Fully Automated IM Worms on the Way?
nanycow writes "The sudden appearance of a rootkit file in a spyware-laden IM worm attack has set off new fears that malicious hackers are sophisticated enough to launch a fully automated worm attack against instant messaging networks. Researchers say the stage is set for a worm writer to use an unpatched buffer overflow in an IM app to unleash a worm that is capable of infecting millions of users without the use of malicious URLs that require a click."
Re:I cant take any more of this (Score:5, Informative)
Is the 'administrator' account privilege - which a majority of Windows user accounts are - not an equivalent to root?
Strictly speaking the Windows equivalent of 'root' is the hidden 'LocalSystem' account.
Re:I cant take any more of this (Score:2, Informative)
Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).
I work in the IT department at my college, and in the last week, have encountered two machines infected with this worm. Easily detected as it may be to the expert user, it is a rootkit, hiding from detection. If I had not recognized it, it would have been undetected, as the automated scanning tools did not report it.
Re:Infection (Score:5, Informative)
"Researchers say the stage is set for a worm writer to use an unpatched buffer overflow in an IM app to unleash a worm that is capable of infecting millions of users without the use of malicious URLs that require a click."
FTA "'We've already seen documentation for some serious code-execution vulnerabilities in IM applications. If you put it all together, you'll see we're not that far away from an automated IM attack where infections don't require the user to click on anything,' Wells said."
User education won't help if propagation occurs without any action by them.
Re:The sky is falling! ( again ) (Score:4, Informative)
Any worm that requires the user to click on a link in order for the worm to propagate. The scary thing about this class of worms is that it installs a rootkit without activity from a user, so the only rate-limiting step in the infection cycle would appear to be buddy lists. So, you're on someone's buddy list... you get infected without taking any action. Then, boom, all your buddies are belong to them. &c.
Educated users know better than to click just any link they see -- we depend on that to limit propagation. But it doesn't apply here.
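The two propagation models that comment contrasts, as an added example (not code from the article or from any commenter): a breadth-first spread over a buddy graph where the only difference between the worms is the predicate that decides whether a message from an infected buddy compromises the recipient. The buddy graph, the set of "educated" users who never click, and the set of users running a hypothetically vulnerable client are all constructed here for illustration.

```python
"""Propagation model for link-click versus exploit-driven IM worms.

Added example, not from the thread. BUDDIES, EDUCATED and
VULNERABLE_CLIENT are constructed sample data, not real users.
"""
from collections import deque

# Constructed buddy lists: user -> set of buddies (links are symmetric).
BUDDIES = {
    "alice": {"bob", "carol"},
    "bob":   {"alice", "dave", "erin"},
    "carol": {"alice", "frank"},
    "dave":  {"bob"},
    "erin":  {"bob", "grace"},
    "frank": {"carol"},
    "grace": {"erin", "heidi"},
    "heidi": {"grace"},
}

# Users who will not click a link they did not ask for (constructed).
EDUCATED = {"bob", "carol"}

# Users running a client with the hypothetical unpatched overflow (constructed).
VULNERABLE_CLIENT = set(BUDDIES) - {"dave"}


def spread(patient_zero, can_infect):
    """Breadth-first spread from patient_zero over BUDDIES.

    can_infect(victim) decides whether a message from an infected buddy
    compromises that victim. Each user is messaged at most once because
    the predicates are deterministic, so a retry would give the same answer.
    Returns the infected users in the order they were compromised.
    """
    infected = [patient_zero]
    attempted = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        sender = queue.popleft()
        for victim in sorted(BUDDIES[sender]):
            if victim in attempted:
                continue
            attempted.add(victim)
            if can_infect(victim):
                infected.append(victim)
                queue.append(victim)  # a new host now messages its own buddies
    return infected


def link_click_worm(patient_zero):
    """Classic IM worm: the victim must click the malicious URL."""
    return spread(patient_zero, lambda user: user not in EDUCATED)


def exploit_worm(patient_zero):
    """Automated worm: the crafted message itself triggers the overflow."""
    return spread(patient_zero, lambda user: user in VULNERABLE_CLIENT)


if __name__ == "__main__":
    print("link-click worm from alice:", link_click_worm("alice"))
    print("exploit worm from alice:   ", exploit_worm("alice"))
```

Seeded at alice, the link-click worm dies immediately because both of alice's buddies are educated and never forward it; the exploit worm reaches every vulnerable host in the graph, with the only uninfected user being the one whose client is not vulnerable, which is exactly the point that educating users does nothing once propagation no longer needs a click.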
Re:Do these things affect non-AIM apps? (Score:5, Informative)
I doubt it, because any malicious program that wants to alter OS X's settings is going to have to prompt you for an administrator password (unlike Windows). Besides, it's likely that any such worm will target official IM clients rather than third-party apps.