Slashdot Mirror


Worm With Rootkit Package Loose On AIM

Mr0624 writes "According to a recent article on C|Net a new worm is swiftly spreading via AIM to many computers. It delivers a brutal root-kit which bypasses security software and takes control of a PC." From the article: "The worm was spotted in an AOL IM chatroom and infected one of the PCs that FaceTime uses for worm bait. The company said it also has seen the pest hit other computers. 'It is still out there, and it is definitely something the user should be leery of ... The rootkit is designed to not be detected, and that is the scary part.'"

18 of 438 comments

  1. Only Chat room users affected? by BoldAndBusted · · Score: 5, Interesting

    So, I use GAIM, and I never use the Chat rooms. Should I worry?

    1. Re:Only Chat room users affected? by Bastian227 · · Score: 2, Interesting

      In any case, if your computer runs this executable, the computer is infected and it's game over.

      As long as the thing isn't granted admin access, I don't think it's much of a threat (based on the article's description of the worm). It may still try to spread, but the clean up would be relatively easy.

    2. Re:Only Chat room users affected? by Fordiman · · Score: 5, Interesting

      Hmmm... Probably not. However, I would suggest not downloading and running any exe files from unknown sources. Unlike the idiots using AIM who've been hit with this.

      But you know what? I'm not going to be frightened by a worm or virus until someone writes one that works via bittorrent.

      IE: The worm is a compact, surreptitious BT/Kademlia client. There are distributions of the nasty part built for Win32, OSX, and Linux, floating on the torrentstream. The nasty part can be any size, and has constantly updated exploit code for numerous pluggable targets (for example, you, as the virus writer, could add a torrented executable for exploiting a new bug in filezilla server, or in Apache, etc.) The virus core would download this and run it on the local machine. It could even be "smart", and detect the target machine's servers before getting and running the exploit. Once the exploit is run at the target machine, it uploads the BT client virus core for the appropriate architecture, and the process starts again.

      One could use the usual tools for preventing detection and removal: polymorphic code, torrential code (code that is split on function barriers and resorted in random order on a per-spread basis), multiple copies, Knowing your Permissions (IE: run itself as user X, make user X root/admin, set permissions so that only user X can know the executable and process exist.) Persistent regression (IE: making sure that the executable is in the startup files of the OS) Trojaning, masking (encoding the executable and running itself via a decoder program) ...

      Y'all should be happy I don't write virii. I've been fighting with them so long, I think I'd be pretty good at it...

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    3. Re:Only Chat room users affected? by thesnarky1 · · Score: 5, Interesting

      Yes.... your friends who don't can still send you the link. If you click it, boom. I've cleaned this off of 5 systems this month among my friends, Two GAIM, and 3 AIM. It's a nasty virus, I might add, and I don't think the article does it justice. Yes, it preys upon P2P, but the worst part is, most users will click that link before thinking, so it's free bait. This is social engineering at its worst, and the only way to stop it is to tell your friends and family right now. No, this is not a chain letter, this is a plea for help, I can only reach so many people on my own. For instance, my away message on AIM right now deals with this article, and the virus.
      To answer the parent's question, as long as X person out there has this virus, you are affected, because they can send you the link.

    4. Re:Only Chat room users affected? by Anonymous Coward · · Score: 2, Interesting

      First, cryptographically sign each piece of the payload. Have the worm verify each piece before running it, so your installed base isn't hijacked by others.

      Second, use TCPA hardware if it's available, to truly take control out of the user's hands.

      Third, explain all this in a little EULA that pops up when the luser clicks the link. Bury it in the middle where nobody will read it. If you do it right, you might be able to sue people for removing your worm or writing software that does so. :)

      Fourth, call it Trusted Computing.

  2. *yawn* by patio11 · · Score: 3, Interesting

    Summary of TFA: "You might have seen this trick before. A friend points you to a link to an .exe file. You click on it and, ignoring the security message which pops up, attempt to run it. Bad stuff happens. BUT WAIT! Now bad stuff includes a 'root kit', too! Doesn't that sound scary and hacker-y?"

  3. Just curious by max+born · · Score: 2, Interesting

    "A very nasty bundle is downloaded to your machine" when you click on the worm link ...

    Why would anyone write a chat program where you can install (and obviously run) a program just by clicking on a link?

    Besides that, in Windows isn't there a way to run programs (like chat) as an innocuous (nobody) user limited only to that user's home directory and with limited write capabilities?

    What gives?

  4. Re:AIM client, or AIM protocol? by Kadin2048 · · Score: 4, Interesting

    Well this is true, it could just as easily be spread via email or something, but the relation to AIM is that once the virus (trojan, whatever you want to call it) gets into your system, I believe that it sends out messages to all of your contacts with the link, propagating itself.

    At least this is how several other IM viruses have been spread. I noticed that just this weekend I got several IMs from people that I haven't talked to in years (but who apparently still have me on their lists) which were nothing but links to .COM or .EXE files.

    One of them was being hosted at this address:
    http://home.earthlink.net/~two4tea/mc-110-12-00000 80.exe (It has since been removed -- the link is dead)

    And I didn't get the other URL that was going around. I downloaded the file and opened it up in a hex editor just out of curiosity (I'm on a Mac so it wasn't possible to execute anyway), but there didn't seem to be any obvious text strings or anything.

    What I wonder is how the file got up on that web site to begin with; it seems rather farfetched to believe that a virus could find out that someone has a Earthlink web page and upload itself, then send out that link, which makes me think that the person spreading the virus probably planted it there after somehow gaining access to the account, and then letting the version of the virus which points to that URL out. When the linked file is removed the virus stops propagating, but by then has already spread and nabbed a few unwary users. Unless the program has the capability of 'phoning home' to get the URL of the latest location to send out to everyone, that is. The file was a few hundred KB, so I suppose it's entirely possible that it has that capability; you could fit quite a bit of code into something like that.

    Not really my area of expertise, but perhaps someone who knows something more can elaborate on how these things work?

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  5. Spyware Included by diagonalfish · · Score: 2, Interesting

    The worm also places several spyware and adware applications, including 180Solutions, Zango, the Freepod Toolbar, MaxSearch, Media Gateway and SearchMiracle, the company added.

    So, would you like some spyware with your virus at no extra charge? I know this is fairly common, but does this imply that the people that make the viruses are the same ones that make the spyware we have grown to know and love? It seems that the line between "spyware" and "malware/viruses" gets more blurry every day.

    --
    "Eddies," said Ford, "in the space-time continuum." "Ah," nodded Arthur, "is he? Is he?"
    1. Re:Spyware Included by PinkFreud · · Score: 2, Interesting

      Actually, whomever released this particular worm is likely making money off the installed spyware via a referral-type scheme.

      That's how it's usually done with malware nowadays - the authors of spyware typically don't care who is installing their crap on people's computers or how they're doing it. A worm author (or just someone releasing it) can sign up for an account with these spyware companies, and simply make sure the account is referenced when the spyware is installed on an unsuspecting victim's machine.

      It definitely makes one possible route to trace these scumbags.

  6. Re:How to remove it. The answer. by rhizome · · Score: 5, Interesting

    I can vouch for it.

    And who are you?

    --
    When I was a kid, we only had one Darth.
  7. Re:duh by Anonymous Coward · · Score: 1, Interesting
    Actually, rootkits go out of their way to be undetected.

    Uh, no shit. That's his point, that the claim that this is a particularly scary secret rootkit is silly.

  8. Re:Who of us actually would click... by Anonymous Coward · · Score: 1, Interesting

    I prefer to keep in mind that a stranger is a potential robbery/homicide in a dark alley.
     
    That must be fun

  9. Re:Who of us actually would click... by Toasty981 · · Score: 2, Interesting

    Good point. If people never know it's there, they won't learn from their mistakes.

    Come to think of it, I do know a few people who do just what you said...reinstall their OS when things go wrong. Maybe in the long-long term, people will make an association between certain activities and having to reinstall.

  10. Re:duh by Billly+Gates · · Score: 4, Interesting

    Try explaining that to grandma? After all her antivirus software said nothing was installed right?

    Explaining about APIs only makes you look incompetent if you're an IT professional because you're not speaking down to their language to build confidence.

    I had a rootkit last month. Nothing could get rid of it but a full fdisk/mbr where I lost everything. It was MBR based and would append itself when running Windows which made it nearly impossible to delete.

    Watch as spyware makers do this in the future to prevent anyone from deleting their wares.

  11. Re:Who of us actually would click... by Deathanatos · · Score: 3, Interesting

    Who of us actually would click... "Check out these great new pics of us!! LoLz :)"

    The sad thing is, people do! And not only do they click the link pointing at some odd site, they download a file, and execute it!

    There was an AIM trojan similar (but not the same, I believe) that got circulated to me (by a few of my 'friends') this last week. Its text was something like, "check out these kewl pics of me!" Now, if anyone I know said "kewl" that'd instantly throw red flags. (And still, I got that same IM _6_ times that one night.) So, I take a look. The link points at some odd site, with a .php file. Now, none of the people who IM'd me that night were smart enough to set up a webserver w/ PHP. The PHP file, I find, hands you a .com file (With the oh so cliché name img552.com). (Which I think was actually a full Win32 app...) At any rate, through some research, it seems you needed to run it in a root user account.

    And that's just the thing. Many of these AIM viruses/trojans/etc. need not just one, but several lapses of logic to work. They still manage to spread, however. When you click a link, download a virus, and then run it in a root account (although half the world runs as root...)... that's three (usually) fairly obvious lapses in your thinking.

    This isn't a hole in the computer, it's the user. Users are... uneducated. Many /.ers know this; people don't understand how the technology they live with works. Until they do, things like this will continue to work, and people who fix computers will continue to make a living, and we'll keep having to listen to journalism repeat the same words: Don't open executables you don't recognize. (Then again, don't these stupid Windows computers hide extensions by default? We keep telling users not to open things that end in .com, .exe, etc., but all they see is cool_pic(.com!))

    But this is /., and I'm preaching to the choir.
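
The two defensive points in the post above (links that point straight at .com/.exe files, and the hidden-extension trick where a "cool_pic.jpg" is really "cool_pic.jpg.com") can both be checked mechanically. The following is an added example, not code from the original thread or from any IM client: a small filter that scans chat messages for links naming executable files and separately classifies a delivered file name, so that the ".php that hands you a .com" case is still caught at download time even though the URL alone looks harmless. The message texts, the example.invalid host and the extension lists are constructed for this example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlparse

# Extensions Windows will run directly when the user double-clicks the file.
# Constructed list for this example; extend to suit your environment.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta"}

# Harmless-looking extensions commonly placed before the real one so that
# Explorer, with "hide extensions for known file types" on, shows only the decoy.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf"}

# Plain http/https URL matcher for chat text (constructed, deliberately simple).
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Constructed sample messages in the style described in the thread.
SAMPLE_MESSAGES = [
    "Check out these great new pics of us!! LoLz :) http://example.invalid/cool_pic.jpg.com",
    "check out these kewl pics of me! http://example.invalid/pics.php?id=552",
    "meeting notes are at https://example.invalid/notes/agenda.pdf",
    "lol look http://example.invalid/img552.COM!",
]


def classify_filename(name: str) -> Optional[str]:
    """Return a reason string if `name` is a directly executable file type,
    None otherwise. Works on a bare file name or a URL path; matching is
    case-insensitive because Windows ignores extension case."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return None  # no extension at all
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return (f"double extension .{parts[-2]}.{ext} "
                f"(displays as .{parts[-2]} when extensions are hidden)")
    return f"executable extension .{ext}"


def flag_executable_links(message: str) -> List[Tuple[str, str]]:
    """Scan one IM message and return (url, reason) pairs for every link
    whose path names an executable file."""
    findings = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;:!?)")  # trailing chat punctuation is not part of the link
        path = unquote(urlparse(url).path)
        reason = classify_filename(path)
        if reason:
            findings.append((url, reason))
    return findings


def scan_messages(messages: List[str]) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Return only the messages that carry executable links, with their findings."""
    hits = []
    for msg in messages:
        findings = flag_executable_links(msg)
        if findings:
            hits.append((msg, findings))
    return hits


if __name__ == "__main__":
    for msg, findings in scan_messages(SAMPLE_MESSAGES):
        for url, reason in findings:
            print(f"FLAG {url}: {reason}")
    # The .php link is not flagged by URL inspection; the file it serves is.
    print("delivered file img552.com:", classify_filename("img552.com"))
```

Note the limit this shows: the second sample message passes the URL check, because the link ends in .php and only the server's response is a .com file. That is why the delivered file name (or better, the Content-Disposition header and the file's actual type) has to be checked at download time as well, and why a user-facing warning is more reliable than a URL blocklist.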

  12. been here before by jordan · · Score: 3, Interesting
    we warned them once, we warned them twice.

    silly AOL, will they ever listen?

  13. Re:duh by Kiaser+Zohsay · · Score: 2, Interesting

    IIRC, the name "rootkit" came from the fact that you had to get root access to be able to install it. The rootkit itself was used to conceal the fact that the system was compromised, but the compromise had to happen first.

    http://www.catb.org/~esr/jargon/html/R/rootkit.html

    Apparently "rootkit" will be the next malware term to be misused after crossing over to the Windows world.

    --
    I am not your blowing wind, I am the lightning.