Slashdot Mirror


Fully Automated IM Worms on the Way?

nanycow writes "The sudden appearance of a rootkit file in a spyware-laden IM worm attack has set off new fears that malicious hackers are sophisticated enough to launch a fully automated worm attack against instant messaging networks. Researchers say the stage is set for a worm writer to use an unpatched buffer overflow in an IM app to unleash a worm that is capable of infecting millions of users without the use of malicious URLs that require a click."

9 of 230 comments

  1. Infection by kevin_conaway · · Score: 3, Interesting

    Is it me or did the article not really explain how the users can become infected without some sort of user interaction? If not, I think the best way to combat this is user education. I know AOL IM can send out "system" instant messages that could be very useful in telling people to avoid these links.

    It glosses over good old fashioned buffer overflows, but not much else. Then again, what else do you need? :)

  2. That is a how a worm or virus should be! by jurt1235 · · Score: 5, Interesting

    No social engineering by seducing (l)users to click on a link. Real viruses multiply themselves!
    So what is the issue with this?

    --

    My wife's sketchblog Blob[p]: Gastrono-me
  3. Very infectious. by Poromenos1 · · Score: 4, Interesting

    If you take into account the Small world phenomenon, this means that these worms will infect everyone in the world in at most six or seven hops.

    --
    Send email from the afterlife! Write your e-will at Dead Man's Switch.
  4. Re:Different from other open ports? by ColaMan · · Score: 5, Interesting

    At least IM software is a _bit_ more heterogeneous than Windows.

    In this case it doesn't really matter.
    Consider an exploit that can get the buddy list out of MSN, for example.
    Now, as most IMs have only one client used by the bulk of people, it becomes trivial to send a copy of the exploit to each person on your list, have a high proportion of them become infected, and progress outwards to friends geometrically (unless you have no friends).

    This is a hell of a lot more successful than your usual pick-a-random-IP-and-hope-it's-exploitable method.

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.
  5. Re:Do these things affect non-AIM apps? by nothingbutcoupons · · Score: 1, Interesting

    I use Trillian for Yahoo, MS, and AIM. Does this mean I am three times more likely to get hit by a worm, or are the worms IM-specific?

    --
    Nothing But Coupons - Your no-frills site for online coupons and discou
  6. Partial cheap solutions: low-profile + firewall by davidwr · · Score: 4, Interesting

    A cheap albeit incomplete solution, one which will make the virus-writers work much harder:

    1. Encourage people to use non-high-profile clients. It's a lot easier to "take over the world" if 90% of the people are using the same client with the same vulnerabilities than if 30% are using client A, 20% each are using clients B, C, and D, and the remaining 10% are using a variety of other clients.

    2. Put a firewall between the application and the network. Again, don't have 90% of the world use the same firewall. It's best if at least part of the firewall sits in front of the OS, i.e. a hardware firewall or a "host-OS-based" firewall in virtual/emulated-hardware environment.

    Here's what I see happening in a few years time, when virtualization becomes the norm:

    1) everyone has a hardware firewall built into their cable/dsl/whatever box
    2) PCs boot into a hypervisor, see #4 below
    3) apps run in different security contexts, each having the network, memory, and disk-access privileges that they need and no more. For example, Solitaire will have no disk or network access. A Web browser will have very limited disk access and outgoing-only network access only over certain ports. A "local-only" web browser will be available for reading local html files.
    4) The user will be encouraged to run certain applications like web browsers in a "lock box" which will in reality be a virtual machine, with its own firewall mechanism. Multiple VM implementations or VM-hardening products will be available so no single VM-related exploit will be shared by "90% of the world." The user will be able to "reset" his lock box at any time, erasing any viruses and malware that have infected it but which haven't "escaped" the VM environment.

    Yes, the user can still be infected and yes, he can still be contagious, but instead of "everyone" being vulnerable only a part of the world will be. Furthermore, if people use the VM-lockboxes, they can "cure" themselves quite easily from the most common problems. They'll still need security software for the really nasty stuff, and they'll always need a "boot CD" or equivalent to do a full scan of their system for rootkits and such.

    Remember: The goal isn't to wipe out viruses - that's practically impossible. It's to reduce your risk and decrease your recovery time.

    Here's an example of how #4 can reduce exposure for web browsing:
    Say 90% of people run Windows-2010 or whatever. When they run their web browser, they get to pick from:
    IE under Windows VM
    Opera under Windows VM
    Opera under {pick one of many} Linux VMs
    Opera under {pick one of many} BSD VMs
    Firefox under {pick one of many} {pick Linux, Windows, or BSD} VMs
    {insert other web browser here} under {insert operating system here} VM.

    The VM would be bare-bones, just having essential services - including a built-in firewall - and a "screen" that just displayed the web browser. The user wouldn't necessarily see he was under a VM if he was merely browsing. If the web-browser screen output were "exported" to the "main" OS a la X, so much the better, assuming that didn't introduce security holes of its own.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
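The propagation argument made in comments 3, 4 and 6 above (worm spread along buddy lists over a small-world contact graph, compared with random address probing, and a client monoculture compared with a mixed client population) can be put into a toy simulation. The script below is an added illustration for this thread; it is not code from the article or from any commenter. The graph size, degree, rewiring probability, client shares, probe budget, address-space size and the client name "ClientA" (the one assumed to carry the unpatched hole) are all made-up assumptions chosen so the run finishes instantly; they are not measurements of any real IM network.

```python
"""Toy IM-worm propagation model (added illustration, constructed data)."""
import random
from collections import deque


def build_contact_graph(n, k, rewire_p, rng):
    """Ring lattice (each node linked to its k nearest neighbours) with each
    edge rewired to a random node with probability rewire_p, i.e. the
    Watts-Strogatz construction: a few long-range links give short paths."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for d in range(1, k // 2 + 1):
            j = (i + d) % n
            adj[i].add(j)
            adj[j].add(i)
    for i in range(n):
        for j in sorted(adj[i]):
            if j > i and rng.random() < rewire_p:
                new = rng.randrange(n)
                if new != i and new not in adj[i]:
                    adj[i].discard(j)
                    adj[j].discard(i)
                    adj[i].add(new)
                    adj[new].add(i)
    return adj


def assign_clients(n, mix, rng):
    """mix maps client name -> share of users (shares sum to 1, assumed)."""
    names = list(mix)
    return rng.choices(names, weights=[mix[c] for c in names], k=n)


def spread_via_buddy_list(adj, clients, vulnerable, seed_node):
    """Breadth-first worm: every infected host fires the exploit at each
    buddy; only buddies running the vulnerable client get infected. Returns
    the infected set and the hop count from patient zero to the farthest
    victim (the 'six or seven hops' question from comment 3)."""
    if clients[seed_node] != vulnerable:
        return set(), 0
    dist = {seed_node: 0}
    queue = deque([seed_node])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist and clients[v] == vulnerable:
                dist[v] = dist[u] + 1
                queue.append(v)
    return set(dist), max(dist.values())


def spread_via_random_scan(n, clients, vulnerable, seed_node,
                           probes_per_host, address_space, rng):
    """Scanning worm: each newly infected host probes probes_per_host random
    addresses out of address_space; only addresses below n are real hosts.
    The worm dies out once a generation finds nobody new to infect."""
    if clients[seed_node] != vulnerable:
        return set(), 0
    infected = {seed_node}
    frontier = [seed_node]
    generations = 0
    while frontier:
        new = []
        for _ in frontier:
            for _ in range(probes_per_host):
                target = rng.randrange(address_space)
                if (target < n and target not in infected
                        and clients[target] == vulnerable):
                    infected.add(target)
                    new.append(target)
        if not new:
            break
        frontier = new
        generations += 1
    return infected, generations


# Assumed client shares: comment 6's "90% on one client" vs its mixed case.
MONOCULTURE = {"ClientA": 0.9, "other": 0.1}
DIVERSE = {"ClientA": 0.3, "ClientB": 0.2, "ClientC": 0.2,
           "ClientD": 0.2, "other": 0.1}


def run_experiment(seed=7, n=2000):
    """Infected fraction per scenario; ClientA is the hypothetical client
    with the unpatched buffer overflow."""
    rng = random.Random(seed)
    adj = build_contact_graph(n, k=6, rewire_p=0.1, rng=rng)
    results = {}
    for label, mix in (("monoculture", MONOCULTURE), ("diverse", DIVERSE)):
        clients = assign_clients(n, mix, rng)
        patient_zero = next(i for i in range(n) if clients[i] == "ClientA")
        buddy, hops = spread_via_buddy_list(adj, clients, "ClientA", patient_zero)
        scan, gens = spread_via_random_scan(
            n, clients, "ClientA", patient_zero,
            probes_per_host=20, address_space=50 * n, rng=rng)
        results[label] = {
            "buddy_list_fraction": len(buddy) / n,
            "buddy_list_hops": hops,
            "random_scan_fraction": len(scan) / n,
            "random_scan_generations": gens,
        }
    return results


if __name__ == "__main__":
    for label, r in run_experiment().items():
        print(label, r)
```

In the monoculture run the buddy-list worm reaches nearly every vulnerable host in a few dozen hops at most, while the scanning worm, which wastes most of its probes on empty addresses, dies out after a handful of generations. In the mixed population the same buddy-list worm stalls inside small islands of ClientA users, which is the effect comment 6 is after: the contact graph is unchanged, only the share of hosts that the exploit works on has dropped.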
  7. Unless there's an exploit of course by davidwr · · Score: 2, Interesting

    ANY network-facing application with an exploit should be presumed vulnerable to an automated attack until proven otherwise.

    ANY network-facing application should be presumed to be exploitable until proven otherwise.

    ANY application should be presumed to be network-facing until proven otherwise.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  8. Re:Evolution baby by meringuoid · · Score: 2, Interesting
    Damn. Extended phenotype. grr. Got me there. In which case the actual evolution is not taking place on the internet at all, and the viruses themselves are not actually the interesting structures. We're looking at the egg and missing the chicken. The evolving entities are memes, evolving in the minds of hackers...

    So, a memestructure known as 'Virus A' arrives on the computer of Hacker 0. He reverse-engineers it; now it is resident in the brain of Hacker 0. There it breeds furiously, producing countless offspring with random mutations. These are subject to natural selection in the environment of the hacker's brain, because the hacker knows what makes a virulent virus and what makes a feeble failure. In this phase the virus is benign, a bit like malaria not harming the mosquito; Hacker 0's brain does not crash.

    Eventually a mutant form of the virus arises in the brain of Hacker 0; natural selection against the constraints of Hacker 0's security knowledge has produced a fitter version of the virus. At this point Virus B is released into the wild.

    It's an interesting lifecycle. Like many infectious agents it behaves differently depending upon the host in which it finds itself. Once a population is isolated for a long while (in the brain of a hacker) it may diverge and eventually form a new species, possibly replacing the ancestral population once re-released... The analogy with biological evolution is certainly quite strong.

    Unfortunately, I've implicitly reduced all human thought to the rapid reproduction and mutation of meme-structures, and originality to the production of an unusual mutation. Maybe this is true, but it's probably taking reductionism too far, like explaining the working of a car in terms of quark-gluon interactions. Treating a virus hacker as a malevolent intelligent mind intent on causing mayhem will probably get us a more reliable model of computer virus epidemiology.

    --
    Real Daleks don't climb stairs - they level the building.
  9. Re:Jabber! by grassy_knoll · · Score: 2, Interesting
    What's stopping MS from implementing a Unix-style security model?

    Your mom. Literally.

    I understand users/groups/file permissions. I assume you do too. What about your parents?


    I was going to moderate this, but had to comment instead.

    You do realize that OS X is built on BSD, which has the traditional Unix file permissions? My mother, sister, father, stepmother and girlfriend have no problems coping with file permissions.

    Command line unix might be obscure to the majority of the public, but OS X proves that, with the right interface, it's not a problem.