Fully Automated IM Worms on the Way? 230
nanycow writes "The sudden appearance of a rootkit file in a spyware-laden IM worm attack has set off new fears that malicious hackers are sophisticated enough to launch a fully automated worm attack against instant messaging networks. Researchers say the stage is set for a worm writer to use an unpatched buffer overflow in an IM app to unleash a worm that is capable of infecting millions or users without the use of malicious URLs that require a click."
Different from other open ports? (Score:5, Insightful)
Workplace (Score:5, Insightful)
I know our IT department frowns upon it but walking around you still see it used
Its only a matter of time until something like this came out that has the potential to severly damage both corporate and private networks
The Disease is Awful (Score:5, Insightful)
Maybe one day we'll get a series of destructive worms that will render hardware unusable (e.g. no boot, disk overwritten, fan turned off and processor cranked up to do permanent damage, boot flash cleared) -- resulting in successive waves of hardware replacement.
I talked to a guy at a computer store about the aftermath of a worm that cleared the bootflash -- they sold so many new computers!
At that point, I figure Micr$oft will be in big trouble; after you buy your fifth motheboard in a row (and try to recover your data) after "Bukk@keB1ll" versions A through X hit you, you'll consider getting a Mac so you can get work done.
Re:Evolution baby (Score:5, Insightful)
Not quite. Biological viruses evolve. Computer viruses, however, are products of intelligent design, for certain values of 'intelligent'.
Computer viruses aren't a force of nature. Behind every one of them is a malicious programmer.
Eventually, I imagine we'll see polymorphic and self-modifying code reach the point where it can evolve in the same way as biological viruses, but that's probably quite a way off. The nearest I've heard of to that is viruses programmed to alter their appearance to avoid detection.
Re:Infection (Score:5, Insightful)
Re:I cant take any more of this (Score:5, Insightful)
Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).
Rootkit is no longer a term restricted to gaining "root" user access. The term now stands for any suite of hack and/or programs (the "kit") that enables the malware to disguise its presence in the OS in a more sophistocated manner than simply having obscurely named
Furthermore, in my entirely humble and sincerely personal opinion, the term is an appropriate, apt, and succinct way of decribing these types of malicious programs, both in distinguishing them from the less deeply embedded malware types, and in emphasising the increased security threat these programs pose.
The sky is falling! ( again ) (Score:5, Insightful)
Let me ask you something, what *doesn't* constitute a "fully automated" worm? Was there some guy in a back room somewhere, individually infecting people with Code Red?
And IM services are hardly a new vector. If anything, this story should be about how long it has taken these people to figure out that services like AIM and ICQ are used by people with little or no computer knowledge, who will randomly click on things. You know, sorta like email. That's the real new nugget out of all of this, and hardly worth the two pages of ads to read about.
Re:Jabber! (Score:3, Insightful)
Different clients are unlikely to share the same vulnerabilities, so, with a wide variety of clients in use, you're not going to have one single worm that can infect a huge portion of the network.
Problem with older hardware, operating systems (Score:2, Insightful)
Re:Evolution baby (Score:2, Insightful)
Re:Different from other open ports? (Score:4, Insightful)
Basicly it says "People are using IM. Buffer overflow in IMs is like any other buffer overflow also bad".
May I say "Duh"?
Re:Different from other open ports? (Score:4, Insightful)
And yet worse, unlike other software which keep open ports, Messenger software has the slight property that its users does not know a lot about computers to take precautions.
About heterogeneity, it would be nice to see if the "attacked because it is the most used" argument of MS Windows holds here. IIRC Aol IM is the most widley used messenger. Which one will get more viruses?? AIM? or MSNM? place your bets!
Re:Different from other open ports? (Score:5, Insightful)
But then again, I don't know much specific about how this all is supposed to work, so I may be wrong.
Why does the OS let software be invisble? (Score:5, Insightful)
It seems to me that a well designed OS should NEVER let a piece of code be invisible. There should be some part of the OS that knows what is running, what invoked it, what file it came from, etc. A well designed OS would know the provenance of every segment of code. This information should be read-only to anything outside of this protected monitoring function. Thus ALL running code would be visible to the user and anti-malware software. And if you add hash-code locks on installed software, then malware wouldn't be able to masquerade as some other normal bit of code or damage anti-malware apps. Malware could still hide in a user-downloaded software, but the tracking function would aid the detection and removal of any unwanted code.
Is there ever a good reason to let software be invisible?
A rootkit doesn't need the OS to "let" it... (Score:3, Insightful)
The point of a rootkit is that it alters the behaviour of the OS. Sure, a pre-rootkit kernel wouldn't have let just any code run. But once the rootkit gets in (one way or another), it alters the OS's behaviour. Just like the Sony audio CD rootkit (mentioned in a previous Slashdot article) alters the behaviour of Windows to keep certain kinds of files invisible.
Re:The Disease is Awful (Score:4, Insightful)
No, the sneakier viruses won't ruin your box, they will just sit there and gather information. I would much rather have my email and personal documents destroyed then had them read. Even if you read them then destroy them, I know they have been compromised and can take whatever steps deemed neccessary to mitigate my risk. The most sinister viruses would just read and transmit them without me ever knowing.....
Re:Different from other open ports? (Score:3, Insightful)
And if there really is some essential functionality that depends on such open ports, wouldn't one hope they were implemented FTP-style ie. open them randomly and tell the other party what they are via outgoing connection?
And if the above is true, how can a remote host cause a crash? It shouldn't be allowed to connect to my IM client just like that. There shouldn't be anything to connect to in the first place! The IM app should only connect to the IM central server and to accepted hosts in my buddy list.
The thing I see that would work is the bot prompting me to accept him in my buddy list and _then_ screwing my IM client. But that's quite different from all this "open port" business that people talk about, and can only be fixed by fixing the IM clients.
Re:Why does the OS let software be invisble? (Score:2, Insightful)
What do you think happens when some miscreant (with root access) replaces that jumppoint in memory with one of his own UTLIMATE_PR0CESS function?
Remember, we are not talking about ROM systems here, all system commands are loaded into RAM.
Consider a much simpler situation:
You use the dir command to list the contents of a folder.
Somebody could replace that command on disk with a dodgy one that runs the original dir command, but filters its results and hides all files starting with "hax0r_".
The only real way to be able to check and identify if a system has been rooted is to examine from the outside.
Keep a boot cd handy.
Currently however, rootkits have bugs and limitations in their scope and do not cover every track, hence rootkit detection is semi feasible for now (in Windows at least).
The most sneaky bit of malware I have heard about recently is the semirootkit included inside some Sony protected CDs.
Have a read here [sysinternals.com] for an investigation (this story may explode in the next few days - it looks really telling).
Re:Jabber! (Score:5, Insightful)
Your mom. Litereally.
I understand users/groups/file permissions. I assume you do too. What about your parents?
Re:Why does the OS let software be invisble? (Score:5, Insightful)
At a user level, to "see" a process, you would open the task manager (Windows) or use the PS command in Unix. But you must note that these are merely applications that ultimately make a call to a OS level API and request this information; then they display whatever this API returns them.
The OS level API is just a piece of code that will have access to the internal OS data structures that hold the information for the processes. This code would piece together a response with the processes names, etc. and return this "list".
So, what would happen if I go and modify the code that pieces together this list of processes and omit the "worm.exe" process everytime? Well, that's pretty much a rootkit virus strategy.
The result is that you wouldn't be able to see the process anywhere. Any program that uses this OS API call would not see the process, be it ps, the Task Manager or an Antivirus.
So . . . why not providing every program with a direct access to the running processes structures so that they can "see" all the information there and "figure out" by themselves whether there is a virus or not.
Well . . . that's a disaster from a security standpoint since it would provide an avenue for viruses to exploit. And this "direct access" is never direct, it is always through another OS API that may in turn be modified to hide the virus . . .
So . . . why not scanning the disk?, I mean, the virus must be stored somewhere if it will run.
Well . . . file access is done by an OS call that may be modified to hide the virus.
So . . . why not doing an OS module that performs an CRC check and make sure that the OS APIs have not been modified?
Well . . . this too can be modified not to include the file that you infected in the first place.
So . . . why not making OSs "unmodifiable".
Well . . . how would you then install it in the first place? (that is pretty much a modification) or install security updates? (that's another modification).
So . . . Well . . . ad infinutum.
I think I made my point.
Anyways, the bottom line is that you can only do all those modifications *if* you have privileges to modify system files. You have to have "root" access for that. So once you have broken the security of an OS to the point where your virus can modify OS system files, you are pretty much doomed.
Ideally, the solution is a secure operating system, where regularly you run your user programs with an account whose privileges do not include modifying OS files and any processes that you start cannot breach that security (again *ideally*). You would only use the root account to do OS installs and updates (if the virus gets you while you are at it, you are doomed again, so shut down AIM!).
That's why Windows is so dangerous, because the normal XP user is running with an Administrator account (similar to having root privileges), so any application that is infected can potentially cause a root-level infection.
And then, no matter how much you program securely, the missing piece as usual is education. At some point, even in the ideal OS, the user would have to log in with the root account to do OS changes or at least explicitly authorize in some manual way the modification of system files (that would be my choice just to make things easier to learn for everyone in the real world).
Re:Jabber! (Score:5, Insightful)
I understand users/groups/file permissions. I assume you do too. What about your parents?
What would they need to know? There's a separate password to access the "administrator" account. When you buy the computer (presumably preloaded with Windows) you set that password and create accounts for everybody in your family. From that point on you only use that password to install software for everybody to use.
It shouldn't even be required to use that password to install software for just yourself. If I go out and buy Sim City 4000 and I only want to be able to use it on my user account, then why should I need admin rights to install it? This would be the same behavior as --prefix on Unix -- but a lot more user friendly.
You'd still have the problem of social engineering (download our new screensaver!!!!) but it would be a lot easier to tell people to never enter that password when prompted by a website then it would be to block access to bad scripts or ActiveX controls.
They will try it in the next version of Windows apparently. I don't see what's stopping it from being in XP SP3 (or why it wasn't in SP2 for that matter). That would be even better because it would give software publishers time to get used to the model before Vista is released.
Re:The Disease is Awful (Score:3, Insightful)
Near-instantaneous worldwide communication.
I can easily foresee the creation of a virus that does nothing but spreads, quietly and innocuously. Via rootkits and other methods (polymorphism, etc), it could spread and likely not be detected over the course of the infection. Each virus infection would have a counter, so that once the n-th infection has occurred (where "n" is some large number - say 1 million), that virus would send out a quick signal over the internet which all the other viruses are listening for, at which point they all wake up and say "game over", formatting the drive (at night, at next power-up, at low-activity time, etc), or do other malicious damage.
In a way, it is kinda like a countdown virus "bomb" - the host that is being infected in this case is the network itself, with the nodes being infected analogous to the cells of the host. Basically a virus that "liquidates" the nodes which make up the host network. Such a virus infection might wake the world up big-time, especially if it took down some large server farms or company-wide PC networks. Why it hasn't occurred yet is anyone's guess. Likely, it is because there is no profit-motive behind it, yet.
If you wanted to be paranoid, you might suppose that it actually has already started, we just haven't noticed the infection, nor has the countdown reached the requisite number of infected machines...
Re:Do these things affect non-AIM apps? (Score:3, Insightful)
Besides, your statement about Windows is rather generic and so incorrect. I logon as a normal (i.e. limited) user, so unless there's an unknown security hole (every exploit known so far uses a known security hole and I patch quickly) then my whole system will not be compromised. My local account might be affected, but that concept applies to OS X too.
AIM backdoors (Score:1, Insightful)