Worm With Rootkit Package Loose On AIM
Mr0624 writes "According to a recent article on C|Net a new worm is swiftly spreading via AIM to many computers. It delivers a brutal root-kit which bypasses security software and takes control of a PC." From the article: "The worm was spotted in an AOL IM chatroom and infected one of the PCs that FaceTime uses for worm bait. The company said it also has seen the pest hit other computers. 'It is still out there, and it is definitely something the user should be leery of ... The rootkit is designed to not be detected, and that is the scary part.'"
"'The rootkit is designed to not be detected, and that is the scary part.'"
ummm isn't that the definition of a root-kit?
"The rootkit is designed to not be detected, and that is the scary part."
You can often judge the quality of the articles linked to by /. by their summaries. Check the definition of root kit before writing such a summary. One would hope that at least story submitters are more competent than the average journalist - but then again, this is /. :-)
The rootkit is designed to not be detected
So ... most rootkits are designed to be detected?
Probably very few of *us*, if you're referring to Slashdot readers, who we shall assume have some degree of computer literacy. However, the vast majority of internet users are idiots. Simple fact.
or "Administrator", rootkit designers don't even need to escalate privileges. I can't wait for Vista :|
Frequently Messenger type programs get worms that do NOT require the user to click, thus making the virus that much more worm-like since it doesn't require user intervention. Windows XP had several of these vulnerabilities, and so did MSN Messenger 6. Did you ever wonder why Microsoft forced upgrades sometimes? It's because a critical bug was found in their JPG processing code for instance, and the mere presence of MSN 6 and an infected buddy messaging you automatically, because they got infected automatically, meant you got infected too. It came through a malformed .jpg or .png Avatar picture that on most Messengers is set to download and display upon arrival of any message from that person, even a message sent by a virus.
Saskboy's blog is good. 9 out of 10 dentists agree.
I'll bet that there are a lot of people that would just click on through for whatever the carrot is, screen savers, free porn, or whatever...
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
i don't know why i'm engaging on this, but i will.
the vast majority of internet users are not idiots -- they are merely undereducated about computers and the internet.
my nice response to your comment is that you should try to appreciate that not everyone has the time, energy or will to learn computers to the extent that you or i have.
my mean response is as follows: i have a theory. kids start out life talking about how they want to be astronauts, or the president, or teddy bruschi.* they see a vast world of limitless possibility and imagine themselves filling up an enormous space within it. as people age, they start to realize that they most likely won't be a michael jordan or a bill gates, and their response is not to be content being a small fish in a big pond -- it's to reduce the size of the pond that is 'important'. so, i, for example, work in politics. it's easy for me to see the political world i inhabit as the most important thing locally, or even in the world, and to feel very self-important as a result. many users on slashdot see the world of tech as the pond. or their own i.t. departments. people reduce the scope of the important world, until they are a big fish. i call this, uncleverly, 'resizing the pond'.
i posit that you are resizing the pond. and, further, that you shouldn't.
</self-righteousness>
* don't know who this is? there are people who would call you an idiot if you didn't.
go get it
Not sure how you have a rootkit on a system (Windows) that doesn't have a "root" user per se... Presumably it's so called because it gets admin privs, but they aren't needed for much on Windows. It's not even that tough to remove, and I've seen it starting a few weeks ago. Much ado about nothing on C|Net is what this looks like - AIM worms aren't anything new, especially not when you work with college students.
I recognize people by their sigs. Is that a bad thing?
The bigger point is that malware need only become better at social engineering to convince most people not to ask. If the worm sent two messages -- one with the link and a second one with a friendly confirmation ("Hope you liked that link. See you later.") -- this could easily convince many people that it was a trusted link from a trusted source. By the time they actually talk to the friend (if they do) and mention it, the friend will deny sending anything, the infected person will check their PC, find no evidence of an infection and just be puzzled by the exchange. But it will be too late.
Yes, some people might still ask or be suspicious. But infectious malware needs only to succeed with a very small % to create a very large and valuable botnet.
Two wrongs don't make a right, but three lefts do.
One worm does not a trend make.
Isn't this the actual point of any worm/virus/etc.: to not be detected, so as to be able to do what it's supposed to do? Haven't these things been doing this even before the 90's... really since the beginning.
This is just more typical stuff. User gets something that looks like it came from someone they know and they click on the link like the dumbass user that they are. This despite the fact that they are *always* told to never just click.
They'll never learn and as such, things like this will continue to happen. Stuff like this became not news to me a *long* time ago.
All I have to say is, ad nauseam.
the vast majority of internet users are not idiots -- they are merely undereducated about computers and the internet.
"Hey, you don't know me, but I just KNOW you'll love what I have in this box. Go ahead, take it home and open it."
Trusting complete strangers isn't a mark of techno-ignorance, it's a mark of idiocy.
Honestly that has bugged me the most about not only trojans like this, but spam in general. Why go after the distributor, go after the source. There'll always be another spammer or script kiddie up for taking the last guy's place.
Make it unprofitable for businesses to use these tactics and the tactics will go away, or at least be less prevalent.
Don't know something? Look it up. Still don't know? Then ask.
180solutions is not a perpetrator and you can't implicate them in this scheme. If someone spray-painted "HAHA I RULE, SINCERELY, JOE SMITH 212-555-5555" on your house would you immediately call the cops asking that they arrest Joe Smith? Let's not forget what Joe Jobs are.
Now 180solutions could invoke the terms of their affiliate agreement and freeze payments to the scumbags that install this software on the sly. Of course that's no consolation to the consumer that gets stuck with that adware/spyware on his machine.
Forcibly installing 180solutions' software is no different legally than forcibly installing Firefox the next time someone visits your website with an unpatched version of IE. Both are immoral and should be illegal, but the software authors can't be faulted for producing software that may be installed without the user's consent by way of an IE vulnerability.
For more information, click here.
Actually it's more like the old adage about taking candy from strangers. "Here, eat this! You'll like it!"
Most people just don't make the mental connection that they could click on a link -- something they do pretty often and usually without incident -- and cause serious harm to their computer.
I vote that it's more ignorance (to a certain degree self-imposed, because a lot of people could understand a lot more about their computers if they wanted to, but simply choose not to) than a lack of ability or mental capacity.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
first of all, you seem to think that going to best buy is the same as buying things from people in alleys. which i have to say is a bit simplistic.
second, trusting complete strangers is a mark of being able to function in society. when you leave the house, do you need to ensure that everyone driving down the street is a friend or acquaintance? when you go to a restaurant, do you get background checks on the staff? from whom did you buy the aluminum foil to make your hat? mom?
go get it
I think part of the problem--and nothing earth-shattering here--is that people still think of PCs as a regular appliance. I know people who think of websites the same way they would think of turning on a TV show. If a friend tells you to turn on a station, nothing bad could happen to the TV. They tend to think the same of a website.
Now, the question is whether people who get infected learn their lesson...that's what I'd like to see. Anyone know of any studies or such related to that? Do people take security more seriously once it happens? You'd think so, but we all know people who went back to using IE after we install Firefox/Opera/other because the Flash games wouldn't work.
It looks like the beginning of the end. When enough people come to their senses they might start looking for alternative OS's!
Oh, you mean alternative OSs like LINUX for which NO rootkits exist?
If you bother to upgrade to newer versions of windows, SP2 will ask you if you want to open or download the file, which is usually called something like http://12.234.426.43/picofme.jpg but it tells you this is an executable, so if you are still dumb enough to run it after it tells you "Hey! I'm an executable hiding as a jpeg", then you deserve to be infected and so do your friends.
"I Wish I Was Gay Just to Piss Off the Homophobes!" - Kurt Cobain
You're not taking into consideration that it's a message from someone on your buddy list, not a perfect stranger.
Maybe the vast majority of internet users should take the little bit of time to appropriately learn about computers and the internet. I'm not saying everyone who uses a computer should be system admins, but I don't think it's too much to ask that people who are going to use a computer every day have at least a basic understanding of what they're doing.
If someone were to get behind the wheel of a car and start driving, with no drivers license, having never driven before, they'd go to jail. It's the law that people have to have at least a basic knowledge about their car and how to drive. Yet, at the same time, any moron with $400 can bring home a new computer, hop on the interweb, and have their new computer pwned and DDOSing some random website in 2 minutes because they either don't understand or don't care to follow simple advice like "Use a virus checker and firewall". Obviously, computer and internet use shouldn't be regulated as heavily as driving, but if people can't be bothered to take a little time to learn how to use their computers, they deserve everything they get in my opinion.
Maybe not
And you're hoping for competence???
So Windows keeps a backup of every file on the system, at any point of time?? That must waste some space. I wonder what would happen if the worm made it past the last restore point, would it restore the worm as well?
What strangers? The links come from people that have you on their buddy list.
It's quite easy to fix though, a good Ol' system restore fixes it, and there are many programs that can search for, and delete rootkit and other trojans (I'm talking about other programs besides antivirus programs, which sometimes have a hard time deleting these buggers).
Rule #1 when dealing with rootkits (or other break-ins)... The system can no longer be trusted. That means any and all executables on the system are suspect (including System Restore functionality) and may have been tampered with.
On a unix/linux box, that means shutting the system down and booting from read-only media that cannot be tampered with. Then you use tools that are only on the CD/DVD to investigate the system and find out what files have been changed / corrupted / hijacked. This is where tools like Tripwire come into play (or simply using fingerprinting tools like md5sum and doing a diff between two sets of signature files).
On a Windows box, you're better off with a format and re-install from CDs. Or, if you thought ahead and created a disk image using Knoppix, you could restore using that image. (Be sure that it's an image that you know is clean.)
Luckily for you, it sounds like the worm that you dealt with was apparently not very sophisticated. But how can you be sure that you've removed that rootkit from the system? And who's to say that the next one won't interfere with System Restore?
Never assume that worm writers are stupid. Don't assume you can outsmart them. However, most of the time (unless you are a specific target), worm writers are looking for the biggest return for least effort. So a worm that infects the majority of hosts is enough and they will not bother writing the code to infect the rest.
IOW, if System Restore functionality begins to have a significant impact on infection rates, you should plan on System Restore functionality being broken by future worms.
In summary:
- Backup your data files regularly.
- Boot a Knoppix CD/DVD and fingerprint your system regularly for a baseline to compare against at a future date.
- Use that Knoppix CD/DVD to create snapshot images of your currently working (and uninfected) system.
- If you're infected / invaded, assume that you haven't found everything and will need to rebuild the system from scratch.
(Yes, I've fought off a rootkit once. It was a real pain.)
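The fingerprint-and-diff routine the comment above describes, as an added example that is not part of the original thread: one script that takes a baseline of a mounted disk and later reports what changed. It assumes a POSIX sh with GNU coreutils (find, sort, md5sum) and awk, as found on a Knoppix-style rescue CD; the /cdrom/bin and /mnt/sys paths in the comments are assumed mount points, not anything from the page.

```shell
#!/bin/sh
# Added example, not from the thread: a baseline-and-compare script for the
# "fingerprint with md5sum, then diff two signature files" approach in the
# comment above. Assumes a POSIX sh with GNU coreutils (find, sort, md5sum)
# and awk, as found on a Knoppix-style rescue CD. Run it from that read-only
# media with the suspect disk mounted, so the hashing tools cannot have been
# replaced by the rootkit; e.g. (assumed mount point, adjust to your media):
#   PATH=/cdrom/bin:$PATH

# Emit one "hash  path" line per regular file under the given root, sorted by
# path so two baselines of the same tree line up for diff(1) or for the join
# below. (Filenames containing a newline are not handled by this simple loop.)
fingerprint_tree() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        md5sum "$f"
    done
}

# Join two fingerprint listings on path and report every difference as
# MODIFIED (hash changed), ADDED (only in the new listing) or REMOVED
# (only in the baseline). Spaces in paths are fine: the path is everything
# after the 32-character hash and its two-space separator.
baseline_changes() {
    awk '
        { hash = $1; path = substr($0, length($1) + 3) }
        FNR == 1 { fileno++ }
        fileno == 1 { old[path] = hash; next }
        path in old {
            if (old[path] != hash) print "MODIFIED " path
            delete old[path]
            next
        }
        { print "ADDED " path }
        END { for (p in old) print "REMOVED " p }
    ' "$1" "$2"
}

# Exit status 0 when the two listings agree, 1 when anything changed
# (the change list goes to stdout), so the check can gate a script.
verify_baseline() {
    changes=$(baseline_changes "$1" "$2")
    if [ -z "$changes" ]; then
        return 0
    fi
    printf '%s\n' "$changes"
    return 1
}

# Command-line use, e.g. from the rescue CD with the disk mounted at /mnt/sys:
#   sh baseline.sh fingerprint /mnt/sys > base.md5    (taken while known clean)
#   sh baseline.sh fingerprint /mnt/sys > now.md5     (taken after the incident)
#   sh baseline.sh compare base.md5 now.md5 || echo "system differs from baseline"
case "${1:-}" in
    fingerprint) fingerprint_tree "$2" ;;
    compare)     verify_baseline "$2" "$3" ;;
esac
```

The baseline file is only worth as much as where it is kept: store it on the read-only media or on a separate machine, never on the disk it describes, and take it while the system is known clean, since a baseline taken after the break-in simply enshrines the rootkit's files.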
Do YOU know an average windows user that doesn't regularly run with account with Admin privilege? I sure don't, because most applications publishers in the windows world make it more than slightly inconvenient to run with other than Admin level privileges.
So yea it's likely to be granted Admin access, and it's likely to be a threat, on the scale of the whole "nasty shit that causes unnecessary network traffic" thing.
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
When I was working on developing a Snort rule to detect links to .pif attachments in MSN messages, I was surprised to learn that Microsoft would quietly discard any messages which contained a link to suspicious executables. It even blocked links to fake .pif files I hosted myself, so it wasn't a URL blacklist.
Why won't AOL do the same with AIM? This is a very effective measure to help stop this type of attack. I work at the resnet for my university, and these types of worms are very annoying to help students deal with. Using Snort last year, I was able to see that over 1/3 of all students who received a particular "OMG click this link!" email clicked it, became infected, and started to spew messages to the infected file.
Blocking the messages before they even arrive is by far the most effective way to stop this infection vector. I'm hard-pressed to think of a reason why this is a bad idea.
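The message filter the comment above argues for, as an added example that is not part of the original thread and not the poster's Snort rule: a small shell filter that pulls the links out of an IM message and drops the message when any link points at an executable. It assumes a POSIX sh with grep -E/-o and tr; the extension list is an assumption to be extended locally, and the sample messages are constructed (example.invalid is a reserved name that resolves nowhere).

```shell
#!/bin/sh
# Added example, not from the thread: the kind of check the comment above
# describes, applied to IM message text. Assumes POSIX sh with grep -E/-o
# and tr. The sample messages are constructed; example.invalid is a
# reserved name that resolves nowhere.

# Print every http/https URL found in one message line, one per line.
extract_urls() {
    printf '%s\n' "$1" | grep -oiE 'https?://[^[:space:]"<>]+' || true
}

# Succeed (exit 0) when a URL's final path component has an executable
# extension. The query string and fragment are stripped first, so
# "picofme.jpg.PIF?id=7" is still caught, and the comparison is
# case-insensitive. The extension list is a conservative assumption.
is_executable_link() {
    path="${1%%\?*}"          # drop ?query
    path="${path%%#*}"        # drop #fragment
    base="${path##*/}"        # last path component
    case "$base" in
        *.*) ext="${base##*.}" ;;
        *)   return 1 ;;
    esac
    ext=$(printf '%s' "$ext" | tr 'A-Z' 'a-z')
    case "$ext" in
        exe|pif|scr|com|bat|cmd|vbs|js|hta) return 0 ;;
    esac
    return 1
}

# List the executable links in a message, one per line (empty if none).
flagged_links() {
    for u in $(extract_urls "$1"); do
        if is_executable_link "$u"; then
            printf '%s\n' "$u"
        fi
    done
}

# Whole-message verdict: "drop" if any link is executable, else "allow".
classify_message() {
    if [ -n "$(flagged_links "$1")" ]; then
        echo drop
    else
        echo allow
    fi
}

# Constructed sample traffic, as a relay might see it.
printf '%s\n' \
    'OMG click this http://example.invalid/pics/picofme.jpg' \
    'OMG click this http://example.invalid/picofme.jpg.PIF?id=7' \
    'homework is at HTTP://EXAMPLE.INVALID/notes.html see you' \
    'no links here' |
while IFS= read -r msg; do
    printf '%-5s %s\n' "$(classify_message "$msg")" "$msg"
done
```

A filter like this catches the link-to-executable vector the poster saw on MSN, but only that vector: a link to an HTML page that in turn offers the executable, or an archive wrapping it, passes straight through, which is why it belongs alongside host-side controls rather than in place of them.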
One of the rootkits out there puts autorun files in C:\.
If you plug it into a second W2K computer as a slave, it infects that one. Hard-disk to hard-disk virus!
It's probably easier and cheaper to buy a whole new motherboard than just replace the BIOS.
How many people can read hex if only you and dead people can read hex?
Everything runs in circles. I remember the days when the main way you infected things was having another disk (hard or floppy) in while you booted.
I am trolling
That'll happen about the time stupid assholes quit recklessly dishing out mod points.
For anyone curious, WoW runs fine in a limited user account as long as that account has write privileges to the executable folder and files to allow updates. It also doesn't require any HKLM settings to run, so you don't need to even run the installer on your system, you just need the files it unpacks. (I used VMware to run the installer.)
I'm not sure games that require arbitrary patching of files on someone else's (Blizzard's) schedule are all that much easier to implement in any other OS, though. A separate copy of all the game files for each user would be prohibitively large, but giving all players write access to the executable directory allows any single user to bork the whole thing if they feel like it. (Not an issue if only one user has access to play that game, but.) The only other option with current security and file-system models is to have a privileged updater executable, and then you'd have to be trusting some updater application from Blizzard with root privs on a regular basis. Either that, or Blizzard would have to get its updates approved for addition to the distribution's package repository every time they wanted to update their game.
I'm already not a big fan of the way adding software to Linux and Windows systems requires full root privs as a matter of course. Most software only needs rights to write to one specified directory and add an entry to a list of installed software; why the heck should I have to give the installer full control of the system?