Slashdot Mirror


Pipeline Worm Floods AIM With Botnet Drones

Several readers write about a new AIM threat dubbed the "AIM Pipeline Worm" that uses a sophisticated network of "chained" executables to attack the end user. Security Focus has a brief note. One anonymous reader writes: "Using this method, there is no starting point for the attack — a malicious link via IM can send you to any given file, at which point the path of infection you take depends entirely on the file you start off with. The hackers can then decide which order to install malicious software, depending on their needs at the time. At a bare minimum, you will become a Botnet Zombie — if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks. Unlike similar attacks that have been attempted in the past, the removal of a file from the chain will not stop the attack — you will simply end up with something else installed instead, in the form of a randomly named executable dumped in your system32 folder. You'll still spam an infection link to all your contacts."

17 of 196 comments

  1. i love it... by 0110011001110101 · · Score: 5, Funny
    when I get free trojans... it's so embarrassing to buy them in the store...

    the internet is a wonderful place

    --
    Don't anthropomorphize computers: they hate that.
    1. Re:i love it... by inviolet · · Score: 3, Funny
      True that, I buy condoms with a big grin on my face. "Yes ma'am, I AM getting some tonight and for the foreseeable future. I'll take the economy pack please."

      Ah, the 36-count jumbo box... I believe the name for that sized box is "The don't-have-a-Family Pack".

      --
      FATMOUSE + YOU = FATMOUSE
  2. And the lesson is... by d3ac0n · · Score: 4, Insightful

    Don't use IM software unless it's part of a closed, managed network. For example: www.omnipod.com is what we use for inter-office IM here. It's a closed network, and all files sent are automatically virus scanned before they can be received. Safe and effective, and keeps our employees from IM-ing with people outside the company.

    --
    Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
    1. Re:And the lesson is... by Daniel_Staal · · Score: 3, Interesting
      Which company is that? I just want to be sure to avoid working there ever.

      Don't worry. I'm sure everyone there has installed AIM on their computers without letting the IT department know.

      --
      'Sensible' is a curse word.
    2. Re:And the lesson is... by 99BottlesOfBeerInMyF · · Score: 4, Interesting

      Many, many companies block AIM at the firewall. Ask at your next interview.

      There is more wrong with the above scenario than just that. Blocking AIM is usually what happens at two kinds of companies, those that somehow think it will help productivity and those who are security paranoid. At the former, the working conditions probably suck. At the latter, a competent admin will have a Jabber server that connects to AIM and filters for malware. Otherwise, technical employees are likely to bypass security by SSH tunneling their IM communications, which is a risk in and of itself.

      The other thing wrong with this is paying for a proprietary IM solution instead of going with a free, open, standard, interoperable, secure Jabber server. With Jabber you can chat with any other Jabber server using a variety of clients on a variety of platforms. Internal communications are fully internal, running on your own server. External communications can be encrypted. Any company that pays for some other, proprietary IM server is probably run by incompetents and should be avoided.

  3. I am sorry if I don't yawn by aepervius · · Score: 4, Insightful

    QUOTE (emphasis mine): "How does this infection start off? As always, it begins with a seemingly innocent web address passed to you via Instant Messaging. Click the link and allow the file to execute and your day will quickly go bad."

    The method used after that sounds interesting, but nothing beats "trusting" executables sent by any source, anonymous or not, via email or AIM. Do that and SOONER or later your day will turn bad.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
    1. Re:I am sorry if I don't yawn by $RANDOMLUSER · · Score: 3, Funny
      ...downloads the image18.com file (disguised as a jpeg). Running the file...
      User clicks on .JPG file. Operating system (no names, please) looks at file, says "Oh, that's really an .EXE file, I'll just execute it without asking...".
      Sounds perfectly sane to me.
      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  4. Simple risk mitigation by LinuxIsRetarded · · Score: 3, Informative

    1- Don't run as an administrator.
    2- Back up your profile regularly.

    If you ever get bitten by something like this, it's easy to recover from.

    1. Re:Simple risk mitigation by russ1337 · · Score: 3, Funny
      Try explaining that in terms that the average user will be able to understand.
      CLICK HERE
    2. Re:Simple risk mitigation by (54)T-Dub · · Score: 3, Insightful
      1- Don't run as an administrator.
      Have you ever done this on a windows machine for an extended period of time? I did it for about a week before I gave up. Some programs don't even run unless you are administrator.

      Now if we are talking about a work environment then sure, give everyone in the building (except engineering) non-admin accounts, but I would never recommend doing it to someone who didn't have a high level of computer knowledge and patience or an equivalent IT staff on hand to help out with any issues.
      --
      "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
  5. Not to Worry by Aqua_boy17 · · Score: 5, Funny

    It's a Pipeline Worm. It's a good thing the internet is made up of tubes instead of pipes or we'd all be screwed!

    --
    What if the Hokey Pokey really is what it's all about?
  6. Re:Good thing it's AIM ... by fr175 · · Score: 3, Funny
    ... because it's a well known fact that most AOL users have higher than average internet savvy.
    Me too!
  7. And the lesson is, don't use omnipod, use jabber by spun · · Score: 4, Insightful

    It's free and open source. It's scalable. It's easy to install and manage. It runs entirely on your own infrastructure so your messages aren't vulnerable to prying eyes and bored sysadmins of some other company. You can set it up to interoperate with any other IM system if you want to. There's a ton of open source clients available. Safe and effective, and keeps people from spending money on crap "solutions" that aren't.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  8. Re:Good thing it's AIM ... by russ1337 · · Score: 5, Informative
    This worm spreads by getting users to run a .com file which is disguised as a .jpg.
    I was surfing pr0n^H^H^H^H^H the Internet the other night and mining some sites... I saw very clever(?) URLs on a couple of websites... they were along the line of:

    www.dodgywebsite.com/really_interesting_picture.jpg_/session_ID=2383/wwwdodgywebsite.com

    Note that the last part of the URL was ".com" .. not part of the website, but the suffix to the file - a COM file!!

    You gotta watch yourself
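An added example, not code from the Slashdot thread or the Security Focus note: a small classifier that recovers the real extension of the file a URL actually names (the last path segment, which is what the browser saves and what the Windows shell uses to decide whether to run it) and flags links dressed up as images, like the ".jpg_/.../x.com" URL quoted above. The executable-extension list and the example.invalid sample URLs are assumptions constructed for this example.

```python
"""Flag download URLs whose real filename is an executable type even though
the URL is dressed up to look like an image (the ".jpg_/.../x.com" trick)."""
from urllib.parse import urlsplit, unquote
import posixpath
import re

# File types the Windows shell runs on double-click. Assumed list for this
# example; extend it to match your own policy.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
# An image extension anywhere in the path, even when glued to other
# characters ("picture.jpg_/", "image18.jpg.com").
IMAGE_HINT = re.compile(r"\.(jpe?g|gif|png|bmp)(?![a-z0-9])", re.IGNORECASE)


def real_extension(url: str) -> str:
    """Extension of the final path segment; query and fragment are ignored
    because they never become part of the saved filename."""
    path = unquote(urlsplit(url).path)
    last = posixpath.basename(path.rstrip("/"))
    return posixpath.splitext(last)[1].lower()


def classify_url(url: str) -> str:
    """'disguised_executable' if the URL mentions an image but really names
    an executable, 'executable' if it plainly names one, else 'clean'."""
    if real_extension(url) not in EXECUTABLE_EXTS:
        return "clean"
    path = unquote(urlsplit(url).path)
    return "disguised_executable" if IMAGE_HINT.search(path) else "executable"


if __name__ == "__main__":
    # First URL is the one quoted in the comment above; the rest are constructed.
    samples = [
        "http://www.dodgywebsite.com/really_interesting_picture.jpg_/session_ID=2383/wwwdodgywebsite.com",
        "http://example.invalid/pics/image18.jpg.com",   # hidden known extension
        "http://example.invalid/pics/holiday.jpg",
        "http://example.invalid/tools/setup.exe",
    ]
    for u in samples:
        print(f"{classify_url(u):22} {u}")
```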
  9. Re:And the lesson is, don't use omnipod, use jabbe by 99BottlesOfBeerInMyF · · Score: 4, Interesting

    Our users do actually get a lot of latitude with their machines (programming shop, they have to have it) but there are certain things we do not allow. Public IM networks are one of them.

    Having worked at a number of programming shops, that doesn't sound like a lot of latitude to me. If you can't install arbitrary software because of an AD policy and you audit people's machines it sounds like a very authoritarian place that does not trust the workers very much. Here we get a choice of computer brand (1 of 3), laptop or tower, any OS we want, and any software we feel like. We're also responsible for keeping our machines moderately secure. We have internal IRC servers and any IM we want is fine. Shop talk is encrypted by policy, either over Jabber or on top of a public network like AIM.

    I think it is pretty darn useful. I have a lot of friends and colleagues on both of the aforementioned IM networks who I regularly consult and vice versa. This provides me with an additional resource as well as makes for a more relaxed atmosphere, like when I want to see if my girlfriend wants to meet me for lunch, or just want to chat with old college buddies. I think the fact that my company trusts me is a lot more valuable than tight security policies. Most serious compromises come from within. Because they trust me I'm happier and I'm also a lot less likely to sell them out. Contrary to what you may have heard, studies show the most effective motivation for not exploiting an employer is not fear of punishment or being fired or jail, but an ethical desire to not hurt those who trust you. If your company does not trust you (audits, arbitrary restrictions) then that motivation is removed.

  10. Re:I love these kinds of attacks by JoeyJoeJo · · Score: 3, Funny

    Dear Penthouse, I never thought it would happen to me....

  11. Solutions by Beryllium+Sphere(tm) · · Score: 3, Informative

    Within the reach of a normal person, shift-right-click and Run As... will get you temporary and per-process administrator privileges without the insanity of running Internet Explorer as root.

    Within the reach of an expert, RegMon and FileMon can point you to the isolated places where changing ACLs will allow the stupid program to run. The most frequent bug is for a program to try to write to one or a few protected locations.