Thursday 16 September 2010

An Evening with Samy, creator of the Samy MySpace Worm

Last night I was out talking security, drinking beer and eating curry with Samy Kamkar, following his presentation at an OWASP Chapter event in Leeds. Samy was responsible for writing and delivering the infamous Samy MySpace Worm in October 2005, which was one of the fastest growing malware infections to date.

Samy Kamkar
Samy delivered an excellent and fresh presentation at the OWASP Leeds Chapter meeting, highlighting several areas of new research and frankly new concern for us all. But I’ll save that for another blog posting once I’ve investigated it further, however you can read a little about one issue he discussed, which was highlighted in a recent BBC News report “The Web attack knows where you live

What I found particularly interesting about his presentation aside from the vulnerabilities and clever exploits, was you got to see how his mind ticks, his thought processes in finding and exploiting vulnerabilities. We aren’t talking just a single vulnerability that is being taken advantage of here, but a whole jigsaw of different vulnerabilities, with many obstacles to be conquered before the final end game of successful exploitation. For those who wish to try to understand why certain people are so driven to hack, it is often for the thrill of the challenge. Some people like the challenge of Sudoko puzzles, crossword puzzles, video games, but there are some who just like breaking programming code and IT systems. Individuals like Samy don’t do it for personal gain or with thoughts of malice, he just does it for the sheer fun of it, in his own words “this is just a hobby to me”.

As far as I can tell when he created the Samy Worm he didn’t set out to hurt anyone or profit from it, he certainly didn’t have any grievances against MySpace at the time, nor did he even attempt to do anything anonymously, it was just a kid playing around with the new social media of the day and web code, and asking himself the question what if.

I asked Samy about the MySpace Worm, specifically about at what point did he think the situation with the Worm spreading go out of control. He told me after he launched the code he saw few signs of it being successful, and he went to bed only expecting a few hundred infections the next day at the best, but by the end of the next day, a million people’s MySpace accounts were infected with his code (Worm). The Worm displayed the text “but most of all, Samy is my hero” at the end of a victim’s profile, and when another MySpace user viewed an infected profile, their own profile was infected due to a MySpace web code cross-site script (XSS) vulnerability which the Worm exploited. The Worm code would also automatically send a friend request to Samy, leaving Samy with a million MySpace friends. There is a full account of what happened in Samy’s own words at the time still available on the Internet -

A MySpace Samy Worm Infected Profile
Aside from the Samy text you can see,
there is script code you can't see which executes

Samy went on to say it was a good six months before he was arrested and charged. In a scene reminiscent of the film Hackers, he talked about how he and his friends were arrested at gun point, and how he was banned from using a computer for two years, but fortunately avoided an actual prison sentence.

Samy is still only 24, and even though he only does security for a hobby, you are left with the distinct impression you will hear a lot more about Samy in future years. The same type of relentless problem solving thought processes, attention to detail, and the utter determination it takes to discover and successfully see through the exploitation of complex vulnerabilities, actually maps well onto the successful business persons mind.

No comments: