microsoft Internet Explorer browser and the Apple Safari browser of anybody who happened to view his MySpace profile.

He began spending a couple of hours a day probing the profile-editing features, which let members put their own HTML and styling on the page that visitors see. After about a week, in October 2005, he had found ways past MySpace's input filters to get JavaScript into his profile, and had turned that into a self-propagating worm: script that ran in the Internet Explorer or Safari browser of anyone who viewed the page and used the site's own background (AJAX) requests, carrying the viewer's logged-in session, to act as that viewer. He made sure it worked in Apple's browser because his girlfriend used a Mac.

Samy’s MySpace worm did three silly things: it added Samy to the visitor’s friends list; it printed “but most of all, samy is my hero” on the bottom of the visitor’s own profile; and it copied itself into that profile, so that everyone who then viewed the visitor’s page was infected in turn. In an interview on German blogger Philipp Lenssen’s popular Google Blogoscoped Web site, Samy noted that “it didn’t take a rocket or computer scientist” to guess that his worm had the potential to spread exponentially. Samy told Lenssen:

I just had no idea it would proliferate so quickly. When I saw 200 friend requests after the first 8 hours, I was surprised. After 2,000 a few hours later, I was worried. Once it hit 200,000 in another few hours, I wasn’t sure what to do but to enjoy whatever freedom I had left, so I went to Chipotle and ordered myself a burrito. I went home and it had hit 1,000,000.
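The propagation loop described above, as an added example that is not code from the book, from MySpace or from Samy: a constructed toy social site that pastes members' "about me" text straight into the served page, a toy browser that runs any script it finds with the viewer's session, and a payload that befriends "samy", signs the viewer's profile and copies itself there. The same site with HTML output encoding turned on serves the payload as inert text. The `Site` API, the user names, the binary-tree friend graph and the payload wording are all assumptions for this example.

```javascript
// Constructed model of a self-propagating stored-XSS "profile worm" of the kind
// described above, and of the output encoding that stops it. The Site API, the
// user names and the payload are assumptions for this example; none of it is
// MySpace's code or Samy's.

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Toy social site: a free-text "about me" field and a friend list per user.
class Site {
  constructor({ encodeOutput }) {
    this.encodeOutput = encodeOutput; // the one setting that decides the outcome
    this.about = new Map();
    this.friends = new Map();
  }
  register(user) { this.about.set(user, ''); this.friends.set(user, new Set()); }
  addFriend(a, b) { this.friends.get(a).add(b); this.friends.get(b).add(a); }
  setAbout(user, text) { this.about.set(user, text); }
  getAbout(user) { return this.about.get(user); }
  // Serve a profile page. The vulnerable build pastes the raw "about me" text
  // into the HTML; the hardened build HTML-encodes it first.
  render(owner) {
    const raw = this.about.get(owner);
    const body = this.encodeOutput ? escapeHtml(raw) : raw;
    return `<html><body><h1>${escapeHtml(owner)}</h1><div id="about">${body}</div></body></html>`;
  }
}

// Toy browser: run every <script> in a served page with the viewer's session.
// That is the whole problem: injected script gets the viewer's cookie and can
// make the same background requests the site's own AJAX code makes.
function runPage(site, viewer, html) {
  for (const [, src] of html.matchAll(/<script>([\s\S]*?)<\/script>/g)) {
    const api = {                                  // stand-in for authenticated XHR
      addFriend: (who) => site.addFriend(viewer, who),
      getAbout: () => site.getAbout(viewer),
      setAbout: (text) => site.setAbout(viewer, text),
      scriptSource: src, // a real worm reads itself back out of the page's DOM
    };
    new Function('api', src)(api);
  }
}

// The payload: befriend samy, sign the viewer's own profile, and copy itself
// there. The closing tag is split ('</' + 'script>') so the copy does not end
// the enclosing <script> element early when the victim's page is served.
const WORM = `<script>
api.addFriend('samy');
var me = api.getAbout();
if (me.indexOf('samy is my hero') === -1) {
  api.setAbout(me + ' but most of all, samy is my hero <script>' +
               api.scriptSource + '</' + 'script>');
}
</script>`;

// Spread over a fixed friend graph (a binary tree, so each hop can reach two new
// users) and count infected profiles after each round of browsing.
function simulate({ encodeOutput, users = 31, rounds = 4 }) {
  const site = new Site({ encodeOutput });
  site.register('samy');
  site.setAbout('samy', 'hi! ' + WORM);
  const names = Array.from({ length: users }, (_, i) => 'user' + i);
  names.forEach((n) => site.register(n));
  names.forEach((n, i) => {
    for (const c of [2 * i + 1, 2 * i + 2]) if (c < users) site.addFriend(n, names[c]);
  });
  const infected = () => names.filter((n) => site.getAbout(n).includes('samy is my hero')).length;

  runPage(site, names[0], site.render('samy'));    // one curious visitor starts it
  const history = [infected()];
  for (let r = 0; r < rounds; r++) {
    // Everyone browses their friends' profiles as served at the start of the round.
    const pages = new Map(['samy', ...names].map((n) => [n, site.render(n)]));
    for (const n of names) for (const f of [...site.friends.get(n)]) runPage(site, n, pages.get(f));
    history.push(infected());
  }
  return { history, samyFriends: site.friends.get('samy').size };
}

console.log('raw output   :', simulate({ encodeOutput: false }));
console.log('HTML-encoded :', simulate({ encodeOutput: true }));
```

Run under Node. With raw output the infected count doubles every round (1, 3, 7, 15, 31) and samy ends up with 31 friends; with output encoding nothing executes and both figures stay at zero. The two things to take from it are that the worm never needs to steal a credential, because the viewer's own session makes the requests, and that the fix is at the point where user text is written into a page, not anywhere in AJAX itself.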

Samy was not arrested at the time, though he later pleaded guilty to a felony charge over the worm and was sentenced to probation and community service. He received hundreds of messages from angry MySpace users who didn’t consider him a hero for worming his way onto their friends list. It took Los Angeles-based MySpace, purchased in July 2005 by Rupert Murdoch’s News Corp. for $580 million, a day to clean out the worm. MySpace deleted Samy’s account.

Not long afterward, a copycat hacker launched the Yamanner worm against Yahoo’s free e-mail service to spread spam across Europe, and another hacker released the Spaceflash worm, which installed adware on the hard drives of more than a million MySpace users. Both got in the same way: code planted in content that the site then served to other users’ browsers, not a flaw in AJAX itself.

That drew the attention of some of the well-funded crime groups. At least six progressively more sophisticated MySpace worms appeared in the second half of 2006. Serious hackers began gathering up MySpace user names and passwords and systematically testing them to see if they might work as log-ons to other popular online services, said SPI Dynamics lead engineer Billy Hoffman.

“These criminals have programs to automatically check all the other big bank and e-commerce sites to see if you use that same user name and password,” said Hoffman, “which, chances are, if you’re lazy, that’s exactly what you do.”

AJAX is an enabling technology. It allows users of Google Maps to zoom in on a satellite photo of just about any address. It makes Yahoo Calendar, Yahoo Sports, Yahoo Photos, Flickr, and Yahoo Mail come alive. It is the technology behind Windows Live, the slate of cutting-edge online services Microsoft continues to roll out. It drives a constant stream of background data exchanges between the script running in the Web browser and the site’s servers. And as Samy demonstrated, any script an attacker can get into a page can drive those same exchanges, with the victim’s own logged-in session.

“AJAX introduced a huge attack surface,” said Hoffman. “AJAX works under the covers to make Web sites really responsive, but criminals can just as easily use it under the covers to do some really bad stuff.”