Slashdot Mirror


Microsoft Instant Messenger Virus Sweeps Net

Many people have reported a Warhol virus affecting users of Microsoft Instant Messenger. If you get messaged, "Go To http://www.masenko-media.net/cool.html NoW !!!", or any similar message (apparently there are several websites with the infection code), I suggest not following the link. A brief discussion follows.

Sequence: Get messaged "Go To http://www.masenko-media.net/cool.html NoW !!!" or something similar with another URL. Follow the link. That webpage contains malicious code which reads your Messenger contact list and sends a similar message to each of your contacts. It looks like it uses a vulnerability in formmail.pl as well, although I'm not exactly sure how (I'm not an expert in ECMAScript, sorry, and I have no systems that could possibly be affected by this to test with). I'm sure some of our readers can provide more information in the comments below.

There appear to be several webpages carrying the infection code, not just masenko-media.net. Some webmasters are already taking them down.

Sophistication: moderate. Damage: only your pride.

Solution: probably the latest mega-patch for Internet Explorer will fix the Microsoft bug that allowed this.

Risks: obviously, the code could have done worse than just messaging your contacts. With Microsoft making "messaging" an integrated part of the operating system, any flaws in it can be exploited to affect millions of people instantly, so it is a high-value target. Does it have commensurate high-strength security?
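The propagation pattern described above (one account pushing the same URL-bearing message to many contacts within seconds) is something a defender can spot in IM logs. The following Python routine is an added example, not code from the story or its comments; the log format and sample lines are constructed for illustration, and the 60-second window and 4-recipient threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IM log (format assumed): "timestamp sender -> recipient : text"
SAMPLE_LOG = """\
2002-02-13T10:00:01 alice -> bob : hey, lunch later?
2002-02-13T10:05:10 bob -> alice : Go To http://www.masenko-media.net/cool.html NoW !!!
2002-02-13T10:05:10 bob -> carol : Go To http://www.masenko-media.net/cool.html NoW !!!
2002-02-13T10:05:11 bob -> dave : Go To http://www.masenko-media.net/cool.html NoW !!!
2002-02-13T10:05:11 bob -> erin : Go To http://www.masenko-media.net/cool.html NoW !!!
2002-02-13T10:05:12 bob -> frank : Go To http://www.masenko-media.net/cool.html NoW !!!
2002-02-13T10:20:00 carol -> bob : lol what was that link
2002-02-13T11:00:00 dave -> erin : see http://example.invalid/report.html when you can
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) : (.*)$")
URL_RE = re.compile(r"https?://\S+")


def parse(log_text):
    """Turn log lines into (timestamp, sender, recipient, text) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, sender, recipient, text = m.groups()
        events.append((datetime.fromisoformat(ts), sender, recipient, text))
    return events


def find_fanout(events, window=timedelta(seconds=60), min_recipients=4):
    """Flag senders that deliver the same URL-bearing text to at least
    `min_recipients` distinct contacts within `window` (worm-like fan-out)."""
    by_key = defaultdict(list)  # (sender, normalised text) -> [(ts, recipient)]
    for ts, sender, recipient, text in events:
        if URL_RE.search(text):
            by_key[(sender, " ".join(text.split()).lower())].append((ts, recipient))
    alerts = []
    for (sender, text), hits in by_key.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start point
            recips = {r for t, r in hits[i:] if t - start <= window}
            if len(recips) >= min_recipients:
                alerts.append((sender, text, sorted(recips)))
                break
    return alerts
```

A legitimate user sharing one link with one friend (the last sample line) never crosses the threshold, while the five identical messages from bob within two seconds do.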

7 of 400 comments

  1. could be a lot worse, likely will be soon by immanis · Score: 5, Interesting

    I wrote a simple script about a year ago that exported a user's MSN registry key and sent it to me. Given that MSN logins, Passport Logins and Hotmail logins all could be gleaned from that key... well you get the idea.

    It worked too. Got to log into MSN as the CTO of our company, just to make a point.

    As long as scripters can manage things like this, and as long as it is _that_ easy to pull a person's login data from the registry, Passport will _never_ be secure.

  2. Not so sure the story is accurate. by einhverfr · Score: 4, Interesting

    The page appears to post a hidden form with your email information to the page. I suspect that it may be a contact gatherer for spammers (a new low...) though it could have done much more.

    FormMail.pl is the perl script which receives this information. It is pretty interesting...

    --

    LedgerSMB: Open source Accounting/ERP

  3. One shoe drops by Anonymous Coward · Score: 5, Interesting

    Well, this is one of a number of Damoclean swords hanging over the Net. A couple of other widely predicted "what if..?"s have already come to pass: Nimda was the first successful implementation of one, attacking through multiple vulnerabilities; others would include yesterday's SNMP freakout, the separate possibility of routing protocol attacks, yadda yadda, oh look... you all read bugtraq|incidents|nanog, et al., and know the score, and are presumably not very vulnerable. (Although one especially interesting aspect of this and other worms is that it defeats the security posture that says "take yourself out of the top 10% of easy sites to break into [by, e.g., ONLY implementing the SANS top 10/20 fixes] and the kiddies will pass you by". If you're vulnerable, you WILL be hit.) "But I haven't got anything worth taking, why would anyone want to crack me?" *sigh*...


    The thing that gets me is that NOTHING MAKES ANY DIFFERENCE. Web defacements - make no difference. ILoveYou - no effect. Melissa: nada, Nimda - plus ca change, plus ca la meme chose. Code Red? code schmed. The PHBs seem quite happy to just reformat, reinstall, count it as a cost of doing business on the net, and forget any lessons less stupid people might learn.


    Don't believe me? Check out the IIS curve at Netcraft. What happened after Nimda and Code Red? IIS usage INCREASED.

    Mebbe I'm just bitter cos I've been trying to break into info-sec work for the last few years and getting nowhere cos I haven't an MCSE|CCNA|CISSP|security clearance, although I can usually spot half a dozen glaring holes in a setup within a few hours. (Actually I interviewed at a "leading security firm" once & was given an automated test: I couldn't help noticing the machine I was given was logged in as NT Domain Admin. No, it wasn't a double-bluff test of my ethics!)

    Er... well, yes, I AM bitter; but that doesn't change the fact that there are an awful lot of clueless gimps out there managing (techs who manage) networks and network-connected systems.

    It seems to me that nothing short of a totally 100% evil malware that nukes HDs after silently & terminally corrupting backups for a few weeks will hit enough people where it counts - their wallets - to make any difference to the importance placed on info-sec in the vast majority of places.

  4. Re:Well, that's one less effectual site for vector by JDizzy · Score: 3, Interesting

    Somebody mod this parent as "funny" or "underrated", because the author has a point: the slashdot effect should suffice to kill any of the infection sites, and with a high degree of impact.

    --
    It isn't a lie if you believe it.

  5. Erlang Virus Propagation System by Anonymous Coward · Score: 5, Interesting

    "A fully coordinated worm, where the worms explicitly coordinate their attack on the network, is a theoretical possibility but has not been seen in practice due to the difficulty in coding and coordinating the worms."

    Obviously the author has not heard of the interpreted, functional programming language Erlang. It can be best described as "The Borg" and has language level support for things like automatic resource discovery, live updates of software modules and distributed databases. There are binaries available for many architectures.

    An attack platform written in this language has the potential to be utterly devastating. Imagine, all of the infected nodes know about all of the other nodes. You have a distributed database containing information on exploits and probes for various computer systems that can be updated on the fly as new exploits are discovered. Even the code for the platform itself can be updated while the system is running.

    As I recall, there was a story on /. some time ago about the impossibility of removing viruses from a computer network without shutting the network down under certain conditions.

    Why hasn't this happened yet? It surely isn't for lack of expertise. No need to worry though, all the legislation that's been passed regarding computer crime prevents this sort of thing, right?!

  6. Re:Not a Messenger flaw by rhavyn · Score: 4, Interesting

    Hmm ... or maybe it's because that problem with Linux went away a long time ago. A default workstation install of Red Hat Linux 7.2 has zero open ports and a firewall that blocks access to all ports under 1024.

    Now, obviously if someone sets up a server and doesn't patch, that person is an idiot (and that is true no matter what OS he/she is running). Unfortunately for your argument, we're talking about an instant messenger client and a web browser, not things that are likely to be installed on a server. The fact is, you can't exploit my Linux system via Mozilla/Konq/Galeon/Netscape, yet every other week, a new way to exploit Windows using IE pops up.

    So, in conclusion, your argument is completely irrelevant to the topic at hand ... there has never been an exploit like this released against Linux, there is an exploit like this released against Windows about once a month ... I think we can safely start saying it's Microsoft's fault at some point.

  7. Re:Not a Messenger flaw by lessthan0 · Score: 4, Interesting

    And next week, when the next batch of critical security flaws is revealed, follow the Microsoft DIR cycle...

    1. Download the patch.
    2. Install the patch.
    3. Reboot.

    Plan to do this every week on all your critical servers, work machines and home PCs. Just do this every week forever, or as long as you run a Microsoft OS and be done with it.