How to Write an RFID Worm
A worm is a program that self-propagates across a network, exploiting security flaws in widely used services. A worm is distinguishable from a virus in that a worm does not require any user activity to propagate. Worms usually have a payload, which performs activities ranging from deleting files, to sending information via email, to installing software patches. One of the most common payloads for a worm is to install a backdoor in the infected computer, which grants hackers easy return access to that computer system in the future.
An RFID worm propagates by exploiting security flaws in online RFID services. RFID worms do not necessarily require users to do anything (like scanning RFID tags) to propagate, although they will also happily spread via RFID tags, if given the opportunity.
RFID tags are generally too small to contain an entire worm. Therefore the tag will contain only enough of the worm to enable it to download the rest from a computer connected to the internet.
The RFID tag can either include binary code to download and execute the worm, or shell commands that do the same. Shell commands generally require less space than binary code, and they are also more portable. Examples of what can be done using shell commands can be found here. However, some weaknesses may only allow binary code to be executed.
Worms may target any part of the RFID middleware to propagate. Some database systems provide SQL commands that execute shell commands on the database server. These commands can be abused to download and execute the worm. An example for SQL Server is shown in Example 1.
An example of the shell commands that a worm would execute is shown in Example 2.
Web-based components may also be susceptible. Server-side includes may allow shell commands to be executed, which can be abused to download and execute the worm in the same way.
Any part of the middleware that is written in C or C++ may be susceptible to buffer overflows, which can be used to inject binary code that handles propagation. We have not developed a worm using buffer overflows, but the buffer overflow example that executes shell commands could be used to create a worm, by having it execute one of the previous shell commands.
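One middleware-side mitigation for the propagation paths above, written as an added example (not code from the original page or the project it describes): tag data is validated against the exact format the middleware expects before it touches the database, and is inserted only through parameterised queries, so a tag carrying SQL or shell fragments is dropped and logged instead of being interpreted. The 24-hex-digit EPC format, the table names and the sample reads are assumptions constructed for the example.

```python
import re
import sqlite3

# Assumption for this example: the middleware expects a 96-bit EPC rendered as
# exactly 24 hex digits. A real deployment substitutes its own tag data format.
EPC_HEX = re.compile(r"\A[0-9A-Fa-f]{24}\Z")

def validate_tag_payload(raw: bytes) -> str:
    """Return the canonical EPC or raise ValueError. Anything that is not exactly
    the expected format (shell or SQL fragments, binary blobs) is rejected here,
    before it can reach the database or any shell-capable SQL feature behind it."""
    if len(raw) != 24:
        raise ValueError(f"unexpected payload length {len(raw)}")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in tag payload") from None
    if not EPC_HEX.match(text):
        raise ValueError("payload is not a 24-hex-digit EPC")
    return text.upper()

def store_tag_read(conn: sqlite3.Connection, reader_id: str, raw: bytes) -> bool:
    """Validate, then insert with a parameterised query; tag data is never
    concatenated into SQL. Rejected reads are logged so they can be reviewed."""
    try:
        epc = validate_tag_payload(raw)
    except ValueError as exc:
        conn.execute("INSERT INTO rejected_reads(reader_id, reason) VALUES (?, ?)",
                     (reader_id, str(exc)))
        return False
    conn.execute("INSERT INTO tag_reads(reader_id, epc) VALUES (?, ?)", (reader_id, epc))
    return True

# Constructed sample reads: one well-formed tag, one oversized SQL fragment,
# one correctly sized but non-hex fragment, and one binary blob.
SAMPLE_READS = [
    ("dock-1", b"3074" + b"0" * 18 + b"1A"),
    ("dock-1", b"'; DROP TABLE tag_reads;--"),
    ("dock-2", b"'OR 1=1;--" + b"#" * 14),
    ("dock-2", b"\x90" * 20 + b"\xcc\xff\xe4\x00"),
]

def run_demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tag_reads(reader_id TEXT, epc TEXT)")
    conn.execute("CREATE TABLE rejected_reads(reader_id TEXT, reason TEXT)")
    accepted = [store_tag_read(conn, reader, raw) for reader, raw in SAMPLE_READS]
    stored = conn.execute("SELECT COUNT(*) FROM tag_reads").fetchone()[0]
    rejected = conn.execute("SELECT COUNT(*) FROM rejected_reads").fetchone()[0]
    return {"accepted": accepted, "stored": stored, "rejected": rejected}
```

Only the first sample read is stored; the other three are recorded in `rejected_reads` with the reason they failed validation, which is also the record a detection team would review for tags that carry anything other than an identifier.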