Today Anurag Agarwal posted a link to the WASC list that demonstrates a conceptual manual AJAX worm. Actually that’s sort of a misnomer, since this really is just using XMLHttpRequest and not XML, but you get the idea. The link is benign, but what it does show is a very slowed-down, non-malicious version of a worm that propagates via XMLHttpRequest only (only on Anurag’s domain and only for the files he links to).
This is an interesting take on what we’ve been talking about. Of course it’s extremely slowed down because it’s not meant to overtake anything, and it’s all manual (you can see that the URL field does not change). This is kind of interesting when you can’t XSS the page you’re interested in but you are able to XSS at least one page that a user will end up clicking on.
The conceptual Warhol worms that I’ve worked on really have very few user requirements, save that the user views a page that’s under the control of the worm and has the appropriate technologies installed. But breaking it down into its core components is definitely one step toward understanding the most effective virulence methodologies. XMLHttpRequest is definitely a technology worth thinking about though, especially combined with browser bugs like Internet Explorer’s mhtml: issue et al. Any way to move from one system to another makes such a worm far more potent.