New Worm Chats with Users on AIM
goldseries writes "CNet is reporting that a new
IM worm chats with users to get them to download a file containing a virus. The virus replicates itself and sends itself out to users' buddy lists. The virus will reply 'lol no this is not a virus.' The virus hides users from seeing the messages sent out to members of their buddy list. Viruses are evolving; now they will even talk to you."
Anyone remember "give me a cookie?"
If Jesus wants me it knows where to find me.
I've gotten this from several people on my list in the past few days... it basically spams a message, usually the same one, every hour or so, with the same link. It just fakes the address, the real link is to: http://209.235.17.26/My_Christmas_Card.SCR
(06:41:27) xxxx: This AIM user has sent you a Christmas Card! To open it please visit: http://greetings.aol.com/index.pd?source=greeting
This senders personal note: Merry Christmas!
(06:41:27) yyyy : Sorry, I ran out for a bit!
(08:42:59) xxxx: This AIM user has sent you a Christmas Card! To open it please visit: http://greetings.aol.com/index.pd?source=greeting
This senders personal note: Merry Christmas!
ELIZA-type programs of various flavors have been around for decades, and ran on computers that were very slow / small by today's standards. Heck, an Eliza-style program, and even its LISP interpreter, could fit in 64K, or easily in half a megabyte. And that is the runtime requirement. The code itself could easily be a minor add-on to modern-day malware.
If you read some classic LISP texts, such as Norvig's book on AI using Common Lisp, or another book The Elements of Artificial Intelligence, and other classic texts, there are probably a lot of algorithms that could be used.
Turn the spread of the malware into some kind of gameplay problem and use AI algorithms to optimize the "gameplay" of the spread?
I'll see your senator, and I'll raise you two judges.
This will come in to you from another AIM-user you KNOW and who is infected. Not some stranger.
I'm surprised these AIM worms haven't yet integrated with those award-winning AI bots used to fool other humans (e.g. Jabberwacky or ALICE).
Having said that, when I asked Jabberwacky "Is this a virus?" it said "Well, I hope so." Not very reassuring...
So people can send out executable jpegs? No thanks.
I said execute bit in the filesystem.
So - the virus would come in from the mail system with the execute bit set to 0, the user would have to download the file, get its properties, and tick the "execute" checkbox.
My pics.
Note: The slashdot article says 'lol no this is not a virus.' The CNET article says "lol no its not its a virus".
Windows NT/2000/XP already have this (sorta). You can set execute privileges on files, just like in UNIX.
However, a default Windows XP install will be set up to inherit all permissions from the root of the drive, and will have the Users group set to Read, Execute, and Traverse Directories. So everything you download is by default executable, and no program I know of ever bothers to unset that. (Actually, the latest version of IE will store some metadata with executable files downloaded through it that marks the file as being "untrusted," but I think that only Windows Explorer (basically, IE itself) actually respects that metadata.)
The other thing you need to understand is that, like UNIX, you can essentially exec (on Windows, ShellExecute) any file on the system. Unlike UNIX, though, the kernel won't actually try to interpret the file. Instead the Windows API (I think) will look up the file type and send the file off to the appropriate handler. So when you call ShellExecute, you're essentially acting like the user clicked on the file in Windows Explorer. To most programs like AIM, there's no difference between executing another program and opening a file in its viewer. As far as I know, there's really no way of asking Windows "are you going to just look at that, or actually run that?"
The basic point here is that while Windows XP (and NTFS) do support an Executable flag, by default it's always on. Plus the "launch file" API will also run programs, and there's really no way to be certain that a file you're launching won't essentially be an executable.
You are in a maze of twisty little relative jumps, all alike.
On NTFS-formatted filesystems, you can use the ACL to set it by default so that all files saved will not have the "Execute File" permission. You just deselect "Allow" for the line that says "Traverse Folder / Execute File" for the "CREATOR OWNER" entry, set "Apply onto" to "Files Only" for the scope, and allow propagation down.
Or, you can go into your Group Policy Object (Local Computer or Domain) and in your Software Restriction Policies disallow execution by default unless the files are in areas of the file system you designate, e.g. the "Program Files" folder. And if I remember correctly, files saved by current versions of IM programs go to "My Documents", outside of the "Program Files" folder, by default.
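As an added example (not code from the thread or from any of the posters), here is a PowerShell script that ties together the two points made above: the file-level question from the earlier post (what the "launch file" API will do with a given extension, whether the file carries the "untrusted" download metadata, and whether Users hold ExecuteFile on it) and the folder-level CREATOR OWNER check from this post. It assumes PowerShell 3.0 or later on an NTFS volume; the function names, the paths and the sample file name are placeholders chosen for the example.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0+ on Windows/NTFS.
# Paths and file names below are placeholders.

function Test-GrantsExecute($Ace) {
    # Get-Acl shows inherit-only ACEs with generic rights as raw numbers:
    # GENERIC_ALL (0x10000000) and GENERIC_EXECUTE (0x20000000) both include
    # ExecuteFile (0x20), so check all three bits.
    $rights = [int]$Ace.FileSystemRights
    (($rights -band 0x20) -ne 0) -or (($rights -band 0x10000000) -ne 0) -or (($rights -band 0x20000000) -ne 0)
}

function Get-LaunchRisk {
    # Report what ShellExecute would do with a downloaded file and how it is marked.
    param([Parameter(Mandatory)][string]$Path)

    $file   = Get-Item -LiteralPath $Path
    $report = [ordered]@{ Path = $file.FullName }

    # 1. Handler lookup: the final extension's ProgId in HKCR and its "open" verb.
    $ext     = $file.Extension.ToLower()
    $progId  = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    $openCmd = $null
    if ($progId) {
        $openCmd = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }
    $report.Extension   = $ext
    $report.ProgId      = $progId
    $report.OpenCommand = $openCmd

    # 2. Double extension such as "card.jpg.scr": the part the user sees vs. the part Windows uses.
    $report.DoubleExtension = ($file.BaseName -match '\.[A-Za-z0-9]{1,4}$')

    # 3. Extensions the shell runs as a program rather than opens in a viewer.
    #    PATHEXT lists command-line executables; .scr and .pif also execute, so add them.
    $execExts = (($env:PATHEXT -split ';') + '.scr', '.pif') | ForEach-Object { $_.ToLower() }
    $report.RunsAsProgram = $execExts -contains $ext

    # 4. The download metadata the earlier post mentions: the Zone.Identifier
    #    alternate data stream (ZoneId=3 means "Internet").
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $report.ZoneId = ($zone | Where-Object { $_ -match '^ZoneId=' }) -replace '^ZoneId=', ''

    # 5. File ACL: does Users or Everyone hold an Allow ACE that includes ExecuteFile?
    $acl = Get-Acl -LiteralPath $Path
    $report.UsersCanExecute = [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Users|Everyone' -and
        (Test-GrantsExecute $_)
    })

    [pscustomobject]$report
}

function Test-CreatorOwnerExecute {
    # The mitigation from this post: on a download folder, does the inherited
    # "CREATOR OWNER" Allow ACE that applies to new files still include ExecuteFile?
    # $true means files saved into the folder will be born executable.
    param([Parameter(Mandatory)][string]$Folder)

    $acl = Get-Acl -LiteralPath $Folder
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'CREATOR OWNER' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ObjectInherit) -ne 0)
    }
    [bool]($aces | Where-Object { Test-GrantsExecute $_ })
}

# Usage (placeholder paths; the file name echoes the sample from the thread):
# Get-LaunchRisk -Path "$env:USERPROFILE\Downloads\My_Christmas_Card.SCR" | Format-List
# Test-CreatorOwnerExecute -Folder "$env:USERPROFILE\Downloads"
```

Run against a default install, Get-LaunchRisk on an .scr file reports RunsAsProgram and UsersCanExecute as $true, which is exactly the "always on" behaviour the earlier post describes; after applying the CREATOR OWNER change from this post to the download folder, Test-CreatorOwnerExecute on that folder returns $false and newly saved files no longer carry ExecuteFile. The Zone.Identifier stream is only written by programs that choose to do so, so an empty ZoneId is not evidence that a file is local.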
Dammit slashdot...that link was supposed to be http://jayloden.com/aimfix.htm
If you want the binary only: http://jayloden.com/AIMFix.exe
"Show all file extensions" under Preferences in the Finder. OS X is pretty smart too, even if it's turned off, if you make a file like "pamela_nude.jpg.app" it will show the full extension cause it knows you're trying to be sneaky :)