Blog Away. RSS Worms Are A Phony Threat

 
 
By Larry Seltzer  |  Posted 2005-12-01 Email Print this article Print
 
 
 
 
 
 
 

Opinion: Yes, there are always new ways for malware to attack a system, but I'm not as worried as some are about RSS.

Trend Micros David Sancho paints a scary picture of a future with ubiquitous RSS capability that will come with the deployment of Internet Explorer 7. History has shown that it often makes sense to assume the worst in computer security, but not every assertion is reasonable. Sanchos paper discusses several potential developments in "bot worms," which have certainly been the most troublesome threat on the Internet for several years. The sexiest claim is that worms will begin to utilize RSS to update themselves and spread new malware.

Specifically he suggests that worms will modify the feed list for the RSS reader to trick it into downloading updates and other malware. As he says, there are no standards for such operations, so a worm would have to write custom hacks for one or more specific readers. Since there is, as of yet, no dominant reader out there, its not clear which reader it should attack.

But all that may change with IE7, which comes with a built-in RSS reader, the final form of which isnt completely set. Presumably there will be some sort of feed list and it will be possible for it to be modified programmatically. Since every version of Internet Explorer achieves unprecedented popularity theres every reason to believe that IE7 will too, although its less of a sure thing that IE7s RSS reader will hit a home run. Not every new IE feature gets used. (Remember "channels" in IE4? They were surprisingly a foreshadow of RSS itself, especially inasmuch as they were XML-based.)

The proposed technique strikes me as novel, but not especially useful from a malware perspective. Its also worth pointing out that Sancho is not describing a new method of infection. All he is describing is a way that systems which are already 0wned can download code from external systems.

If the worm is already running on the system, the cats out of the bag, the horse out of the barn and all that. It can already download code from whatever site it wants. There is a fair point to make, as Sancho makes, that a users personal firewall might be set to allow the RSS reader to download data from the Internet, but a worm directly downloading might not. But this is a smaller hole than he claims, since its not so hard for an existing worm to launch an instance of Internet Explorer to download content.

Sancho also warns that the feed would still be active if the worm were removed, but once again we shouldnt go into conniptions over this. If the content is just downloaded, its not being executed, even if its read by the reader.

A podcaster is seeking legal redress over a cyber-squat that is costing him listeners. Click here to read more. One of the suggestions Sancho makes is that anti-virus scanners start scanning HTTP so that they can find malware in an RSS feed as it is read. This is not a bad idea, but hell have to explain to me what difference it would make, since an "old-fashioned" anti-virus program that didnt scan HTTP would still see the malware when it hit the file system. The only way around this is if the feed store is on a network drive or some other location not monitored by the anti-virus. This is possible, but its going to be a rare edge case.

Its ironic that one of the reasons for RSS itself is to avoid many of the problems that developed in the SMTP mail system. You cant stop people from sending you spam or mail worms, but if you dont want an RSS feed anymore you can just unsubscribe, and that includes any hypothetical hijacked feeds. This alone should put things in perspective.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog. More from Larry Seltzer
 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel