America Online Security

New Worm Chats with Users on AIM 577

goldseries writes "CNet is reporting that a new IM worm chats with users to get them to down load a file containing a virus. The virus replicates its self and sends its self out to user's buddy lists. The virus will reply 'lol no this is not a virus.' The virus hides users from seeing the messages sent out to members of their buddy list. Viruses are evolving; now they will even talk to you."

  • by QuaintRealist ( 905302 ) <quaintrealist AT gmail DOT com> on Wednesday December 07, 2005 @10:38AM (#14201818) Homepage Journal
    Honestly (and no, I'm not a programmer), the potential here scares me. It seems to me that "interactive" automated intrusion is going to be a serious issue for security. Yes, the truly prudent are (as usual) safe, but the gap between the "luser" and people like me and my co-workers is going to get smaller.

    I really do have some of our local users using vmplayer virtual machines to access the internet (the ones with Windows laptops) - and a lot of services shut down (chat, in particular) that some would like to use.

    Those who know more than I (most of you) - any comments?
  • er... (Score:2, Insightful)

    by escay ( 923320 ) on Wednesday December 07, 2005 @10:39AM (#14201840) Journal
    wouldn't an unknown new name on the buddy list sending you a package with the message "lol no its not a virus" be a dead giveaway?
  • Wow! (Score:2, Insightful)

    by Youssef Adnan ( 669546 ) on Wednesday December 07, 2005 @10:40AM (#14201848) Homepage
    Only on /. could you find stuff like "down load" then shortly followed by "its self". Somebody there doesn't like to put words together, probably...
  • The newest front (Score:5, Insightful)

    by sammy baby ( 14909 ) on Wednesday December 07, 2005 @10:43AM (#14201888) Journal
    The virus will reply 'lol no this is not a virus.'


    My friends, we are fighting a war: a war on stupidity.

    And clearly, we are losing.
  • by jacobcaz ( 91509 ) on Wednesday December 07, 2005 @10:47AM (#14201916) Homepage
    • lol no this is not a virus
    So it will sound like almost every other meat-head out there using instant messaging? It will blend right in! I have received less comprehensible IMs from people who would consider it a mortal sin to be anything other than professional in person or on paper.

    Why does all respect for grammar and spelling (and not sounding like a 12 year old) go out the window when instant messaging technology is involved (especially in a business setting)?

  • by Secrity ( 742221 ) on Wednesday December 07, 2005 @10:55AM (#14201985)
    These are the same people who also don't know and don't care that they allowed music disks to install rootkits and backdoors on their computers.
  • Re:Eliza Virus? (Score:5, Insightful)

    by meringuoid ( 568297 ) on Wednesday December 07, 2005 @10:57AM (#14201996)
    Let me know when it will have hot N3TS3X with you, and I'm in!

    The frightening thing is, that would probably be pretty easy to code. The net is full of freely-available pornographic stories; extract a whole bunch of phrases from those, use an Eliza-like system to select the right one for the circumstances and incorporate elements of what the user just said into your response...

    You could write up a pretty effective cybersex bot, and you could program it to offer to send across 'cam pix' once in a while. Which would, of course, be virus-ridden.

    Better yet, once you've written it you could have it communicate with sad lusers via SMS at, oh, 20p per message. And make a killing. Excuse me, I have an Eliza-bot to hack up with some pornography. bbl, d00dz.

  • by Anonymous Coward on Wednesday December 07, 2005 @10:58AM (#14202000)
    My friends, we are fighting a war: a war on stupidity.

    It's sort of like natural selection for computer users, except somebody else keeps coming in and fixing their computers...
  • by tpgp ( 48001 ) on Wednesday December 07, 2005 @10:58AM (#14202002) Homepage
    Windows needs to be fixed so that executables renamed as PIF are NOT executed. God that's stupid.

    How about fixing windows so that it uses execute bit in the filesystem, rather than the extension of the file to decide whether to execute something or not?
  • by Koiu Lpoi ( 632570 ) <koiulpoi AT gmail DOT com> on Wednesday December 07, 2005 @11:07AM (#14202084)
    So people can send out executable jpegs? No thanks.
  • by meringuoid ( 568297 ) on Wednesday December 07, 2005 @11:12AM (#14202137)
    Because time is money even in the IM world. With probably hundreds of people on that person's buddy list, chances are they're talking to multiple people at once. Why use proper grammar to talk to one person when you can ignore netiquette and talk to five people in the same time?

    What rot. If you're using IM for business purposes, you'd better be spending more time thinking about what to say than you spend saying it. Legally, you're putting this stuff in writing. They could log what you say over IM and use it against you later.

    Assuming you are spending more time thinking about what to say than actually doing the mechanical work of typing it, then the benefit in terms of time between 'u' and 'you' becomes trivial, while the benefit in terms of your professional image between 'you' and 'u' is just as significant.

  • by Gadgetfreak ( 97865 ) on Wednesday December 07, 2005 @11:19AM (#14202193)
    You know, honestly, we've been fighting stupidity for quite some time now. More and more it seems like most of my fellow Americans want someone else to take responsibility, and someone else to take care of their problems for them. There's a general lack of desire to be intelligent or self-reliant. With advancing technology, more and more people begin to fall behind... it's getting to a point where people just aren't smart enough to take care of themselves.

  • by SomeoneGotMyNick ( 200685 ) on Wednesday December 07, 2005 @11:25AM (#14202238) Journal
    euthanizing AOL users

    No. Just deny them use of computers until after rehabilitation. Now those who get broadband access AND STILL BUY AOL because it's the Internet, those are the ones to use your tactics on.

  • by PhoenixPath ( 895891 ) on Wednesday December 07, 2005 @11:31AM (#14202301)
    Or just end up being a fully functional Zombie.

    And that's all we need. Another 144 Million Zombie Bot-net.

    Yeah, it'll sort itself out...when we get our "International Reformat, FDISK-MBR, and Re-Install Day"
  • by tsa ( 15680 ) on Wednesday December 07, 2005 @11:32AM (#14202308) Homepage
    Apple also hide file extensions by default. It's amazingly annoying, but I never hear anyone complain about that, only about MS doing it. Weird.
  • by Jaruzel ( 804522 ) on Wednesday December 07, 2005 @11:34AM (#14202337) Homepage Journal
    No, PIFs are now legacy.

    On 2000, XP and 2003 DOS apps settings are now held in two places, the registry and inside the .LNK file (the actual shortcut).

    However, PIFs are still supported execution-wise in the OS to maintain backwards compatibility - something that *should* have been eradicated/managed-out with XP's SP2 and all its 'security' updates - something along the lines of:

    'You have tried to run the file CelineDionNaked.jpg.pif, this may not be a legitimate application. Choose Run to run the file, Delete to delete the file, and Update to convert to a Windows XP icon.'

    -Jar.
  • by freality ( 324306 ) on Wednesday December 07, 2005 @11:39AM (#14202370) Homepage Journal
    If this technique keeps on working after a while, virus writers will have effectively passed the Turing test. Though as predicted, the Turing test will end up saying more about itself (and us) than AI. Perhaps there should be a Turing Test++ that identifies AI as intelligence capable of distinguishing a human from a virus bot solely by communication over IM.
  • by jim_v2000 ( 818799 ) on Wednesday December 07, 2005 @11:48AM (#14202450)
    We have users that are already downloading zip files, opening them, running the executable and getting infected. Is it really that much harder to also check a box in order to get infected? I don't think it would make a difference.
  • Not terribly new (Score:2, Insightful)

    by eclipz ( 630890 ) <skyspirit@g m a i l . com> on Wednesday December 07, 2005 @12:18PM (#14202698)
    I've been getting spam messages and some really bad bot messages on Yahoo! messenger for quite a while. Most of them start out asking if you'd like to chat, then send you a link for their webcam site. Quite a few chat sites on the internet have become bot havens, with rooms filled with more bots than people trying to fish for people stupid enough to click on links. Also, on sites such as MySpace, there are bots that will create profiles that look real and then send messages out asking for people to visit and click on their homesite. I'm not terribly surprised that a worm found its way into AIM. Although it does rely on the same thing all the others do: gullibility.
  • by eMartin ( 210973 ) on Wednesday December 07, 2005 @12:25PM (#14202775)
    "You have tried to run the file CelineDionNaked.jpg.pif, this may not be a legitimate application. Choose Run to run the file, Delete to delete the file, and Update to convert to a Windows XP icon."

    For many people, that sentence would mean nothing other than "hit run to proceed".
  • by gg3po ( 724025 ) on Wednesday December 07, 2005 @12:29PM (#14202819)
    'You have tried to run the file CelineDionNaked.jpg.pif, this may not be a legitimate application. Choose Run to run the file, Delete to delete the file, and Update to convert to a Windows XP icon.'

    Anyone that would even be remotely interested in clicking on a file that was labeled CelineDionNaked.* has more immediate and serious issues than their pWn3d w1nbl03s box.

  • by krakelohm ( 830589 ) on Wednesday December 07, 2005 @12:52PM (#14203043)
    I think the problem is that you would still have 90% of the people running something.jpg.exe even if they saw the extension. Most people still have no clue what '.exe' is, but since there is a '.jpg' they would still double click it thinking it's a picture.
  • by DrSkwid ( 118965 ) on Wednesday December 07, 2005 @12:55PM (#14203080) Journal
    This user that somehow managed to Run Explorer, clicked Tools ... Folder Options, clicked the View tab and unticked "Hide file extensions of known file types".

    (we'll ignore the WTF of unhiding something by unticking it)

  • Re:Turing tests (Score:5, Insightful)

    by wk633 ( 442820 ) on Wednesday December 07, 2005 @01:02PM (#14203137)
    The Turing test is turning out not to be a test of artificial intelligence, but of human stupidity.
  • by morgan_greywolf ( 835522 ) on Wednesday December 07, 2005 @02:01PM (#14203688) Homepage Journal
    This should be moderated 'Insightful', not 'Funny'.

    Seriously, the problem is user education. People believe ANYTHING that appears on their computer screens, much in the same way people believe ANYTHING that appears on the TV news.

    The problem we have is that too many people lack the critical thinking skills necessary to operate a computer (or watch the TV news).
  • by dr_d_19 ( 206418 ) on Wednesday December 07, 2005 @02:04PM (#14203724)
    Exactly. What you are talking about has been occurring for a very long time in the United States. Why is it that every piece of gear or electronics device comes with a "DO NOT"-list longer than Microsoft's EULAs? Or why we got EULAs in the first place? Are these people perhaps a bit scared of being sued?

    I'm convinced that with a less embracing justice system, these would not exist. If people know they can sue over some hot coffee, and know it has been done in the past, they'll drink everything without "CAUTION: HOT" without a hesitation.

    Why should you think for yourself when you do not have to?
  • by jayloden ( 806185 ) on Wednesday December 07, 2005 @03:18PM (#14204294)
    I wrote and maintain a free AIM / IM specific antivirus tool called AIMFix [slashdot.org] that removes these two worms in several variations. I've been working with this stuff since 2003 (AIMFix is used by dozens of Universities as part of official cleaning procedure and recommendations, see the users page [jayloden.com] for details). In particular, these two worms have been eating all of my free time for the last three or four days with several variants and some new behavior (installing as services only, rather than registry keys all over the place, etc). They're also hiding as Windows filenames, but in different directories, like C:\Windows\svchost.exe (instead of system32), C:\Windows\taskmgr.exe, etc.

    It is so incredibly weird seeing these stories in the media. I've been so deep into researching them and writing updates to AIMFix to keep abreast of everything that it comes as a total surprise to see a media outlet cover them. I've gotten countless emails from people who got hit by these two worms, and I've become quite familiar with the symptoms over the past few days, yet at the same time I'm uniquely ignorant of the rest of the story (the AI aspect, etc) because I only end up dealing with the nitty gritty that happens on the symptoms and removal level. Go figure.

    -Jay
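
Two disguises come up in this thread: worm files named like Windows binaries but placed in the wrong directory (`C:\Windows\svchost.exe` instead of `system32`), and decoy double extensions such as `.jpg.pif`. The sketch below is an added example, not AIMFix code or anything posted by the commenters; the expected-directory map, the extension sets and the sample paths are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Assumption: legitimate home directories (lower-cased) for the two binaries
# named in the comment above. Extend this map for your own environment.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "taskmgr.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
# Extensions Windows executes on double-click, and harmless-looking
# extensions commonly placed in front of them (illustrative sets).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}


def check_path(path: str) -> list[str]:
    """Return the findings for one Windows path (empty list if none)."""
    p = PureWindowsPath(path)  # parses Windows paths on any host OS
    findings = []
    expected = EXPECTED_DIRS.get(p.name.lower())
    # A system binary name outside its usual directory is suspicious.
    if expected is not None and str(p.parent).lower() not in expected:
        findings.append("system-name-wrong-dir")
    # picture.jpg.pif: the last extension is what actually gets executed.
    suffixes = [s.lower() for s in p.suffixes]
    if (len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DECOY_EXTS):
        findings.append("double-extension")
    return findings


def scan(paths):
    """Map each suspicious path to its list of findings."""
    return {p: f for p in paths if (f := check_path(p))}


# Constructed sample listing (not taken from a real infection).
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\svchost.exe",
    r"C:\Windows\taskmgr.exe",
    r"C:\Users\alice\Downloads\CelineDionNaked.jpg.pif",
    r"C:\Users\alice\Pictures\holiday.jpg",
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE).items():
        print(f"{path}: {', '.join(findings)}")
```

A name-and-location check like this is only a triage signal; confirming a hit still means checking the file's signature or hash.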
  • by jayloden ( 806185 ) on Wednesday December 07, 2005 @03:48PM (#14204522)
    Sure...and they could also put a big fat warning symbol next to urls that end in executables and tell people "this is a program!" before they download it.

    They could probably even set up filters to prevent blacklisted urls from even being transmitted. Hell, with AOL's money and power it's highly likely they could get most of the virus sites shut down much faster than you or I can.

    But if there's one thing I've learned in the years I've been fighting the IM virus battle, it's that AOL doesn't do a damn thing until it's so huge that they *have* to do something, or the media gets involved enough to make it an issue. I deal with this crap every single day. I create definitions for new virus variants for my AIMFix software, answer hundreds of emails from (usually virus infected) users, and analyze various bits and pieces of the malware themselves. Hell, I've even tracked the authors down to their home address & phone in a couple of cases. It's not like AOL couldn't take care of all of this if they really wanted to. Hell, they could even just pay me to do it full time - I work cheap ;) But the honest truth is that they don't care unless they have to. When it comes to the scale of priorities, welfare of the users hardly even registers for AOL. What matters is revenue, and unless the virus(es) directly impact revenue, they could care less.

    It's often frustrating to me that a relatively minor investment on the part of AOL (and other parties, I might add) could make my life a lot less busy and make the life of a virus writer that much more difficult. It's hard to see dozens of people email me in one weekend because they had their passwords stolen and their account hijacked, or hear from thousands of frustrated and upset people whose computer is suddenly a mess of spyware and ads. I can't even imagine what it'd be like to have your screen name sending out IMs to all of your friends, infecting them with the very same unpleasantness while you sit there helpless. Sure, much of that can be attributed to the end user, but AOL sits in a position to help save a lot of these people from themselves and they just aren't interested.

    -Jay
