Instant-Messaging Attacks On the Rise

Ant writes "CNET News.com and ZDNet News report that security attacks over instant-messaging (IM) networks became more prevalent in 2005, according to a new study. MSN experienced the largest number of IM security incidents in both 2004 and 2005, while year-on-year incident growth rates were largest on AIM."

Obvious

Obvious, they go to where the easy targets are. As a plus: When you infect a computer connected through AOL the chance of discovery and subsequent removal is smaller. How many granny's on AOL run a firewall+spybot+antivirus etc?

Simple Fix

FTA:
    "We recommend that customers do not click on attachments or links in IM without confirming their validity with the person who sent them"

When is a patch going to come out for this problem, it seems to have been plaguing the net for quite some.

Re:Simple Fix

When is a patch going to come out for this problem, it seems to have been plaguing the net for quite some.

We've been trying to patch human beings for quite a while now, but they just don't seem to stand still. We'll get to it though.

Funny IM Exploit Story

A friend of mine was bothering me the other day. He runs Linux and thinks he's impervious to most virus attacks. Anyway, I opened up the binary of a Linux program I wrote that simply displays "LOL" over and over again, copied and pasted it into an IM window to him. Lo and behold, his computer started sending me back "LOL" as an instant message, over and over again!

So, the moral of this story is that even if you run Linux, you're still susceptible to IM worms and attacks. My friend certainly was.

Am I the only one who hasn't noticed it?

I have not seen any such attacks when using my normal IM software. I am constantly connected to AIM but I never recieve such problems. It might have to do with the fact that I use Fire/iChat, or Kopete/Gaim.

Maybe because my IM client doesn't download and run activeX ads I don't have such problems. The AIM client for Windows doesn't like running in restricted user modes or restricted IE settings on any machine i have installed it on.

So I would say it's not so much IM problems but more of the same IE/ActiveX security issues that continually plague the world that uses that crap.

Beware the IM come on

I've seen messages which are supoposedly coming from women who want to "chat". These are most of the time spam. I ignore them, but i think this is a common tactic that is probably used by hacks.

http://www.stockmarketgarden.com/ [stockmarketgarden.com]

Just don't use their client

It is too bad that people are not aware of applications like gaim, trillian, etc. You get all the benefits and fewer risks (not to mention that you avoid all the bolted-on crap that comes with all the default clients).

We use MSN Messenger at my work and everyone uses the MSN client. Has anyone seen this embarrasment? There is so much crap tacked around the buddy and message windows that it is almost unusable. I am trying to move people over to trillian and it is not hard. Once they see a nice clean UI, they want to use it.

I guess its time to start educating the masses!

Re:Just don't use their client

Most people I know (and I mean most, including the geeks - one ex hardcore linux user) prefer the msn client to gaim and so on. They've used gaim and similar clients, they've made the effort, and gone back to the msn client.

I'm not really sure why... but that is the case.

Re:Just don't use their client

Does your work use straight MSN?

No. My work uses the homosexual MSN.

More lesbians that way.

Why pussy sucks.

A new girlfriend insisted on installing MSN, AIM, and Yahoo Messanger on my home xp machine this weekend - I can't stand that shit. Now there's like four freaking toolbars and constant door slamming sounds emminating from my computer. Talk about a reason to switch to linux at home...

57%?

MSN had a 57 percent share of the attacks, AOL had 37 percent and Yahoo had 6 percent

I do not use msn. But we (myself and my friends in yahoo chat rooms) were annoyed beyond limit by attacks. There are fake sites asking you to enter yahoo passwords and so on. I can imagine what hell msn users must have gone through.

IM virus protection

I'm not susceptible to IM viruses, ever since my friend X_Cindy_X_12345 IM'd me with this link to a special program I had to install. It prevents any kind of issue with the(##*@JN#IN#F____+++ NO CARRIER

Mobile phones

This is going to cause more and more of a problem not just for Joe Average PC user, but for the growing numbers of people with IM capability on their mobile phones and other devices, where using a clean third-party client is not an option, and where many plans still charge by the message.

It's easy enough to see why...

IM applications are hot attack vectors.

1. Most instant messenger applications are client dependant. You need YIM/AIM/MSNM clients to talk to others on those IM networks, unlike client independant networks such as IRC.

2. IM programs store contact lists much like a standard email client. Easy to read, exploit and spread.

3. Most IM programs enjoy a high degree of popularity. Higher user counts = faster spreading.

It's probably why I avoid IM programs like the plague.

Phishing

I still get a lot of these. Someone will message me, with PISS poor english...claim they are from the US and abroad (or in one instance...a girl from England who lives in the US but is visiting her family). Sends me some model pictures and talks to me...within hours telling me how she loves me and thinks there is something special...it usually lasts about two weeks---hey I do get bored playing CS -- and at least I am keeping those clowns busy.

It's amazing, and there is really nothing we can do about these idiots except hope people won't be stupid enough to send them money. In the end, it is the old scams "I am from war torn country, send me account number so I give you 10 million..."

OMFG

MSN experienced the largest number of IM security incidents in both 2004 and 2005

*shock*, *SHOCK!*

Large part of the problem

A significant part of the problem is the user base for these chat clients. AIM/MSN/YAHOO attract teens and college students who are not as knowledgeable as they should be when it comes to viruses, etc that can be distributed through IMs. Teens (the general masses) click just about anything and everything...the fact it is from a friend only increases the chances they will click a link.

Novice users will most likely have to fall victim this sort of thing before they are able to prevent it from happening. I don't see this problem going away anytime soon.

Microsoft market leader.. again!

MSN experienced the largest number of IM security incidents in both 2004 and 2005

So they have over 50% of the market on IM security incidents .. go Microsoft!

Just curious, what is their marketshare for IM? I tried looking it up w/o success.

ICQ

Something to be said for still using ICQ. It has a simple interface, supports what I need (text messages to co-workers mostly), and with the increasing popularity of the other services, I haven't had any spam/pR0n offers in months.

A precursor chat to the IM attack...

sxybtrfly99: So you like my personality, I can send you a photo.
manstud45: Yeah, U R totally cool, I really like chatting w/U. Can IM me the pic?
sxybtrfly99: Sure, right away. I have something I have 2 tell U. ;)
manstud45: It's kool, Im sure I can handle it :)
sxybtrfly99: I sent U my photo. Bi the way, did U ever see the movie "The Crying Game"?
manstud45: What is this?!?!? WHAT HAVE YOU DONE??? MY PC IS ALL MESSE

Come on people...

I am connected to AIM and MSN all day every day and I have NEVER had a problem with any sort of attack. If you ask me, this falls under the same realm of thought as spyware: use caution. If the site looks/sounds the least bit untrustworthy, don't go to it. Practice safe browsing habits and you will be fine. Same goes with IM, don't accept file transfers from users you don't know. Or better yet, don't talk to users you dont know. Problem solved. I watch where I go on the internet and who I talk to and that's extremely more efficient than hoping any spyware/antivirus program will take care of it all for you. I do suppose this is pointed towards the more casual computer user, but still people, trust your instincts.

Sweet

Hey, this is an interesting article. Anyone who wants to discuss it hit me up on UIN 5050554. Oh wait... nevermind. I forgot that someone jacked my password and changed it last year! I had a low number you skank! Anyway, if you have my password, please place it on my desktop in a text file at 153.145.2.302 Thanks

Easy way to protect yourself

First of all, one of the best protections is to simply only chat with people that you know. I personally only allow people that are on my buddy list IM me. If anyone else really needs to IM me, they can just email me or what not and request that I add them. That way I cut back on the overall risk of being contacted by someone and catching a virus.

The second smart tip is just not accept attachments unless you know exactly who they are from, what it is, and its a smart idea to not open the full direct connection, just allow the transfer of the one file.

People just need to exercise common sense. Remember when your parents used to tell you "Don't take candy from strangers." The same principle applies here. If you don't know who someone is, why do you need to be clicking links or downloading attachments from them. And then, even if you do know who it is, try and ask yourself if the message is something that the person is known for sending. A lot of the times it won't logically fit the person.

Ahh well, everyone just needs to be on the lookout.

For corporate use...there's no question....

You dump public IM services and use an in house only app. Being an IBM BP, we happen to have Lotus Sametime which integrates into Notes and has a standalone client as well. Secured/encrypted communications, and if we wanted to set up a SIP gateway with another partner we could so we could have secure conversations there too.

I believe LiveMeeting is supposed to do something similar...but I am not a fan...so...

Bottom line, skip the public crap if you want to limit your exposure to these things.

GM.

Has anyone fallen as a victim of a phish?

Have any of you? Just curious. It can be from a stupid social engineering.

How to keep out IMs?

I am the "admin" for my family network (4PCs, connected via router, 1 WPA-PSK secured wireless connection to the router) and I try my best to keep things running smoothly and securely. A couple of months ago, my 15 year old daughter downloaded a virus via the MS IM thing. I had to restore her system from backup--that virus was eeeeevil. To her credit, she's been very careful since then, and I actually trust her not to do it again (her mother is a different story...). However, it bugs me that I don't have any control of what comes in via IM. For example, you can't just turn off the IM port--the damn things will use any open port, including 80. There's no way to exclude particular IM clients or senders...no control at all. (I'm just a control freak when I'm in sys admin mode...really). So what to do?

and it will only get worse

I've been dealing with AIM viruses since 2003 (I run AIMFix [jayloden.com], an IM-specific virus removal tool), and I've watched them grow exponentially. On top of that, the attack methods have become infinitely more sophisticated. Where it used to be a userland executable, usually an exe, it moved to .pif and .scr files. It started with the usual "Run" entry in the registry, then started to mess around with the shell settings, winlogon settings, services, and legacy win.ini items. The latest variants are actually including code from various rootkits (mostly the FU rootkit) to hide themselves from memory and the registry.

My prediction is that these will only grow worse as time goes on. It's far too easy to include even more sophisticated rootkit technology in with the worm code, IM is getting ever more popular, and it's effective, plain and simple. Something about the IM format makes it both easy to mimic real "conversation" ("hey, check out these pics of me drunk at New Years!"), and somehow less suspicious than similar messages sent via email.

As far as I'm concerned, rootkits are going to become the norm for Windows worms/viruses within a year or two. why bother with a simple executable that's easy to find and kill when you could make your code invisible to the running system? Frankly, I have no idea what the next step becomes for those of us writing anti-virus tools and cleaning programs. Bootable CDs that can verify the system? I don't pretend to have the answer just yet, but I can say with confidence that we'll be seeing more of this as time goes on, and I sincerely hope that the AV companies can step up to the plate in time.

Multi-protocol clients?

FTA:

FaceTime said that exploits can jump networks through IM "consolidation" applications, such as Trillian or Gaim, which let people combine contacts from multiple IM networks on one list.

Can anyone attest to or refute this? This kinda surprises me. Do these attacks get in through the browser, the protocol, or the client specifically? I can see them hopping protocols if they're getting down into the browser or OS (and then working back up to another protocol), but I can't imagine that these hackers hacking Gaim or Trillian since they have less marketshare (analogous to the paucity of viruses on Mac OS/Linux). Does this stand to reason?

Ah, but who can forget...

lol no im not a virus!

Always Had Attacks

Instant messenging has always had great amounts of attacks..on the english language

But my friend I'm chatting with told me....

"lol, no this is not a virus!"

IRC, you say?...

Thank God for IRC

Rly? ... cuz my m8 got 0wned by this hacker on AIM. Posted about it on his myspace account if u wanna read it. u think i should tell him 2 go 2 IRC? r ther no hackers there? I'll tell him i heard its saf3r, k? cuz I heard they can get ur IP number on AIM & not on IRC, that true 2?

(egad, writing like that was a terrible strain, even if only for a few sentences... how do the aolam3rz manage it?)

Re:IRC, you say?...

Rly? ... cuz my m8 got 0wned by this hacker on AIM. Posted about it on his myspace account if u wanna read it. u think i should tell him 2 go 2 IRC? r ther no hackers there? I'll tell him i heard its saf3r, k? cuz I heard they can get ur IP number on AIM & not on IRC, that true 2?

OMGZ I just pwned some guy yesterday mebe it was u?, haha what a n00b he told me his IP was 127.0.0.1 and I used some 1337 program to pwn his comp and now I have full permission to do it, I think I'll start deleteing his files. LOLZ!

Re:IRC, you say?...

Almost everyone knows that 127.0.0.1 is a loopback address.

But it is not widely known that ANY 127.x.x.x address is loopback. So you can have a lot of fun asking to attack, say 127.3.44.165 :)

Re:Thank God for IRC

Thank God for IRC?

"Hacker groups have large (compromised) server farms to experiment with propagating exploits. They hide Trojans and viruses, and control these botnets via IRC,"

You're one of them, aren't you?! ADMIT IT!!

Just remember, IRC isn't safe [pctools.com], only safer

Re:Thank God for IRC

Indeed, a strain to write and read, and now I slip into the realm of what is arguably off topic...

Leetspeak does not impress me at all, in fact, if I see someone genuinely using it, I'll just assume they are immature individuals who have yet to grow up, and consequently I treat them as such. In my opinion, Leetspeak is also a complete waste of time, my typing is bad enough without me training myself to do it incorrectly, what I am trying to get at is that leetspeak is not only arguably lame, but it is in fact counter-productive.

Many people, especially IT workers, have probably never been on a typing course, but despite this, many may be considered to be exceptionally quick on the keyboard. You see, the brain is remarkable in that forcing yourself to do something repetitively sets up neural pathways, and one finds themselves able to do the same thing that they initially found to be complicated or difficult, with almost little or no effort whatsoever, this is called "training". So, all these leetspeak people have successfully trained themselves in a skill that has absolutely no value in the workplace, but even worse, good language and typing skills, which would be useful in the workplace, have probably been sabotaged by them repetitively doing it wrong. As an example, earlier today /. linked to a White Dust Security article. I am no English teacher, but it was absolutely abysmal English, assuming that the article's author's first language is English, it would not be suprising that part of their shocking English skills (or lack there of) could be directly attributed to their "leetness" at leetspeak.

That's just one reason I don't care much for IRC, the other is that many people on IRC, seem be far to, as a Vulcan might say, "irrational".