Worm With Rootkit Package Loose On AIM
Mr0624 writes "According to a recent article on C|Net a new worm is swiftly spreading via AIM to many computers. It delivers a brutal root-kit which bypasses security software and takes control of a PC." From the article: "The worm was spotted in an AOL IM chatroom and infected one of the PCs that FaceTime uses for worm bait. The company said it also has seen the pest hit other computers. 'It is still out there, and it is definitely something the user should be leery of ... The rootkit is designed to not be detected, and that is the scary part.'"
So, I use GAIM, and I never use the Chat rooms. Should I worry?
"'The rootkit is designed to not be detected, and that is the scary part.'"
ummm isn't that the definition of a root-kit?
"Check out these great new pics of us!! LoLz :)"
Summary of TFA: "You might have seen this trick before. A friend points you to a link to an .exe file. You click on it and, ignoring the security message which pops up, attempt to run it. Bad stuff happens. BUT WAIT! Now bad stuff includes a 'root kit', too! Doesn't that sound scary and hacker-y?"
Help poke pirates in the eyepatch, arr.
"The rootkit is designed to not be detected, and that is the scary part."
You can often judge the quality of the articles linked to by /. by their summaries. Check the definition of root kit before writing such a summary. One would hope that at least story submitters are more competent than the average journalist - but then again, this is /. :-)
The rootkit is designed to not be detected
So ... most rootkits are designed to be detected?
I suppose that anyone in the computer tech/repair shop industry might appreciate tools like Rootkit Revealer right now.
Hopefully Microsoft's project that hasn't been released yet will show up soon. They also have a few hints to detect rootkits installed on a system including two Slashdot links.
Hooray for AOL.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
This is actually pretty old news, one of my friends got this a few weeks ago (he's not a geek, and he called me because I built this custom PC for him). It's quite easy to fix though, a good ol' system restore fixes it, and there are many programs that can search for, and delete, rootkits and other trojans (I'm talking about other programs besides antivirus programs, which sometimes have a hard time deleting these buggers). The trojan was called directX.exe, found in the windows/system32 folder. My suggestion: don't click on a link from a friend before 1) you know what it is 2) and make sure that it doesn't say that you're downloading a video file, when it's obviously a batch or exe file. This virus is not really a big deal, you just have to have half a brain to deal with it.
public class null extends java applet { System.out.print ("Tabula Rasa"); }
or "Administrator", rootkit designers don't even need to escalate privileges. I can't wait for Vista :|
Considering the rootkit is spread by users clicking links and has NOTHING at all to do with the protocol, I'd have to go ahead and say yeah, it can spread via any client that lets you click on links and I'd also have to say RTFA
Monstar L
"The rootkit is designed to not be detected, and that is the scary part."
As opposed to those root kits that are designed *to* be detected? Damn it, thinking again instead of being scared into buying something. Really need to work on that...
Frequently Messenger type programs get worms that do NOT require the user to click, thus making the virus that much more worm-like since it doesn't require user intervention. Windows XP had several of these vulnerabilities, and so did MSN Messenger 6. Did you ever wonder why Microsoft forced upgrades sometimes? It's because a critical bug was found in their JPG processing code for instance, and the mere presence of MSN 6 and an infected buddy messaging you automatically, because they got infected automatically, meant you got infected too. It came through a malformed .jpg or .png Avatar picture that on most Messengers is set to download and display upon arrival of any message from that person, even a message sent by a virus.
Saskboy's blog is good. 9 out of 10 dentists agree.
I'll bet that there are a lot of people that would just click on through for what ever the carrot is, screen savers, free porn, or whatever...
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Not sure how you have a rootkit on a system (Windows) that doesn't have a "root" user per se... Presumably it's so called because it gets admin privs, but they aren't needed for much on Windows. It's not even that tough to remove, and I've seen it starting a few weeks ago. Much ado about nothing on C|Net is what this looks like - AIM worms aren't anything new, especially not when you work with college students.
I recognize people by their sigs. Is that a bad thing?
The bigger point is that malware need only become better at social engineering to convince most people not to ask. If the worm sent two messages -- one with the link and a second one with a friendly confirmation ("Hope you liked that link. See you later.") -- this could easily convince many people that it was a trusted link from a trusted source. By the time they actually talk to the friend (if they do) and mention it, the friend will deny sending anything, the infected person will check their PC, find no evidence of an infection and just be puzzled by the exchange. But it will be too late.
Yes, some people might still ask or be suspicious. But infectious malware needs only to succeed with a very small % to create a very large and valuable botnet.
Two wrongs don't make a right, but three lefts do.
As opposed to the usual kind and gentle root kits, I suppose?
Isn't that part of what makes a root kit?
quidquid latine dictum sit altum videtur.
One worm does not a trend make.
Isn't this the actual point of any worm/virus/etc. To not be detected so as to be able to do what it's supposed to do. Haven't these things been doing this even before the 90's... really since the beginning.
This is just more typical stuff. User gets something that looks like it came from someone they know and they click on the link like the dumbass user that they are. This despite the fact that they are *always* told to never just click.
They'll never learn and as such, things like this will continue to happen. Stuff like this became not news to me a *long* time ago.
All I have to say is, ad nauseam.
http://www.jayloden.com/VirusClean.htm
This tool is updated almost daily. 100% effective, I can vouch for it. You can become infected if you click the link on non-AIM clients, but it won't spread to everyone else on your buddylist.
Honestly that has bugged me the most about not only trojans like this, but spam in general. Why go after the distributor, go after the source. There'll always be another spammer or script kiddie up for taking the last guy's place.
Make it unprofitable for businesses to use these tactics and the tactics will go away, or at least be less prevalent.
Don't know something? Look it up. Still don't know? Then ask.
"A very nasty bundle is downloaded to your machine" when you click on the worm link ...
Why would anyone write a chat program where you can install (and obviously run) a program just by clicking on a link?
Besides that, in Windows isn't there a way to run programs (like chat) as an innocuous (nobody) user limited only to that user's home directory and with limited write capabilities?
What gives?
How many people still use .com files anyway?
Yahoo.com, Google.com, Fark.com, News.com.com... Windows stores Internet shortcuts in files with the .url suffix, but even when you have "hide file extensions" turned off, Windows still hides the .url suffix, making it nearly impossible to distinguish Google.com from Google.com.url in icon view and difficult in any other view. The little arrow in the corner doesn't mean much, as the Google.com file could contain an icon with the arrow already drawn inside.
180solutions is not a perpetrator and you can't implicate them in this scheme. If someone spray-painted "HAHA I RULE, SINCERELY, JOE SMITH 212-555-5555" on your house would you immediately call the cops asking that they arrest Joe Smith? Let's not forget what Joe Jobs are.
Now 180solutions could invoke the terms of their affiliate agreement and freeze payments to the scumbags that install this software on the sly. Of course that's no consolation to the consumer that gets stuck with that adware/spyware on his machine.
Forcibly installing 180solutions' software is no different legally than forcibly installing Firefox the next time someone visits your website with an unpatched version of IE. Both are immoral and should be illegal, but the software authors can't be faulted for producing software that may be installed without the user's consent by way of an IE vulnerability.
For more information, click here.
Well this is true, it could just as easily be spread via email or something, but the relation to AIM is that once the virus (trojan, whatever you want to call it) gets into your system, I believe that it sends out messages to all of your contacts with the link, propagating itself.
At least this is how several other IM viruses have been spread. I noticed that just this weekend I got several IMs from people that I haven't talked to in years (but who apparently still have me on their lists) which were nothing but links to .COM or .EXE files.
One of them was being hosted at this address:
http://home.earthlink.net/~two4tea/mc-110-12-0000080.exe (It has since been removed -- the link is dead)
And I didn't get the other URL that was going around. I downloaded the file and opened it up in a hex editor just out of curiosity (I'm on a Mac so it wasn't possible to execute anyway), but there didn't seem to be any obvious text strings or anything.
What I wonder is how the file got up on that web site to begin with; it seems rather farfetched to believe that a virus could find out that someone has an Earthlink web page and upload itself, then send out that link, which makes me think that the person spreading the virus probably planted it there after somehow gaining access to the account, and then let the version of the virus which points to that URL out. When the linked file is removed the virus stops propagating, but by then it has already spread and nabbed a few unwary users. Unless the program has the capability of 'phoning home' to get the URL of the latest location to send out to everyone, that is. The file was a few hundred KB, so I suppose it's entirely possible that it has that capability; you could fit quite a bit of code into something like that.
Not really my area of expertise, but perhaps someone who knows something more can elaborate on how these things work?
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Or... just tell people not to download crap from 'teh interweb'.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
The worm also places several spyware and adware applications, including 180Solutions, Zango, the Freepod Toolbar, MaxSearch, Media Gateway and SearchMiracle, the company added.
So, would you like some spyware with your virus at no extra charge? I know this is fairly common, but does this imply that the people that make the viruses are the same ones that make the spyware we have grown to know and love? It seems that the line between "spyware" and "malware/viruses" gets more blurry every day.
"Eddies," said Ford, "in the space-time continuum." "Ah," nodded Arthur, "is he? Is he?"
Actually it's more like the old adage about taking candy from strangers. "Here, eat this! You'll like it!"
Most people just don't make the mental connection that they could click on a link -- something they do pretty often and usually without incident -- and cause serious harm to their computer.
I vote that it's more ignorance (to a certain degree self-imposed, because a lot of people could understand a lot more about their computers if they wanted to, but simply choose not to) than a lack of ability or mental capacity.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
It looks like the beginning of the end. When enough people come to their senses they might start looking for alternative OSes!
Oh, you mean alternative OSs like LINUX for which NO rootkits exist?
> ...the ones that pop up the message "Would you like to download and
> install a rootkit".
I expect that would work fairly well.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Yes, as long as you don't value what's in your home directory.
Slashdot anagrams to "Sad Sloth"
If you bother to upgrade to newer versions of windows, SP2 will ask you if you want to open or download the file, which is usually called something like http://12.234.426.43/picofme.jpg but it tells you this is an executable, so if you are still dumb enough to run it after it tells you "Hey! I'm an executable hiding as a jpeg", then you deserve to be infected and so do your friends.
"I Wish I Was Gay Just to Piss Off the Homophobes!" - Kurt Cobain
Right then, well, "System Restore" is a feature of Windows XP that snapshots the status of a whole bucketload of system settings, DLLs, etc... each time you update software, and at other times determined by the system, these snapshots are taken. You can go into system restore and revert to your system status from yesterday, last week, or just before you installed something, and it generally works very well (meaning quickly, reliably, and doesn't erase your data.) It doesn't make a mess, either.
It was a very surprisingly well done feature, I can't actually believe it came from MS
Some windows viruses do run under WINE. However, they do not affect the system to the extent that windows viruses affect windows systems. They RUN, but mostly nothing else happens other than wasting CPU cycles.
I think this was posted on /. before.
http://os.newsforge.com/article.pl?sid=05/01/25/1430222&from=rss
And you're hoping for competence???
In the case of AIM, I am pretty sure you have to click a link. And I stand by my opinion, regardless of what the moderators think :)
Downloaded it. So now I have a file that appears to be meaningless binary gibberish. (AKA "Application/OCTET-STREAM") How does one 'run' such a file? I can't seem to find a Makefile, or any other way to compile it. I guess I don't quite get what is dangerous about it?
silly AOL, will they ever listen?
I had a rootkit last month. Nothing could get rid of it but a full fdisk/mbr where I lost everything. It was MBR based and would append itself when running windows which made it nearly impossible to delete.
It's 2005 and you only tried FDisk? There's a number of free boot record editors that could have fixed anything. There is no rootkit that I know of that is based out of the MBR the way the old Pakistani virus did to Apples. If I have a customer who needs data recovered off a rootkit infected computer I put it in as a slave in a WXP or W2K system.
When I was working on developing a Snort rule to detect links to .pif attachments in MSN messages, I was surprised to learn that Microsoft would quietly discard any messages which contained a link to suspicious executables. It even blocked links to fake .pif files I hosted myself, so it wasn't a URL blacklist.
Why won't AOL do the same with AIM? This is a very effective measure to help stop this type of attack. I work at the resnet for my university, and these types of worms are very annoying to help students deal with. Using Snort last year, I was able to see that over 1/3 of all students who received a particular "OMG click this link!" email clicked it, became infected, and started to spew messages to the infected file.
Blocking the messages before they even arrive is by far the most effective way to stop this infection vector. I'm hard-pressed to think of a reason why this is a bad idea.
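As an added, constructed example (not the commenter's Snort rule, nor MSN's or any product's code), the gateway check described above in Python: classify each link in an IM message the way the Windows shell would treat the file name, drop messages that point at executables (covering the "pics.jpg.exe" double-extension lure and the hidden ".url" suffix from earlier comments), and sniff a fetched payload for a PE header when its name claims an image, the check SP2 is credited with in the thread. Host names and message bodies are placeholders.

```python
import re
from urllib.parse import urlparse

# Extensions Windows runs directly when the downloaded file is opened.
EXECUTABLE_EXTS = {"exe", "com", "pif", "scr", "bat", "cmd", "url"}
# Extensions the lure claims ("pics of us", "picofme.jpg", "a video file").
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "avi", "mpg", "wmv"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_link(url):
    """Return 'executable', 'disguised', 'shortcut' or 'ok' for one URL."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    exts = name.split(".")[1:]          # 'pics.jpg.exe' -> ['jpg', 'exe']
    if not exts:
        return "ok"
    last = exts[-1]                     # Windows honours only the last one
    if last == "url":
        return "shortcut"               # .url suffix stays hidden even with extensions shown
    if last in EXECUTABLE_EXTS:
        return "disguised" if any(e in DECOY_EXTS for e in exts[:-1]) else "executable"
    return "ok"


def scan_message(text):
    """Classify every link in one IM message; returns [(url, verdict), ...]."""
    return [(u, classify_link(u)) for u in URL_RE.findall(text)]


def should_drop(text):
    """Gateway policy: quietly discard the message if any link is not 'ok'."""
    return any(v != "ok" for _, v in scan_message(text))


def looks_like_pe(data):
    """True if bytes start with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def payload_mismatch(claimed_name, data):
    """True when the name claims an image/video but the bytes are a Windows executable."""
    ext = claimed_name.rsplit(".", 1)[-1].lower()
    return ext in DECOY_EXTS and looks_like_pe(data)


# Constructed sample messages (not captured worm traffic).
SAMPLE_MESSAGES = [
    "Check out these great new pics of us!! LoLz :) http://example.invalid/pics.jpg.exe",
    "lol look http://example.invalid/picofme.jpg",
    "http://example.invalid/Google.com.url",
    "holiday photo http://example.invalid/photo.png",
]
# Constructed minimal PE header: 'MZ' stub, e_lfanew = 0x40, 'PE\0\0' signature at 0x40.
_hdr = bytearray(0x44)
_hdr[:2], _hdr[0x3C:0x40], _hdr[0x40:0x44] = b"MZ", (0x40).to_bytes(4, "little"), b"PE\0\0"
FAKE_PE = bytes(_hdr)

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("DROP" if should_drop(msg) else "PASS", scan_message(msg))
    print("picofme.jpg is really a PE:", payload_mismatch("picofme.jpg", FAKE_PE))
```

The extension check alone passes "picofme.jpg", which is why the payload sniff is needed as a second layer once the file is fetched.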
I tried to login as root on my windoze box but it wouldn't let me. Does that mean I have already been infected (or should that read rooted)?
*I* pressed the shiny red button and noth@#$@#$##)(*)()_(NO CARRIER
Mumia Abu-Jamal is *laughably guilty*. Check the evidence.
This looks like the same worm a friend of mine got a few weeks ago. I loaded it up in VMWare and discovered that it installed, among other things, the "FU" rootkit.
I took a rootkit class at this year's Black Hat Training from the guy who wrote FU. He pointed out that it's more of a proof-of-concept rootkit. It does allow you to hide files, registry keys and drivers from both user-mode and kernel-mode processes, but, it really doesn't go out of its way to hide itself from every possible angle, so detection (and thankfully, removal) wasn't that bad.
I was able to whip up a little app to fix it from within Windows. But had the worm's author actually expanded on FU's techniques and done a better job of hiding the rootkit, recovery would not have been nearly as easy. (Just imagine how much fun it would be to talk a novice through Windows XP's Recovery Console!)
Once the worm authors start to get better at exploiting the potential of rootkits, we've definitely got a much better problem on our hands. The old "1. get infected, 2. run anti-virus to disinfect, 3. repeat" cycle just won't work anymore. Good luck even finding a well-implemented rootkit once it's in your kernel, let alone trying to clean it up while it's effectively able to veto every action you take.
(Yet another reason why no Windows user should run as an Administrator.)
"Power corrupts, and absolute power corrupts absolutely." -- Lord Acton
IE: The worm is a compact, surreptitious BT/Kademlia client.
:p
Took me a second to realize that "IE" meant "id est" and not Internet Explorer. And "id est" means "that is," not "for example," also known as e.g. (exempli gratia).
Handy cheat sheet:
i.e. = id est = that is (not commonly capitalized, or punctuated as an acronym like IE)
e.g. = exempli gratia = for example
There's your pedantic lesson of the day
That'll happen about the time stupid assholes quit recklessly dishing out mod points.
For anyone curious, WoW runs fine in a limited user account as long as that account has write privileges to the executable folder and files to allow updates. It also doesn't require any HKLM settings to run, so you don't need to even run the installer on your system, you just need the files it unpacks. (I used VMware to run the installer.)
I'm not sure games that require arbitrary patching of files on someone else's (Blizzard's) schedule are all that much easier to implement in any other OS, though. A separate copy of all the game files for each user would be prohibitively large, but giving all players write access to the executable directory allows any single user to bork the whole thing if they feel like it. (Not an issue if only one user has access to play that game, but.) The only other option with current security and file-system models is to have a privileged updater executable, and then you'd have to be trusting some updater application from Blizzard with root privs on a regular basis. Either that, or Blizzard would have to get its updates approved for addition to the distribution's package repository every time they wanted to update their game.
I'm already not a big fan of the way adding software to Linux and Windows systems requires full root privs as a matter of course. Most software only needs rights to write to one specified directory and add an entry to a list of installed software; why the heck should I have to give the installer full control of the system?
Personally, I like when they pop up like that.
And with firefox, you get to touch a mouse, but with a woman, you get to touch a cat. (meow)
Disconnect your television. Do your own research. Draw your own conclusions. They're probably lying. Don't be a sheep.