Slashdot Mirror


Fully Automated IM Worms on the Way?

nanycow writes "The sudden appearance of a rootkit file in a spyware-laden IM worm attack has set off new fears that malicious hackers are sophisticated enough to launch a fully automated worm attack against instant messaging networks. Researchers say the stage is set for a worm writer to use an unpatched buffer overflow in an IM app to unleash a worm that is capable of infecting millions of users without the use of malicious URLs that require a click."

8 of 230 comments

  1. Re:Do these things affect non-AIM apps? by chroot_james · Score: 3, Informative

    You're less likely to suffer from the attack, but you're not safe. Attackers would most likely go for Windows AIM / MSN / Yahoo long before they go for an open source IM client on a Mac.

    --
    Reality is nothing but a collective hunch.
  2. Re:I can't take any more of this by Darkon · Score: 4, Informative

    Is the 'administrator' account privilege - which a majority of Windows user accounts are - not an equivalent to root?

    Strictly speaking the Windows equivalent of 'root' is the hidden 'LocalSystem' account.

  3. Re:I can't take any more of this by platyduck · Score: 2, Informative

    According to the Slashdotter's god, Wikipedia:

    Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).

    I work in the IT department at my college, and in the last week, have encountered two machines infected with this worm. Easily detected as it may be to the expert user, it is a rootkit, hiding from detection. If I had not recognized it, it would have been undetected, as the automated scanning tools did not report it.

  4. Re:Infection by Red+Flayer · Score: 4, Informative

    From the summary:

    "Researchers say the stage is set for a worm writer to use an unpatched buffer overflow in an IM app to unleash a worm that is capable of infecting millions of users without the use of malicious URLs that require a click."

    FTA: "'We've already seen documentation for some serious code-execution vulnerabilities in IM applications. If you put it all together, you'll see we're not that far away from an automated IM attack where infections don't require the user to click on anything,' Wells said."

    User education won't help if propagation occurs without any action by them.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  5. Re:The sky is falling! ( again ) by Red+Flayer · Score: 3, Informative

    "Let me ask you something, what *doesn't* constitute a "fully automated" worm? "

    Any worm that requires the user to click on a link in order for the worm to propagate. The scary thing about this class of worms is that it installs a rootkit without activity from a user, so the only rate-limiting step in the infection cycle would appear to be buddy lists. So, you're on someone's buddy list... you get infected without taking any action. Then, boom, all your buddies are belong to them. &c.

    Educated users know better than to click just any link they see -- we depend on that to limit propagation. But it doesn't apply here.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
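    The infection cycle described in comments 4 and 5 (once no click is needed, buddy lists are the only thing limiting spread, and user education stops mattering) can be shown with a small propagation model. The following Python is an added example, not code from any poster or from the article; the buddy lists, the user names and the set of "educated" users are constructed for the illustration, and the "rounds" measure (one round = every infected client messaging its whole buddy list) is an assumption of the model.

```python
"""
Added example (not from the Slashdot thread): a toy model of worm
propagation over IM buddy lists, comparing a worm that needs the
recipient to click a link with one that infects without any click.
All names, the buddy lists and the set of "educated" users are
constructed for this illustration.
"""

# Constructed buddy lists: each user -> the buddies their client would
# message. Directed on purpose: being on someone's list is what exposes you.
BUDDY_LISTS = {
    "alice": ["bob", "carol"],
    "bob": ["alice", "dave"],
    "carol": ["alice", "erin"],
    "dave": ["bob", "frank"],
    "erin": ["carol"],
    "frank": ["dave"],
}

# Constructed: users who never click an unsolicited link. They only matter
# for the click-gated worm; the automated worm ignores their training.
EDUCATED_USERS = frozenset({"carol", "dave"})


def simulate(buddy_lists, patient_zero, requires_click, educated=frozenset()):
    """Breadth-first spread from patient_zero.

    Returns (infected_users, rounds). One round = every currently infected
    client messaging its whole buddy list. With requires_click=True an
    educated recipient receives the message but is never infected, so the
    chain stops there; with requires_click=False every buddy is infected.
    """
    infected = {patient_zero}
    frontier = [patient_zero]
    rounds = 0
    while frontier:
        newly_infected = []
        for user in frontier:
            for buddy in buddy_lists.get(user, []):
                if buddy in infected:
                    continue
                if requires_click and buddy in educated:
                    continue  # link delivered, not clicked: no infection
                infected.add(buddy)
                newly_infected.append(buddy)
        if newly_infected:
            rounds += 1
        frontier = newly_infected
    return infected, rounds


def compare(buddy_lists, patient_zero, educated):
    """Run both worm styles from the same starting point and summarise."""
    gated, gated_rounds = simulate(buddy_lists, patient_zero, True, educated)
    auto, auto_rounds = simulate(buddy_lists, patient_zero, False, educated)
    return {
        "click_gated": {"infected": len(gated), "rounds": gated_rounds},
        "automated": {"infected": len(auto), "rounds": auto_rounds},
    }


if __name__ == "__main__":
    for worm, stats in compare(BUDDY_LISTS, "alice", EDUCATED_USERS).items():
        print(f"{worm:12} infected {stats['infected']}/{len(BUDDY_LISTS)} "
              f"users in {stats['rounds']} rounds")
```

    Starting from alice, the click-gated worm stops at two users because carol and dave ignore the link and so never relay it; the automated worm reaches all six in three rounds, which is the point the comment makes: with no click in the loop, the only defence left is on the client side (patching the vulnerable application, or detection on the endpoint), not on the user.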
  6. Re:Do these things affect non-AIM apps? by Rocketship+Underpant · Score: 4, Informative

    "I use Adium. Should I be worried?"

    I doubt it, because any malicious program that wants to alter OS X's settings is going to have to prompt you for an administrator password (unlike Windows). Besides, it's likely that any such worm will target official IM clients rather than third-party apps.

    --
    He who lights his taper at mine, receives light without darkening me.
  7. IM worms go undetected by rizzo420 · Score: 4, Informative

    I think a bigger part of the problem, and hopefully this will open their eyes, is that thus far, the big anti-virus companies (Symantec and McAfee) will not include IM worms in their definitions. This means that even if you have the most up-to-date Windows security patches, and the most up-to-date anti-virus software, you can still be infected by the IM worm. I don't understand why they won't include them as they are, in my opinion, just as dangerous and propagate on their own just like normal email viruses. I deal with the "AIM virus" on a near-daily basis. I keep sending people to download AIMFix. This guy is getting some serious hits to his site, and he's not getting paid for it... These are real viruses, since the definition of a virus is that it gets onto your computer and propagates on its own. This just doesn't use traditional means (email, network ports). Even if you uninstall Instant Messenger, it's still there waiting to send itself to everyone on your buddy list.

    --
    please me, have no regrets.
  8. Re:I can't take any more of this by jav1231 · Score: 3, Informative

    Oh brother. This is largely splitting hairs, people. In the general sense, admin equivalents are about as root-like as they come. You're comparing two different systems so being precise is an impossibility.