Blog Away. RSS Worms Are A Phony Threat
Sanchos paper discusses several potential developments in "bot worms," which have certainly been the most troublesome threat on the Internet for several years. The sexiest claim is that worms will begin to utilize RSS to update themselves and spread new malware.
Specifically he suggests that worms will modify the feed list for the RSS reader to trick it into downloading updates and other malware. As he says, there are no standards for such operations, so a worm would have to write custom hacks for one or more specific readers. Since there is, as of yet, no dominant reader out there, its not clear which reader it should attack.
But all that may change with IE7, which comes with a built-in RSS reader, the final form of which isnt completely set. Presumably there will be some sort of feed list and it will be possible for it to be modified programmatically. Since every version of Internet Explorer achieves unprecedented popularity theres every reason to believe that IE7 will too, although its less of a sure thing that IE7s RSS reader will hit a home run. Not every new IE feature gets used. (Remember "channels" in IE4? They were surprisingly a foreshadow of RSS itself, especially inasmuch as they were XML-based.)
The proposed technique strikes me as novel, but not especially useful from a malware perspective. Its also worth pointing out that Sancho is not describing a new method of infection. All he is describing is a way that systems which are already 0wned can download code from external systems.
If the worm is already running on the system, the cats out of the bag, the horse out of the barn and all that. It can already download code from whatever site it wants. There is a fair point to make, as Sancho makes, that a users personal firewall might be set to allow the RSS reader to download data from the Internet, but a worm directly downloading might not. But this is a smaller hole than he claims, since its not so hard for an existing worm to launch an instance of Internet Explorer to download content.
Sancho also warns that the feed would still be active if the worm were removed, but once again we shouldnt go into conniptions over this. If the content is just downloaded, its not being executed, even if its read by the reader.
One of the suggestions Sancho makes is that anti-virus scanners start scanning HTTP so that they can find malware in an RSS feed as it is read. This is not a bad idea, but hell have to explain to me what difference it would make, since an "old-fashioned" anti-virus program that didnt scan HTTP would still see the malware when it hit the file system. The only way around this is if the feed store is on a network drive or some other location not monitored by the anti-virus. This is possible, but its going to be a rare edge case.
Its ironic that one of the reasons for RSS itself is to avoid many of the problems that developed in the SMTP mail system. You cant stop people from sending you spam or mail worms, but if you dont want an RSS feed anymore you can just unsubscribe, and that includes any hypothetical hijacked feeds. This alone should put things in perspective.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.