Trend Micro: RSS Is Worm Bots' Next Target

An anti-virus research engineer warns that the growth of RSS and the coming Internet Explorer 7 browser refresh will provide a lucrative target for bot worm attacks.

Security researchers at Trend Micro Inc. have pinpointed RSS (Really Simple Syndication) technology as a lucrative target for future bot worm attacks.

David Sancho, senior anti-virus research engineer at Trend Micro, warned that RSS feed hijacking will become commonplace when Microsoft Corp. ships Internet Explorer 7, a browser refresh that will feature built-in RSS support.

In a white paper titled "The Future of Bot Worms," Sancho said the IE7 release "will open some interesting possibilities to worm creators."

"The easy way of taking advantage of the popularity [of RSS] is to hijack the existing configured feed clients to automatically download new copies of worms and other threats to the infected computers. This is accomplished by pointing the already-configured client to different and malicious Web content," Sancho wrote.

"The way this would work is checking if the system has any automatic feed download configured. If it does, it would just add or change an existing one to point to the malicious Web site," he added.

Sancho predicts that RSS feed hijacking attacks will serve as a passive download point that could easily bypass personal firewalls and other security barriers.

"The download would still be working even if the worm is detected [and] deleted. To get rid of this properly, there should be a cleaning tool that deletes the configuration in the feed client," he added.
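The check a cleaning tool or administrator would need for the feed-client change described above, as an added example that is not from the article or the white paper: it compares a feed client's subscription list with a known-good baseline and reports feeds that were added or repointed. It assumes the client can export its subscriptions as OPML; the sample feeds and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample data: a known-good OPML export and a later export
# taken from the same feed client (assumption: the client exports OPML).
BASELINE_OPML = """<opml version="2.0"><body>
<outline text="Vendor advisories" type="rss" xmlUrl="https://news.example.com/advisories.xml"/>
<outline text="Team blog" type="rss" xmlUrl="https://blog.example.org/feed"/>
</body></opml>"""

CURRENT_OPML = """<opml version="2.0"><body>
<outline text="Vendor advisories" type="rss" xmlUrl="http://updates.example.net/advisories.xml"/>
<outline text="Team blog" type="rss" xmlUrl="https://blog.example.org/feed"/>
<outline text="Daily tips" type="rss" xmlUrl="http://feeds.example.net/tips.xml"/>
</body></opml>"""

def load_feeds(opml_text):
    """Return {feed title: feed URL} for every outline that has an xmlUrl."""
    feeds = {}
    for node in ET.fromstring(opml_text).iter("outline"):
        url = node.get("xmlUrl")
        if url:
            feeds[node.get("text") or node.get("title") or url] = url.strip()
    return feeds

def host(url):
    """Lower-cased hostname of a feed URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def audit(baseline_text, current_text):
    """Compare current subscriptions with the baseline and list findings."""
    baseline, current = load_feeds(baseline_text), load_feeds(current_text)
    known_hosts = {host(u) for u in baseline.values()}
    findings = []
    for title, url in sorted(current.items()):
        if title not in baseline:
            # A new subscription on a host never seen before is the stronger signal.
            kind = "added" if host(url) not in known_hosts else "added-known-host"
            findings.append((kind, title, url))
        elif url != baseline[title]:
            # Same title, different URL: the existing feed now points elsewhere.
            kind = "repointed" if host(url) != host(baseline[title]) else "path-changed"
            findings.append((kind, title, url))
    for title in sorted(set(baseline) - set(current)):
        findings.append(("removed", title, baseline[title]))
    return findings

if __name__ == "__main__":
    for kind, title, url in audit(BASELINE_OPML, CURRENT_OPML):
        print(f"{kind:18} {title!r} -> {url}")
```

Findings of kind `added` or `repointed` are the entries to remove or restore in the feed client, since deleting the worm alone leaves them in place.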


The anti-virus researcher recommends that companies consider deploying a method to scan HTTP traffic.

Sancho also warned that worm bot authors are finding ways to quickly exploit known vulnerabilities. The Nimda worm, for example, was unleashed 366 days after the vulnerability was reported, while the recent Zotob worm took only 4 days to create.

"Automatic updates are just not an option anymore," Sancho declared, urging PC owners to patch home systems immediately as the updates are made available on the Microsoft Web site. "The security of our home systems is at stake just by being connected to the Internet."

In corporate settings, he suggests that IT administrators deploy software and hardware systems that specifically defend against worm bot threats.

"Detecting and blocking the network packets that the worm uses to exploit the vulnerability is by and large the best prevention to not get hit by this kind of malware," Sancho said, urging businesses to use IDS (intrusion detection systems) and specific network anti-virus systems.

He also predicted that polymorphic shellcode exploit attacks will become a new technique in worm attacks.
