Worm With Rootkit Package Loose On AIM

Mr0624 writes "According to a recent article on C|Net a new worm is swiftly spreading via AIM to many computers. It delivers a brutal root-kit which bypasses security software and takes control of a PC." From the article: "The worm was spotted in an AOL IM chatroom and infected one of the PCs that FaceTime uses for worm bait. The company said it also has seen the pest hit other computers. 'It is still out there, and it is definitely something the user should be leery of ... The rootkit is designed to not be detected, and that is the scary part.'"

Only Chat room users affected?

[BoldAndBusted]

So, I use GAIM, and I never use the Chat rooms. Should I worry?

Re:Only Chat room users affected?

[AnamanFan]

Assuming you're on a Windows operating system.

Use of GAIM will only prevent propagation of this worm. There are more levels at play here.

The worm is actually installed from a link you would click on from an infected IM. Nothing fancy here, it's just a simple HTML link. Clicking on this link will call up your web browser. What happens here depends on both the browser, patches, browser settings, and you. In IE, it's likely that the executable will just run it. Or, ask you to download/run said file. The latter true for Firefox or Opera as well as IE.

In any case, if your computer runs this executable, the computer in infected and it's game over. BUT, you won't be spreading the worm to others since you're using GAIM. The spreading of the worm depends on the AIM (or AOL?) client running on the computer.

That is until the worm writers also write for GAIM.

Re:Only Chat room users affected?

[Fordiman]

Hmmm... Probably not. However, I would suggest not downloading and running any exe files from unknown sources. Unlike the idiots usin AIM who've been hit with this.

But you know what? I'm not going to be frightened by a worm or virus until someone writes one that works via bittorrent.

IE: The worm is a compact, surreptitious BT/Kademlia client. There are distributions of the nasty part built for Win32, OSX, and Linux, floating on the torrentstream. The nasty part can be any size, and has constantly updated exploit code for numerous pluggable targets (for example, you, as the virus writer, could add a torrented executable for exploiting a new bug in filezilla server, or in Apache, etc.) The virus core would download this and run it on the local machine. It could even be "smart", and detect the target machine's servers before getting and running the exploit. Once the exploit is run at the target machine, it uploads the BT client virus core for the appropriate architecture, and the process starts again.

One could use the usual tools for preventing detection and removal: polymorphic code, torrential code (code that is split on function barriers and resorted in random order on a per-spread basis), multiple copies, Knowing your Permissions (IE: run itself as user X, make user X root/admin, set permissions so that only user X can know the executable and process exist.) Persistent regression (IE: making sure that the executable is in the startup files of the OS) Trojaning, masking (encoding the executable and running itself via a decoder program) ...

Y'all should be happy I don't write virii. I've been fighting with them so long, I think I'd be pretty good at it...

Re:Only Chat room users affected?

[thesnarky1]

Yes.... your friends who don't can still send you the link. If you click it, boom. I've cleaned this off of 5 systems this moonth among my friends, Two GAIM, and 3 AIM. Its a nasty virus, I might add, and I don't think the article does it justice. Yes, it prerys upon P2P, but the worst part is, most users will click that link before thinking, so its free bait. This is social engineering at its worst, and the only way to stop it is to tell your friends and family right now. No, this is not a chain letter, this is a plea for help, I can only reach so many people on my own. For instance, my away message on AIM right now deals with this article, and the virus.
To answer the parent's question, as long as X person out there has this virus, you are affected, because they can send you the link.

duh

"'The rootkit is designed to not be detected, and that is the scary part.'"

ummm isn't that the definition of a root-kit?

Re:duh

[killa62]

Actually, rootkits go out of their way to be undetected.
(Shamelessly stolen from grc.com)
"What happens is, they essentially modify the way the OS itself works. They're compromising the operating system kernel. You know, in operating system terminology we have the notion of a kernel, which is the OS core. And then you've got applications which run as sort of clients of that operating system. So a program you're running, you know, Corel Draw or Outlook or whatever, that's a client of the operating system. Well, so are the spyware scanners. So when you're running even a spyware scanner, it's saying to the operating system - in fact, for example, there are two API calls that's "find first file" and "find next file." So if you ever want to, like, do a directory listing, you'll say "find first file *.*," and it gives you the first file. And then you successively call "find next," "find next," "find next," until it returns no more files. That's all there is to it. So that's - so anything that's scanning your system is basically doing that.

Well, imagine if something altered the way the "find first" and "find next" operated, so that it was intercepting the response back to you, out of the operating system, back to any application that was asking, so that if it was about to report one of its own files, it would call - it would say, whoops, and call "find next" again on your behalf, skipping over that file. Suddenly any program running on the operating system will not see any of those stealthed, rootkitted files. They just disappear. "

link
http://www.grc.com/sn/SN-009.htm

Noteworthy tools

[nmb3000]

I suppose that anyone in the computer tech/repair shop industry might appreciate tools like Rootkit Revealer right now.

Hopefully Microsoft's project that hasn't been released yet will show up soon. They also have a few hints to detect rootkits installed on a system including two Slashdot links.

Hooray for AOL.

Old..

[Chickenofbristol55]

This is actually pretty old news, one of my friends got this a few weeks ago (he's not a geek, and he called me because I build this custom pc for him). It's quite easy to fix though, a good Ol' system restore fixes it, and there are many programs that can search for, and delete rootkit and other trojans (i'm talking about other programs besides antivirus programs, which sometimes have a hard time deleting these buggers). The trojan was called directX.exe, found in windows/system32 folder. My suggestion: don't click on a link from a friend before 1) you know what it is 2) and make sure that it doesn't say that your downloading a video file, when it's obviously a batch or exe file. This virus is not really a big deal, you just have to have half a brain to deal with it.

Re:Old..

It's quite easy to fix though, a good Ol' system restore fixes it, and there are many programs that can search for, and delete rootkit and other trojans (i'm talking about other programs besides antivirus programs, which sometimes have a hard time deleting these buggers).

Rule #1 when dealing with rootkits (or other break-ins)... The system can no longer be trusted. That means any and all executables on the system are suspect (including System Restore functionality) and may have been tampered with.

On a unix/linux box, that means shutting the system down and booting from read-only media that cannot be tampered with. Then you use tools that are only on the CD/DVD to investigate the system and find out what files have been changed / corrupted / hijacked. This is where tools like Tripwire come into play (or simply using fingerprinting tools like md5sum and doing a diff between two sets of signature files).

On a Windows box, you're better off with a format and re-install from CDs. Or, if you thought ahead and created a disk image using Knoppix, you could restore using that image. (Be sure that it's an image that you know is clean.)

Luckily for you, it sounds like the worm that you dealt with was apparently not very sophisticated. But how can you be sure that you've removed that rootkit from the system? And who's to say that the next one won't interfere with System Restore?

Never assume that worm writers are stupid. Don't assume you can outsmart them. However, most of the time (unless you are a specific target), worm writers are looking for the biggest return for least effort. So a worm that infects the majority of hosts is enough and they will not bother writing the code to infect the rest.

IOW, if System Restore functionality begins to have a significant impact on infection rates, you should plan on System Restore functionality being broken by future worms.

In summary:

- Backup your data files regularly.
- Boot a Knoppix CD/DVD and fingerprint your system regularly for a baseline to compare against at a future date.
- Use that Knoppix CD/DVD to create snapshot images of your currently working (and uninfected) system.
- If you're infected / invaded, assume that you haven't found everything and will need to rebuild the system from scratch.

(Yes, I've fought off a rootkit once. It was a real pain.)

Re:Who of us actually would click...

[karvind]

:(

You cheated, there was no link in your post. I have been clicking on the post for last 10 min, nothing happened.

Re:Who of us actually would click...

[macsox]

i don't know why i'm engaging on this, but i will.

the vast majority of internet users are not idiots -- they are merely undereducated about computers and the internet.

my nice response to your comment is that you should try to appreciate that not everyone has the time, energy or will to learn computers to the extent that you or i have.

my mean response is as follows: i have a theory. kids start out life talking about how they want to be astronauts, or the president, or teddy bruschi.* they see a vast world of limitless possibility and imagine themselves filling up an enormous space within it. as people age, they start to realize that they most likely won't be a michael jordan or a bill gates, and their response is not to be content being a small fish in a big pond -- it's to reduce the size of the pond that is 'important'. so, i, for example, work in politics. it's easy for me to see the political world i inhabit as the most important thing locally, or even in the world, and to feel very self-important as a result. many users on slashdot see the world of tech as the pond. or their own i.t. departments. people reduce the scope of the important world, until they are a big fish. i call this, uncleverly, 'resizing the pond'.

i posit that you are resizing the pond. and, further, that you shouldn't.

</self-righteousness>

* don't know who this is? there are people who would call you an idiot if you didn't.

Re:How to remove it. The answer.

[rhizome]

I can vouch for it.

And who are you?

Re:Who of us actually would click...

[herriojr]

You're not taking into consideration that it's a message from someone on your buddy list, not a perfect stranger.

Re:Some viruses DO run on WINE

[Psykosys]

When are they going to get around to full virus support? (I'm sticking with Windows 'til then.)

IE and i.e.

[stonedonkey]

IE: The worm is a compact, surreptitious BT/Kademlia client.

Took me a second to realize that "IE" meant "id est" and not Internet Explorer. And "id est" means "that is," not "for example," also known as e.g. (exempli gratia).

Handy cheat sheet:

i.e. = id est = that is (not commonly captitalized, or puncuated as an acronym like IE)

e.g. = exempli gratia = for example

There's your pendantic lesson of the day :p