Slashdot Mirror


Fully Automated IM Worms on the Way?

nanycow writes "The sudden appearance of a rootkit file in a spyware-laden IM worm attack has set off new fears that malicious hackers are sophisticated enough to launch a fully automated worm attack against instant messaging networks. Researchers say the stage is set for a worm writer to use an unpatched buffer overflow in an IM app to unleash a worm that is capable of infecting millions of users without the use of malicious URLs that require a click."

230 comments

  1. Jabber! by caluml · · Score: 2, Funny

    We need to use Jabber. It will prevent against things like this. Oh wait. It won't. Still, use Jabber anyway, for it is Open Source goodness.

    1. Re:Jabber! by Short+Circuit · · Score: 3, Insightful

      I was actually going to suggest the same thing. AFAIK, it's not the IM protocols that are insecure to the point of allowing worms to propagate, it's the client. Jabber is a standardized protocol, allowing for a multitude of different clients.

      Different clients are unlikely to share the same vulnerabilities, so, with a wide variety of clients in use, you're not going to have one single worm that can infect a huge portion of the network.

    2. Re:Jabber! by ashyanbhog · · Score: 0

      me just upgraded from Windows experience to Linux, me thinks me safe from this attack, what you say?

    3. Re:Jabber! by Mayhem178 · · Score: 0

      Why not take it a step further? Everyone bust out your virtual machines, plug in that second monitor, install your favorite Linux distro, and chat to your heart's content. Let's see that little "automated worm" (redundant term in the extreme) execute now, yar har har!

      Of course, I'm not being totally serious. Though I can think of a few reasons to do this, unrelated to the article, of course. Either way, I'm not too worried about it.

      --

      "You will pay for your lack of vision..." - Emperor Palpatine to Ray Charles

    4. Re:Jabber! by VxJasonxV · · Score: 1

      It's not the client as much as the OS.

      PSI/Windows can be easily compromised by sending a user to an "image" with a .com file extension.
      PSI/Linux cannot.

    5. Re:Jabber! by Shakrai · · Score: 1

      PSI/Linux cannot.

      It can if you're running as root and as clueless as the typical Windows user.

      That's still one of the biggest problems on Windows. Why, when Microsoft can force people to adopt new "standards" just by releasing a new version of Word, they can't force software companies to create software for Windows that doesn't rely on the assumption of administrator privileges is beyond me.

      Would it be so hard to say that you only use the administrator account for installing shared (amongst all local users) software? The Windows version of a ~ directory is already in place (documents and settings). What's stopping MS from implementing a Unix-style security model?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    6. Re:Jabber! by TWX · · Score: 1

      "Different clients are unlikely to share the same vulnerabilities, so, with a wide variety of clients in use, you're not going to have one single worm that can infect a huge portion of the network."

      On top of that, the likelihood of a community-created response to the worm or vulnerability is pretty high when the project is a popular open-source one. I'd expect the same of GAIM, for example. I've also noticed that those who run open source are more likely to actually take care of their computers before they're hit rather than after too. The attitude probably helps spur people to open source in the first place.

      --
      Do not look into laser with remaining eye.
    7. Re:Jabber! by Misch · · Score: 5, Insightful

      What's stopping MS from implementing a Unix-style security model?

      Your mom. Literally.

      I understand users/groups/file permissions. I assume you do too. What about your parents?

      --

      --You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
    8. Re:Jabber! by Dolda2000 · · Score: 1

      It's a rather widely known fact that they are going to do that in Vista. Programs are supposed to be installed in the user's home directory, and new users will not have admin privileges by default.

    9. Re:Jabber! by lgw · · Score: 1

      Why, when Microsoft can force people to adopt new "standards" just by releasing a new version of Word, they can't force software companies to create software for Windows that doesn't rely on the assumption of administrator privileges is beyond me.

      They can and they are. It's called Vista. I suspect that it will be such a big mindset change for customers and software developers that MS will back off just enough to ruin it before Vista goes retail, but at least it's being attempted. Longhorn server may actually get it right.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    10. Re:Jabber! by Shakrai · · Score: 4, Insightful

      I understand users/groups/file permissions. I assume you do too. What about your parents?

      What would they need to know? There's a separate password to access the "administrator" account. When you buy the computer (presumably preloaded with Windows) you set that password and create accounts for everybody in your family. From that point on you only use that password to install software for everybody to use.

      It shouldn't even be required to use that password to install software for just yourself. If I go out and buy Sim City 4000 and I only want to be able to use it on my user account, then why should I need admin rights to install it? This would be the same behavior as --prefix on Unix -- but a lot more user friendly.

      You'd still have the problem of social engineering (download our new screensaver!!!!) but it would be a lot easier to tell people to never enter that password when prompted by a website than it would be to block access to bad scripts or ActiveX controls.

      They will try it in the next version of Windows apparently. I don't see what's stopping it from being in XP SP3 (or why it wasn't in SP2 for that matter). That would be even better because it would give software publishers time to get used to the model before Vista is released.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    11. Re:Jabber! by MurphyZero · · Score: 1

      Your parents really do understand user/group permissions. Remember, they are the ones who told you that you had to be 16 to drive (varies by state) 18/21 to drink (depends on state/time in history) while they used to drink and drive. They are also the ones who told you that while you lived in their house you lived by their rules. They also had to live with these rules (probably tougher) when they were kids. It was always for your protection. Therefore, they should easily understand that it is just for their protection. That is, of course, if they didn't leave home at the first opportunity to get away from all those rules. They may be the type to say "I make the decisions on safety now, I'll do what I want." Those people won't understand at all. But then they don't wear seatbelts and drive 100 mph, it's just the way they are.

      --
      Our founding fathers removed the guys in charge. Be American. Vote incumbents out.
    12. Re:Jabber! by VxJasonxV · · Score: 1

      "Would it be so hard to say that you only use the administrator account for installing shared (amongst all local users) software?"

      Yes it would.
      Why?

      Why do you need two accounts for a single user?

    13. Re:Jabber! by Anonymous Coward · · Score: 0

      It's not just this. A lot of programs require you to be an administrator to run them. If you have to give the end user an admin password in order to do their work some will enter it any time that they are prompted.

    14. Re:Jabber! by Anonymous Coward · · Score: 0

      Are you joking? Have you experienced NTFS file permissions? Needlessly complex, and when you inherit permissions, they are inherited from the location you create the file, rather than the place where the file currently is...

    15. Re:Jabber! by Anonymous Coward · · Score: 0
      What's stopping MS from implementing a Unix-style security model?

      While it is not the same as the User/Group Unix security model, Microsoft does have a very rigorous security model. There is just one major catch: Users do not want to use it, because their software is not compatible.

      If you have Windows, you can very easily set yourself up to run as an account without administrator privileges. Though you may run into problems. For example, your favorite shareware program will not install, because its installer assumes that everybody runs as an administrator and has full permission to modify stuff in Program Files. Your IM client might not work, because it spits logs to a directory in Program Files, assuming you have permission. Another random program spits data into registry keys under HKEY_LOCAL_MACHINE. Your little brother complains that their game written in 1996 does not run anymore. And your n00b mother complains that they cannot change the desktop pattern without getting a password dialog.

      After dealing with this nightmare for a while, you throw your hands up and click the checkbox "User runs as administrator"

      Microsoft themselves would love it if this problem went away. For a long time, making sure that apps run under non-administrator accounts has been a requirement to get your app as "Designed for Windows", as well as something that they bend over backwards to support in their own programs. That doesn't change the fact that these other programs are a major concern.

    16. Re:Jabber! by ball-lightning · · Score: 1

      I understand users/groups/file permissions. I assume you do too. What about your parents?

      Not at first. After their credit card #'s had been stolen enough times, you'd be surprised what a person can learn...

    17. Re:Jabber! by kmmatthews · · Score: 1
      Yeah, I guess it's too complicated for OSX to implement Unix style users/groups, too.

      Oh, wait.

      --
      feh. stuff.
    18. Re:Jabber! by Anonymous Coward · · Score: 0

      My Dad never understood it, bless his heart. But Mom? Mom understands users/groups/file permissions. There are files, nay directories, that I cannot get into. 83-years young and still hacking away at code.

    19. Re:Jabber! by Anonymous Coward · · Score: 0

      The Windows permissions scheme easily outdoes the unix style one. That needless complexity is power with fine control. Your inability to appreciate the power over access control it gives you is a fault in you, not the technology.

    20. Re:Jabber! by grassy_knoll · · Score: 2, Interesting
      What's stopping MS from implementing a Unix-style security model?

      Your mom. Literally.

      I understand users/groups/file permissions. I assume you do too. What about your parents?


      I was going to moderate this, but had to comment instead.

      You do realize that OS X is built on BSD, which has the traditional Unix file permissions? My mother, sister, father, stepmother and girlfriend have no problems coping with file permissions.

      Command line unix might be obscure to the majority of the public, but OS X proves that, with the right interface, it's not a problem.
    21. Re:Jabber! by Short+Circuit · · Score: 1

      I wouldn't blame this one on Microsoft, I'd blame it on OEMs who, in order to sell more machines, "simplify" the Windows security model by making a renamed Administrator account (HP_Owner, anyone?) the default.

      The same guilt should haunt anyone who creates a desktop-destined Linux distribution that "simplifies" the Linux security model the same way.

    22. Re:Jabber! by arminw · · Score: 1

      ...Your mom. Literally...

      Not really. As long as there is even ONE software program that mom wants to use that won't run properly without her having admin access, she will get that access. MS should once and for all tell developers that if their program needs admin access after the initial install, it will NOT be allowed to run. Then you tell mom that if she is ever asked for an administrator password, to call you. I hope they will do this for VISTA, but I'm not going to hold my breath that that will happen.

      --
      All theory is gray
    23. Re:Jabber! by petermgreen · · Score: 1

      It shouldn't even be required to use that password to install software for just yourself.
      shouldn't be, but knowing the apathy of Windows software vendors it probably will be. Even running as non-admin is an achievement for some software vendors!

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    24. Re:Jabber! by porneL · · Score: 1
      What's stopping MS from implementing a Unix-style security model?
      Your mom. Literally.

      Apple managed to do it despite all moms.

    25. Re:Jabber! by drsmithy · · Score: 1
      Why, when Microsoft can force people to adopt new "standards" just by releasing a new version of Word, [...]

      Here is the flawed assumption that leads to:

      [...] they can't force software companies to create software for Windows that doesn't rely on the assumption of administrator privileges is beyond me.

      Because they can't. If they could, they would have half a decade or more ago. Despite what posters on Slashdot might have you believe, every new version of Office doesn't require extensive user retraining or break every existing document.

      Would it be so hard to say that you only use the administrator account for installing shared (amongst all local users) software?

      Yes. It's intrusive and non-transparent. Hell, people gripe about having to type in a password every now and then running OS X, you think they'll be happy having to switch accounts to install stuff?

      The Windows version of a ~ directory is already in place (documents and settings).

      Just to *really* drive this point home, Windows NT has been multiuser since the day it was released (back in 1993) and even DOS-based Windows has had the necessary APIs and disk/registry structures to support "multiuser aware" application installs since about 1997.

      There is *no-one* to blame except developers for any applications released in the last 6 - 7 years that _requires_ administrator privileges to run.

      What's stopping MS from implementing a Unix-style security model?

      Windows NT has always had a security model far superior to the "unix style" one.

  2. DEATH TO MICROS by Anonymous Coward · · Score: 0

    I love all worms, rootkits and virii... shows what crap the microcomputer world has turned into. vm/370 forever!

    1. Re:DEATH TO MICROS by Anonymous Coward · · Score: 0

      it is viruses you insensitive clod.
      In Soviet Russia the world turns crap into microcomputers

  3. Different from other open ports? by spencerogden · · Score: 5, Insightful

    How is this any different from any other services attached to a port on your computer? Whenever a listening program has an overflow vulnerability there is the potential for "A fully automated worm." Granted there is a lot of IM software out there, but there have been plenty of ports and services on Windows that have been exploited in a fully automated way in the past. At least IM software is a _bit_ more heterogeneous than Windows.

    1. Re:Different from other open ports? by trezor · · Score: 3, Insightful

      Basically it says "People are using IM. A buffer overflow in IMs is, like any other buffer overflow, also bad".

      May I say "Duh"?

      --
      Not Buzzword 2.0 compliant. Please speak english.
    2. Re:Different from other open ports? by ColaMan · · Score: 5, Interesting

      At least IM software is a _bit_ more heterogeneous than Windows.

      In this case it doesn't really matter.
      Consider an exploit that can get the buddy list out of MSN, for example.
      Now, as most IMs only have one client used by the bulk of people, it becomes trivial to send a copy of the exploit to each person on your list and have a high proportion of them become infected, to progress outwards to friends geometrically (unless you have no friends).

      This is a hell of a lot more successful than your usual pick-a-random-ip-and-hope-it's-exploitable method.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    3. Re:Different from other open ports? by xtracto · · Score: 3, Insightful

      I think an important point to note is the number of users (more than 195 million users according to Wikipedia [i know, i know... maybe it was better to get the number from my ass]).

      And yet worse, unlike other software which keeps open ports, Messenger software has the slight property that its users do not know a lot about computers to take precautions.

      About heterogeneity, it would be nice to see if the "attacked because it is the most used" argument of MS Windows holds here. IIRC AOL IM is the most widely used messenger. Which one will get more viruses?? AIM? or MSNM? Place your bets!

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    4. Re:Different from other open ports? by cowscows · · Score: 4, Insightful

      It's not entirely different, but it's still interesting. Partially because a lot of people are running IM clients. Also interesting is the fact that an IM client generally has a built in list of other vulnerable machines, via a buddy list. Having this list of people could be pretty handy if the worm can manage to spread through the IM protocols themselves, since it could allow infections to spread without relying on sending out masses of random traffic looking for vulnerable machines. That could just make this sort of thing that much more efficient and harder to detect, because the offending traffic might not look all that different than normal IM chatter.

      But then again, I don't know much specific about how this all is supposed to work, so I may be wrong.

      --

      One time I threw a brick at a duck.

    5. Re:Different from other open ports? by Tim+C · · Score: 1

      In most cases, those services you mention should never have been exposed to the internet in the first place. IM services, in contrast, generally have to be to be of any use; you can't just hide them behind a firewall.

    6. Re:Different from other open ports? by Anonymous Coward · · Score: 0

      The problem with IM programs is that to function with NAT, they modified the protocol to allow no open ports on the client and everybody commutes through a relay server with just outbound connections to it.
      Moreover, this outbound connection could be made to an "HTTP" interface, making it hard for low layer firewalls to notice a difference between an IM program and a web browser.

    7. Re:Different from other open ports? by Crayon+Kid · · Score: 2, Insightful

      Why on Earth would an IM application, which is essentially a "client" application, maintain open ports, listening, service-style?

      And if there really is some essential functionality that depends on such open ports, wouldn't one hope they were implemented FTP-style, i.e. open them randomly and tell the other party what they are via an outgoing connection?

      And if the above is true, how can a remote host cause a crash? It shouldn't be allowed to connect to my IM client just like that. There shouldn't be anything to connect to in the first place! The IM app should only connect to the IM central server and to accepted hosts in my buddy list.

      The thing I see that would work is the bot prompting me to accept him in my buddy list and _then_ screwing my IM client. But that's quite different from all this "open port" business that people talk about, and can only be fixed by fixing the IM clients.

      --
      i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
    8. Re:Different from other open ports? by dkone · · Score: 2, Funny

      "geometrically (unless you have no friends)"

      haha, it finally pays off. err.... wait a minute.

    9. Re:Different from other open ports? by dadragon · · Score: 1

      About heterogeneity, it would be nice to see if the "attacked because it is the most used" argument of MS Windows holds here. IIRC AOL IM is the most widely used messenger. Which one will get more viruses?? AIM? or MSNM? Place your bets!

      I can guarantee you that around these parts it will probably be MSN who gets it first. It is by far the most used IM protocol in my circle of influence. Followed by Yahoo, and ICQ.

      --
      God save our Queen, and Heaven bless The Maple Leaf Forever!
    10. Re:Different from other open ports? by js3 · · Score: 1

      For peer to peer communications, but you're right, it isn't even a big issue. Most IMs don't open ports, so what's the big deal?

      --
      did you forget to take your meds?
    11. Re:Different from other open ports? by Niten · · Score: 1

      I'm not sure that comparison is completely accurate... for a worm to spread using a Windows service, it must first find another computer on the network or Internet that has the necessary security vulnerability. Then it must be able to make a connection to that host's open port(s) through whatever NATs and firewalls may lie between the two computers.

      NATs and firewalls, a road block for most computer worms, are also a problem for IM systems. Centralized systems like AOL's AIM get around the issue of computers not necessarily being able to receive inbound connections directly from one another by routing IMs through AOL's servers. So a "real" IM worm has a much greater potential for reproduction than a typical OS vulnerability-based worm, because:

      1. The worm can find potential hosts with greater ease using the victim's buddy list, and
      2. Such a worm could propagate through firewalls and NATs by crafting attacks as instant messages

      As a sidenote, it's funny to see this story pop up now; just last night my roommate's computer was infected by an AIM virus (not a self-propagating worm; she clicked on a link and much fun ensued).
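      An added example, not from the article or from either poster, that puts numbers on the comparison made in this comment and in ColaMan's earlier one: a worm that walks buddy lists and rides the IM relay versus one that scans random addresses and needs an inbound path to a listening port. The population, buddy count, share of users on the one vulnerable client, share behind NAT and the address space are all assumptions chosen for illustration; the contact graph is generated, not measured.

```c
/*
 * Added example, not code from the article or from any poster. It models the
 * contrast drawn above: a worm that walks buddy lists and rides the IM relay
 * versus one that scans random addresses and needs an inbound path. Every
 * parameter below (population, buddy count, share of users on the vulnerable
 * client, share behind NAT, address space) is an assumption for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N          2000          /* IM users; also the number of hosts */
#define DEGREE     8             /* buddies per user */
#define SEEDS      3             /* users who clicked the initial malicious URL */
#define ROUNDS     8             /* propagation sweeps */
#define PROBES     64            /* scan attempts per infected host per sweep */
#define ADDR_SPACE (1u << 24)    /* hosts occupy addresses 0..N-1 of this space */
#define VULN_PCT   60            /* run the single dominant client with the bug */
#define NAT_PCT    70            /* no inbound reachability */

struct population {
    uint16_t buddies[N][DEGREE];
    uint8_t  vulnerable[N];
    uint8_t  natted[N];
};

static uint32_t rng_state = 0x9E3779B9u;

static uint32_t rnd(void)                     /* xorshift32, deterministic */
{
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

static void build_population(struct population *pop)
{
    rng_state = 0x9E3779B9u;
    for (int i = 0; i < N; i++) {
        for (int j = 0; j < DEGREE; j++)
            pop->buddies[i][j] = (uint16_t)(rnd() % N);
        pop->vulnerable[i] = rnd() % 100 < VULN_PCT;
        pop->natted[i]     = rnd() % 100 < NAT_PCT;
    }
}

/* Buddy-list worm: the exploit travels as an instant message via the relay,
 * so only the client bug matters, not firewalls or NAT. Returns hosts infected. */
static unsigned run_buddy_worm(const struct population *pop)
{
    static uint8_t infected[N], sent[N];
    unsigned count = 0;
    memset(infected, 0, N); memset(sent, 0, N);
    for (int s = 0; s < SEEDS; s++) { infected[s] = 1; count++; }
    for (int r = 0; r < ROUNDS; r++)
        for (int i = 0; i < N; i++) {
            if (!infected[i] || sent[i]) continue;
            sent[i] = 1;                          /* each victim messages its list once */
            for (int j = 0; j < DEGREE; j++) {
                int t = pop->buddies[i][j];
                if (pop->vulnerable[t] && !infected[t]) { infected[t] = 1; count++; }
            }
        }
    return count;
}

/* Scan worm: random targets, almost all empty, and a hit still needs an
 * inbound-reachable vulnerable host. Returns hosts infected. */
static unsigned run_scan_worm(const struct population *pop)
{
    static uint8_t infected[N];
    unsigned count = 0;
    memset(infected, 0, N);
    for (int s = 0; s < SEEDS; s++) { infected[s] = 1; count++; }
    for (int r = 0; r < ROUNDS; r++)
        for (int i = 0; i < N; i++) {
            if (!infected[i]) continue;
            for (int k = 0; k < PROBES; k++) {
                uint32_t addr = rnd() % ADDR_SPACE;
                if (addr >= N || pop->natted[addr] || !pop->vulnerable[addr] || infected[addr])
                    continue;
                infected[addr] = 1; count++;
            }
        }
    return count;
}

/* Runs both strategies on the same population; returns 1 if the buddy-list
 * worm infected more hosts. */
static int compare_worms(unsigned *buddy, unsigned *scan)
{
    static struct population pop;
    build_population(&pop);
    *buddy = run_buddy_worm(&pop);
    *scan  = run_scan_worm(&pop);
    return *buddy > *scan;
}

int main(void)
{
    unsigned buddy, scan;
    compare_worms(&buddy, &scan);
    printf("buddy-list worm: %u of %d hosts; scan worm: %u of %d hosts\n", buddy, N, scan, N);
    return 0;
}
```

      The buddy-list worm reaches essentially every vulnerable user reachable through the contact graph within a few sweeps, because every message is delivered to a known, live user and NAT never enters the picture. The scanner, with the same number of seeds and sweeps, barely grows: nearly every probe lands on an empty address, and the hits that do land still need a host that is vulnerable and accepting inbound connections. The two points the comment lists (targeting from the buddy list, and delivery as a message rather than an inbound connection) are exactly the two terms that differ between the loops.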

    12. Re:Different from other open ports? by Anonymous Coward · · Score: 1

      It doesn't have to come via a listening port. The same way bugs for web browsers are exploited, or any other client based program.

      A socket is opened to the remote server and data is sent to the client.
      Somewhere along the line the data that is sent in takes advantage of some flaw where input is read and acted upon.

      So for example there could be a bug in the way Yahoo Messenger sends messages.
      The client program may act upon the HTML sent (yes, Yahoo Messenger uses HTML in messages; you may notice when you post HTML code to people they will only see the text).

      MSN normally will listen on some odd ports.
      I am not 100% sure why it does this by default (last time I checked anyway it was port 9 and some other random ports.)
      Yahoo Messenger also listens on some ports (port 80 and 5501 if i remember correctly)

      Chances are it's for direct connections with people, i.e. file transfers, voice, web cam or games.

      Other than that I have no idea.
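      The receive-side bug the story summary describes, and the path this comment sketches (data arrives on the client's own outbound socket and is acted upon by a flawed parser), as an added example in C. This is not code from the article, from the poster, or from any IM vendor; the two-byte length-prefixed frame format is an assumption for illustration and real clients' wire formats differ. vulnerable_copy() shows the trusting pattern; feed_bytes() is the bounded form, run over a constructed byte stream that carries a benign message, a frame announcing far more bytes than the buffer holds, and another benign message.

```c
/*
 * Added example, not code from the article, from any poster, or from any
 * IM vendor. The wire format is an assumption for illustration:
 *   [u16 big-endian payload length][payload bytes]
 * vulnerable_copy() is the pattern the story warns about: a client that
 * trusts the advertised length when filling a fixed-size buffer.
 * feed_bytes() is the bounded form: it decides before copying, caps the
 * message size, discards oversized frames without desynchronising the
 * stream, and copes with data arriving in arbitrary chunks.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSG 64                    /* client's fixed message buffer */

struct im_parser {
    uint8_t  msg[MAX_MSG];            /* payload of the last accepted message */
    size_t   last_len;                /* its length */
    uint8_t  hdr[2];
    size_t   hdr_len;                 /* header bytes seen so far (0..2) */
    size_t   want, got;               /* announced payload length, bytes consumed */
    int      skipping;                /* current frame is oversized: drop it */
    unsigned accepted, rejected;
};

/* The vulnerable pattern: no comparison against sizeof msg. Shown for
 * contrast only; never call it on untrusted input. */
static void vulnerable_copy(uint8_t msg[MAX_MSG], const uint8_t *frame)
{
    size_t len = ((size_t)frame[0] << 8) | frame[1];
    memcpy(msg, frame + 2, len);      /* writes past msg when len > MAX_MSG */
}

static void finish_frame(struct im_parser *p)
{
    if (p->skipping) {
        p->rejected++;
    } else {
        p->accepted++;
        p->last_len = p->want;
    }
    p->hdr_len = 0;                   /* back to reading a header */
}

/* Bounded form: consume n bytes from the socket, with any chunking. */
static void feed_bytes(struct im_parser *p, const uint8_t *data, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint8_t b = data[i];
        if (p->hdr_len < 2) {
            p->hdr[p->hdr_len++] = b;
            if (p->hdr_len < 2)
                continue;
            p->want = ((size_t)p->hdr[0] << 8) | p->hdr[1];
            p->got = 0;
            /* The check vulnerable_copy() lacks, made before any copy. */
            p->skipping = p->want > MAX_MSG;
            if (p->want == 0)
                finish_frame(p);      /* empty message, nothing to copy */
            continue;
        }
        if (!p->skipping)
            p->msg[p->got] = b;       /* got < want <= MAX_MSG, so in bounds */
        if (++p->got == p->want)
            finish_frame(p);
    }
}

/* Constructed stream: "hello", then a 1000-byte frame that would overflow
 * a 64-byte buffer, then "bye". Delivered in two chunks split inside the
 * second header to exercise the partial-read path. */
static void demo_parse(struct im_parser *p)
{
    static uint8_t stream[2 + 5 + 2 + 1000 + 2 + 3];
    size_t off = 0;
    stream[off++] = 0; stream[off++] = 5; memcpy(stream + off, "hello", 5); off += 5;
    stream[off++] = (uint8_t)(1000 >> 8); stream[off++] = (uint8_t)(1000 & 0xff);
    memset(stream + off, 'A', 1000); off += 1000;
    stream[off++] = 0; stream[off++] = 3; memcpy(stream + off, "bye", 3); off += 3;

    memset(p, 0, sizeof *p);
    feed_bytes(p, stream, 8);               /* "hello" plus first byte of next header */
    feed_bytes(p, stream + 8, off - 8);     /* the rest */
}

int main(void)
{
    struct im_parser p;
    uint8_t benign[2 + 5] = { 0, 5, 'h', 'e', 'l', 'l', 'o' };
    uint8_t buf[MAX_MSG];

    vulnerable_copy(buf, benign);           /* harmless only because this input is trusted */
    demo_parse(&p);
    printf("accepted=%u rejected=%u last=%.*s\n",
           p.accepted, p.rejected, (int)p.last_len, (const char *)p.msg);
    return 0;
}
```

      The 1000-byte frame is the case that matters: vulnerable_copy() would write 936 bytes past the end of a 64-byte buffer, while feed_bytes() marks the frame as oversized the moment the header is complete, swallows its bytes without storing any, and picks up the next header cleanly so the benign "bye" that follows is still delivered. Note that the check is on the announced length, not on how many bytes have arrived so far; a parser that only checks the latter is still exploitable by a peer that sends the payload slowly.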

    13. Re:Different from other open ports? by drsmithy · · Score: 1
      About heterogeneity, it would be nice to see if the "attacked because it is the most used" argument of MS Windows holds here. IIRC AOL IM is the most widely used messenger. Which one will get more viruses?? AIM? or MSNM? Place your bets!

      Settle down there, tiger. There's a *substantial* difference between applying the "market share" (really, "critical mass") logic to a product that holds ~95% of the market to one that only holds about 50% of the market. Particularly when people are typically using the "market share" reasoning with Windows to imply other important factors, like userbase demographics.

    14. Re:Different from other open ports? by Anonymous Coward · · Score: 0

      In its most common use (i.e. excluding "direct IM", for transferring images and other files), an IM client is *not* listening on a port. That's what makes this scary. Firewalls almost always only block incoming connections (the windows firewall only blocks incoming connections), but IM is an *outgoing* connection. Any worm that can travel via IM can get past a great number of firewalls (the only exceptions being those firewalls that block IM altogether; do you use IM at work?).

  4. Re:energy is liberated through blasphemy by Anonymous Coward · · Score: 0, Funny
    I stand before all the angles and saints.

    This was my favorite part.

  5. Do these things affect non-AIM apps? by jackcarter · · Score: 1

    I use Adium. Should I be worried?

    1. Re:Do these things affect non-AIM apps? by chroot_james · · Score: 3, Informative

      You're less likely to suffer from the attack, but you're not safe. Attackers would most likely go for Windows AIM / MSN / Yahoo long before they go for an open source im client on a mac.

      --
      Reality is nothing but a collective hunch.
    2. Re:Do these things affect non-AIM apps? by wvitXpert · · Score: 5, Funny

      You're safe. Not because Adium can't be compromised, but because no one cares enough to do it.

    3. Re:Do these things affect non-AIM apps? by Rocketship+Underpant · · Score: 4, Informative

      "I use Adium. Should I be worried?"

      I doubt it, because any malicious program that wants to alter OS X's settings is going to have to prompt you for an administrator password (unlike Windows). Besides, it's likely that any such worm will target official IM clients rather than third-party apps.

      --
      He who lights his taper at mine, receives light without darkening me.
    4. Re:Do these things affect non-AIM apps? by nothingbutcoupons · · Score: 1, Interesting

      I use Trillian for Yahoo, MS, and AIM. Does this mean I am three times more likely to get hit by a worm, or are the worms IM-specific?

      --
      Nothing But Coupons - Your no-frills site for online coupons and discou
    5. Re:Do these things affect non-AIM apps? by Dr+Floppy · · Score: 1

      If you're using anything other than Windows, don't worry about malware, etc... It's a Windows problem

    6. Re:Do these things affect non-AIM apps? by TheGSRGuy · · Score: 1
      The worms don't spread, but if you're dumb enough to click the link(s) and run the files, then it will infect you.

      People need to practice safe surfing habits and just stop clicking every stupid popup window, link, and executable they see.

    7. Re:Do these things affect non-AIM apps? by chroot_james · · Score: 1

      What you said is wrong. How do you think some worms reach 90% of the Internet in less than 10 minutes?

      --
      Reality is nothing but a collective hunch.
    8. Re:Do these things affect non-AIM apps? by Malc · · Score: 2, Insightful

      Unless it exploits another remote or local security hole that hasn't been patched.

      Besides, your statement about Windows is rather generic and so incorrect. I logon as a normal (i.e. limited) user, so unless there's an unknown security hole (every exploit known so far uses a known security hole and I patch quickly) then my whole system will not be compromised. My local account might be affected, but that concept applies to OS X too.

    9. Re:Do these things affect non-AIM apps? by Anonymous Coward · · Score: 0
      I'm not logged in as a sysadmin but looky here:


      C:\WINDOWS>copy con test.txt
      fdsf
      ^Z
                      1 file(s) copied.


      Besides, you may exploit an OS X server but you can't do much with the nobody account.

      EOT.
    10. Re:Do these things affect non-AIM apps? by ThaFooz · · Score: 1

      I logon as a normal (i.e. limited) user, so unless there's an unknown security hole (every exploit known so far uses a known security hole and I patch quickly) then my whole system will not be compromised. My local account might be affected, but that concept applies to OS X too.

      What you're saying is technically correct, but I'd have to agree with the OP. Limited accounts are not the default in Windows (so most people don't use them), and there are a lot of apps out there that either require Admin privileges to run or are not properly designed for multi-user environments.

    11. Re:Do these things affect non-AIM apps? by TheGSRGuy · · Score: 1

      What I meant is that on non-AIM clients, the worm doesn't really spread. Trillian doesn't support the weird scripting that AIM does via the aim: links. You can enable it, but I find it to be rather lackluster. I guess that's a good thing, in this case.

    12. Re:Do these things affect non-AIM apps? by chroot_james · · Score: 1

      That might be true, but you're assuming the exploit happens at a particular point. What if it's the way the im client handles network packets. You don't have to worry about anything with aim scripting there. It's just like attacking anything else. If you can gain control of the client in someway, you can start sending bad data to other people. I stand by my point that if you're not using Windows aim/msn/yahoo, you're probably not going to be a target. Virus writers go after the most common things because it's easier to get the virus to distribute itself.

      --
      Reality is nothing but a collective hunch.
    13. Re:Do these things affect non-AIM apps? by Malc · · Score: 1

      Either you're trolling or there's something wrong with your system. Here's what happens on my MCE 2004 system (and yes I know, it defaults to creating users with too many privs):

      C:\WINDOWS>copy con test.txt
      fdsf
      Access is denied.
                      0 file(s) copied.

      C:\WINDOWS>

    14. Re:Do these things affect non-AIM apps? by Malc · · Score: 1

      Apps that require Admin privs are not generally a reason for logging on as a member of the Admins group. I have a few, and although annoying I just right-click and do runas. Actually, I just modify the shortcut to them to prompt for different credentials. The downside? An exploit targeted at them could break my system. The up side? Those that are potentially most dangerous (e.g. MSN Messenger, IE, Outlook, etc) all run properly as a limited user.

    15. Re:Do these things affect non-AIM apps? by wvitXpert · · Score: 1

      Should I be grateful or offended that my post was modded funny even though I had no intention of it being funny? :)

  6. OMG!!! by Anonymous Coward · · Score: 0

    This would mean that people wouldn't be able to instant message each other!

    OMFG wut 2 do? u r about 2 c wut i mean cuz the end is near!

    1. Re:OMG!!! by voice_of_all_reason · · Score: 1

      Hey, if kids can't use the internets anymore, they'll start -- *groan* -- going outside again. And pestering the rest of us. You don't want that, do you? //and get them off mah lawn, too

  7. Evolution baby by Biking+Viking · · Score: 1

    Interesting. In humans, a virus may be able to adapt to antibiotics or vaccines over time and continue to survive. Looks like it can happen with computer viruses too.

    1. Re:Evolution baby by stinerman · · Score: 5, Funny

      Ahh... not so fast.

      These viruses seem to be intelligently designed. ;-)

    2. Re:Evolution baby by Anonymous Coward · · Score: 0

      In humans, a virus may be able to adapt to antibiotics

      I would love to see you attack a virus with an antibiotic.

    3. Re:Evolution baby by meringuoid · · Score: 5, Insightful

      In humans, a virus may be able to adapt to antibiotics or vaccines over time and continue to survive. Looks like it can happen with computer viruses too.

      Not quite. Biological viruses evolve. Computer viruses, however, are products of intelligent design, for certain values of 'intelligent'.

      Computer viruses aren't a force of nature. Behind every one of them is a malicious programmer.

      Eventually, I imagine we'll see polymorphic and self-modifying code reach the point where it can evolve in the same way as biological viruses, but that's probably quite a way off. The nearest I've heard of to that is viruses programmed to alter their appearance to avoid detection.

      --
      Real Daleks don't climb stairs - they level the building.
    4. Re:Evolution baby by Biking+Viking · · Score: 2, Insightful

      Intelligence is such a relative term isn't it?

    5. Re:Evolution baby by psbrogna · · Score: 1

      Depending on what you circle with your pencil as "The System," I would say that computer viruses do evolve... better or more sophisticated ones get written over time and the best ones prevail. If you consider the human coders as an extension to the digital organism then the resulting aggregate entity is evolving. Semantics aside- the evolution is occurring. Haven't I read somewhere that even humans have distinct organisms embedded internally on a low level that cause effects, possibly even genetic effects?

    6. Re:Evolution baby by somersault · · Score: 1

      err. They need intervention from humans to adapt just now. And it's obvious that people have been writing new viruses for ages. Why do I always feel like a troll? And in response to the other comment.. yes, they were designed.. but whether it was an intelligent decision to design them.. pfft :p

      --
      which is totally what she said
    7. Re:Evolution baby by meringuoid · · Score: 1

      I would say that computer viruses do evolve... better or more sophisticated ones get written over time and the best ones prevail. If you consider the human coders as an extension to the digital organism then the resulting aggregate entity is evolving. Semantics aside- the evolution is occurring. Haven't I read somewhere that even humans have distinct organisms embedded internally on a low level that cause effects, possibly even genetic effects?

      You may be thinking of mitochondria. They have their own DNA quite separate from that of the cell nuclei, and live their lives embedded in our cells providing chemical processing services.

      The thing is, though, they aren't intelligent.

      It may be interesting, from an epidemiological viewpoint, to consider the various hackers of the world as mutagens, features of a virus's environment that will cause it to change in some way, in the same way that a radioactive source might induce mutation in a biological creature.

      However, the crucial difference is that the hackers are intelligent. They have an aim in mind when they alter the virus; mutation in nature does not. A hacker can alter a virus drastically, making a huge change to it all at once in order to achieve some enhancement he has in mind. Evolution must proceed by small steps, each one an improvement or at least not significantly detrimental.

      So, be careful not to push the analogy too far. Computer viruses have a good deal in common with biological viruses, but not that much. We're dealing here with intelligent design, not evolution; don't confuse the two.

      --
      Real Daleks don't climb stairs - they level the building.
    8. Re:Evolution baby by Anonymous Coward · · Score: 0

      Viruses do not become immune to antibiotics... antibiotics have no effect on viruses (antibiotics usually affect metabolism; viruses have no metabolism, they exploit the host metabolism).

    9. Re:Evolution baby by theStorminMormon · · Score: 1

      I don't think the distinction between intelligent design and evolution - in this context at least - is as clear as you'd like to think it is. You contend that the difference is that computer programmers are intelligent. You write:

      "However, the crucial difference is that the hackers are intelligent. They have an aim in mind when they alter the virus; mutation in nature does not."

      But the crucial factor here is not intelligence - it's free will. If a human agent is considered independent, then there is a causal disconnect between the purely biological forces of evolution and at least some of the behavior of that human entity. But that's a mighty big "if".

      If the human is considered from a deterministic model - meaning that every aspect of human behavior can be explained as a product of genetics and non-independent interaction with the system, then the human being becomes indistinguishable from the system. And in that case the virus is a product of evolution by extension. Then again, by the same argument fashion is also a product of evolution.

      In any case, the determinist vs. compatibilist vs. free-will advocate argument is millennia old. We're not going to resolve it on Slashdot today. (unless someone quotes Wikipedia).

      -stormin

      --
      The Southern Baptist Convention has creationism. On Slashdot, we have porn.
    10. Re:Evolution baby by Anonymous Coward · · Score: 0

      yes programs don't evolve organically per se but they can be made to simulate this

      I.e. Evolutionary programming ( genetic algos, artificial life etc ) , although these are usually used to solve fairly specific problems or data mine.

      I do think though that if a hacker was clever and patient enough he could certainly create a virus that "evolved" .... it is not a matter of technology ( unless we are waiting for a prog language specifically created for artificial life )

      for instance it would have to have a mutation rate that is , every fourth or so time it went to another PC/server/account/ whatever the code would slightly change , then the most important part is that when two copies of this virus "met" each other that they would "exchange" code and produce an offspring virus.

      This would be one way... another, more accurate simulation of nature would be that instead of the "virus" simply copying itself onto a computer, it copies an entire "population" of similar viruses all with slightly different code. Only the most "fit" viruses infecting the computer would "win" out that is get to spread to other computers.

      determining what constitutes a "fit" viruses would be the most difficult part though I think....

      sorry for the rambling but this was an interesting thought experiment

    11. Re:Evolution baby by Anonymous Coward · · Score: 0

      Computer viruses aren't a force of nature. Behind every one of them is a malicious programmer.

      Um...

      1) Natural selection is a force of nature.
      2) The things produced by natural selection are also (by extension) forces of nature.
      3) A human brain is, therefore a force of nature.
      4) The things produced by human brains are also (by extension) forces of nature.
      5) Computers, and computer viruses, are therefore forces of nature. :)

    12. Re:Evolution baby by fbjon · · Score: 1

      But just imagine.. one day someone will release a virus in the wild, that we never will get rid of. It will replicate itself and modify itself continuously, changing its attack vectors, so that any efforts to stop it will eventually fail. Almost eradicating it will not be enough. I wonder, just how far off is it?

      We would have to develop immune systems for computers.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    13. Re:Evolution baby by meringuoid · · Score: 2, Interesting

      Damn. Extended phenotype. grr. Got me there. In which case the actual evolution is not taking place on the internet at all, and the viruses themselves are not actually the interesting structures. We're looking at the egg and missing the chicken. The evolving entities are memes, evolving in the minds of hackers...

      So, a memestructure known as 'Virus A' arrives on the computer of Hacker 0. He reverse-engineers it; now it is resident in the brain of Hacker 0. There it breeds furiously, producing countless offspring with random mutations. These are subject to natural selection in the environment of the hacker's brain, because the hacker knows what makes a virulent virus and what makes a feeble failure. In this phase the virus is benign, a bit like malaria not harming the mosquito; Hacker 0's brain does not crash.

      Eventually a mutant form of the virus arises in the brain of Hacker 0; natural selection against the constraints of Hacker 0's security knowledge has produced a fitter version of the virus. At this point Virus B is released into the wild.

      It's an interesting lifecycle. Like many infectious agents it behaves differently depending upon the host in which it finds itself. Once a population is isolated for a long while (in the brain of a hacker) it may diverge and eventually form a new species, possibly replacing the ancestral population once re-released... The analogy with biological evolution is certainly quite strong.

      Unfortunately, I've implicitly reduced all human thought to the rapid reproduction and mutation of meme-structures, and originality to the production of an unusual mutation. Maybe this is true, but it's probably taking reductionism too far, like explaining the working of a car in terms of quark-gluon interactions. Treating a virus hacker as a malevolent intelligent mind intent on causing mayhem will probably get us a more reliable model of computer virus epidemiology.

      --
      Real Daleks don't climb stairs - they level the building.
    14. Re:Evolution baby by MarkByers · · Score: 1

      Behind every one of them is a malicious programmer.

      Actually, the programmer is not the one doing wrong. Writing, studying and understanding computer viruses is an interesting and useful thing to do. The largest benefit is probably in the anti-virus field, but like any other abstract subject, progresses made can be translated into break-throughs in other areas.

      It's the person that deliberately releases the virus from a controlled environment into the wild that is the malicious one.

      --
      I'll probably be modded down for this...
    15. Re:Evolution baby by Anonymous Coward · · Score: 0

      it's already sorta possible, just a matter of statistics. if one time the virus is copying itself and some bit gets copied incorrectly but still able to run this is just like mutation of DNA. Assuming a large enough group of computers/viruses copying itself, and enough time, if this new 'mutation' of the virus with the changed bit is more successful than the original, you have evolution.

    16. Re:Evolution baby by MaskedSlacker · · Score: 1

      Not really. A true quantum mechanical treatment of a car would give a far more accurate description of how it behaves. It would just be far more difficult.

    17. Re:Evolution baby by Anonymous Coward · · Score: 0

      That's a totally unproven, unscientific hypothesis!

      I'm sure they evolved from simpler RISC architecture worms as a result of random coding, probably originally from some packet fragments floating around on the net. Why if you connect them to nutrients, say a Windows computer hooked to the Internet, you can prove that these things are purely natural... ;-)

    18. Re:Evolution baby by memeplex · · Score: 1

      Correctamundo! "...They have an aim in mind when they alter the virus" Who are "they?" The bodies and brains of the programmers? Their minds? Are "they" distinct? Do "they" have some magical fairy-dust between their synapses which gives rise to a meta-being apart from their bodies? Are you saying the hacker's "soul" has an aim in "its" mind? No. "They" are co-evolved meme-complexes. Memeplexes. Selfplexes. Technology does literally evolve by natural selection. Humans, aardvarks, and bananas are natural. Intelligence and consciousness are really quite subjective. Granted, our mastery of symbols and abstractions is NEATO. "I hate this place...this prison...this zoo...It's the SMELL...if there is such a thing..." -Agent Smith

    19. Re:Evolution baby by theStorminMormon · · Score: 1

      What's interesting to me is that we even have a concept of "natural". Philosophically, we'd most likely presume a fish doesn't have a concept of wet because it is always wet. Without an opposing concept, the concept itself disappears into the paradigm.

      Yet we as humans have this concept of "natural" and generally consider ourselves to be exempt from it. Silly vegetarians are the best example of this. It's wrong for people to eat animals. But apparently OK for animals to eat animals because that's "natural". But on what basis do we presume to conclude that people and animals are fundamentally different after all? (Not that all vegetarians are silly by any means. There are good ethical arguments, but your run of the mill high school / college "radical" will provide a textbook example of this strange phenomenon.)

      Another example is the global warming argument. Many people act as though humans are somehow the deus ex machina - we've dropped in unannounced from the rafters to save - or in this case destroy - the planet. And this is not only a bad thing in the sense that we may all die, but is in fact a "bad thing" in the sense of rather naughty and immoral. But it can really only be immoral if we are ultimately responsible. And we can only be fundamentally responsible if we are somehow distinct from nature. A billion cows farting hurts the environment, but is part of nature. You don't blame the cows - they are just part of the natural ecosystem. A billion cars are somehow removed from nature. How? Along the continuum from a gorilla testing the depth of a river with a stick and a fisherman using sonar to test the depth of a river or lake does the tool - and with it the tool-user - cease to be "natural"?

      Where did this tendency arise to consider ourselves somehow separate and distinct from nature? The frequent reasoning, if it can be called such, is an appeal to our "intelligence". What is implicit in this argument is that since we are intelligent we can "make up our own minds". That is, the plants, animals, birds, glaciers, stars and elements all around us are just part of a kind of Newtonian billiards table. You can't hold them responsible because they are merely conduits for causality. You hit a billiard ball, it rolls in a predetermined fashion. You can't ask "why did you roll this way?" and expect an answer any different from the fact that it got hit a certain way. You don't ask a shark "why did you eat this surfer?". It's just a more complex billiards table. Yet we alone are somehow detached, isolated, unique and above all free. Somehow we are considered not merely conduits, but origins of causality.

      Perhaps it's not surprising that we humans should have this grand perception of ourselves. It is, in fact, perhaps a result of evolution. It may serve to increase our own sense of self, and thus fuel our drive for self-preservation. All the ape-men ancestors who pondered "but am I really distinct from this tree?" were eaten before they could procreate.

      But what IS so surprising is that such a fundamentally critical presupposition of human thought is so rarely the target itself of criticism and analysis. The "free-will debate" is largely relegated to obscure philosophical debates, and hardly ever reaches beyond theology in terms of broader scope. And yet it seems clear to me that much of our fundamental understanding hinges on answering, addressing, or at the very least acknowledging this essential question.

      --
      The Southern Baptist Convention has creationism. On Slashdot, we have porn.
  8. Infection by kevin_conaway · · Score: 3, Interesting

    Is it me or did the article not really explain how the users can become infected without some sort of user interaction? If not, I think the best way to combat this is user education. I know AOL IM can send out "system" instant messages that could be very useful in telling people to avoid these links.

    It glosses over good old fashioned buffer overflows, but not much else. Then again, what else do you need? :)

    1. Re:Infection by LordSnooty · · Score: 5, Insightful

      AOL IM can send out "system" instant messages that could be very useful in telling people to avoid these links.

      I do hope you are being humourous, they are exactly the kind of unannounced "system" pop-ups which can lead to user confusion & miseducation at best, or system infections at worst. Think of Windows Messenger - not IM - with its "you are leaking your address onto the Internet!". Or think of web banner pop-ups masquerading as OS messages. It's no surprise the average user has no understanding of what's a real message and what's malicious.

    2. Re:Infection by Red+Flayer · · Score: 4, Informative

      From the summary:

      "Researchers say the stage is set for a worm writer to use an unpatched buffer overflow in an IM app to unleash a worm that is capable of infecting millions or users without the use of malicious URLs that require a click."

      FTA "'We've already seen documentation for some serious code-execution vulnerabilities in IM applications. If you put it all together, you'll see we're not that far away from an automated IM attack where infections don't require the user to click on anything,' Wells said."

      User education won't help if propagation occurs without any action by them.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    3. Re:Infection by kmartshopper · · Score: 1

      Yeah, and if we just educated the public about not opening unsolicited emails, clicking blind links, going to sites with crazy URLs and all the like we could cut out 90% of the code from the AV software and... I just saved a bunch of money on my car insurance by switching to GEICO!

    4. Re:Infection by Anonymous Coward · · Score: 0

      User education won't help if propagation occurs without any action by them.

      Users could learn to not use IM software.

    5. Re:Infection by Red+Flayer · · Score: 1

      Ahh, but then they are no longer users, no?

      In terms of security, we have to work from the assumption that people will use the software in question... so how do we mitigate damage / prevent infection?

      The popularity of IM shows that it's an application not likely to go away... so how do we make it safer?

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  9. Re:I cant take any more of this by LordSnooty · · Score: 1

    Is the 'administrator' account privilege - which a majority of Windows user accounts are - not an equivalent to root?

  10. That is a how a worm or virus should be! by jurt1235 · · Score: 5, Interesting

    No social engineering by seducing (l)users to click on a link. Real virus multiply themselves!
    So what is the issue with this?

    --

    My wife's sketchblog Blob[p]: Gastrono-me
    1. Re:That is a how a worm or virus should be! by dascandy · · Score: 1

      The issue is that you can't spell. It's virii or viruses, both of which are acceptable for the OED. You could consider rewriting the sentence to "A real virus multiplies itself!" of course.

    2. Re:That is a how a worm or virus should be! by SmurfButcher+Bob · · Score: 1

      > You could consider rewriting the sentence to "A real virus multiplies itself!" of course. ...unless you're in Soviet Russia.

      --

      help me i've cloned myself and can't remember which one I am

    3. Re:That is a how a worm or virus should be! by Anonymous Coward · · Score: 0

      In Soviet Russia, virus multiply *itself*!...

      No, that's not quite right...

      In Soviet Russia, itself multiply virus!...

      Hmm.... Oooh, I have it!

      In Soviet Russia, sentence rewrite YOU!

    4. Re:That is a how a worm or virus should be! by elemental23 · · Score: 1

      So what is the issue with this?

      That viruses (or worms, as I believe this would be) are generally a bad thing to have around in the wild.

      --
      I like my women like my coffee... pale and bitter.
    5. Re:That is a how a worm or virus should be! by jurt1235 · · Score: 1

      I did research the multiple of virus before determining to use virus instead of virri. According to Wikipedia under virii, there is no official multiple of virus in Latin. Virii should be the multiple if you follow the rules. The guess of the Latin experts is however that virus is an exception in the very regular Latin language. So for this one word you are wrong. For the rest: I am not a native English speaker, so there are enough other spelling errors which you can nag about next time.

      --

      My wife's sketchblog Blob[p]: Gastrono-me
    6. Re:That is a how a worm or virus should be! by jurt1235 · · Score: 1

      You are right. I was aiming for funny as moderation, somehow it became interesting.

      --

      My wife's sketchblog Blob[p]: Gastrono-me
  11. Very infectious. by Poromenos1 · · Score: 4, Interesting

    If you take into account the Small world phenomenon, this means that these worms will infect everyone in the world in at most six or seven hops.

    --
    Send email from the afterlife! Write your e-will at Dead Man's Switch.
    1. Re:Very infectious. by Minwee · · Score: 4, Funny

      Wow. Just think of how many times Kevin Bacon would get hit by that.

    2. Re:Very infectious. by saskboy · · Score: 1

      "will infect everyone in the world in at most six or seven hops."
      Obviously they'll name this looming IM worm threat the Kevin Bacon Virus.

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
    3. Re:Very infectious. by EnronHaliburton2004 · · Score: 1

      And more importantly, if I leave my IM client open and unpatched, will it hit Kevin Bacon even harder?

  12. Actually, software liability would work better by Anonymous Coward · · Score: 0, Flamebait

    If, for example, Microsoft could be held accountable for security problems in their software, such problems would quickly disappear.

    And that will happen - whether it's 5 years or 50, people will eventually demand quality software with real warranties.

    1. Re:Actually, software liability would work better by imablonde · · Score: 1

      How about the MS EULA would only be enforceable if the code were in functioning condition? Hmm, that would straighten things up in short order!

      There will be bugs flying in the windows as long as people don't use screens!

      Hell, even a blonde knows that!

      --
      Have you heard about the Hooters application process? They hand the girls a bra and say "Fill this out."
  13. Workplace by GoodOmens · · Score: 5, Insightful

    It's a shame that AIM is so widely used in the workplace even though it is so vulnerable
    I know our IT department frowns upon it but walking around you still see it used ....
    It's only a matter of time until something like this comes out that has the potential to severely damage both corporate and private networks ....

    1. Re:Workplace by skiman1979 · · Score: 1

      Well if your IT department doesn't want it used, they could always block port 5190 at the firewall. Alternatively, let users use GAIM or Trillian to avoid issues with the actual AIM software.

      --
      Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
  14. Yeah, but... by voice_of_all_reason · · Score: 0, Offtopic

    Can it find Sarah Connor?

  15. Booo! by kkovach · · Score: 0

    Wooooo! Fully automated! Ahhhhh! *runs and screams* Run for your life!

    Wasn't Halloween yesterday?

    - Kevin

    --
    The less confident you are, the more serious you have to act.
  16. The Disease is Awful by putko · · Score: 4, Insightful

    This particular payload is awful -- automated rootkit install.

    Maybe one day we'll get a series of destructive worms that will render hardware unusable (e.g. no boot, disk overwritten, fan turned off and processor cranked up to do permanent damage, boot flash cleared) -- resulting in successive waves of hardware replacement.

    I talked to a guy at a computer store about the aftermath of a worm that cleared the bootflash -- they sold so many new computers!

    At that point, I figure Micr$oft will be in big trouble; after you buy your fifth motherboard in a row (and try to recover your data) after "Bukk@keB1ll" versions A through X hit you, you'll consider getting a Mac so you can get work done.

    --
    http://www.thebricktestament.com/the_law/when_to_s tone_your_children/dt21_18a.html
    1. Re:The Disease is Awful by antifoidulus · · Score: 3, Insightful

      If you take nature as a model (tenuous at best) then actually the MOST virulent viruses are the least likely to cause pandemics. Why? Because they burn out so fast the victims aren't nearly as likely to spread them. Take ebola for example, it's a horrible virus but it killed its victims so quickly it never spread very far outside of Africa. That is why they are concerned about the fact that the bird flu this time around is killing LESS people, gives it more of a chance to mutate and become wide-spread. Remember, the Spanish Influenza that killed so many people only had a fatality rate of around 5%.

      No, the sneakier viruses won't ruin your box, they will just sit there and gather information. I would much rather have my email and personal documents destroyed than have them read. Even if you read them then destroy them, I know they have been compromised and can take whatever steps deemed necessary to mitigate my risk. The most sinister viruses would just read and transmit them without me ever knowing.....

    2. Re:The Disease is Awful by condorhauck · · Score: 1

      A good point, but wouldn't you think that if everyone moves to the "safer" platforms, then those platforms are no longer safe. One of the reasons that Microsoft and AOL are such big targets is because they have a big user base. If Apple were to get all the windows users that wanted to get away from the dangers of windows, then a lot of the virus writers out there would probably start looking to the "safer" platform so their work would get more attention.

      Perhaps I am wrong, but I think that the virus authors are looking to get the most bang for their buck, and if everyone spanned out to the other platforms, that bang would start being on those platforms. Then you would start to see a lot more vulnerability there as well.

    3. Re:The Disease is Awful by ZachPruckowski · · Score: 1

      At the bare minimum, that would re-introduce social engineering, as you would be prompted for your admin password (and sometimes the account password too) every time you wanted to make a change. Period. Which makes Mac a good bit safer from this at least. I mean, a Mac could wind up with AIM getting modified in such a way that it could spread the virus, but without the admin password, I don't think the virus can do a lot to you.

    4. Re:The Disease is Awful by makomk · · Score: 1

      That's easy.
      1. Send copy of self to everyone on friends list
      2. Destroy computer
      3. Carnage!

      Seriously, I reckon a self-propagating IM worm with a destructive payload could probably take out most of the population of said IM network that was online at the time of launch. Add (say) a 5-10% chance that any given PC won't be destroyed (in order to leave some to reinfect the network), and possibly a time delay between steps 2 and 3, and you'd be talking really nasty.

      Just my $0.02
    5. Re:The Disease is Awful by Anonymous Coward · · Score: 0

      My brother got a Macintosh from one of my other brothers, it was stuck with a password and everything... 15 minutes I had hacked the thing (OSX) and reset all the passwords on the computer.

      Just because it's Macintosh or Linux and has a better security model doesn't mean it is invulnerable. What if the worm ran in userspace and popped up a dialog box that looked exactly like a regular OS window asking for username and password?

      Windows Systems get infected because by and far most of the users on it are simply ignorant about computers, they click on every freaking thing thinking that they have won a free cruise or iPod or DVD player. Although yes, a better security model would help, it doesn't help when the user opens the freaking door and lets it walk in.

    6. Re:The Disease is Awful by ZachPruckowski · · Score: 1

      I'm not saying Macs would be immune. Or that they can't be hacked. I'm saying that against this particular hypothetical virus, you get some degree of protection in that you suddenly are prompted to enter your admin password. Which is harder to socially engineer. I mean, I can say "Hey, I need your bank account number to wire you your winnings" or "We need your AOL password to reactivate your account", but saying "Enter your administrator password so we can send you an iPod" doesn't sound too good. Sure, they can lie, and say they're installing a game, and stupid people might buy it, but at least we're back to where we started.

    7. Re:The Disease is Awful by Anonymous Coward · · Score: 0

      This particular payload is awful -- automated rootkit install.

      So just like what you get if you listen to a Sony music CD then? :-/

    8. Re:The Disease is Awful by cr0sh · · Score: 2, Insightful

      However, computer viruses have an ability that biological viruses don't:

      Near-instantaneous worldwide communication.

      I can easily foresee the creation of a virus that does nothing but spreads, quietly and innocuously. Via rootkits and other methods (polymorphism, etc), it could spread and likely not be detected over the course of the infection. Each virus infection would have a counter, so that once the n-th infection has occurred (where "n" is some large number - say 1 million), that virus would send out a quick signal over the internet which all the other viruses are listening for, at which point they all wake up and say "game over", formatting the drive (at night, at next power-up, at low-activity time, etc), or do other malicious damage.

      In a way, it is kinda like a countdown virus "bomb" - the host that is being infected in this case is the network itself, with the nodes being infected analogous to the cells of the host. Basically a virus that "liquidates" the nodes which make up the host network. Such a virus infection might wake the world up big-time, especially if it took down some large server farms or company-wide PC networks. Why it hasn't occurred yet is anyone's guess. Likely, it is because there is no profit-motive behind it, yet.

      If you wanted to be paranoid, you might suppose that it actually has already started, we just haven't noticed the infection, nor has the countdown reached the requisite number of infected machines...

      --
      Reason is the Path to God - Anon
    9. Re:The Disease is Awful by Anonymous Coward · · Score: 0

      Oh shit, THAT isn't going to help me sleep at night...

  17. Re:I cant take any more of this by ObsessiveMathsFreak · · Score: 5, Insightful

    The editor's usage of the term rootkit is correct, and proper. You may as well argue that the usage of 'cockpit' for the pilot seat and control area of an airplane is incorrect. From the relevant Wikipedia article.

    Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).

    Rootkit is no longer a term restricted to gaining "root" user access. The term now stands for any suite of hacks and/or programs (the "kit") that enables the malware to disguise its presence in the OS in a more sophisticated manner than simply having obscurely named .exes and registry entries.

    Furthermore, in my entirely humble and sincerely personal opinion, the term is an appropriate, apt, and succinct way of describing these types of malicious programs, both in distinguishing them from the less deeply embedded malware types, and in emphasising the increased security threat these programs pose.

    --
    May the Maths Be with you!
  18. The sky is falling! ( again ) by grasshoppa · · Score: 4, Insightful

    Gee, wiz, a "fully automated" worm using a different attack vector.

    Let me ask you something, what *doesn't* constitute a "fully automated" worm? Was there some guy in a back room somewhere, individually infecting people with Code Red?

    And IM services are hardly a new vector. If anything, this story should be about how long it has taken these people to figure out that services like AIM and ICQ are used by people with little or no computer knowledge, who will randomly click on things. You know, sorta like email. That's the real new nugget out of all of this, and hardly worth the two pages of ads to read about.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:The sky is falling! ( again ) by kkovach · · Score: 0

      Now that you mention it, I do remember feeling a little prick in my arm, turning around and seeing some weird guy behind me with a syringe right around the time of Code Red!

      Next day, I was infected! I should have put 2 and 2 together! Damn!

      They used "fully automated" 5 times in that article. Stood out like a sore thumb.

      - Kevin

      --
      The less confident you are, the more serious you have to act.
    2. Re:The sky is falling! ( again ) by Red+Flayer · · Score: 3, Informative

      "Let me ask you something, what *doesn't* constitute a "fully automated" worm? "

      Any worm that requires the user to click on a link in order for the worm to propagate. The scary thing about this class of worms is that it installs a rootkit without activity from a user, so the only rate-limiting step in the infection cycle would appear to be buddy lists. So, you're on someone's buddy list... you get infected without taking any action. Then, boom, all your buddies are belong to them. &c.

      Educated users know better than to click just any link they see -- we depend on that to limit propagation. But it doesn't apply here.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    3. Re:The sky is falling! ( again ) by jfengel · · Score: 1

      Let me ask you something, what *doesn't* constitute a "fully automated" worm?

      Unfortunately, we've long since stopped being clear on the distinction between "worms", "trojans", and "viruses". (Actually, I'm not entirely clear on the difference between worms and viruses myself. Wikipedia draws a distinction between the two.) But many things that are called "worms" require some sort of user intervention in order to run.

      For example, the "Loveletter" worm is called a worm, and it wasn't fully automated: it depended on the user to click on a file. The social engineering aspect was that people didn't expect a .vbs file to do any harm.

      It's become increasingly hard to get users to assist that way, so the propagation is a little slower. Virus checkers scan email attachments, and even Microsoft Outlook no longer just runs any attachment that comes into the mailbox. There are dead ends wherever a user is smart enough not to run the attachment, and even if you could con the user into running the attachment the worm may have to wait hours or days for the user to get around to it.

      A fully automated worm, on the other hand, propagates without the help of users on any unpatched system. So it spreads fast, very fast.

      IM viruses are not a new vector, but as other vectors are gradually plugged it sounds like the next one in line. The Windows OS is a great vector because there's so much of it around, but IM tools are also pretty common. Sure, users will randomly click things, and there's only a little you can do about that, but if you can exploit a security hole automatically, your worm will get everywhere it's gonna go in hours. Sweet, if you like that sort of thing.

    4. Re:The sky is falling! ( again ) by Anonymous Coward · · Score: 0

      > Gee, wiz, a "fully automated" worm using a different attack vector.

      How many services does the average windows user have turned on?
      (probably a fair number).
      How many of those:
          - Are visible from outside the firewall / router?
          - Are listed somewhere that is readily accessible?
          - Actively make new connections through the firewall?

      The infection speed of this could be fantastic.
      Email is very slow... people need to download, read through all their other email, open this email, and click it.

      This system can list potential systems as a buddy, and then receive a notification of when the target comes online. Talk about a buddy-pounce.

    5. Re:The sky is falling! ( again ) by urbaneassault · · Score: 1

      Not to argue semantics, but that *is* the definition of a worm. A worm requires no user interaction and it self-propagates, while a virus requires that the user do something (open attachment, click on shiny objects, run "awesome" screensavers, etc).

    6. Re:The sky is falling! ( again ) by MarkGriz · · Score: 1

      Let me ask you something, what *doesn't* constitute a "fully automated" worm? Was there some guy in a back room somewhere, individually infecting people with Code Red?

      "Pay no attention to that man behind the firewall. I am the great and powerful Code Red"

      --
      Beauty is in the eye of the beerholder.
    7. Re:The sky is falling! ( again ) by ceoyoyo · · Score: 1

      Close... a virus embeds itself in other programs. So not usually shiny objects, screensavers, etc. but maybe that copy of Office you swiped, or that last program you compiled and sent to all your customers.

      A trojan is a program specifically designed to spread an infection (the shiny objects, awesome screensavers and Britney nekid .coms).

    8. Re:The sky is falling! ( again ) by aqfire · · Score: 1

      Which is ironic because you not only had time to read it, but you also bothered to post about it. ;)

    9. Re:The sky is falling! ( again ) by grasshoppa · · Score: 1

      Which is ironic because you not only had time to read it,

      This is slashdot, good sir. I resent your implications.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    10. Re:The sky is falling! ( again ) by Anonymous Coward · · Score: 0

      For example, the "Loveletter" worm is called a worm, and it wasn't fully automated: it depended on the user to click on a file. The social engineering aspect was that people didn't expect a .vbs file to do any harm.

      My personal definitions are:

      Trojan - Legitimate application that can be used by the user, but also includes hidden functionality that the user is not aware of and that the user would not want occurring. Such as applications designed to open ports on the machine to allow data to be snooped or other spying. These trojan applications are generally things that users find "neat or cool" and readily install on their systems. A lot of spyware falls under the "trojan" heading. (Think "Bonzi Buddy" style applications.)

      Virus - Designed to infect a system and attach to existing executable files. The idea being, that when you run program X (that has been infected), the virus activates and then either fires a payload or looks for another few files to infect. There were viruses that lived in the boot sectors and would spread from disk to disk if an infected floppy was left in the drive. Later viruses in the DOS-era started leaving themselves running in memory (TSRs), which gave them larger windows to infect additional files. Spreading from machine to machine relied on the user being careless and moving infected executable files between machines. (Or booting the machine from an infected floppy.)

      Worms - Automated spreading between machines. No user intervention required. There is a bit of a grey line as to where worms leave off and viruses pick up. Worms typically rely on weak points in the system rather than lapses in security methods.

      Of course, nothing is ever that simple and clear-cut. Some of the more successful worms are a combination of all 3 types. Using social engineering as a trojan horse to get inside the initial circle of systems. Then using virus-like spreading methods or worm-like methods to spread to additional systems.

    11. Re:The sky is falling! ( again ) by cbiltcliffe · · Score: 1
      Any worm that requires the user to click on a link in order for the worm to propagate.
      That would make it a trojan, not a worm.
      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  19. This is news? by Anonymous Coward · · Score: 0

    lol
    Seriously, it was only a matter of time, and I bet that this really isn't the first example of such activity.
    I for one welcome the day that my instant messaging software was added to the list of software I have to periodically get security updates for :/

  20. Problem with older hardware, operating systems by Anonymous Coward · · Score: 2, Insightful

    With new hardware and operating systems supporting NX (no execute), wouldn't the effects of a buffer overflow be minimized? I may be crazy, but I thought that this was the entire point behind NX.

    1. Re:Problem with older hardware, operating systems by jrockway · · Score: 1

      NX doesn't help anything. It's trivial for an attacker to overwrite the return address with one that points to code that's in an executable section. For example, instead of injecting his own code to 'rm -rf /' (which NX might stop), he can just call the execv (that's already in the program and executable) and feed it 'rm * -rf'. This does require a bit more work, but it's pretty simple to inject text into an IM client (just send the user a few IMs -- "rm" "*" "-rf" -- and your strings are in the program).

      I'm sure Windows has even more damaging system/library calls than execv.

      --
      My other car is first.
    2. Re:Problem with older hardware, operating systems by Homology · · Score: 1
      NX doesn't help anything. It's trivial for an attacker to overwrite the return address with one that points to code that's in an executable section.

      That depends on what the OS does with the NX bit, and what other preventions are in place. On OpenBSD the NX bit is just another piece of a puzzle to make the OS harder to exploit. Incidentally, on OpenBSD it's not trivial to overwrite the return address the way you suggest.

  21. What is this? by Anonymous Coward · · Score: 0

    What is going on here? Who is in charge? I want to make a complaint.

  22. I have the solution... by 0110011001110101 · · Score: 2, Funny

    Simply IM me at w0rMzH0seTer and I'll give you all the details...

    --
    Don't anthropomorphize computers: they hate that.
    1. Re:I have the solution... by FuriousBalancing · · Score: 0

      Watch out, he's lying! I just tried IMing him, and he wasn't even online.

    2. Re:I have the solution... by 0110011001110101 · · Score: 1
      i'm personally and professionally offended...

      You probably typed an "Ohh" where you should have used a "zerOhhh"

      duh

      --
      Don't anthropomorphize computers: they hate that.
  23. Re:I cant take any more of this by Darkon · · Score: 4, Informative

    Is the 'administrator' account privilege - which a majority of Windows user accounts are - not an equivalent to root?

    Strictly speaking the Windows equivalent of 'root' is the hidden 'LocalSystem' account.

  24. Re:I cant take any more of this by platyduck · · Score: 2, Informative

    According to the Slashdotter's god, Wikipedia:

    Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).

    I work in the IT department at my college, and in the last week, have encountered two machines infected with this worm. Easily detected as it may be to the expert user, it is a rootkit, hiding from detection. If I had not recognized it, it would have been undetected, as the automated scanning tools did not report it.

  25. Re:Sounds Like... by Anonymous Coward · · Score: 0

    OSS or alternative clients like GAIM, Miranda or Trillian are not as widespread, but make it into headlines a few times every year because of security issues, i.e. the last few releases of GAIM patched some vulnerabilities. Maybe it's time to re-emerge this Gentoo as hardened ...

    I for one welcome our new hacker overlords (well folks, please put your names below)

  26. Why does the OS let software be invisible? by G4from128k · · Score: 4, Insightful
    This rootkit hides itself from the user and anti-malware. Why should any software be allowed to run invisibly? I really want to know.

    It seems to me that a well designed OS should NEVER let a piece of code be invisible. There should be some part of the OS that knows what is running, what invoked it, what file it came from, etc. A well designed OS would know the provenance of every segment of code. This information should be read-only to anything outside of this protected monitoring function. Thus ALL running code would be visible to the user and anti-malware software. And if you add hash-code locks on installed software, then malware wouldn't be able to masquerade as some other normal bit of code or damage anti-malware apps. Malware could still hide in a user-downloaded software, but the tracking function would aid the detection and removal of any unwanted code.

    Is there ever a good reason to let software be invisible?

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:Why does the OS let software be invisible? by Grey_14 · · Score: 1

      It's not actually hidden to the OS, it's hidden to the user, and yes, there are many good reasons to let software be invisible to a user, I agree though that there should be an easier way to audit processes as the super user.

    2. Re:Why does the OS let software be invisible? by LiquidCoooled · · Score: 2, Insightful

      So, you want to create a Function entry point to return a table of ULTIMATE_PROCESS information.
      What do you think happens when some miscreant (with root access) replaces that jumppoint in memory with one of his own UTLIMATE_PR0CESS function?
      Remember, we are not talking about ROM systems here, all system commands are loaded into RAM.

      Consider a much simpler situation:

      You use the dir command to list the contents of a folder.

      Somebody could replace that command on disk with a dodgy one that runs the original dir command, but filters its results and hides all files starting with "hax0r_".

      The only real way to be able to check and identify if a system has been rooted is to examine from the outside.
      Keep a boot cd handy.
      Currently however, rootkits have bugs and limitations in their scope and do not cover every track, hence rootkit detection is semi-feasible for now (in Windows at least).

      The most sneaky bit of malware I have heard about recently is the semirootkit included inside some Sony protected CDs.
      Have a read here for an investigation (this story may explode in the next few days - it looks really telling).

      --
      liqbase :: faster than paper
    3. Re:Why does the OS let software be invisible? by Tim+Browse · · Score: 1
      The most sneaky bit of malware I have heard about recently is the semirootkit included inside some Sony protected CDs. Have a read here for an investigation (this story may explode in the next few days - it looks really telling).

      You missed the explosion! :-)

      Never mind, it'll be duped in a day or two...

    4. Re:Why does the OS let software be invisible? by SSalvatore · · Score: 5, Insightful
      That's the beauty of rootkits. They modify the normal operation of an OS; yes, even one that does not allow "invisible processes" (to give it some name). Here is a short and informal explanation (where there is probably an accuracy compromise for simplification purposes):

      At a user level, to "see" a process, you would open the task manager (Windows) or use the PS command in Unix. But you must note that these are merely applications that ultimately make a call to an OS-level API and request this information; then they display whatever this API returns them.

      The OS level API is just a piece of code that will have access to the internal OS data structures that hold the information for the processes. This code would piece together a response with the processes names, etc. and return this "list".

      So, what would happen if I go and modify the code that pieces together this list of processes and omit the "worm.exe" process every time? Well, that's pretty much a rootkit virus strategy.

      The result is that you wouldn't be able to see the process anywhere. Any program that uses this OS API call would not see the process, be it ps, the Task Manager or an Antivirus.

      So . . . why not provide every program with direct access to the running processes structures so that they can "see" all the information there and "figure out" by themselves whether there is a virus or not?

      Well . . . that's a disaster from a security standpoint since it would provide an avenue for viruses to exploit. And this "direct access" is never direct, it is always through another OS API that may in turn be modified to hide the virus . . .

      So . . . why not scan the disk? I mean, the virus must be stored somewhere if it will run.

      Well . . . file access is done by an OS call that may be modified to hide the virus.

      So . . . why not write an OS module that performs a CRC check and makes sure that the OS APIs have not been modified?

      Well . . . this too can be modified not to include the file that you infected in the first place.

      So . . . why not make OSs "unmodifiable"?

      Well . . . how would you then install it in the first place? (that is pretty much a modification) or install security updates? (that's another modification).

      So . . . Well . . . ad infinitum.

      I think I made my point.

      Anyways, the bottom line is that you can only do all those modifications *if* you have privileges to modify system files. You have to have "root" access for that. So once you have broken the security of an OS to the point where your virus can modify OS system files, you are pretty much doomed.

      Ideally, the solution is a secure operating system, where you regularly run your user programs with an account whose privileges do not include modifying OS files and any processes that you start cannot breach that security (again *ideally*). You would only use the root account to do OS installs and updates (if the virus gets you while you are at it, you are doomed again, so shut down AIM!).

      That's why Windows is so dangerous, because the normal XP user is running with an Administrator account (similar to having root privileges), so any application that is infected can potentially cause a root-level infection.

      And then, no matter how much you program securely, the missing piece as usual is education. At some point, even in the ideal OS, the user would have to log in with the root account to do OS changes or at least explicitly authorize in some manual way the modification of system files (that would be my choice just to make things easier to learn for everyone in the real world).
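      The hooked process-list API this post describes, as an added Python model (not code from the thread or any real rootkit): a constructed in-memory process table, the "OS API" that ps, Task Manager or an antivirus would call, a wrapper that drops one entry from every caller's view, and two defender checks: a cross-view diff against the raw table (the examine-from-outside idea raised above) and a dangling-parent heuristic that works from the hooked view alone. Every pid and process name is constructed sample data.

```python
"""Added model of the process-hiding strategy described in the thread.

A user-level tool never reads the kernel's process table directly; it calls an
OS API and trusts the reply. The modelled rootkit patches that API so one entry
never reaches any caller. Two defender checks follow: comparing the API's
answer with an independent view of the raw table, and a heuristic that works
from the hooked view alone. All pids and names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Process:
    pid: int
    name: str
    ppid: int  # parent pid; 0 means "no parent"


def honest_enumerate(table: Dict[int, Process]) -> List[Process]:
    """The unmodified OS API: walk the table and return every entry."""
    return sorted(table.values(), key=lambda p: p.pid)


@dataclass
class Kernel:
    """Stand-in for the kernel: a raw process table plus the API callers use."""
    table: Dict[int, Process] = field(default_factory=dict)
    enumerate_api: Callable[[Dict[int, Process]], List[Process]] = honest_enumerate

    def list_processes(self) -> List[Process]:
        """What ps / Task Manager / an antivirus get to see."""
        return self.enumerate_api(self.table)


def make_constructed_kernel() -> Kernel:
    """Constructed sample table; 'worm.exe' and 'helper.exe' are placeholders."""
    k = Kernel()
    for p in (Process(1, "init", 0), Process(200, "aim.exe", 1),
              Process(333, "worm.exe", 200), Process(350, "helper.exe", 333),
              Process(400, "antivirus.exe", 1)):
        k.table[p.pid] = p
    return k


def install_hiding_hook(k: Kernel, hidden_name: str) -> None:
    """Model of the rootkit's change: wrap the original API so the named entry
    is dropped from the reply seen by every caller. The raw table is untouched;
    only the path callers use to read it is modified."""
    original = k.enumerate_api

    def hooked(table: Dict[int, Process]) -> List[Process]:
        return [p for p in original(table) if p.name != hidden_name]

    k.enumerate_api = hooked


def api_is_modified(k: Kernel) -> bool:
    """Integrity check on the API itself (the post's 'CRC check' idea). As the
    post notes, a rootkit can patch this check too; it is here to make the
    layering explicit, not as a complete defence."""
    return k.enumerate_api is not honest_enumerate


def cross_view_hidden_pids(k: Kernel) -> List[int]:
    """Cross-view detection: compare the API's answer with an independent walk
    of the raw table (what an offline boot-CD scan, or a detector reading
    kernel memory directly, can do). Returns the pids the API omits."""
    api_view = {p.pid for p in k.list_processes()}
    return sorted(set(k.table) - api_view)


def dangling_parent_pids(k: Kernel) -> List[int]:
    """Heuristic usable from the hooked view alone: a listed process whose
    parent is neither listed nor pid 0 points at a hidden parent. This is the
    kind of uncovered track that keeps detection semi-feasible."""
    view = {p.pid: p for p in k.list_processes()}
    return sorted(pid for pid, p in view.items()
                  if p.ppid != 0 and p.ppid not in view)


if __name__ == "__main__":
    k = make_constructed_kernel()
    install_hiding_hook(k, "worm.exe")
    print("API view:", [p.name for p in k.list_processes()])
    print("hidden by cross-view:", cross_view_hidden_pids(k))
    print("dangling parents:", dangling_parent_pids(k))
```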

    5. Re:Why does the OS let software be invisible? by LiquidCoooled · · Score: 1

      Boom, I was distracted for maybe 12-18 hours yesterday.

      This is exactly how dupes occur though, I consider myself a reg and thought I kept up with everything, shows how hard it must be for the editors.

      It's always strange coming back from holiday and realising all the topics and threads that have gone by.

      Anyway, thanks for pointing it out to me.

      --
      liqbase :: faster than paper
    6. Re:Why does the OS let software be invisible? by Anonymous Coward · · Score: 0

      That's up there with the evil bit from RFC 3514...

    7. Re:Why does the OS let software be invisible? by Dylan+Zimmerman · · Score: 1

      This is what BSD's immutable flag is for. You set it on a file, and nobody can change the file. Not even root. You need to go into single-user mode to unset the flag, and to be in single-user mode, you need physical access to the machine. Thus, set the immutable flag on the kernel and the core APIs.

      When you need to upgrade something, reboot into single-user mode, apply the patch, set the flag again, reboot into normal mode. It's kind of circuitous, but it works.

  27. Isn't this about who controls the Spice? by butterwise · · Score: 1, Funny

    When dealing with a worm, always remember: You must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration.

    --
    If a baby duck is a "duckling," why would anyone want to eat "dumplings?"
    1. Re:Isn't this about who controls the Spice? by flosofl · · Score: 1

      And always walk without rhythm!

      --
      "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
  28. Re:I cant take any more of this by Anonymous Coward · · Score: 0

    Ahh.

    So you must be the dude in our engineering dept. that is a unix g0d that takes showers at work because he's too cheap to pay for his hot water.. How ya doin Ron? How's the hot water downstairs?

  29. Re:Sounds Like... by Anonymous Coward · · Score: 0

    by the time you manage to re-emerge your gentoo system you will have to do another update because everything will be out of date :)

  30. Re:energy is liberated through blasphemy by grub · · Score: 0, Offtopic

    Re:energy is liberated through blasphemy

    woo, I don't need that second cup of coffee this morning. Thanks!

    --
    Trolling is a art,
  31. lol by Anonymous Coward · · Score: 1, Funny

    So,

    Any developers out there looking to create a mod_msn_chroot ?

  32. A rootkit doesn't need the OS to "let" it... by Rocketship+Underpant · · Score: 2, Insightful

    "This rootkit hides itself from the user and anti-malware. Why should any software be allowed to run invisibly? ...It seems to me that a well designed OS should NEVER let a piece of code be invisible."

    The point of a rootkit is that it alters the behaviour of the OS. Sure, a pre-rootkit kernel wouldn't have let just any code run. But once the rootkit gets in (one way or another), it alters the OS's behaviour. Just like the Sony audio CD rootkit (mentioned in a previous Slashdot article) alters the behaviour of Windows to keep certain kinds of files invisible.

    --
    He who lights his taper at mine, receives light without darkening me.
  33. OSS IM transparent filter? by jaylee7877 · · Score: 1

    I've been looking for some time for a OSS based transparent filter that would scan for viruses/malware on IM ports. It would alleviate a lot of these problems, anyone seen or heard of anything like that?

  34. Re:I cant take any more of this by Anonymous Coward · · Score: 0

    It's never a good idea to annoy any UNIX admin or engineer anywhere, ever. We're all watching, always.

    Muahaha. hah.

  35. Wow another vector. by caffeinex36 · · Score: 1

    Another vector. Big deal....move along...nothing more to see here. g2g..just got an IM from "37337Hax0r 06" gotta see what this dude wan...shi.uh.oh........

  36. IM worms go undetected by rizzo420 · · Score: 4, Informative

    i think a bigger part of the problem, and hopefully this will open their eyes, is that thus far, the big anti-virus companies (symantec and mcafee) will not include IM worms in their definitions. this means that even if you have the most up-to-date windows security patches, and the most up-to-date anti-virus software, you can still be infected by the IM worm. i don't understand why they won't include them as they are, in my opinion, just as dangerous and propagate on their own just like normal email viruses. i deal with the "AIM virus" on a near-daily basis. i keep sending people to download AIMFix. this guy is getting some serious hits to his site, and he's not getting paid for it... these are real viruses, since the definition of a virus is that it gets onto your computer and propagates on its own. this just doesn't use traditional means (email, network ports). even if you uninstall instant messenger, it's still there waiting to send itself to everyone on your buddy list.

    --
    please me, have no regrets.
    1. Re:IM worms go undetected by jayloden · · Score: 1

      Thanks for the plug :)

      I've been somewhat disappointed with how badly the mainstream antivirus companies have handled most of the IM outbreaks. There are vulnerable clients out there, mass spreading worms that install rootkits, disable AV programs and Internet Explorer, and through it all I feel like the AV companies are barely even there.

      I'm not an antivirus expert, and I'm not a programming genius by any means. The guys at Symantec and McAfee and F-Prot et al are trained to deal with this stuff. They have the best tools and the best brains to throw at removing this malware. I'm just zis guy, you know? I've learned a hell of a lot in the past couple years by maintaining AIMFix, and I'll keep doing it as long as there's a need for it, but it never hurts to have some help!

      I'm more than glad to keep doing what I do as long as it's helping people out there, but at the rate things are going these worms are simply going to get too hard for me to remove, much like CoolWebSearch was for Merijn and CWShredder. I welcome the opportunity to learn new things and become a better programmer, certainly, but I'd also love to see the major AV companies get in the game and start laying out the smackdown on these malware authors, since they have the resources to do it, and I just have a few spare hours a week to throw at them.

      On a related topic, to all Slashdot readers:
      If you run into any new virus variants, have information you'd like to share, or if you're a Win32 programming guru (C++) interested in helping out, feel free to shoot me a note through the contact form on my site.

      -Jay

  37. Re:energy is liberated through blasphemy by Anonymous Coward · · Score: 0

    The Saxons feel left out, you insensitive clod!

  38. Re:I cant take any more of this by jav1231 · · Score: 3, Informative

    Oh brother. This is largely splitting hairs, people. In the general sense, admin equivalents are about as root like as they come. You're comparing two different systems so being precise is an impossibility.

  39. Partial cheap solutions: low-profile + firewall by davidwr · · Score: 4, Interesting

    A cheap albeit incomplete solution, one which will make the virus-writers work much harder:

    1. Encourage people to use non-high-profile clients. It's a lot easier to "take over the world" if 90% of the people are using the same client with the same vulnerabilities than if 30% are using client A, 20% each are using clients B, C, and D, and the remaining 10% are using a variety of other clients.

    2. Put a firewall between the application and the network. Again, don't have 90% of the world use the same firewall. It's best if at least part of the firewall sits in front of the OS, i.e. a hardware firewall or a "host-OS-based" firewall in a virtual/emulated-hardware environment.

    Here's what I see happening in a few years time, when virtualization becomes the norm:

    1) everyone has a hardware firewall built into their cable/dsl/whatever box
    2) PCs boot into a hypervisor, see #4 below
    3) apps run in different security contexts, each having the network, memory, and disk-access privileges that they need and no more. For example, Solitaire will have no disk or network access. A Web browser will have very limited disk access and outgoing-only network access only over certain ports. A "local-only" web browser will be available for reading local html files.
    4) The user will be encouraged to run certain applications like web browsers in a "lock box" which will in reality be a virtual machine, with its own firewall mechanism. Multiple VM implementations or VM-hardening-products will be available so no single VM-related exploit will be shared by "90% of the world." The user will be able to "reset" his lock box at any time, erasing any viruses and malware that have infected it but which haven't "escaped" the VM environment.

    Yes, the user can still be infected and yes, he can still be contagious, but instead of "everyone" being vulnerable only a part of the world will be. Furthermore, if people use the VM-lockboxes, they can "cure" themselves quite easily from the most common problems. They'll still need security software for the really nasty stuff, and they'll always need a "boot CD" or equivalent to do a full scan of their system for rootkits and such.

    Remember: The goal isn't to wipe out viruses - that's practically impossible. It's to reduce your risk and decrease your recovery time.

    Here's an example of how #4 can reduce exposure for web browsing:
    Say 90% of people run Windows-2010 or whatever. When they run their web browser, they get to pick from:
    IE under Windows VM
    Opera under Windows VM
    Opera under {pick one of many} Linux VMs
    Opera under {pick one of many} BSD VMs
    Firefox under {pick one of many} {pick Linux, Windows, or BSD} VMs
    {insert other web browser here} under {insert operating system here} VM.

    The VM would be bare-bones, just having essential services - including a built-in firewall - and a "screen" that just displayed the web browser. The user wouldn't necessarily see he was under a VM if he was merely browsing. If the web-browser screen output were "exported" to the "main" OS a la X, so much the better, assuming that didn't introduce security holes of its own.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Partial cheap solutions: low-profile + firewall by harl · · Score: 1

      A Web browser will have very limited disk access and outgoing-only network access only over certain ports.

      After you send the page request you're going to firewall the answer? That's a little rude.

      IMO a web browser should never need disk access unless I'm explicitly saving a file to a location of my choosing.

      --
      I find being offended by me offensive.
    2. Re:Partial cheap solutions: low-profile + firewall by davidwr · · Score: 1

      RE: outgoing-only access:
      That's to establish the two-way connection.

      RE: disk access web browser requirements:
      The user may opt to turn on disk caches, enable bookmarks, and store user-specific settings.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    3. Re:Partial cheap solutions: low-profile + firewall by westlake · · Score: 1
      Encourage people to use non-high-profile clients

      DOA

      100 million or so users run the AIM client. How many do you think will switch?

    4. Re:Partial cheap solutions: low-profile + firewall by djflipstarx · · Score: 1

      Here's an example of how #4 can reduce exposure for web browsing: Say 90% of people run Windows-2010 or whatever. When they run their web browser, they get to pick from: IE under Windows VM Opera under Windows VM Opera under {pick one of many} Linux VMs Opera under {pick one of many} BSD VMs Firefox under {pick one of many} {pick Linux, Windows, or BSD} VMs {insert other web browser here} under {insert operating system here} VM.

      Windows-2010? Oh, it'll just include IE under Windows VM with no instructions on how to install other browser-VM combos. The slashdotters and people with a decent knowledge of computers will figure out how to install a browser-VM combo, while 90% of the rest of computer users will still get infected.

      --
      Y helo thar
    5. Re:Partial cheap solutions: low-profile + firewall by Anonymous Coward · · Score: 0

      Web browsers need arbitrary read and write access. Ever sent an attachment using webmail? It's also necessary for a variety of other things... all of which could be replaced by, say, an FTP client and only accessing a settings directory, but at a cost to usability that no-one wants to pay. Likewise with VMs - your web browser VM needs read access to all your other VMs so you can upload files from them. The only truly self-contained apps are games, and even these generally prefer to run as close to real hardware as possible for optimal performance and anti-cheat measures. And they almost all need the network - Solitaire doesn't, but add online high scores and you have another route through the firewall.

      Something like NoScript for firefox is perhaps the best option for controlling browser disk access, but not that many people are even willing to accept the hassle of running NoScript.

  40. Newsflash... by Jack+Earl · · Score: 1
    This is really so hard to believe? IM software is no different than any other network facing software, so the same types of exploits are going to work against this just as they would against Ethereal, Apache, RDP; anything.

    Just because you are only using the program to chat doesn't make it any different than anything else network facing. All any network application does is send data back and forth, it's what that program does with the data that makes it unique.

  41. First line of defense... by Anonymous Coward · · Score: 0

    Well, at least with virtually every IM client, you can block messages from everyone that's not on your buddy list.

    I do use AIM (with DeadAIM) because so many folks use it, and AdiumX on my Mac. I don't expect anyone to IM me at random, so I'm simply going to block IMs from anyone not on my list.

    1. Re:First line of defense... by ZachPruckowski · · Score: 1

      I don't expect anyone to IM me at random, so I'm simply going to block IMs from anyone not on my list.

      That's not a solution the public will implement. I want to get IMs from people I just met who aren't on my buddy list yet. And I want to IM someone who probably doesn't have me on their buddylist.

    2. Re:First line of defense... by Anonymous Coward · · Score: 0

      What if the exploit came in the message that they sent you? You would have already been infected.

    3. Re:First line of defense... by detlev409 · · Score: 1

      That's no solution at all. The AIM virus is spread by contacting people on the victim's buddy list. How many people on your buddy list don't have you on their buddy list? If a virus could be spread simply by receiving the IM, your plan is useless.

      --
      Howdy.
  42. Re:I cant take any more of this by ZiakII · · Score: 1

    Don't be so quick to judge; a lot of people I know bicycle to work and then take a shower once they get there.... me being one of them, it's good exercise =x

  43. from AIMS "security central" by caffeinex36 · · Score: 1

    Q: Can I get a virus through AIM? How do I safely share files with AIM?

    A: Viruses can't be transferred through an Instant Message itself, but it is possible that files attached to an IM may contain viruses or trojans. Also, links sent in an IM may point to webpages that contain viruses and trojans. Even if you know who is sending you a file or a link, you should use caution in opening it. Some viruses/trojans can send harmful links that appear to be from a buddy you know. You should always use good virus protection software, such as McAfee VirusScan, for automatic scanning of all attachments. See AOL Keyword: AOL Virus Protection Center for more information or visit McAfee's Website.

  44. Re:I cant take any more of this by WWWWolf · · Score: 1

    Erm... rootkits (the definition of which I usually think includes "set of tools/OS patches that hide specific files/processes from the sight of users") have just about nothing to do with "root" account as such. I don't know why the heck they're even called that - maybe it was "the k1t that you install after you get r00t".

    If you want to call them "kernel modules and userland tool replacements for hiding files and processes", that's just fine with me, but also call them that on Unix as well then, too =)

  45. Unless there's an exploit of course by davidwr · · Score: 2, Interesting

    ANY network-facing application with an exploit should be presumed vulnerable to an automated attack until proven otherwise.

    ANY network-facing application should be presumed to be exploitable until proven otherwise.

    ANY application should be presumed to be network-facing until proven otherwise.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  46. Alternative IM system without an IM client... by Deven · · Score: 1

    I might as well take this opportunity to plug my open-source "IM" system (CMC), Gangplank, which doesn't require an IM client.

    Gangplank was written to support the standard TELNET protocol, meaning any standard TELNET client can be used to connect to the system. Despite not using a custom client, the server supports remote character echo, full (RFC-compliant) TELNET protocol support, Emacs-style line editing, input redrawing when output occurs, and a full input history buffer -- all in a nonblocking, single-process server driven by a select() loop. The system lacks some features (like file transfer), but it is well-suited for a community of people to communicate with each other via text messages. The server is fast and efficient, and it should be able to support thousands of users on a single server. (I've never been able to test the limits of the server, but it uses negligible CPU time...)

    And to stay on topic, using a TELNET client should protect you against "IM worms" since there are a wide variety of independent TELNET client implementations on various operating systems, TELNET has been around for decades and standard clients are probably fairly well debugged by now...

    --

    Deven

    "Simple things should be simple, and complex things should be possible." - Alan Kay

  47. So? by Gibsnag · · Score: 1

    Uh, hands up who didn't see this coming? No-one?

    It's a service used by a large number of computer-illiterate people, has ports open to the net and an easily accessible list of other users to attack. Seriously, what makes this news that someone is exploiting it? Kinda obvious tbh.

  48. Re:Grammer Time... by Anonymous Coward · · Score: 0

    Grammar, you moron.

  49. What about voice services? by jsveiga · · Score: 1

    Wouldn't it be possible to send a specially crafted audio stream to VoIP programs such as Skype to explore eventual vulnerabilities on the audio codec routines?

    I know it sounds far-fetched, but you know, jpegs were once safe too. Skype had its vulnerabilities (even on Linux), but were there any on the audio codec?

    I hate these "must-have-a-firewall-passage" kind of programs, and I've so far managed to keep them out of my network, but now I'm trying hard to convince my boss not to install Skype on a CAD user's PC "because a customer wants to talk with him"!! CAN'T HE USE A PHONE??!

  50. Re:I cant take any more of this by codeshack · · Score: 2, Funny

    Of course, quoting that (or any) Wikipedia article is trivial, since you might have just changed it to say that.

    Damn you, Wikipedia!

  51. I'll use it when it supports ASCII Video Chat... by randyflood · · Score: 1

    This would be really cool if it supported ASCII based Video chat! Of course that would probably require specialized clients and all...

    --
    Randy.Flood@RHCE2B.COM
  52. Yeah, so? by Pig+Hogger · · Score: 1

    When you sail in a colander, you should not be surprised to see water leaking through.

  53. problems: by Anonymous Coward · · Score: 0

    1) telnet is insecure. there is no way i would ever open up the telnet ports on my machines. i dont care if you tell me that inside the telnet port is a stash of delicious candies. dont go there girl!

    2) It uses "emacs style line editing" not vi style, which would clearly be the superior choice

    result: you fail it!

    1. Re:problems: by Deven · · Score: 1

      1) telnet is insecure. there is no way i would ever open up the telnet ports on my machines. i dont care if you tell me that inside the telnet port is a stash of delicious candies. dont go there girl!

      Wow, a knee-jerk reaction if ever I saw one. Yes, TELNET is an insecure protocol -- everything goes over the wire in cleartext. That means that someone with the ability to snoop on your packets could get your login and password and use it to sign onto your account on the server. It's a risk, but only one of impersonation. If it's a small private community chat system, what's the real incentive to break into your account? Are people really so eager to impersonate you?

      It doesn't mean they could use it to sign into your system account, unless you're dumb enough to use a secure password on an insecure system. Here's a hint: don't do that.

      I'd love to support a secure protocol like SSH on the server, but that's easier said than done. As I said, it's a single-process server. I haven't been eager to try to implement the SSH protocol from scratch -- it was a lot of work implementing TELNET from scratch. Also, encrypted traffic would be much more computationally-expensive -- the current server is very efficient, but an encrypted server would probably be able to handle only a fraction of the user load possible with the TELNET protocol on the same hardware.

      Still, SSH support is on my wishlist.

      And if anyone has any ideas for securing the TELNET protocol better, I'm interested to hear them. (One option would be to have a custom client implementing a superset of the TELNET protocol...)

      2) It uses "emacs style line editing" not vi style, which would clearly be the superior choice

      There's no reason it couldn't use vi-style, it's just that I happened to prefer emacs-style, so that's what I implemented. The server is open-source -- feel free to add vi-style line editing yourself. Or you can try to convince me to write it, but I don't really have the time or inclination right now...

      --

      Deven

      "Simple things should be simple, and complex things should be possible." - Alan Kay

    2. Re:problems: by jcuervo · · Score: 1

      And if anyone has any ideas for securing the TELNET protocol better, I'm interested to hear them. (One option would be to have a custom client implementing a superset of the TELNET protocol...)

      Suggestion: telnet-ssl.

      --
      Assume I was drunk when I posted this.
    3. Re:problems: by Deven · · Score: 1

      Suggestion: telnet-ssl.

      Yes, in principle, I could tunnel TELNET through SSL. I'm not sure if that would actually be easier than implementing SSH in some fashion.

      Also, how common is SSL support in TELNET clients?

      --

      Deven

      "Simple things should be simple, and complex things should be possible." - Alan Kay

  54. Re:I'll use it when it supports ASCII Video Chat.. by Deven · · Score: 1

    Gee, I didn't know there was such a demand for ASCII-based video chat. Feel free to write the client for that yourself...

    I didn't say that the system won't ever have a client of its own -- one of these days, it will. However, I'll make sure that it continues to remain usable from a plain TELNET client, at least for the basic functionality that is already supported. Obviously, fancier features will likely require a client. If you want the fancy features, you take more risk of a security hole. If you want tried-and-true, you can stick with the traditional TELNET client and be sure that you're pretty safe...

    There's always trade-offs. My system certainly isn't perfect, but at least it doesn't require a user to install a client. I'm not aware of any other IM system that actually targets TELNET as a client protocol. (Yes, I know that you can make certain systems work with TELNET clients, but it's not the preferred client, and not designed to be a powerful, user-friendly interface.)

    --

    Deven

    "Simple things should be simple, and complex things should be possible." - Alan Kay

  55. Missed opportunities by subl33t · · Score: 1

    Sometimes I pray for an actual competent anarchist malware writer. Someone who can get the rootkits installed and wait a while for the infection to spread. THEN tell all the infected machines to fry the MOBO and/or the MBR on the HD.

    Only then will you see Microsoft and Joe Sixpack get serious about security.

    I speak from experience when I tell you that educating users will not solve the world's computing ills. Some users can't/won't be educated.

    1. Re:Missed opportunities by Dan_Bercell · · Score: 1

      Do you just ignore all the new security features in the new version of Windows, or do you not understand them?

    2. Re:Missed opportunities by subl33t · · Score: 1

      Did you actually read the post you replied to, or did you not understand it?

      For the benefit of the relatively clueless I'll elaborate...

      I work in the AUP dept for an ISP.

      A typical conversation with a typical XP user goes something like this:

      US: do you have to logon to Windows with a password?
      THEM: no
      US: have you been able to do Windows Updates recently?
      THEM: what?
      US: is the XP firewall active?
      THEM: i have no idea

      This is the Joe Sixpack user I was referring to. He buys a shiny-new computer, plugs it in, then meanders across the internet while logged in as an admin.

      Now who is responsible for educating this user on safe computer practices? That is debatable, but Microsoft isn't doing enough to stress the importance of creating new Windows user accounts with limited privileges, especially for brand-new users.

      Malware like the kind I described would finally force MS and the user to say: OMFG! We have to learn this security thing now!

      Things will have to get worse before they get better.

    3. Re:Missed opportunities by Dan_Bercell · · Score: 1
      Yes I did read your post. You were basically saying that the avg Joe is a retard and will NEVER care nor want to care about security as long as he can read email, chat on IM and surf for porn, all while his 10-year-old daughter downloads every P2P application on the Internet so she can download the newest Britney Spears video, and his 15-year-old son uses the same P2P apps to download Bangbus episodes.

      That being said MS has locked down Windows Vista fairly well, but are now trying to 'make it work for the avg Joe' so they can do all of the stuff mentioned above and be safe.

      I've worked in an ISP call center for 3 years while in college, and am currently working as a consultant, so I know where you're coming from. One thing I learnt when I got out of my 3-year cubicle is that people will never change. When I worked for the call center I assumed I just got all the idiots calling in; now I know that it's normal to not care about computer security. You can show them, walk them through what to do, but most of the people don't care.

      Solution: Don't allow people to log in as Administrator, or make it hard to do so (i.e., hide it in some odd place only accessible by modifying the registry and rebooting many times). The best way to help people not screw up in the computer industry is to make it hard for them to do so.

  56. Buffer overflows by Pig+Hogger · · Score: 1
    Buffer overflows.

    Again.

    Any programmer who let a buffer-overflow bug slip through should be sacked. On the spot. And his boss, too. As well, the numbskull bean-counter who declined the resources to do proper checking, and the marketoid who ordered the work done by last Monday, should be drawn and quartered.

    1. Re:Buffer overflows by Fearless+Freep · · Score: 1

      I'm amazed that people still write software using tools that allow such problems.

    2. Re:Buffer overflows by MattWhitworth · · Score: 1

      I'm surprised strcpy, strcat et al still exist.

  57. Re:I'll use it when it supports ASCII Video Chat.. by randyflood · · Score: 1

    I did some research and I think you could do it with this live-cd:

    http://ascii.dyne.org/?info=description

    -I haven't tried it, but I'm guessing that there is probably a telnet client on there.

    -Ftp push technology is supported, to publish your hascii feed on your online webserver: that is implemented using a simple C code which wraps execution of your unix ftp client.

    -It can output to an HTML page with a meta-refresh tag so that it is constantly updating the image.

    So, then theoretically, people could even view your webcam with lynx!

    P.S. I was mostly kidding about the ASCII webcam feature. But it would be pretty funny to support this, now wouldn't it...

    --
    Randy.Flood@RHCE2B.COM
  58. Re:I'll use it when it supports ASCII Video Chat.. by SmurfButcher+Bob · · Score: 1

    No, your ASCII video is useless against this worm onslaught.

    The only way we'll get through this is when people smarten up, and start using an XML based IM.

    --

    help me i've cloned myself and can't remember which one I am

  59. Gaim not connecting right now by matt+me · · Score: 1

    Gaim isn't connecting to MSN right now. Has it already happened?

  60. I just got some of these.. by Anonymous Coward · · Score: 0

    From some people I know. (of course, I (a) am not a bonehead, and (b) am running linux), so it didn't affect me.

    But, here's what I saw about it: If others have seen the same thing, I would appreciate info about it:

    1) The IM message is: amazing...look http://myspace2k.100free.com/picture22.com
    2) The file you get from there is 107008 bytes long, and has a md5sum of a922f6a495c6f62e065a0713fc3ddf75 (that server's been giving the same thing since 9AM or so this morning, just checked it a few minutes ago).
    3) Infected computers seem to reconnect to AIM, and also make a connection to 72.20.22.86 port 5238, which as of an hour or so ago, was accepting connections..
    4) Neither McAfee, Grisoft, clamav, nor trendmicro detects the picture22.com file as being malware. And I'm not really looking forward to infecting a machine on the net myself to see what happens after it's deployed.

    I'm not sure where to go next to help these people clean up..

    Anyone else got this one? Or know where's the best place for discussion?

    1. Re:I just got some of these.. by imwizrdry · · Score: 1
      This link is still up and propagating picture22.com.

      IMlogic (IM security company) has been tracking picture22.com and the relationship to the Sdbot worm. Many of the IM worms simply send out URLs over AIM, MSN, or Y! via infected clients. Those URLs don't necessarily download copies of themselves, but rather will point to other malware. Classic blended threat strategies. Many carry IRC with them in the payload and then connect to various servers to get remote controlled.

      http://www.imlogic.com/im_threat_center/threatdetail.asp?iThreatID=2146&mr=top3&hr=top3

      Social engineering to get people to click on URLs is nothing new. But IM offers up two unique features: 1) you're getting messages from trusted people on your buddy list (who are infected), and 2) the worms have the context of who they're broadcasting to because everyone is connected via presence. This is very different from email. The messages you get from an infected user can even be personalized to you ("Hey Jack, click on this: //url//"). I've heard of security-savvy engineers clicking on these links and then clicking the dangerous Open button.

      Symantec says an email worm can travel around the world in 4 hours while an IM worm can travel around the world in 4 minutes. Scary.
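The pattern the two posts above describe, a trusted buddy sending a link whose "picture" is really an executable, can be caught in IM logs without touching the file. The C below is an added illustration, not IMlogic's or any poster's code; it flags an http:// link whose last path component carries an executable extension (the picture22.com case, as opposed to a host name that merely ends in .com) and runs over a few constructed log lines, one of which reuses the message quoted in the thread.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added illustration, not any poster's or vendor's code. Extensions that a
 * click on "Open" will execute on Windows (constructed, non-exhaustive list). */
static const char *const EXEC_EXT[] = { ".com", ".exe", ".scr", ".pif", ".bat" };
#define N_EXT (sizeof EXEC_EXT / sizeof EXEC_EXT[0])

/* Case-insensitive "does s[0..len) end with suffix", requiring at least one
 * byte of file name before the extension. */
static int ends_with_ci(const char *s, size_t len, const char *suffix)
{
    size_t sl = strlen(suffix), k;
    if (len <= sl)
        return 0;
    for (k = 0; k < sl; k++)
        if (tolower((unsigned char)s[len - sl + k]) !=
            tolower((unsigned char)suffix[k]))
            return 0;
    return 1;
}

/* Returns 1 and copies the offending URL into url_out (capacity cap) when msg
 * contains an http:// link whose last path component has an executable
 * extension; returns 0 otherwise. A bare host such as http://example.com has
 * no path component, so its ".com" is not a file name and is not flagged. */
int suspicious_im_url(const char *msg, char *url_out, size_t cap)
{
    const char *p = msg;
    while ((p = strstr(p, "http://")) != NULL) {
        const char *end = p + 7, *slash = NULL, *q;
        while (*end && !isspace((unsigned char)*end))   /* URL runs to whitespace */
            end++;
        for (q = p + 7; q < end; q++)                   /* last '/' after the host */
            if (*q == '/')
                slash = q;
        if (slash) {
            const char *name = slash + 1;
            size_t nlen = (size_t)(end - name), i;
            for (i = 0; i < N_EXT; i++)
                if (ends_with_ci(name, nlen, EXEC_EXT[i])) {
                    size_t ulen = (size_t)(end - p);
                    if (ulen >= cap)
                        ulen = cap - 1;
                    memcpy(url_out, p, ulen);
                    url_out[ulen] = '\0';
                    return 1;
                }
        }
        p = end;
    }
    return 0;
}

/* Scans constructed "buddy: message" log lines and returns the number
 * flagged; the first line is the message quoted in the thread. */
int scan_im_log(void)
{
    static const char *const LOG[] = {
        "jenny: amazing...look http://myspace2k.100free.com/picture22.com",
        "mark: my photos are at http://example.com/gallery/photo.jpg",
        "jenny: check http://example.com",
        "bob: lol http://example.com/Funny.SCR see it",
    };
    char url[256];
    int hits = 0;
    size_t i;
    for (i = 0; i < sizeof LOG / sizeof LOG[0]; i++)
        if (suspicious_im_url(LOG[i], url, sizeof url)) {
            printf("FLAG %s -> %s\n", LOG[i], url);
            hits++;
        }
    return hits;   /* 2 of the 4 constructed lines */
}

int main(void)
{
    return scan_im_log() == 2 ? 0 : 1;
}
```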

  61. Re:I'll use it when it supports ASCII Video Chat.. by Deven · · Score: 1

    I knew you were kidding, so I'm surprised you even bothered to research it. Of course, I've seen even stranger things, like feeding the video from a TV tuner into an ASCII translation. Incredibly, the example I saw was much more watchable than you would expect, considering the circumstances...

    In any event, I don't have a webcam, so it's all moot. And supporting an ASCII webcam would be more of a joke feature than anything. Gangplank is a serious system -- it's designed to perform a basic communication function for its users, and perform it well. What it lacks in bells and whistles, it makes up for in simplicity, efficiency and stability. Convincing people to use it, that's another thing...

    --

    Deven

    "Simple things should be simple, and complex things should be possible." - Alan Kay

  62. AIM backdoors by Anonymous Coward · · Score: 1, Insightful

    I shouldn't say this but there are already backdoors in AIM. They will backdoor your system after you click on a sound and open your "drives" for sharing without your knowledge. It's a glitch where you can fake the link and cause them to run an exe instead of the wave file. Anyone that connects has full access.

  63. That depends on what happens by davidwr · · Score: 1

    100 million or so users run the AIM client. How many do you think will switch?

    100 million use AOL client. Of those:
    90 million see bad press about killer virus
    70 million see press recommending specific alternatives
    40 million get 0wned and have to repair their computers, 40 more million know someone who did.
    10 million corporate users get it banned by their IT people.

    Now what was the question again?

    Then again you may be right, if IE's 80+% market share in the face of bad press and constant infections is any example. :(

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  64. Re:energy is liberated through blasphemy by Anonymous Coward · · Score: 0

    =8^[)] I love you! ::cheek pinch::
    http://www.hasbro.com/candyland/

  65. Perl to the rescue by RAMMS+EIN · · Score: 1

    Fortunately, the client I use (sirc) is unpopular, low on features, and written in Perl. Good luck trying to exploit that.

    --
    Please correct me if I got my facts wrong.
  66. oblig. bash by WillDraven · · Score: 1
    prettykittikat: Im going 2 the club 2night
    Syric 2005: im going 2 lern 2 tipe 2nite 2
    prettykittikat: what?
    Syric 2005: Exactly

    --
    This is my sig. There are many like it but this one is mine.
  67. Re:Lego Evolution baby by memeplex · · Score: 1

    Furthermore, let's get the timeline rolling right now: Start building a Lego robot factory out of... Legos. Don't forget to incorporate building-block manufacturing and recycling units. (This oversight plagued the first few versions of the project. Lego cannibalism is not pretty.) If you fail to do so, I will begin to fade away like Michael J. Fox in Back to the Future.

  68. Help! Reality check needed! by Hosiah · · Score: 1

    OK, why would you not use a hard-coded buffer for a chat program? Simply allocate 256 characters (that'd fill about ten lines in a chat; more than enough), then keep reading and discarding characters until you get EOF. Am I missing something? I've never written a chat program, I'm rusty as heck on C/C++ in general, been a while. But don't I remember that this is very easy to avoid? What concept am I missing?

    1. Re:Help! Reality check needed! by lachlan76 · · Score: 1

      Most IM clients have more than text. Display pictures, custom emoticons, video conferencing, etc. etc. Each of these are an avenue for attack.

      If the software is written in C++ then it should be using std::string anyway, which is safer.
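The question above (a fixed 256-byte buffer, read what fits and discard the rest) and the reply (the real risk is the binary fields: display pictures, emoticons, video) come together in the C below, an added illustration that is not any poster's code. The text reader shows the bounded copy the question proposes; the binary reader shows the length-prefixed field whose declared length must be checked against both the bytes actually received and the buffer's capacity, the checks a bare strcpy/memcpy into a fixed buffer omits.

```c
#include <stdio.h>
#include <string.h>
/* Added illustration (no poster's code): a fixed 256-byte text buffer read as
 * "copy what fits, discard the rest", beside a length-prefixed binary field. */
#define MSG_MAX 256   /* the fixed buffer size suggested in the post */
/* Copies one line from in[0..in_len) into buf (capacity MSG_MAX): at most
 * MSG_MAX-1 bytes stored, always NUL-terminated, the rest of an over-long line
 * read and discarded rather than written. Returns bytes consumed (newline
 * included) so the caller can advance; *truncated reports a drop. */
size_t read_line_bounded(const unsigned char *in, size_t in_len,
                         char buf[MSG_MAX], int *truncated)
{
    size_t i = 0, n = 0;
    *truncated = 0;
    while (i < in_len && in[i] != '\n') {
        if (n < MSG_MAX - 1)
            buf[n++] = (char)in[i];
        else
            *truncated = 1;         /* the bound, not the sender, decides */
        i++;
    }
    buf[n] = '\0';
    if (i < in_len)
        i++;                        /* consume the newline */
    return i;
}

/* Parses one binary field: 2-byte big-endian length, then payload. The
 * declared length comes from the peer, so it is checked against both the
 * bytes actually present and the output capacity before memcpy; dropping
 * either check is the fixed-buffer overflow this thread is about.
 * Returns the payload length, or -1 if the field is malformed. */
int read_len_prefixed(const unsigned char *in, size_t in_len,
                      unsigned char *out, size_t out_cap)
{
    size_t declared;
    if (in_len < 2)
        return -1;
    declared = ((size_t)in[0] << 8) | in[1];
    if (declared > in_len - 2)      /* header promises more than arrived */
        return -1;
    if (declared > out_cap)         /* larger than the buffer we own */
        return -1;
    memcpy(out, in + 2, declared);
    return (int)declared;
}

/* Constructed inputs covering the edge cases: returns 0 if all hold,
 * otherwise the number of the first failing case. */
int selftest(void)
{
    char buf[MSG_MAX];
    unsigned char pic[64], longline[301], oversize[66];
    unsigned char good[] = { 0x00, 0x03, 'a', 'b', 'c' };
    unsigned char lying[] = { 0x10, 0x00, 'a', 'b' };   /* claims 4096 bytes */
    int trunc;
    /* 1: a short line fits, is terminated, and its newline is eaten */
    if (read_line_bounded((const unsigned char *)"hi there\nnext", 13,
                          buf, &trunc) != 9
        || strcmp(buf, "hi there") != 0 || trunc != 0)
        return 1;
    /* 2: a 300-byte line keeps 255 bytes; all 301 bytes are consumed */
    memset(longline, 'A', 300);
    longline[300] = '\n';
    if (read_line_bounded(longline, sizeof longline, buf, &trunc) != 301
        || strlen(buf) != MSG_MAX - 1 || trunc != 1)
        return 2;
    /* 3: a well-formed field is copied */
    if (read_len_prefixed(good, sizeof good, pic, sizeof pic) != 3
        || memcmp(pic, "abc", 3) != 0)
        return 3;
    /* 4: a header larger than the data actually received is rejected */
    if (read_len_prefixed(lying, sizeof lying, pic, sizeof pic) != -1)
        return 4;
    /* 5: a complete 64-byte field must not be copied into 32 bytes */
    oversize[0] = 0x00; oversize[1] = 0x40;
    memset(oversize + 2, 'x', 64);
    if (read_len_prefixed(oversize, sizeof oversize, pic, 32) != -1)
        return 5;
    return 0;
}

int main(void)
{
    int rc = selftest();
    printf("selftest: %s (case %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```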

  69. Responsibility: by BlackMesaLabs · · Score: 0

    I'll be the first to say "Thanks sony!" wow.. they really do innovate in new areas!

  70. Why most "Instant Messaging" sucks by Sloppy · · Score: 1
    In order to lock you into using a single implementation of the client (so they can show you ads or whatever), they obfuscate the protocols. And it works; there tends to be few options for the client software.

    Without competition within the network, there is no incentive to spend money auditing the code. And without openness, nobody else is going to do it.

    And on top of that, you get homogeneous networks where everyone has the same vulnerability. That's asking for trouble. You've got to be insane to run that stuff.

    Contrast that to Jabber. Good luck writing a Jabber worm that goes anywhere, considering everyone is using a different client. (And someone can write their own client, totally overflow-proof in a language like Python or perl, in maybe an hour?) Your only hope is to find a bug in some commonly-used library like zlib or something, but over the years, that stuff just keeps getting cleaner and cleaner.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  71. Whatever happened to... by slappyjack · · Score: 1

    ..just checking your damn email every couple of minutes? Also, with the slight delay, maybe - though probably not - people will start typing in semi-coherent sentences again.

    If you REALLY need to have a conversation with someone in real time, pick up the goddamn phone.

    Fucking IM.

  72. Yup, it's here. by porneL · · Score: 1

    Imagine a system that can spread malicious code world-wide. A system that can bypass all firewalls, antivirus software and locked-down accounts. A system that can install any code without much suspicion. Imagine Windows Update.

  73. Re:energy is liberated through blasphemy by Anonymous Coward · · Score: 0

    Interesting use of anagrams.

  74. Its origin can be traced by Newton+IV · · Score: 1

    If AOL logs all IM conversations or at least who-messaged-whom type of data, the origin of any worm that spreads via buddy lists can be traced to a single account.