Malware attacks created using emerging Web development tools such as AJAX are expected to begin showing up more frequently, as writers of malicious code match the skills of their legitimate counterparts.
With the arrival of the Yamanner virus targeting Yahoo Messenger on June 13, industry analysts and security software vendors say the era of what might loosely be called Web 2.0 threats has arrived.
AJAX (Asynchronous JavaScript and XML), a technique that combines elements of the JavaScript and XML programming languages to allow Web site developers to speed the interactivity of their sites, can just as easily be used to help amplify attacks, experts agree.
The Yamanner worm uses AJAX to amplify and cloak delivery of its payload as it attempts to exploit a vulnerability in Yahoo Messengers JavaScript code. The JavaScript issue is a common cross-site scripting vulnerability, but the use of the Web 2.0 technology by Yahoo allows the worm to spread without user intervention, as AJAX is used to steal IM contact information and forward the threat to other accounts.
While there have been few high-profile manifestations of such threats, including Yamanner and a similar attack that shut down News Corp.s MySpace social networking site in October 2005, it appears inevitable that more AJAX worms and other variations on the theme will appear.
“Theres a developer education issue that needs to be figured out before we get too far into the use of AJAX, to make it safer for everyone,” said Andrew Jaquith, an analyst with Yankee Group, in Boston. “Its early in the game now, but these are likely to be the avenues that malware writers will be looking at and the most popular AJAX implementations will be the first targets.”
Interestingly, some of the earliest adopters of AJAX technology have been companies that have traditionally avoided high-profile attacks, such as Apple and Google, along with more frequent malware targets such as Microsoft and Yahoo. It will be incumbent on those firms to ensure that their applications have been thoroughly tested against Web 2.0 threats, Jaquith said.
Other analysts agreed, but tempered the opinion with the idea that the employment of AJAX and other Web 2.0 development strategies will not become a security problem on a scale much greater than todays already challenging environment.
“These are just the first examples of insecurities for Web 2.0, but JavaScript is pretty popular and it doesnt have the best reputation in regards to security,” said Peter Firstbrook, an analyst with Gartner, based in Stamford, Conn., pointing out that JavaScript is still used widely nevertheless. “We dont even have sufficient security to protect Web 1.0, so it might be misplaced to start paying too much attention to this, but it will become a bigger factor in the future.”
Security software vendors are also keeping a watchful eye on the development of Web 2.0 threats. Creating new methods for harvesting e-mail and IM contact lists will remain one of the primary goals of the programs, vendors said, as malware writers continue to focus on finding information that can be sold to spammers and virus creators at a profit.
The use of AJAX by Web site and online application developers to move from more static, synchronous Web sites to asynchronous sites that largely update themselves will create widespread opportunities for malware writers to exercise their craft, said Paul Henry, vice president of strategic accounts at Secure Computing, in San Jose, Calif.
“Its inevitable that as software becomes more sophisticated it opens up additional opportunities for black hats,” Henry said. “With the money being put behind this sort of malicious activity, its fair to say that the black hats may also stay one step ahead for a while.”
Even more disturbing than hacked IM systems or e-mail accounts could be the effect of Web 2.0 threats on hosted online business applications. Also typically cutting-edge AJAX adopters, many software-as-a-service providers could find themselves assailed by such attacks.
Centrally managed Web-based business applications, including online security tools, would seem a lucrative target for cyber-criminals.
“If someone were able to figure out how to attack an application like that, the malware could be spread on the internal server farms and become a serious hassle,” said Patrick Hinojosa, chief technology officer at Panda Software, in Glendale, Calif. “A non-client-side application is doubly problematic in that on the desktop we can have applications that control behavior, while on a Web-based app thats a lot harder to do.”
On the other hand, one of the major advantages promised by hosted applications is the ability to fight attacks by managing the tools centrally, whereas desktop-oriented applications must often be updated on a device-by-device basis.
“The simple truth is that any technology that enhances development capabilities will benefit both good and bad programmers,” said Shane Coursen, senior technical consultant for Kaspersky Lab, based in Woburn, Mass. “Any approach that establishes itself as a successful proof of concept is whats of greatest interest to the malware writers.”