Pipeline Worm Floods AIM With Botnet Drones

Several reader write about a new AIM threat dubbed the "AIM Pipeline Worm" that uses a sophisticated network of "chained" executables to attack the end user. Security Focus has a brief note. One anonymous reader writes: "Using this method, there is no starting point for the attack — a malicious link via IM can send you to any given file, at which point the path of infection you take depends entirely on the file you start off with. The hackers can then decide which order to install malicious software, depending on their needs at the time. At a bare minimum, you will become a Botnet Zombie — if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks. Unlike similar attacks that have been attempted in the past, the removal of a file from the chain will not stop the attack — you will simply end up with something else installed instead, in the form of a randomly named executable dumped in your system32 folder. You'll still spam an infection link to all your contacts."

i love it...

when I get free trojans... it's so embarassing to buy them in the store...

the internet is a wonderful place

And the lesson is...

Don't use IM software unless it's part of a closed, managed network. For example: www.omnipod.com is what we use for inter-office IM here. It's a closed network, and all files sent are automatically virus scanned before they can be received. Safe and effective, and keeps our employees from IM-ing with people outside the company.

Re:And the lesson is...

Many, many companies block AIM at the firewall. Ask at your next interview.

There is more wrong with the above scenario than just that. Blocking AIM is usually what happens at two kinds of companies, those that somehow think it will help productivity and those who are security paranoid. At the former, the working conditions probably suck. At the latter, a competent admin will have a Jabber server that connects to AIM and filters for malware. Otherwise, technical employees are likely to bypass security by SSH tunneling their IM communications, which is a risk in and of itself.

The other thing wrong with this is paying for a propriety IM solution instead of going with a free, open, standard, interoperable, secure Jabber server. With jabber you can chat with any other Jabber server using a variety of clients on a variety of platforms. Internal communications are fully internal, running on your own server. External communications can be encrypted. Any company that pays for some other, proprietary IM server is probably run by incompetents and should be avoided.

Re:And the lesson is...

Which company is that? I just want to be sure to avoid working there ever.

Don't worry. I'm sure everyone there has installed AIM on their computers without letting the IT department know.

And the lesson is, don't use omnipod, use jabber

It's free and open source. It's scaleable. It's easy to install and manage. It runs entirely on your own infrastructure so your messages aren't vulnerable to prying eyes and bored sysadmins of some other company. You can set it up to interoperate with any other IM system if you want to. There's a ton of open source clients available. Safe and effective, and keeps people from spending money on crap "solutions" that aren't.

Re:And the lesson is, don't use omnipod, use jabbe

ur users do actually get alot of latitude with thier machines (programming shop, they have to have it) but there are certain things we do not allow. Public IM networks are one of them.

Having worked at a number of programming shops, that doesn't sound like a lot of latitude to me. If you can't install arbitrary software because of an AD policy and you audit people's machines it sounds like a very authoritarian place that does not trust the workers very much. Here we get a choice of computer brand (1 of 3), laptop or tower, any OS we want, and any software we feel like. We're also responsible for keeping our machines moderately secure. We have internal IRC servers and any IM we want is fine. Shop talk is encrypted by policy, either over Jabber or on top of a public network like AIM.

I think it is pretty darn useful. I have a lot of friends and colleagues on both of the aforementioned IM networks who I regularly consult and vice versus. This provides me with an additional resource as well as makes for a more relaxed atmosphere, like when I want to see if my girlfriend wants to meet me for lunch, or just want to chat with old college buddies. I think the fact that my company trusts me is a lot more valuable than tight security policies. Most serious compromises come from within. Because they trust me I'm happier and I'm also a lot less likely to sell them out. Contrary to what you may have heard, studies show the most effective motivation for not exploiting an employer is not fear of punishment or being fired or jail, but an ethical desire to not hurt those who trust you. If your company does not trust you (audits, arbitrary restrictions) then that motivation is removed.

I am sorry if I don't yawn

QUOTE (emphasis mine): How does this infection start off? As always, it begins with a seemingly innocent web address passed to you via Instant Messaging. Click the link and allow the file to execute and your day will quickly go bad."

The method used after that sound interresting, but nothing beat "trusting" executable being sent by any source, anonym or not , on email or AIM. Do that and SOONER or later your day will turn bad.

Re:I am sorry if I don't yawn

...downloads the image18.com file (disguised as a jpeg). Running the file...

User clicks on .JPG file. Operating system (no names, please) looks at file, says "Oh, that's really an .EXE file, I'll just execute it without asking...".
Sounds perfectly sane to me.

Simple risk mitigation

1- Don't run as an administrator.
2- Back up your profile regularly.

If you ever get bitten by something like this, it's easy to recover from.

Re:Simple risk mitigation

Try explain that in terms that the average user will be able to understand.

CLICK HERE [ubuntu.com]

Re:Simple risk mitigation

1- Don't run as an administrator.

Have you ever done this on a windows machine for an extended period of time? I did it for about a week before I gave up. Some programs don't even run unless you are administrator.

Now if we are talking about a work enviornment then sure, give everyone in the building (except engineering) non-admin accounts, but I would never recommend doing it to someone who didn't have a high level of computer knowledge and patience or an equivalant IT staff on hand to help out with any issues.

Solutions

Within the reach of a normal person, shift-right-click and Run As... will get you temporary and per-process administrator privileges without the insanity of running Internet Explorer as root.

Within the reach of an expert, RegMon and FileMon can point you to the isolated places where changing ACLs will allow the stupid program to run. The most frequent bug is for a program to try to write to one or a few protected locations.

Good thing it's AIM ...

... because it's a well known fact that most AOL users have higher than average internet savvy.

Now I have more reason than ever to install trillian/gaim on newb computers.

Re:Good thing it's AIM ...

This worm spreads by getting users to run a .com file which is disquised as a .jpg.

I was surfing pr0n^H^H^H^H^H the Internet the other night and mining some sites... I saw very clever(?) URL's on a couple of websites... they were along the line of:

www.dodgywebsite.com/really_interesting_picture.jp g_/session_ID=2383/wwwdodgywebsite.com

Note that the last part of the URL was ".com" .. not part of the website, but the suffix to the file - a COM file!!

You gotta watch yourself

Not to Worry

It's a Pipeline Worm. It's a good thing the internet is made up of tubes instead of pipes or we'd all be screwed!

Why this is important.

You probably understand how this works, but I'm sure you can think of someone in your family that you might want to call and warn about this. Maybe you've told them a thousand times about the dangers of clicking on that link, but do it again anyway. I mean, you love them, right?

And if you don't guess who they'll call first about how their computer has gotten SLOW again.

using aim

using aim is like being kicked in the balls

Tubes Dammit!

It's TUBES dammit not PIPES!!11!

And the definition of Tubeworm [wikipedia.org] probably needs to be rewritten.

I love these kinds of attacks

I'm a student employed by the university to fix students' computers in my dorm building. Everyone will click on these links, some more than once. But why do I love these attacks? The hot chicks that will inevitably click the link. I love this job.

And Still

Microsoft insists that Users should have access to key system files...to maintain functionality.
ugh..

fuckers stole my system32 folder

lessee... /, bin, boot, debootstrap, dev, etc, home, initrd, lib, media, mnt, opt, proc, root, sbin, srv, sys, tmp, usr, var - nope, it's GONE!

The question I shouldn't ask was

do the viruses run on linux? or should we file a bug report for that?

Eh?

you will simply end up with something else installed instead, in the form of a randomly named executable dumped in your system32 folder.

I've looked everywhere - is the system32 folder in /etc or /usr/local? :)

MjM

uuddlrlrba

Boyd likened the technique to the fight combos common in martial arts video games.

Now all we need is a nice graphical interface and a joystick control system, and the fun can really begin :-)

OS specific then

At a bare minimum, you will become a Botnet Zombie -- if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks.

What if you don't run DOS (or any derivatives)?

Ha ha, it's a joke. I set up a linux box for my sisters kids to use, and kept an eye on the logs. One of the first things they tried to install was AIM. Ooops, too bad. Some kind ***soul was even trying to help them to do it while chatting though GAIM. Which is kind of funny as there is a plugin for AIM in GAIM.

Easy way around any AIM worm

Don't click on any links in AIM unless you asked for the link yourself. Then check the link and make sure it is from a trusted domain name. I think I'm telling the wrong crowd though. /. users should know this.

Easy (free) Live filesystem for recovery??

Does anybody have a suggestion on a *nix based livefilesystem that can be used to clean up after this mess
(drill would be yank the net cable shutdown the system and reboot using a Rom)

it of course would need proper NTFS support and an antivirus/anti#deleted#ware program and a way to update the pattern files (kind of like Puppy Multisession)

send suggestions to name at googles mail domain

This rings a bell

From the article: What's smart about this attack is that it doesn't matter if you get a file "out of step" - if you start off with a particular file out of sequence, you'll just end up somewhere else in the chain instead. There is no right or wrong place to start with this one - the hackers will make sure you get your fill of infection files!

The basic idea of using multiple, completely unrelated vulnerabilities and attacks to achieve total control is not exactly that new. In fact, the ideas that feel so obvious to us today were quite novel back in the turn of the century. Michael Zalewski described [coredump.cx] a worm prototype that worked in somewhat similar manner more than six years ago.

On the occasions that I get to give lectures about computer security, I try to illustrate these very ideas. The rule #1: There are no local exploits; All vulnerabilities are remote, some may just require a piggy-bag step of first delivering extra code via other holes.

Didn't pass the filter

A quick glance at the headline and stuff like this stands out: At a bare minimum, you will become a Botnet Zombie -- if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks. Excessive use of capitalized jargon like that always indicates that it's going to be a nothing story, and sure enough, that's exactly what it is. Although, if you think the fact that your PC can be compromised by something you download on purpose is news, you're probably the right target audience for this story.

Free Stuff!!

Hey, on the bright side, you get to spam your contacts without even trying! And you get new things installed everyday! :p

AIM Pipeline Worm

make sure to installing the needed and invulnerable software to avoid the attacker attack our pc

Re:Does it run

Not yet, but if we keep up the good work of Linus(http://linux.slashdot.org/article.pl?sid=06/ 04/18/2046203 [slashdot.org]), we'll have it running in no time!

Wake up please!

http://lists.freedesktop.org/archives/xdg/2006-Apr il/008012.html [freedesktop.org]
http://lists.freedesktop.org/archives/xdg/2006-Apr il/008025.html [freedesktop.org]
http://lwn.net/Articles/178411/ [lwn.net]
http://lwn.net/Articles/178409/ [lwn.net]