Slashdot Mirror

← Back to Stories (view on slashdot.org)

Instant Messaging Vulnerable To New Smiley Attacks

Posted by timothy on from the clever-really dept.

titus writes "Security researchers Yoann Guillot and Julien Tinnes have found a way to encode malicious code into smileys and provided a proof of concept encoder to automate the process. The researchers said their discovery paves the way for IM malware that would be impossible to detect since the malicious code would be 'indistinguishable from genuine chat messages.' I've tested the proof of concept code which works very well. Time to panic?"

6 of 170 comments (clear)

  1. :(){ :|:& };: anyone? by TinBromide · · Score: 5, Informative

    :(){ :|:& };:

    There, punch that into your terminal and see the poweer of the smiley.

    --
    Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
  2. Re:obligatory xkcd by Kozz · · Score: 2, Informative

    It's a basilisk.

    --
    I only post comments when someone on the internet is wrong.
  3. Yawn.... by Anonymous Coward · · Score: 1, Informative

    I'm getting really bored at all these silly April 1st stories.

    I think for a little excitement I should go and punch Cowboy Neal in the face and kick him in the nutsack too.

    Now don't you think that would be funny?

  4. Re:Stop. Really, just stop by blackfrancis75 · · Score: 5, Informative

    Slashdot is operational 364 days a year.

    actually 364.24222 days a year .. and you call yourself a nerd?

  5. While this may well be a joke... by Wiseleo · · Score: 4, Informative

    ...in reality there are 3rd party smiley add-ons that work with IM software. You can recognize them by the "Your buddy sent you a smiley, to see it you need to install X software" type of IMs.

    That software is not exactly good for your computer either.

    For example: http://emoticons.smileycentral.com/yahoo-smileys.jsp

    And its EULA http://helpint.mywebsearch.com/intlinfo/eula/eula.jhtml

    Choice quotes from EULA

    UNIFIED REGISTRATION: As a service to our users, we may consolidate registration data for Webfetti, My Fun Cards, Kazulah, Smiley Central and certain other specified websites, services or applications accessible via the Toolbar, so that users are only required to provide registration information once, and would then be able to use the same unique ID and password to access all such websites, services or applications.

    Passwords. In order to access certain services, you may be required to accept additional terms and conditions and/or establish an account including an unique ID and password

    After reading that EULA, which references a bunch of other EULAs... that's enough to send my head spinning.

    --
    Leonid S. Knyshov
    Find me on Quora :)
  6. Re:Virus Smiles!?! by collinstocks · · Score: 3, Informative

    It is not wise to post such things... there are people who actually would paste that into a terminal despite your warning.

    The way it works is as follows: :(){ something } # this is a valid function declaration which does something
    program1|program2 # this runs both program1 and program2, and pipes the output of one to the other
    command& # this runs a command in the background (i.e. non-blocking)
    ; # this is a line break
    : # this is a valid function call

    So, it makes a recursive function which calls itself twice from within the body of the code. Since it calls itself non-blocking, there is no infinite recursion error. On the next line, it calls the function.

    So, each parent function call spawns two children, and each child spawns two children, et cetera. This can easily bring down a system that is not securely configured (that is, most systems).