Fully Automated IM Worms on the Way?
nanycow writes "The sudden appearance of a rootkit file in a spyware-laden IM worm attack has set off new fears that malicious hackers are sophisticated enough to launch a fully automated worm attack against instant messaging networks. Researchers say the stage is set for a worm writer to use an unpatched buffer overflow in an IM app to unleash a worm that is capable of infecting millions of users without the use of malicious URLs that require a click."
We need to use Jabber. It will prevent against things like this. Oh wait. It won't. Still, use Jabber anyway, for it is Open Source goodness.
Get your own free personal location tracker
How is this any different from any other service attached to a port on your computer? Whenever a listening program has an overflow vulnerability there is the potential for "a fully automated worm." Granted there is a lot of IM software out there, but there have been plenty of ports and services on Windows that have been exploited in a fully automated way in the past. At least IM software is a _bit_ more heterogeneous than Windows.
Spencer Ogden
Is it me or did the article not really explain how the users can become infected without some sort of user interaction? If not, I think the best way to combat this is user education. I know AOL IM can send out "system" instant messages that could be very useful in telling people to avoid these links.
:)
It glosses over good old fashioned buffer overflows, but not much else. Then again, what else do you need?
No social engineering by seducing (l)users to click on a link. Real viruses multiply themselves!
So what is the issue with this?
My wife's sketchblog Blob[p]: Gastrono-me
If you take into account the Small world phenomenon, this means that these worms will infect everyone in the world in at most six or seven hops.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
It's a shame that AIM is so widely used in the workplace even though it is so vulnerable....
I know our IT department frowns upon it, but walking around you still see it used.
It's only a matter of time until something like this comes out that has the potential to severely damage both corporate and private networks.
Ahh... not so fast.
;-)
These viruses seem to be intelligently designed.
This particular payload is awful -- automated rootkit install.
Maybe one day we'll get a series of destructive worms that will render hardware unusable (e.g. no boot, disk overwritten, fan turned off and processor cranked up to do permanent damage, boot flash cleared) -- resulting in successive waves of hardware replacement.
I talked to a guy at a computer store about the aftermath of a worm that cleared the bootflash -- they sold so many new computers!
At that point, I figure Micr$oft will be in big trouble; after you buy your fifth motherboard in a row (and try to recover your data) after "Bukk@keB1ll" versions A through X hit you, you'll consider getting a Mac so you can get work done.
http://www.thebricktestament.com/the_law/when_to_
Not quite. Biological viruses evolve. Computer viruses, however, are products of intelligent design, for certain values of 'intelligent'.
Computer viruses aren't a force of nature. Behind every one of them is a malicious programmer.
Eventually, I imagine we'll see polymorphic and self-modifying code reach the point where it can evolve in the same way as biological viruses, but that's probably quite a way off. The nearest I've heard of to that is viruses programmed to alter their appearance to avoid detection.
Real Daleks don't climb stairs - they level the building.
The editor's usage of the term rootkit is correct, and proper. You may as well argue that the usage of 'cockpit' for the pilot seat and control area of an airplane is incorrect. From the relevant Wikipedia article:
Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).
Rootkit is no longer a term restricted to gaining "root" user access. The term now stands for any suite of hacks and/or programs (the "kit") that enables the malware to disguise its presence in the OS in a more sophisticated manner than simply having obscurely named .exes and registry entries.
Furthermore, in my entirely humble and sincerely personal opinion, the term is an appropriate, apt, and succinct way of describing these types of malicious programs, both in distinguishing them from the less deeply embedded malware types, and in emphasising the increased security threat these programs pose.
May the Maths Be with you!
Gee whiz, a "fully automated" worm using a different attack vector.
Let me ask you something, what *doesn't* constitute a "fully automated" worm? Was there some guy in a back room somewhere, individually infecting people with Code Red?
And IM services are hardly a new vector. If anything, this story should be about how long it has taken these people to figure out that services like AIM and ICQ are used by people with little or no computer knowledge, who will randomly click on things. You know, sorta like email. That's the real new nugget out of all of this, and hardly worth the two pages of ads to read about.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
With new hardware and operating systems supporting NX (no execute), wouldn't the effects of a buffer overflow be minimized? I may be crazy, but I thought that this was the entire point behind NX.
Intelligence is such a relative term isn't it?
You're less likely to suffer from the attack, but you're not safe. Attackers would most likely go for Windows AIM / MSN / Yahoo long before they go for an open source IM client on a Mac.
Reality is nothing but a collective hunch.
Simply IM me at w0rMzH0seTer and I'll give you all the details...
Don't anthropomorphize computers: they hate that.
Is the 'administrator' account privilege - which a majority of Windows user accounts are - not an equivalent to root?
Strictly speaking the Windows equivalent of 'root' is the hidden 'LocalSystem' account.
According to the Slashdotter's god, Wikipedia:
Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).
I work in the IT department at my college, and in the last week, have encountered two machines infected with this worm. Easily detected as it may be to the expert user, it is a rootkit, hiding from detection. If I had not recognized it, it would have been undetected, as the automated scanning tools did not report it.
You're safe. Not because Adium can't be compromised, but because no one cares enough to do it.
It seems to me that a well designed OS should NEVER let a piece of code be invisible. There should be some part of the OS that knows what is running, what invoked it, what file it came from, etc. A well designed OS would know the provenance of every segment of code. This information should be read-only to anything outside of this protected monitoring function. Thus ALL running code would be visible to the user and anti-malware software. And if you add hash-code locks on installed software, then malware wouldn't be able to masquerade as some other normal bit of code or damage anti-malware apps. Malware could still hide in a user-downloaded software, but the tracking function would aid the detection and removal of any unwanted code.
Is there ever a good reason to let software be invisible?
Two wrongs don't make a right, but three lefts do.
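The "hash-code locks on installed software" idea from the post above, as an added example that is not part of the thread or any poster's code: a hash manifest is built over an invented install tree, then re-verified after simulated tampering. All file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed demo (not from the thread): lock an "installed software" tree
# with a hash manifest, then re-verify it to spot modified, added or missing
# files. All file names below are invented.
def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify(root, locked):
    """Compare the tree against the locked manifest; anything that differs is
    either tampering or an install the monitor was not told about."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in locked if p in current and current[p] != locked[p]),
        "added": sorted(p for p in current if p not in locked),
        "missing": sorted(p for p in locked if p not in current),
    }

def write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Install two programs, lock the manifest, then simulate malware that
    patches the scanner and drops an extra file; return what verify() finds."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/im_client.exe", b"original client code")
        write(root, "bin/av_scan.exe", b"scanner code")
        locked = build_manifest(root)
        write(root, "bin/av_scan.exe", b"patched scanner code")   # tampered
        write(root, "bin/svchost32.dll", b"unknown code")           # dropped
        return verify(root, locked)
```

The manifest itself must live somewhere the monitored code cannot write, which is the read-only protected monitor the post asks for.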
"I use Adium. Should I be worried?"
I doubt it, because any malicious program that wants to alter OS X's settings is going to have to prompt you for an administrator password (unlike Windows). Besides, it's likely that any such worm will target official IM clients rather than third-party apps.
He who lights his taper at mine, receives light without darkening me.
"This rootkit hides itself from the user and anti-malware. Why should any software be allowed to run invisibly? ...It seems to me that a well designed OS should NEVER let a piece of code be invisible."
The point of a rootkit is that it alters the behaviour of the OS. Sure, a pre-rootkit kernel wouldn't have let just any code run. But once the rootkit gets in (one way or another), it alters the OS's behaviour. Just like the Sony audio CD rootkit (mentioned in a previous Slashdot article) alters the behaviour of Windows to keep certain kinds of files invisible.
He who lights his taper at mine, receives light without darkening me.
I think a bigger part of the problem, and hopefully this will open their eyes, is that thus far, the big anti-virus companies (Symantec and McAfee) will not include IM worms in their definitions. This means that even if you have the most up-to-date Windows security patches, and the most up-to-date anti-virus software, you can still be infected by the IM worm. I don't understand why they won't include them as they are, in my opinion, just as dangerous and propagate on their own just like normal email viruses. I deal with the "AIM virus" on a near-daily basis. I keep sending people to download AIMFix. This guy is getting some serious hits to his site, and he's not getting paid for it... These are real viruses, since the definition of a virus is that it gets onto your computer and propagates on its own. This just doesn't use traditional means (email, network ports). Even if you uninstall Instant Messenger, it's still there waiting to send itself to everyone on your buddy list.
please me, have no regrets.
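The propagation pattern the post describes (a worm sending itself to everyone on the buddy list) is something an IM gateway or proxy log can reveal even when AV definitions lack a signature. As an added example that is not from the thread or any product, the detection below flags a sender who pushes one identical message to many distinct buddies inside a short window; the log format and all names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of IM gateway log lines in an invented format
# ("timestamp sender -> recipient : message"); not from any real product.
SAMPLE_LOG = """\
2005-11-01T10:00:01 alice -> bob : lunch today?
2005-11-01T10:00:03 carol -> dave : hey check this out http://example.invalid/pic.php
2005-11-01T10:00:04 carol -> erin : hey check this out http://example.invalid/pic.php
2005-11-01T10:00:04 carol -> frank : hey check this out http://example.invalid/pic.php
2005-11-01T10:00:05 carol -> grace : hey check this out http://example.invalid/pic.php
2005-11-01T10:00:06 carol -> heidi : hey check this out http://example.invalid/pic.php
2005-11-01T10:00:09 bob -> alice : sure, noon
2005-11-01T10:05:00 alice -> carol : lunch today?
2005-11-01T10:05:01 alice -> dave : lunch today?
"""

def parse(line):
    """Split one log line into (timestamp, sender, recipient, message)."""
    ts, rest = line.split(" ", 1)
    sender, rest = rest.split(" -> ", 1)
    recipient, msg = rest.split(" : ", 1)
    return datetime.fromisoformat(ts), sender, recipient, msg

def detect_fanout(log_text, min_recipients=4, window=timedelta(seconds=30)):
    """Return {sender: message} for senders that push one identical message
    to at least min_recipients distinct buddies inside a sliding time window.
    A worm mailing itself to the whole buddy list looks like this; a human
    chatting one-to-one does not."""
    events = defaultdict(list)  # (sender, message) -> [(timestamp, recipient)]
    for line in log_text.splitlines():
        if line.strip():
            ts, sender, recipient, msg = parse(line)
            events[(sender, msg)].append((ts, recipient))
    flagged = {}
    for (sender, msg), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # advance the window start until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({r for _, r in hits[start:end + 1]}) >= min_recipients:
                flagged[sender] = msg
                break
    return flagged
```

Alice's repeated "lunch today?" is spread over five minutes and so stays under the threshold, while carol's burst of the same link to five buddies in three seconds is flagged.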
Oh brother. This is largely splitting hairs, people. In the general sense, admin equivalents are about as root-like as they come. You're comparing two different systems, so being precise is an impossibility.
A cheap albeit incomplete solution, one which will make the virus-writers work much harder:
1. Encourage people to use non-high-profile clients. It's a lot easier to "take over the world" if 90% of the people are using the same client with the same vulnerabilities than if 30% are using client A, 20% each are using clients B, C, and D, and the remaining 10% are using a variety of other clients.
2. Put a firewall between the application and the network. Again, don't have 90% of the world use the same firewall. It's best if at least part of the firewall sits in front of the OS, i.e. a hardware firewall or a "host-OS-based" firewall in virtual/emulated-hardware environment.
Here's what I see happening in a few years time, when virtualization becomes the norm:
1) everyone has a hardware firewall built into their cable/dsl/whatever box
2) PCs boot into a hypervisor, see #4 below
3) apps run in different security contexts, each having the network, memory, and disk-access privileges that they need and no more. For example, Solitaire will have no disk or network access. A Web browser will have very limited disk access and outgoing-only network access only over certain ports. A "local-only" web browser will be available for reading local html files.
4) The user will be encouraged to run certain applications like web browsers in a "lock box" which will in reality be a virtual machine, with its own firewall mechanism. Multiple VM implementations or VM-hardening products will be available so no single VM-related exploit will be shared by "90% of the world." The user will be able to "reset" his lock box at any time, erasing any viruses and malware that have infected it but which haven't "escaped" the VM environment.
Yes, the user can still be infected and yes, he can still be contagious, but instead of "everyone" being vulnerable only a part of the world will be. Furthermore, if people use the VM-lockboxes, they can "cure" themselves quite easily from the most common problems. They'll still need security software for the really nasty stuff, and they'll always need a "boot CD" or equivalent to do a full scan of their system for rootkits and such.
Remember: The goal isn't to wipe out viruses - that's practically impossible. It's to reduce your risk and decrease your recovery time.
Here's an example of how #4 can reduce exposure for web browsing:
Say 90% of people run Windows-2010 or whatever. When they run their web browser, they get to pick from:
IE under Windows VM
Opera under Windows VM
Opera under {pick one of many} Linux VMs
Opera under {pick one of many} BSD VMs
Firefox under {pick one of many} {pick Linux, Windows, or BSD} VMs
{insert other web browser here} under {insert operating system here} VM.
The VM would be bare-bones, just having essential services - including a built-in firewall - and a "screen" that just displayed the web browser. The user wouldn't necessarily see he was under a VM if he was merely browsing. If the web-browser screen output were "exported" to the "main" OS a la X, so much the better, assuming that didn't introduce security holes of its own.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
ANY network-facing application with an exploit should be presumed vulnerable to an automated attack until proven otherwise.
ANY network-facing application should be presumed to be exploitable until proven otherwise.
ANY application should be presumed to be network-facing until proven otherwise.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Of course, quoting that (or any) Wikipedia article is trivial, since you might have just changed it to say that.
Damn you, Wikipedia!
So, a memestructure known as 'Virus A' arrives on the computer of Hacker 0. He reverse-engineers it; now it is resident in the brain of Hacker 0. There it breeds furiously, producing countless offspring with random mutations. These are subject to natural selection in the environment of the hacker's brain, because the hacker knows what makes a virulent virus and what makes a feeble failure. In this phase the virus is benign, a bit like malaria not harming the mosquito; Hacker 0's brain does not crash.
Eventually a mutant form of the virus arises in the brain of Hacker 0; natural selection against the constraints of Hacker 0's security knowledge has produced a fitter version of the virus. At this point Virus B is released into the wild.
It's an interesting lifecycle. Like many infectious agents it behaves differently depending upon the host in which it finds itself. Once a population is isolated for a long while (in the brain of a hacker) it may diverge and eventually form a new species, possibly replacing the ancestral population once re-released... The analogy with biological evolution is certainly quite strong.
Unfortunately, I've implicitly reduced all human thought to the rapid reproduction and mutation of meme-structures, and originality to the production of an unusual mutation. Maybe this is true, but it's probably taking reductionism too far, like explaining the working of a car in terms of quark-gluon interactions. Treating a virus hacker as a malevolent intelligent mind intent on causing mayhem will probably get us a more reliable model of computer virus epidemiology.
Real Daleks don't climb stairs - they level the building.
Unless it exploits another remote or local security hole that hasn't been patched.
Besides, your statement about Windows is rather generic and so incorrect. I log on as a normal (i.e. limited) user, so unless there's an unknown security hole (every exploit known so far uses a known security hole and I patch quickly) then my whole system will not be compromised. My local account might be affected, but that concept applies to OS X too.