With the arrival of the Yamanner virus targeting Yahoo Messenger on June 13, industry analysts and security software vendors say the era of what might loosely be called Web 2.0 threats has arrived.
While there have been few high-profile manifestations of such threats, including Yamanner and a similar attack that shut down News Corp.s MySpace social networking site in October 2005, it appears inevitable that more AJAX worms and other variations on the theme will appear.
"Theres a developer education issue that needs to be figured out before we get too far into the use of AJAX, to make it safer for everyone," said Andrew Jaquith, an analyst with Yankee Group, in Boston. "Its early in the game now, but these are likely to be the avenues that malware writers will be looking at and the most popular AJAX implementations will be the first targets."
Interestingly, some of the earliest adopters of AJAX technology have been companies that have traditionally avoided high-profile attacks, such as Apple and Google, along with more frequent malware targets such as Microsoft and Yahoo. It will be incumbent on those firms to ensure that their applications have been thoroughly tested against Web 2.0 threats, Jaquith said.
Other analysts agreed, but tempered the opinion with the idea that the employment of AJAX and other Web 2.0 development strategies will not become a security problem on a scale much greater than todays already challenging environment.
Security software vendors are also keeping a watchful eye on the development of Web 2.0 threats. Creating new methods for harvesting e-mail and IM contact lists will remain one of the primary goals of the programs, vendors said, as malware writers continue to focus on finding information that can be sold to spammers and virus creators at a profit.
The use of AJAX by Web site and online application developers to move from more static, synchronous Web sites to asynchronous sites that largely update themselves will create widespread opportunities for malware writers to exercise their craft, said Paul Henry, vice president of strategic accounts at Secure Computing, in San Jose, Calif.
"Its inevitable that as software becomes more sophisticated it opens up additional opportunities for black hats," Henry said. "With the money being put behind this sort of malicious activity, its fair to say that the black hats may also stay one step ahead for a while."
Even more disturbing than hacked IM systems or e-mail accounts could be the effect of Web 2.0 threats on hosted online business applications. Also typically cutting-edge AJAX adopters, many software-as-a-service providers could find themselves assailed by such attacks.
Centrally managed Web-based business applications, including online security tools, would seem a lucrative target for cyber-criminals.
"If someone were able to figure out how to attack an application like that, the malware could be spread on the internal server farms and become a serious hassle," said Patrick Hinojosa, chief technology officer at Panda Software, in Glendale, Calif. "A non-client-side application is doubly problematic in that on the desktop we can have applications that control behavior, while on a Web-based app thats a lot harder to do."
On the other hand, one of the major advantages promised by hosted applications is the ability to fight attacks by managing the tools centrally, whereas desktop-oriented applications must often be updated on a device-by-device basis.
"The simple truth is that any technology that enhances development capabilities will benefit both good and bad programmers," said Shane Coursen, senior technical consultant for Kaspersky Lab, based in Woburn, Mass. "Any approach that establishes itself as a successful proof of concept is whats of greatest interest to the malware writers."