Attack of the Grey Goo
As a fan of novels in the “cyberpunk” genre, I am intrigued by the concept of virtual online worlds. Standard massively multiplayer online games (MMOGs) seem boring in comparison to the flexibility of a world that allows participants to create their own objects within the virtual environment. These creations are really only limited by the user’s imagination and the boundaries of the coding language.
Recently, I read an article about residents of Second Life staging in-world protests against a political party that opened an office in the world (I won’t get into the details here because this space isn’t about politics). What really caught my eye were some of the forms these protests took, including users strafing the offices with virtual machine guns and exploding pigs.
So what does any of this have to do with computer security? Well, a couple of things about Second Life are noteworthy. One is that some miscreants were successful in creating self-replicating code (like a virus) in Second Life, commonly referred to as “grey goo”. The other is that Linden Lab (owner of Second Life) released the source code for the application used to access the world.
This means that someone could find a vulnerability, such as a buffer overflow or format string error, that could allow code to be executed on the client. For instance, let’s say an attacker finds a buffer overflow in some portion of the client code that renders objects in the world. All the attacker has to do is create an object in the world that exploits the overflow and executes the embedded shellcode on the client when someone views it or interacts with it.
If an attacker only had a single object in the world exploiting a vulnerability, then the number of users he or she is likely to successfully exploit would be quite low. However, if an attacker created a self-replicating object in the world that also exploits the vulnerability, the target base would grow significantly. This could make an interesting method for an attacker to build a quick botnet.
Now granted, such an attack would probably be spotted by the Second Life staff fairly quickly and they could promptly protect users by simply shutting down any servers where the malicious objects reside. Also, any code attackers embed in their exploits would only run in the security context of the current user (but then how many Windows users run as Administrator?).
The purpose of this blog entry isn’t to spread FUD (fear, uncertainty, and doubt) or to discourage people from participating in online virtual worlds. It is merely to point out that as interactive systems become more complex, the opportunities for attackers to take advantage of them increase.