Slashdot Mirror


Instant-Messaging Attacks On the Rise

Ant writes "CNET News.com and ZDNet News report that security attacks over instant-messaging (IM) networks became more prevalent in 2005, according to a new study. MSN experienced the largest number of IM security incidents in both 2004 and 2005, while year-on-year incident growth rates were largest on AIM."

38 of 151 comments

  1. Obvious by heavy+snowfall · · Score: 3, Insightful

    Obvious, they go to where the easy targets are. As a plus: When you infect a computer connected through AOL the chance of discovery and subsequent removal is smaller. How many grannies on AOL run a firewall+spybot+antivirus etc?

    1. Re:Obvious by dc29A · · Score: 2, Interesting

      Obvious, they go to where the easy targets are. As a plus: When you infect a computer connected through AOL the chance of discovery and subsequent removal is smaller. How many grannies on AOL run a firewall+spybot+antivirus etc?

      I doubt it's only AOL. How many non AOL average Joes use a firewall, antivirus and antispamware? The vast majority of home computer users don't give a damn about or are totally clueless about computer security.

      That and everyone and his mother running with a root account so once you get a user clicking on a "OMG COOL PICTURE HERE CHECK IT OUT" spam, their PC is a newborn zombie.

    2. Re:Obvious by Pneuma+ROCKS · · Score: 2

      The problem with companies like AOL, EarthLink, etc, is that they give a false sense of security to their users, claiming that they will be protected from everything. Not a day goes by I don't see their stupid TV commercials and feel sick.

      If people want to be really safe using the web, they need to be conscious about their computer and their security. This is a major drag for average users, but there's no other way. Even if the programs that access the web were 100% safe, there are ways of attacking users by exploiting their ignorance and gullibility. Teaching people to be more security-aware makes it a lesser problem to have insecure applications.

      --
      Favorite quote: "
    3. Re:Obvious by ozydingo · · Score: 3, Funny

      Didn't you see their new ad? The new and improved AOL blocks all spyware, foils all hackers, and does you up the butt all with a single mouse click!

    4. Re:Obvious by heavy+snowfall · · Score: 2, Funny

      - My grandma doesn't use AOL.
      - She uses linux, user account.
      - iptables, ids.

      I was talking about your average grannies in FL. (Their neighbours are probably the spammers exploiting their boxes..)

  2. Simple Fix by jimbolauski · · Score: 3, Funny

    FTA:
        "We recommend that customers do not click on attachments or links in IM without confirming their validity with the person who sent them"

    When is a patch going to come out for this problem, it seems to have been plaguing the net for quite some.

    --
    Knowledge = Power
    P= W/t
    t=Money
    Money = Work/Knowledge so the less you know the more you make
    1. Re:Simple Fix by randyflood · · Score: 2, Informative


      What is interesting to me is the number of new users to IM services who fall for bots that chat with them using a Perl script or whatever. Now some of the worms using IM are chatting with the users first in order to work better:

      http://news.com.com/New%20IM%20worm%20chats%20with%20intended%20victims/2100-7349_3-5984845.html

      --
      Randy.Flood@RHCE2B.COM
    2. Re:Simple Fix by meringuoid · · Score: 2, Funny
      "We recommend that customers do not click on attachments or links in IM without confirming their validity with the person who sent them"

      When is a patch going to come out for this problem, it seems to have been plaguing the net for quite some.

      Once AOL start requiring (for 'technical' or even 'security' reasons) a set-top box to place on top of the monitor. This will track the location of the user using an inbuilt digital camera. Every so often it will cause a popup message containing suitably spammy text and a linked executable. If the user clicks it, the box deploys its payload: a hollowpoint between the user's eyes.

      Think of it as evolution in action.

      --
      Real Daleks don't climb stairs - they level the building.
    3. Re:Simple Fix by Phisbut · · Score: 4, Funny
      When is a patch going to come out for this problem, it seems to have been plaguing the net for quite some.

      We've been trying to patch human beings for quite a while now, but they just don't seem to stand still. We'll get to it though.

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
  3. Am I the only one who hasn't noticed it? by peragrin · · Score: 4, Interesting

    I have not seen any such attacks when using my normal IM software. I am constantly connected to AIM but I never receive such problems. It might have to do with the fact that I use Fire/iChat, or Kopete/Gaim.

    Maybe because my IM client doesn't download and run ActiveX ads I don't have such problems. The AIM client for Windows doesn't like running in restricted user modes or restricted IE settings on any machine I have installed it on.

    So I would say it's not so much IM problems but more of the same IE/ActiveX security issues that continually plague the world that uses that crap.

    --
    i thought once I was found, but it was only a dream.
    1. Re:Am I the only one who hasn't noticed it? by arachnoprobe · · Score: 3, Insightful

      I think it also depends on your buddy-list. The demographical variation in a buddy-list of your average John Doe or Grandma Doe should be very different from someone posting here on slashdot.

    2. Re:Am I the only one who hasn't noticed it? by peragrin · · Score: 2, Interesting

      A good point. Even though my AIM screenname is readily available on many websites and forums, I have to accept messages first.

      --
      i thought once I was found, but it was only a dream.
    3. Re:Am I the only one who hasn't noticed it? by SnprBoB86 · · Score: 2, Informative

      Your assumption that these security issues are IE/ActiveX related is completely flawed.

      I am a WinGaim user and I have seen a large number of infected AIM profiles and away messages as well as received quite a few "click this" type IMs. The vast majority of these attacks are social attacks. Generally, the malware inserts a "click this" type link that tries to get you to "look at my pictures" or something like that with a link to pictures.gif.pif.

      For IE 6 or FireFox users running on Windows XP with Service Pack 2, this results in a dialog indicating that you are about to run an application that came from an untrusted and unsigned source. STILL users click "run" on this dialog.

      IE/ActiveX is not to blame. Hell, I wouldn't even blame Windows because Windows tags the incoming file as untrusted and prevents it from running without USER PERMISSION (this is essentially the same as chmod +x, just not a serious pain in the ass for when you are downloading something you trust)

      --
      http://brandonbloom.name
    4. Re:Am I the only one who hasn't noticed it? by SnprBoB86 · · Score: 2, Informative

      Only partially true.

      IE 6 with SP2 shows "Run" instead of "Open" for executable and then WINDOWS (not IE) displays the prompt I am discussing.

      FireFox simply disables "Open" instead of displaying run, but then shows the download manager which reads "Open" regardless of the file type and if you click that prompts you "Open Executable File?" and even has a "Don't ask me again" check box. You press "OK" (not "Run") to continue.

      Upon further testing... I have discovered that FireFox DOES NOT cause the WINDOWS prompt. Apparently, FireFox fails to attach the secondary data stream to the NTFS node of the file like IE6SP2 does. This means that if I do "Save to disk" (in FireFox) or "Save" (in IE) then go and double click the file in Explorer (regardless of its file extension) the file downloaded with FireFox will simply run whereas the IE downloaded file will prompt me for permission for a program to execute. The IE behavior is clearly superior in that it works without the presence of IE.

      --
      http://brandonbloom.name
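
Added example, not part of the thread: the "secondary data stream" discussed in the two comments above is the NTFS `Zone.Identifier` alternate data stream. This Python sketch parses that stream's content and flags double-extension names such as `pictures.gif.pif`; the function names, extension lists and sample stream text are constructed for illustration, and treating zone 3 and above as "marked untrusted" is a simplification of the Windows check.

```python
import configparser
from pathlib import PureWindowsPath

# Illustrative, partial lists (assumptions, not an official Windows list).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".txt", ".doc"}

# URL security zones as numbered by Windows.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample of the stream content written for a web download.
SAMPLE_STREAM = "[ZoneTransfer]\nZoneId=3\n"


def read_zone_stream(path):
    """Return the Zone.Identifier text for path, or None if it has none.

    The "file:stream" syntax only works on Windows/NTFS; elsewhere -> None.
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8",
                  errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def parse_zone_id(stream_text):
    """Return the integer ZoneId, or None if the stream is absent or malformed."""
    if not stream_text:
        return None
    parser = configparser.ConfigParser()
    try:
        parser.read_string(stream_text)
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def is_deceptive_name(filename):
    """True for names like pictures.gif.pif: decoy extension, then a runnable one."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return (len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DECOY_EXTS)


def assess(filename, stream_text):
    """Summarise how a downloaded file would look to a triage script."""
    zone = parse_zone_id(stream_text)
    runnable = PureWindowsPath(filename).suffix.lower() in EXECUTABLE_EXTS
    return {
        "zone": ZONE_NAMES.get(zone, "unmarked"),
        "marked_untrusted": runnable and zone is not None and zone >= 3,
        "unmarked_executable": runnable and zone is None,  # runs with no prompt
        "deceptive_name": is_deceptive_name(filename),
    }


if __name__ == "__main__":
    for name, stream in [("pictures.gif.pif", SAMPLE_STREAM),
                         ("pictures.gif.pif", None),
                         ("holiday.gif", SAMPLE_STREAM)]:
        print(name, assess(name, stream))
```

On a Windows host, `assess(path, read_zone_stream(path))` applies the same check to a real download.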
  4. Beware the IM come on by Saint37 · · Score: 2

    I've seen messages which are supposedly coming from women who want to "chat". These are most of the time spam. I ignore them, but I think this is a common tactic that is probably used by hacks.

    http://www.stockmarketgarden.com/

  5. Just don't use their client by endrue · · Score: 5, Informative

    It is too bad that people are not aware of applications like gaim, trillian, etc. You get all the benefits and fewer risks (not to mention that you avoid all the bolted-on crap that comes with all the default clients).

    We use MSN Messenger at my work and everyone uses the MSN client. Has anyone seen this embarrassment? There is so much crap tacked around the buddy and message windows that it is almost unusable. I am trying to move people over to trillian and it is not hard. Once they see a nice clean UI, they want to use it.

    I guess it's time to start educating the masses!

    --
    I meta-moderate because I care.
    1. Re:Just don't use their client by Xrikcus · · Score: 4, Interesting

      Most people I know (and I mean most, including the geeks - one ex hardcore linux user) prefer the msn client to gaim and so on. They've used gaim and similar clients, they've made the effort, and gone back to the msn client.

      I'm not really sure why... but that is the case.

    2. Re:Just don't use their client by endrue · · Score: 2, Interesting

      Of course there is always http://meebo.com/meebo too.

      --
      I meta-moderate because I care.
    3. Re:Just don't use their client by minerat · · Score: 2

      The problem isn't just with their client (albeit that's the viral spreading half), it's that people are downloading applications by clicking on links. How does a different content protect people from receiving the payload?

      --
      ...and you've eaten your pen. simply stunning.
    4. Re:Just don't use their client by endrue · · Score: 2, Insightful

      Your point is valid, however people will click links on webpages and in emails as well. By switching to a generic client you are bypassing the security hassles (i.e. the things that cannot be helped) and you are left with the user having to be responsible just like they have to be on every web-based medium.

      --
      I meta-moderate because I care.
    5. Re:Just don't use their client by Anonymous Coward · · Score: 2, Insightful

      Well, most people I know think the MSN client is a crufty, bloated piece of shit.

      The plural of "anecdote" is not "data".

    6. Re:Just don't use their client by Ced_Ex · · Score: 3, Funny

      Does your work use straight MSN?

      No. My work uses the homosexual MSN.

      More lesbians that way.

      --
      Live forever, or die trying.
  6. Re:IRC, you say?... by ZiakII · · Score: 4, Funny

    Rly? ... cuz my m8 got 0wned by this hacker on AIM. Posted about it on his myspace account if u wanna read it. u think i should tell him 2 go 2 IRC? r ther no hackers there? I'll tell him i heard its saf3r, k? cuz I heard they can get ur IP number on AIM & not on IRC, that true 2?

    OMGZ I just pwned some guy yesterday mebe it was u?, haha what a n00b he told me his IP was 127.0.0.1 and I used some 1337 program to pwn his comp and now I have full permission to do it, I think I'll start deleteing his files. LOLZ!

  7. IM virus protection by 192939495969798999 · · Score: 4, Funny

    I'm not susceptible to IM viruses, ever since my friend X_Cindy_X_12345 IM'd me with this link to a special program I had to install. It prevents any kind of issue with the(##*@JN#IN#F____+++ NO CARRIER

    --
    stuff |
  8. Mobile phones by Rob+T+Firefly · · Score: 4, Insightful

    This is going to cause more and more of a problem not just for Joe Average PC user, but for the growing numbers of people with IM capability on their mobile phones and other devices, where using a clean third-party client is not an option, and where many plans still charge by the message.

  9. Re:Funny IM Exploit Story by Anonymous Coward · · Score: 2, Funny

    you lying sack of shit

  10. It's easy enough to see why... by Torinir · · Score: 3, Insightful

    IM applications are hot attack vectors.

    1. Most instant messenger applications are client dependent. You need YIM/AIM/MSNM clients to talk to others on those IM networks, unlike client independent networks such as IRC.

    2. IM programs store contact lists much like a standard email client. Easy to read, exploit and spread.

    3. Most IM programs enjoy a high degree of popularity. Higher user counts = faster spreading.

    It's probably why I avoid IM programs like the plague.

    1. Re:It's easy enough to see why... by minerat · · Score: 2

      While it may be a hot attack vector, I don't see why it's an infection problem in the corporate world. Everything depends on the user being able to download & execute the payload. If it's a home user, there aren't many protections in place to save them. In a corporate environment, downloads should be filtered to begin with. This prevents the vast majority of spyware encountered while browsing the web from being installed. It would also prevent users from downloading viral payloads linked to them through an IM application (I'm assuming external IM is allowed - whether or not that's a good idea is another debate). A security vulnerability directly related to a flaw in the official clients allowing instant victim to victim infection without contacting a 3rd party would bypass this security, but I don't recall having seen anything like that with the current form of IM viruses. My point is that any company with a half decent security plan should already be blocking IM viruses' primary infection vector because in that context it's the same as spyware.

      --
      ...and you've eaten your pen. simply stunning.
  11. Re:Why pussy sucks. by BigDaddyNyth · · Score: 2, Informative

    You should get a new girlfriend named Miranda, http://www.miranda-im.org/

  12. Phishing by AviLazar · · Score: 2, Informative

    I still get a lot of these. Someone will message me, with PISS poor English...claim they are from the US and abroad (or in one instance...a girl from England who lives in the US but is visiting her family). Sends me some model pictures and talks to me...within hours telling me how she loves me and thinks there is something special...it usually lasts about two weeks---hey I do get bored playing CS -- and at least I am keeping those clowns busy.

    It's amazing, and there is really nothing we can do about these idiots except hope people won't be stupid enough to send them money. In the end, it is the old scams "I am from war torn country, send me account number so I give you 10 million..."

    --

    I mod down so you can mod up. Your welcome.
  13. Microsoft market leader.. again! by naelurec · · Score: 2, Interesting

    MSN experienced the largest number of IM security incidents in both 2004 and 2005

    So they have over 50% of the market on IM security incidents .. go Microsoft!

    Just curious, what is their marketshare for IM? I tried looking it up w/o success.

  14. Security Policy by guitaristx · · Score: 2, Informative

    I had a large hand in developing a security policy for my workplace regarding instant messaging. One of the key points in the policy is that all IM software is to be configured to automatically reject unsolicited IMs (i.e. "Only accept messages from people in my buddy list"). Not a great solution if malware infects a user's computer, hijacks the IM client (or just the username/password), and propagates to all of that person's IM buddies. However, most of the IM-based malware also has some portion of its payload distributed via the file-sharing mechanisms, which is also addressed in our security policy: "All file transfers must be initiated by user action. A remote user may not read or write any file to or from a [my company] computer; i.e. a computer may not behave as a peer-to-peer file-sharing server." If you close those two doors, you stop a big portion of the problems.

    --
    I pity the foo that isn't metasyntactic
    1. Re:Security Policy by ichimunki · · Score: 2, Insightful
      All file transfers must be initiated by user action.

      This seems overly broad. How do you automate internal file transfers with a policy like this? Do you have no operational systems that need to provide data extracts to analysis systems or the like? Or do you allow automated transfer in documented and approved situations?

      --
      I do not have a signature
  15. Sweet by somethingprolific · · Score: 2, Funny

    Hey, this is an interesting article. Anyone who wants to discuss it hit me up on UIN 5050554. Oh wait... nevermind. I forgot that someone jacked my password and changed it last year! I had a low number you skank! Anyway, if you have my password, please place it on my desktop in a text file at 153.145.2.302 Thanks

  16. Re:IRC, you say?... by Cyberax · · Score: 3, Informative

    Almost everyone knows that 127.0.0.1 is a loopback address.

    But it is not widely known that ANY 127.x.x.x address is loopback. So you can have a lot of fun asking to attack, say 127.3.44.165 :)

  17. How to keep out IMs? by DrVomact · · Score: 2, Informative

    I am the "admin" for my family network (4PCs, connected via router, 1 WPA-PSK secured wireless connection to the router) and I try my best to keep things running smoothly and securely. A couple of months ago, my 15 year old daughter downloaded a virus via the MS IM thing. I had to restore her system from backup--that virus was eeeeevil. To her credit, she's been very careful since then, and I actually trust her not to do it again (her mother is a different story...). However, it bugs me that I don't have any control of what comes in via IM. For example, you can't just turn off the IM port--the damn things will use any open port, including 80. There's no way to exclude particular IM clients or senders...no control at all. (I'm just a control freak when I'm in sys admin mode...really). So what to do?

    --
    Great men are almost always bad men--Lord Acton's Corollary
  18. Multi-protocol clients? by aconkling · · Score: 2, Informative
    FTA:
    FaceTime said that exploits can jump networks through IM "consolidation" applications, such as Trillian or Gaim, which let people combine contacts from multiple IM networks on one list.
    Can anyone attest to or refute this? This kinda surprises me. Do these attacks get in through the browser, the protocol, or the client specifically? I can see them hopping protocols if they're getting down into the browser or OS (and then working back up to another protocol), but I can't imagine these hackers hacking Gaim or Trillian since they have less marketshare (analogous to the paucity of viruses on Mac OS/Linux). Does this stand to reason?
  19. Always Had Attacks by Archades54 · · Score: 2, Funny

    Instant messenging has always had great amounts of attacks..on the english language

    --
    If your neighbours roof is flying past your window, you know it's cyclone season.