When Samy meets Wiki

Wiki is a type of website that allows users to freely add, remove or edit available content, mostly without the need for registration. With Wiki being a frequently visited site for information, it also becomes an attractive target for malware authors for targeting unsuspecting victims.

Given that most pages can be changed without any user authentication, the following attack scenarios are possible:

• Legitimate hyperlinks in Wiki are modified to point to malware executables.
• Legitimate hyperlinks are modified to point to websites that install malware via drive by downloads using browser vulnerabilities.

In the first scenario, we could have a worm that installs an illegal web server on compromised machines on the internet to host further copies of the worm. Instead of spamming users the worm could then target vulnerable users on Internet Relay Chat (IRC) or popular Instant Messengers (IM). This worm could also traverse and modify pages in Wiki to point to yet a different web server hosting a copy of the worm.

The second scenario is far more alarming as innocent users who click links in Wiki could get re-directed to questionable sites and have malware installed on their systems using zero-day browser vulnerabilities.

A proof of concept that exploits the first scenario has been published which modifies every link in a Wiki page to point to a copy of the worm. To get random wiki pages for infecting, it uses this URL to get to a random topic everytime.

Most people trust Wiki links as it is a great resource for information. Unfortunately the lack of authentication or the usage of a gimpy to edit topics in Wiki, leaves it open for such attacks. Its only a matter of time before Samy meets Wiki.