Slashdot Mirror


Pipeline Worm Floods AIM With Botnet Drones

Several readers write about a new AIM threat dubbed the "AIM Pipeline Worm" that uses a sophisticated network of "chained" executables to attack the end user. Security Focus has a brief note. One anonymous reader writes: "Using this method, there is no starting point for the attack — a malicious link via IM can send you to any given file, at which point the path of infection you take depends entirely on the file you start off with. The hackers can then decide which order to install malicious software, depending on their needs at the time. At a bare minimum, you will become a Botnet Zombie — if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks. Unlike similar attacks that have been attempted in the past, the removal of a file from the chain will not stop the attack — you will simply end up with something else installed instead, in the form of a randomly named executable dumped in your system32 folder. You'll still spam an infection link to all your contacts."

42 of 196 comments

  1. i love it... by 0110011001110101 · · Score: 5, Funny
    when I get free trojans... it's so embarrassing to buy them in the store...

    the internet is a wonderful place

    --
    Don't anthropomorphize computers: they hate that.
    1. Re:i love it... by smart.id · · Score: 2, Interesting

      I never understood this. What is so embarrassing about someone else knowing that you are fucking somebody?

      --
      blog & fiction: jd87
    2. Re:i love it... by Kesch · · Score: 2, Funny

      It's not that. It's that he's buying the 'Extra Small' ones. (Sorry, I couldn't help it. It was too good an opportunity to pass up.)

      --
      If this signature is witty enough, maybe somebody will like me.
    3. Re:i love it... by sfeinstein · · Score: 2, Funny

      Heh. And I can't help pointing out that you are most certainly NOT A MARKETER. Can you imagine Trojan or any condom company selling "Extra Small"? Yeah, I'm sure they'd fly right off the shelves.

      It would have to be marketed as "Tight-fit Performance Pro" or hidden in with macho words like "Maximum Super-Shrunk Thunderbolt" or something like that!

      --
      "Whether or not you believe me, I'm right" -RWF
    4. Re:i love it... by inviolet · · Score: 3, Funny
      True that, I buy condoms with a big grin on my face. "Yes ma'am, I AM getting some tonight and for the foreseeable future. I'll take the economy pack please."

      Ah, the 36-count jumbo box... I believe the name for that sized box is "The don't-have-a-Family Pack".

      --
      FATMOUSE + YOU = FATMOUSE
  2. And the lesson is... by d3ac0n · · Score: 4, Insightful

    Don't use IM software unless it's part of a closed, managed network. For example: www.omnipod.com is what we use for inter-office IM here. It's a closed network, and all files sent are automatically virus scanned before they can be received. Safe and effective, and keeps our employees from IM-ing with people outside the company.

    --
    Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
    1. Re:And the lesson is... by OECD · · Score: 2, Funny

      ... and keeps our employees from IM-ing with people outside the company.

      Which company is that? I just want to be sure to avoid working there ever.

      --
      One man's -1 Flamebait is another man's +5 Funny.
    2. Re:And the lesson is... by $RANDOMLUSER · · Score: 2, Informative

      Many, many companies block AIM at the firewall. Ask at your next interview.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    3. Re:And the lesson is... by Daniel_Staal · · Score: 3, Interesting
      Which company is that? I just want to be sure to avoid working there ever.

      Don't worry. I'm sure everyone there has installed AIM on their computers without letting the IT department know.

      --
      'Sensible' is a curse word.
    4. Re:And the lesson is... by 99BottlesOfBeerInMyF · · Score: 4, Interesting

      Many, many companies block AIM at the firewall. Ask at your next interview.

      There is more wrong with the above scenario than just that. Blocking AIM is usually what happens at two kinds of companies, those that somehow think it will help productivity and those who are security paranoid. At the former, the working conditions probably suck. At the latter, a competent admin will have a Jabber server that connects to AIM and filters for malware. Otherwise, technical employees are likely to bypass security by SSH tunneling their IM communications, which is a risk in and of itself.

      The other thing wrong with this is paying for a proprietary IM solution instead of going with a free, open, standard, interoperable, secure Jabber server. With Jabber you can chat with any other Jabber server using a variety of clients on a variety of platforms. Internal communications are fully internal, running on your own server. External communications can be encrypted. Any company that pays for some other, proprietary IM server is probably run by incompetents and should be avoided.

    5. Re:And the lesson is... by 99BottlesOfBeerInMyF · · Score: 2, Insightful

      Then they took a look at that cost and found that it is actually less than what they get back from increased productivity that their employees get by IMing their friends/family from work, instead of simply emailing or using a phone.

      Actually I know some of the security guys at one of those companies and I can make a good guess as to how the decision was made. It was probably at a much higher level. "Well, should we try to lock down each application on every desktop and have everyone trying to cram everything over port 80, or should we actually let everyone run things on the proper port and then filter things out as we need to?" I'll tell you what one of those companies does when this worm hits their network. They see the propagation behavior as a traffic anomaly on their control panel. Depending upon whether or not there is a signature, it will be listed by worm name or as an unknown worm. Then, they quarantine the infected hosts using ACLs on the routers that segregate their network chunks, removing the propagation traffic and any other traffic from those hosts that differs from "normal" recorded traffic patterns. Workers can still get to what they need to do their job, but can't connect out to random hosts anymore. IT gets an e-mail to clean the infected hosts, with a list of workstations. The worm signature is added to their filter for incoming traffic so it does not come in again over the pipes. The employees who ran it get yelled at by IT for running random executables from IM, which violates their work policy.

      And, I can still IM employees at that company to discuss business, which is a normal occurrence, since a lot of business happens over IM these days. IM is just like e-mail. Shutting it off, is not an acceptable answer anymore for most people, especially not in sales.

    6. Re:And the lesson is... by toleraen · · Score: 2, Insightful

      They see the propagation behavior as a traffic anomaly on their control panel.
      A few requests out to a website for a picture would hardly be considered an anomaly. I'm pretty sure our corporate proxy sees a few dozen requests to /. every minute. I'm sure CNN is much higher than that.

      Depending upon whether or not there is a signature, it will be listed by worm name or as an unknown worm.
      If there is no signature, how would it be listed as worm at all? Are you talking signature based on an IPS? Because those things aren't exactly very reliable (read: not at all) on catching unknown attacks. Trust me, I spent about 5 months testing them.

      Then, they quarantine the infected hosts using ACLs on the routers that segregate their network chunks, removing the propagation traffic and any other traffic from those hosts that differs from "normal" recorded traffic patterns.
      How does it know who's infected? After it's started its botnet spammings? That trojan has already forwarded its link on to dozens of other people by then. You're playing cleanup at this point. Being reactive to IT security is the last thing you want to do.

      Workers can still get to what they need to do their job, but can't connect out to random hosts anymore. IT gets an e-mail to clean the infected hosts, with a list of workstations.
      At this point they'd have to be completely cut off until their computer is cleaned. How do you know what port to block with the ACL? You may as well just shut down their interface. That means downtime for at least one person, then if anyone is relying on them for information, they've got downtime. Factor in the IT guy who has to clean it/rebuild the OS...etc etc. How much time does it take a few IT guys to clean a hundred computers again?

      The worm signature is added to their filter for incoming traffic so it does not come in again over the pipes. The employees who ran it get yelled at by IT for running random executables from IM which violates their work policy.
      Since when is taking a reactive approach to security ever a good thing? Slapping a corporate policy in a users face isn't going to do you jack for security.

      And, I can still IM employees at that company to discuss business, which is a normal occurrence, since a lot of business happens over IM these days. IM is just like e-mail. Shutting it off, is not an acceptable answer anymore for most people, especially not in sales.
      If IM is just like email, why not just use email? What's wrong with the phone?

      So this brings me back to my original reply up top. Any company with an actual IT department...would not allow this to be open. There isn't a 100% way to filter out malicious traffic. Sure, technologies like IPSs are coming along, but they're still a long way off, and rely way too much on signatures. The more possibilities you leave open for attack, the more likely you are going to be attacked. Close everything, then open up as necessary. When you have so many other options for relatively secure communications (phone/email/snailmail), why add the unnecessary risk?

    7. Re:And the lesson is... by crabpeople · · Score: 2, Informative

      No offense but are you nuts? People should be able to IM at work? Yeah we used to have that here. Then they made me disable all messengers because people chat on them all day long.

      Run a jabber server and filter the connections through there? GET REAL! Besides, most of these things have web based clients anyway, and admittedly I don't know exactly how this "jabber server proxy" would work but I doubt it even goes near port 80.

      What I have done to combat this problem is block instant messenger with group policy, and change the dns pointing for the web clients.

      "technical employees are likely to bypass security by SSH tunneling their IM communications"

      bwahahaha. yes. maybe you have these sorts of employees where you work, but mine can barely determine if their monitor is plugged in.

      --
      I'll just use my special getting high powers one more time...
    8. Re:And the lesson is... by canuck57 · · Score: 2, Insightful

      Many, many companies block AIM at the firewall.

      Should that not be "Many, many companies think they block AIM at the firewall."

      Nuff said if your security people think they have it all plugged up.

    9. Re:And the lesson is... by ktappe · · Score: 2, Insightful
      Blocking AIM is usually what happens at two kinds of companies, those that somehow think it will help productivity and those who are security paranoid.
      You have one of my employer's credit cards in your wallet. Tell me again that we are "paranoid" to block IM...or would you be happy with the possibility of your personal account information being sent out via chat?

      -K

      --
      "We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
    10. Re:And the lesson is... by djradon · · Score: 2, Funny
      Yeah, if an employee had the card info and the willingness to pass it on, lack of IM is not going to deter him. But there are legit reasons for wanting to block AIM. For one, your unwitting users, some of whom are probably administrators on their local machines, could be exposing sensitive information stored on their local hard drives. I'm going to send a friendly reminder to my AIM/Trillian userbase this morning:

      There's another AIM worm "on the loose" this morning:

      http://blog.spywareguide.com/2006/09/aim_pipeline_worm_uses_modular.html

      Please don't click on IM links, even if they appear to come from your friends unless you know for certain that you're not talking to an automated process.

      In this particular instance, you might get a message like "hey is it alright to put this picture of you up on my egallery album?" Clicking could induce a continuing "cycle of infections" that would be unseemly given our upcoming Sarbox audit.

      Thanks!

      BTW, Does anyone know a way to block automated hyperlinking of URLs?
  3. I am sorry if I don't yawn by aepervius · · Score: 4, Insightful

    QUOTE (emphasis mine): "How does this infection start off? As always, it begins with a seemingly innocent web address passed to you via Instant Messaging. Click the link and allow the file to execute and your day will quickly go bad."

    The method used after that sounds interesting, but nothing beats "trusting" executables sent by any source, anonymous or not, on email or AIM. Do that and SOONER or later your day will turn bad.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
    1. Re:I am sorry if I don't yawn by $RANDOMLUSER · · Score: 3, Funny
      ...downloads the image18.com file (disguised as a jpeg). Running the file...
      User clicks on .JPG file. Operating system (no names, please) looks at file, says "Oh, that's really an .EXE file, I'll just execute it without asking...".
      Sounds perfectly sane to me.
      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  4. Simple risk mitigation by LinuxIsRetarded · · Score: 3, Informative

    1- Don't run as an administrator.
    2- Back up your profile regularly.

    If you ever get bitten by something like this, it's easy to recover from.

    1. Re:Simple risk mitigation by russ1337 · · Score: 3, Funny
      Try explaining that in terms that the average user will be able to understand.
      CLICK HERE
    2. Re:Simple risk mitigation by (54)T-Dub · · Score: 3, Insightful
      1- Don't run as an administrator.
      Have you ever done this on a windows machine for an extended period of time? I did it for about a week before I gave up. Some programs don't even run unless you are administrator.

      Now if we are talking about a work environment then sure, give everyone in the building (except engineering) non-admin accounts, but I would never recommend doing it to someone who didn't have a high level of computer knowledge and patience or an equivalent IT staff on hand to help out with any issues.
      --
      "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
    3. Re:Simple risk mitigation by Buran · · Score: 2, Insightful

      The only reason this attack wasn't launched against Linux was

      (3) Linux doesn't allow non-root users to install shit in vital system folders and be run at startup.

    4. Re:Simple risk mitigation by Software · · Score: 2, Informative
      Have you ever done this on a windows machine for an extended period of time? I did it for about a week before I gave up. Some programs don't even run unless you are administrator.
      Yep, do it all the time. Even taught the wife how to do it. See http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx for details, but the basic idea is to run a batch file when you want to be an admin. The batch file gives you admin privileges, starts a process (usually iexplore.exe file:///c:/ , which gives you a normal Windows Explorer), then takes away your admin privileges. Here's the file:
      setlocal
      REM The account that holds the admin password (saved once by runas /savecred),
      REM the group to join temporarily, the program to launch elevated, and the
      REM ordinary account that gets the temporary membership.
      set _Admin_=%COMPUTERNAME%\Administrator
      set _Group_=Administrators
      set _Prog_="C:\Progra~1\Intern~1\iexplore.exe file:///c:/"
      set _User_=%USERDOMAIN%\%USERNAME%

      if "%1"=="" (
          REM First pass, run by the normal user: re-run this same script (%~s0 is
          REM its short path) as the admin account, passing our own user name as %1.
          runas /savecred /u:%_Admin_% "%~s0 %_User_%"
          if ERRORLEVEL 1 echo. && pause
      ) else (
          REM Second pass, now running as Administrator with %1 = the normal user.
          echo Adding user %1 to group %_Group_%...
          net localgroup %_Group_% %1 /ADD
          if ERRORLEVEL 1 echo. && pause
          echo.
          echo Starting program in new logon session...
          REM The new logon session's token is built while %1 is still in the group,
          REM so the membership can be revoked right afterwards without affecting
          REM the program that was just started.
          runas /savecred /u:%1 %_Prog_%
          if ERRORLEVEL 1 echo. && pause
          echo.
          echo Removing user %1 from group %_Group_%...
          net localgroup %_Group_% %1 /DELETE
          if ERRORLEVEL 1 echo. && pause
      )
      endlocal
      Instead of iexplore.exe, you can use Quicken.exe, for example. The advantage of using iexplore.exe is that you can launch other processes, such as installation programs, easily. Don't forget PrivBar, either, to show you what your current privilege level is.
    5. Re:Simple risk mitigation by 99BottlesOfBeerInMyF · · Score: 2, Insightful

      you right-click an executable and choose 'run as...' then the default option is to run it in an untrusted mode without giving it access to your files and settings.

      The problem is, to do this you have to have set up a different user account, and it has access to all of those files and settings. This is broken conceptually, and in practice the average user does not create a second account, because the average user does not want a second account; they want to run programs without letting them mess anything up. A file follows a desktop metaphor and is understandable. Likewise a user is understood to be a person with access to the machine. If there is only one person using the machine, it is counter-intuitive to create a second user account. Finally, it is unintuitive to have to right-click to safely run a program, when it is a reasonable default behavior that most users assume the computer is already doing. Go ask 10 average people, if they click on an image someone IMs them, whether they think that should let a program send e-mail from their computer without asking them. Go ask 10 users, if they run a game they downloaded, whether it should be able to read their e-mail address book without asking for permission. Most users not only think it shouldn't be able to, but they assume it can't. This is because computers are not designed to work sensibly and meet the reasonable expectations of the average user.

    6. Re:Simple risk mitigation by tchuladdiass · · Score: 2, Interesting

      Simple fact is that the family uses lots of Windows-only programs. The wife will come home from an accounting class, and needs to download Excel spreadsheets from the college web site (which is IE centric, and has little annoyances under Firefox); these spreadsheets will then need to be used under Excel, because last time I had her use it under OpenOffice something didn't quite work right and caused problems when she sent it back to her instructor.
      The kids will often need to use MyJal to download ringtones into their Nextel's. Could probably get this working under Wine, but haven't tried yet.
      And everyone uses Pogo games, some work under Firefox but some don't.
      But slowly I'm getting everyone switched over. I've already set up a thin client (LTSP-based) system using an old Cyrix system, which runs a desktop off the main server. Everyone will use this secondary system when the Windows box is "acting stupid" as they put it. So far, it is working for almost everything, but not quite there yet.

  5. Good thing it's AIM ... by (54)T-Dub · · Score: 2, Funny

    ... because it's a well known fact that most AOL users have higher than average internet savvy.

    Now I have more reason than ever to install trillian/gaim on newb computers.

    --
    "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
    1. Re:Good thing it's AIM ... by fr175 · · Score: 3, Funny
      ... because it's a well known fact that most AOL users have higher than average internet savvy.
      Me too!
    2. Re:Good thing it's AIM ... by fr175 · · Score: 2, Interesting
      Now I have more reason than ever to install trillian/gaim on newb computers.
      AOL silliness aside, according to (my understanding of) TFA (and, yes, I am new here), this worm spreads by getting users to run a .com file which is disguised as a .jpg. The .com then infects the user's System32 directory and the magic happens. Wouldn't GAIM and Trillian both be vulnerable to this, if they are running on Win machines?
    3. Re:Good thing it's AIM ... by russ1337 · · Score: 5, Informative
      This worm spreads by getting users to run a .com file which is disguised as a .jpg.
      I was surfing pr0n^H^H^H^H^H the Internet the other night and mining some sites... I saw very clever(?) URLs on a couple of websites... they were along the line of:

      www.dodgywebsite.com/really_interesting_picture.jpg_/session_ID=2383/wwwdodgywebsite.com

      Note that the last part of the URL was ".com" .. not part of the website, but the suffix to the file - a COM file!!

      You gotta watch yourself
    4. Re:Good thing it's AIM ... by OverlordQ · · Score: 2, Informative

      dollars to doughnuts that that is just tracking info for what picture was downloaded where and how much. Keep in mind, just because it says .jpg/foo/bar/baz/quux doesn't mean that there's a picture instead of CGI sitting there returning the content to you

      --
      Your hair look like poop, Bob! - Wanker.
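Added example, not posted by anyone in this thread: a small Python check that looks for the two disguises discussed above (an executable filename hidden behind an image-looking path, as in the dodgywebsite URL, and an image-named file served as executable content, as in the image18 file) in a few constructed proxy log lines. It also builds the kind of per-host quarantine list 99BottlesOfBeerInMyF describes, keyed on how many distinct clients fetched the same disguised artifact, so ordinary picture requests (toleraen's objection) never trigger it. The log format, host names, addresses and URLs are all constructed for the example.

```python
"""Flag image-disguised executables in proxy logs and build a quarantine list.

Assumed (constructed) log format, one request per line:
    <timestamp> <client_ip> <url> <http_status> <content_type>
"""
import posixpath
from collections import defaultdict
from urllib.parse import urlsplit

EXEC_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
EXEC_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                      "application/octet-stream"}


def effective_filename(url):
    """The last path segment is what gets saved to disk and, on Windows,
    what decides whether a double-click executes it. The host name is
    deliberately ignored: a '.com' there is not a file suffix."""
    return posixpath.basename(urlsplit(url).path)


def advertises_image(url):
    """True if an image extension appears anywhere in the path, which is the
    part of the link a user actually reads before clicking."""
    path = urlsplit(url).path.lower()
    return any(ext in path for ext in IMAGE_EXTENSIONS)


def classify(url, content_type):
    """Return a reason string if the request looks like a disguised executable,
    else None. Plain image fetches and undisguised downloads return None."""
    ext = posixpath.splitext(effective_filename(url))[1].lower()
    ctype = content_type.split(";")[0].strip().lower()
    if ext in EXEC_EXTENSIONS and advertises_image(url):
        return "executable filename behind an image-looking path"
    if ext in IMAGE_EXTENSIONS and ctype in EXEC_CONTENT_TYPES:
        return "image filename served with executable content-type"
    return None


def parse_line(line):
    ts, client, url, status, ctype = line.split(maxsplit=4)
    return {"ts": ts, "client": client, "url": url,
            "status": int(status), "ctype": ctype}


def scan(lines, min_hosts=3):
    """Return (findings, quarantine): every disguised fetch, and the set of
    clients that fetched a disguised artifact seen from >= min_hosts clients
    (the propagation signal, as opposed to a single curious download)."""
    findings = []
    clients_by_artifact = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["status"] != 200:
            continue
        reason = classify(rec["url"], rec["ctype"])
        if reason is None:
            continue
        # Key on server + filename so per-victim session ids do not split the cluster.
        artifact = (urlsplit(rec["url"]).netloc, effective_filename(rec["url"]))
        clients_by_artifact[artifact].add(rec["client"])
        findings.append({**rec, "reason": reason, "artifact": artifact})
    quarantine = {f["client"] for f in findings
                  if len(clients_by_artifact[f["artifact"]]) >= min_hosts}
    return findings, quarantine


# Constructed sample log: two benign requests, three victims of the same
# disguised .com, one image-named executable, one undisguised installer.
LOG_LINES = [
    "2006-09-14T09:58:01 10.1.4.22 http://photos.example.net/vacation.jpg 200 image/jpeg",
    "2006-09-14T09:58:03 10.1.4.22 http://news.example.com/index.html 200 text/html",
    "2006-09-14T10:02:11 10.1.4.22 http://dodgy.example/really_interesting_picture.jpg_/session_ID=2383/wwwdodgy.com 200 application/octet-stream",
    "2006-09-14T10:02:40 10.1.4.35 http://dodgy.example/really_interesting_picture.jpg_/session_ID=2384/wwwdodgy.com 200 application/octet-stream",
    "2006-09-14T10:03:05 10.1.4.51 http://dodgy.example/really_interesting_picture.jpg_/session_ID=2385/wwwdodgy.com 200 application/octet-stream",
    "2006-09-14T10:04:00 10.1.4.60 http://cdn.example.org/image18.jpg 200 application/x-msdownload",
    "2006-09-14T10:05:00 10.1.4.70 http://cdn.example.org/download/setup.exe 200 application/x-msdownload",
]

if __name__ == "__main__":
    found, hosts = scan(LOG_LINES)
    for f in found:
        print(f"{f['ts']} {f['client']} {f['reason']}: {f['url']}")
    print("quarantine candidates:", sorted(hosts))
```

The netloc-plus-filename key is what makes the three dodgy fetches cluster despite their different session IDs; a real deployment would feed the quarantine set to whatever pushes the router ACLs, and would log the undisguised setup.exe under a download policy rather than as an infection signal.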
  6. Not to Worry by Aqua_boy17 · · Score: 5, Funny

    It's a Pipeline Worm. It's a good thing the internet is made up of tubes instead of pipes or we'd all be screwed!

    --
    What if the Hokey Pokey really is what it's all about?
    1. Re:Not to Worry by revery · · Score: 2, Funny

      It's a Pipeline Worm. It's a good thing the internet is made up of tubes instead of pipes or we'd all be screwed!

      Senator Ted Stevens responds:
      Yes, but you see, the tubes are connected to pipes, and those pipes are connected to larger pipes, and then there are canals, and dams and reservoirs, and other things that are even more complex and convoluted. So you can see by my use of the words "complex" and "convoluted", that it's all terribly complicated. But you are right about one thing: thank God it's not a tube-line attack - I don't know if that's the right word or not - but the tubes, they are the most important part of all the Internets, because that's where we access them, and by "we", I mean me and you.

      Next question?

  7. using aim by thedrunkensailor · · Score: 2, Funny

    using aim is like being kicked in the balls

    --
    i support the right to offend.
  8. And the lesson is, don't use omnipod, use jabber by spun · · Score: 4, Insightful

    It's free and open source. It's scalable. It's easy to install and manage. It runs entirely on your own infrastructure so your messages aren't vulnerable to prying eyes and bored sysadmins of some other company. You can set it up to interoperate with any other IM system if you want to. There's a ton of open source clients available. Safe and effective, and keeps people from spending money on crap "solutions" that aren't.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  9. I love these kinds of attacks by JoeyJoeJo · · Score: 2, Funny

    I'm a student employed by the university to fix students' computers in my dorm building. Everyone will click on these links, some more than once. But why do I love these attacks? The hot chicks that will inevitably click the link. I love this job.

    1. Re:I love these kinds of attacks by JoeyJoeJo · · Score: 3, Funny

      Dear Penthouse, I never thought it would happen to me....

  10. Re:And the lesson is, don't use omnipod, use jabbe by 99BottlesOfBeerInMyF · · Score: 4, Interesting

    ur users do actually get a lot of latitude with their machines (programming shop, they have to have it) but there are certain things we do not allow. Public IM networks are one of them.

    Having worked at a number of programming shops, that doesn't sound like a lot of latitude to me. If you can't install arbitrary software because of an AD policy and you audit people's machines it sounds like a very authoritarian place that does not trust the workers very much. Here we get a choice of computer brand (1 of 3), laptop or tower, any OS we want, and any software we feel like. We're also responsible for keeping our machines moderately secure. We have internal IRC servers and any IM we want is fine. Shop talk is encrypted by policy, either over Jabber or on top of a public network like AIM.

    I think it is pretty darn useful. I have a lot of friends and colleagues on both of the aforementioned IM networks who I regularly consult and vice versa. This provides me with an additional resource as well as makes for a more relaxed atmosphere, like when I want to see if my girlfriend wants to meet me for lunch, or just want to chat with old college buddies. I think the fact that my company trusts me is a lot more valuable than tight security policies. Most serious compromises come from within. Because they trust me I'm happier and I'm also a lot less likely to sell them out. Contrary to what you may have heard, studies show the most effective motivation for not exploiting an employer is not fear of punishment or being fired or jail, but an ethical desire to not hurt those who trust you. If your company does not trust you (audits, arbitrary restrictions) then that motivation is removed.

  11. Solutions by Beryllium+Sphere(tm) · · Score: 3, Informative

    Within the reach of a normal person, shift-right-click and Run As... will get you temporary and per-process administrator privileges without the insanity of running Internet Explorer as root.

    Within the reach of an expert, RegMon and FileMon can point you to the isolated places where changing ACLs will allow the stupid program to run. The most frequent bug is for a program to try to write to one or a few protected locations.

  12. fuckers stole my system32 folder by quonsar · · Score: 2, Funny

    lessee... /, bin, boot, debootstrap, dev, etc, home, initrd, lib, media, mnt, opt, proc, root, sbin, srv, sys, tmp, usr, var - nope, it's GONE!

  13. Re:And the lesson is, don't use omnipod, use jabbe by Buran · · Score: 2, Interesting

    Social lives, mind wandering = not at work.

    Funny, I thought that when I was sitting at my desk, I was at work. What I'm actually doing at my desk has nothing to do with whether or not I am at work.

    Oh, and by the way, open your eyes and read this:

    What's Next: Stupid Productivity Tricks

    You say you don't care if people walk around for a bit? Eat your words:

    "recreational Web surfing has become a kind of mental floss for workers who spend their days sucking in a stream of work-related data that now comes in at a firehose pace--it's the information age equivalent of a walk around the block."

  14. But WHICH keyboard and chair? by Sloppy · · Score: 2, Insightful
    Seems to me that the main problem is between the keyboard and the chair.

    Yes, at some developer's desk.

    Some brilliant programmer asked: What if the user of my messenger application, clicks on something? And his answer was: well, if it's a URL, download the file. [Ok, so far, so good. A little risky, but not totally stupid at first glance.]

    Then the followup question was: what if the file turns out to be an executable program? And his answer was: execute it, of course! Oh, and with the same privileges as the user.

    ?!?! A problem between keyboard and chair, indeed.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  15. This rings a bell by Bostik · · Score: 2, Informative

    From the article: What's smart about this attack is that it doesn't matter if you get a file "out of step" - if you start off with a particular file out of sequence, you'll just end up somewhere else in the chain instead. There is no right or wrong place to start with this one - the hackers will make sure you get your fill of infection files!

    The basic idea of using multiple, completely unrelated vulnerabilities and attacks to achieve total control is not exactly that new. In fact, the ideas that feel so obvious to us today were quite novel back at the turn of the century. Michal Zalewski described a worm prototype that worked in a somewhat similar manner more than six years ago.

    On the occasions that I get to give lectures about computer security, I try to illustrate these very ideas. The rule #1: There are no local exploits; all vulnerabilities are remote, some may just require a piggy-back step of first delivering extra code via other holes.

    --
    There is no such thing as good luck. There is only misfortune and its occasional absence.