Worm With Rootkit Package Loose On AIM
Mr0624 writes "According to a recent article on C|Net a new worm is swiftly spreading via AIM to many computers. It delivers a brutal root-kit which bypasses security software and takes control of a PC." From the article: "The worm was spotted in an AOL IM chatroom and infected one of the PCs that FaceTime uses for worm bait. The company said it also has seen the pest hit other computers. 'It is still out there, and it is definitely something the user should be leery of ... The rootkit is designed to not be detected, and that is the scary part.'"
"'The rootkit is designed to not be detected, and that is the scary part.'"
ummm isn't that the definition of a root-kit?
i don't know why i'm engaging on this, but i will.
the vast majority of internet users are not idiots -- they are merely undereducated about computers and the internet.
my nice response to your comment is that you should try to appreciate that not everyone has the time, energy or will to learn computers to the extent that you or i have.
my mean response is as follows: i have a theory. kids start out life talking about how they want to be astronauts, or the president, or teddy bruschi.* they see a vast world of limitless possibility and imagine themselves filling up an enormous space within it. as people age, they start to realize that they most likely won't be a michael jordan or a bill gates, and their response is not to be content being a small fish in a big pond -- it's to reduce the size of the pond that is 'important'. so, i, for example, work in politics. it's easy for me to see the political world i inhabit as the most important thing locally, or even in the world, and to feel very self-important as a result. many users on slashdot see the world of tech as the pond. or their own i.t. departments. people reduce the scope of the important world, until they are a big fish. i call this, uncleverly, 'resizing the pond'.
i posit that you are resizing the pond. and, further, that you shouldn't.
</self-righteousness>
* don't know who this is? there are people who would call you an idiot if you didn't.
go get it
You're not taking into consideration that it's a message from someone on your buddy list, not a perfect stranger.
It's quite easy to fix though; a good Ol' system restore fixes it, and there are many programs that can search for and delete rootkits and other trojans (I'm talking about other programs besides antivirus programs, which sometimes have a hard time deleting these buggers).
Rule #1 when dealing with rootkits (or other break-ins)... The system can no longer be trusted. That means any and all executables on the system are suspect (including System Restore functionality) and may have been tampered with.
On a unix/linux box, that means shutting the system down and booting from read-only media that cannot be tampered with. Then you use tools that are only on the CD/DVD to investigate the system and find out what files have been changed / corrupted / hijacked. This is where tools like Tripwire come into play (or simply using fingerprinting tools like md5sum and doing a diff between two sets of signature files).
On a Windows box, you're better off with a format and re-install from CDs. Or, if you thought ahead and created a disk image using Knoppix, you could restore using that image. (Be sure that it's an image that you know is clean.)
Luckily for you, it sounds like the worm that you dealt with was apparently not very sophisticated. But how can you be sure that you've removed that rootkit from the system? And who's to say that the next one won't interfere with System Restore?
Never assume that worm writers are stupid. Don't assume you can outsmart them. However, most of the time (unless you are a specific target), worm writers are looking for the biggest return for least effort. So a worm that infects the majority of hosts is enough and they will not bother writing the code to infect the rest.
IOW, if System Restore functionality begins to have a significant impact on infection rates, you should plan on System Restore functionality being broken by future worms.
In summary:
- Back up your data files regularly.
- Boot a Knoppix CD/DVD and fingerprint your system regularly for a baseline to compare against at a future date.
- Use that Knoppix CD/DVD to create snapshot images of your currently working (and uninfected) system.
- If you're infected / invaded, assume that you haven't found everything and will need to rebuild the system from scratch.
(Yes, I've fought off a rootkit once. It was a real pain.)
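The fingerprint-and-diff step described in the post above (hash every file to a signature file, then diff a later signature file against the baseline) as an added shell example; this is not code from the post, from Tripwire or from Knoppix. It assumes a POSIX shell with find, sort and awk, and a checksum tool on PATH (sha256sum by default; set HASH_TOOL=md5sum to match the post). The directory layout in the self-check at the bottom is constructed for the demo; on a real box the tools should be the ones on the read-only boot media and the baseline file should be stored off the host, since a rootkit on the disk can alter both.

```sh
#!/bin/sh
# Fingerprint a directory tree and compare two fingerprint files.
# Added example, not the post's or any project's own code.
# Assumptions: POSIX sh, find, sort, awk; HASH_TOOL prints "<hash>  <path>"
# per file the way sha256sum/md5sum do. Run from trusted (read-only) media.

HASH_TOOL=${HASH_TOOL:-sha256sum}

# fingerprint_tree DIR
#   Prints one "<hash>  ./relative/path" line per regular file under DIR,
#   sorted by path so two runs over the same tree are directly comparable.
fingerprint_tree() {
    ( cd "$1" && find . -type f -exec "$HASH_TOOL" {} + ) | LC_ALL=C sort -k2
}

# compare_fingerprints BASELINE CURRENT
#   Prints ADDED / CHANGED / REMOVED lines for every path whose presence or
#   hash differs. The path is taken as everything after "<hash>  " so file
#   names containing spaces are handled. FILENAME is used instead of the
#   NR==FNR idiom so an empty baseline file does not confuse the two inputs.
compare_fingerprints() {
    awk '
        { path = substr($0, length($1) + 3) }
        FILENAME == ARGV[1] { base[path] = $1; next }
        {
            if (!(path in base))          print "ADDED   " path
            else if (base[path] != $1)    print "CHANGED " path
            seen[path] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Usage when run directly:
#   fingerprint.sh baseline /mnt/sysroot > /media/usb/baseline.txt
#   fingerprint.sh compare /media/usb/baseline.txt /mnt/sysroot
case "${1:-}" in
    baseline) fingerprint_tree "$2" ;;
    compare)  fingerprint_tree "$3" > "${TMPDIR:-/tmp}/current.$$" \
                  && compare_fingerprints "$2" "${TMPDIR:-/tmp}/current.$$" ;
              rm -f "${TMPDIR:-/tmp}/current.$$" ;;
esac
```

An empty report means no regular file under the tree was added, removed or altered since the baseline; it says nothing about files the rootkit hides from the running kernel, which is exactly why the post insists on hashing from a booted CD rather than from the suspect system.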