Worm With Rootkit Package Loose On AIM 438
Mr0624 writes "According to a recent article on C|Net a new worm is swiftly spreading via AIM to many computers. It delivers a brutal root-kit which bypasses security software and takes control of a PC." From the article: "The worm was spotted in an AOL IM chatroom and infected one of the PCs that FaceTime uses for worm bait. The company said it also has seen the pest hit other computers. 'It is still out there, and it is definitely something the user should be leery of ... The rootkit is designed to not be detected, and that is the scary part.'"
Only Chat room users affected? (Score:5, Interesting)
Re:Only Chat room users affected? (Score:5, Funny)
Re:Only Chat room users affected? (Score:4, Funny)
Some viruses DO run on WINE (Score:3, Informative)
I think this was posted on
http://os.newsforge.com/article.pl?sid=05/01/25/1
Re:Some viruses DO run on WINE (Score:5, Funny)
Re:Some viruses DO run on WINE (Score:3, Informative)
Re:Only Chat room users affected? (Score:5, Funny)
Sure a woman can block pop ups, all she has to do is giggle.
Re:Only Chat room users affected? (Score:3, Funny)
Isn't that the cause of most popups?
Personally... (Score:3, Funny)
And with firefox, you get to touch a mouse, but with a woman, you get to touch a cat. (meow)
Re:Only Chat room users affected? (Score:5, Informative)
Use of GAIM [sf.net] will only prevent propagation of this worm. There are more levels at play here.
The worm is actually installed from a link you would click on from an infected IM. Nothing fancy here, it's just a simple HTML link. Clicking on this link will call up your web browser. What happens here depends on both the browser, patches, browser settings, and you. In IE, it's likely that the executable will just run it. Or, ask you to download/run said file. The latter true for Firefox or Opera as well as IE.
In any case, if your computer runs this executable, the computer in infected and it's game over. BUT, you won't be spreading the worm to others since you're using GAIM. The spreading of the worm depends on the AIM (or AOL?) client running on the computer.
That is until the worm writers also write for GAIM.
Re:Only Chat room users affected? (Score:2)
Re:Only Chat room users affected? (Score:2)
Re:Only Chat room users affected? (Score:5, Insightful)
So yea it's likely to be granted Admin access, and it's likely to be a threat, on the scal of the whole "nasty shit that causes unnecessary network traffic" thing.
Re:Only Chat room users affected? (Score:5, Interesting)
But you know what? I'm not going to be frightened by a worm or virus until someone writes one that works via bittorrent.
IE: The worm is a compact, surreptitious BT/Kademlia client. There are distributions of the nasty part built for Win32, OSX, and Linux, floating on the torrentstream. The nasty part can be any size, and has constantly updated exploit code for numerous pluggable targets (for example, you, as the virus writer, could add a torrented executable for exploiting a new bug in filezilla server, or in Apache, etc.) The virus core would download this and run it on the local machine. It could even be "smart", and detect the target machine's servers before getting and running the exploit. Once the exploit is run at the target machine, it uploads the BT client virus core for the appropriate architecture, and the process starts again.
One could use the usual tools for preventing detection and removal: polymorphic code, torrential code (code that is split on function barriers and resorted in random order on a per-spread basis), multiple copies, Knowing your Permissions (IE: run itself as user X, make user X root/admin, set permissions so that only user X can know the executable and process exist.) Persistent regression (IE: making sure that the executable is in the startup files of the OS) Trojaning, masking (encoding the executable and running itself via a decoder program)
Y'all should be happy I don't write virii. I've been fighting with them so long, I think I'd be pretty good at it...
Re:Only Chat room users affected? (Score:5, Funny)
Re:Only Chat room users affected? (Score:3, Insightful)
Re:Only Chat room users affected? (Score:3, Funny)
Even better (worse), on my old Apple II+ I got a virus that slammed the hard disk head against the casing in a carefully timed pattern to play CHRISTMAS MUSIC from the humming and shaking of my hard drive case!
There's nothing weirder than hearing 'Santa Claus is Coming to Town' coming from your computer and realizing it's not coming from the computer, but from your hard drive which is slowly vibrating it's way off the edge
IE and i.e. (Score:5, Informative)
Took me a second to realize that "IE" meant "id est" and not Internet Explorer. And "id est" means "that is," not "for example," also known as e.g. (exempli gratia).
Handy cheat sheet:
i.e. = id est = that is (not commonly captitalized, or puncuated as an acronym like IE)
e.g. = exempli gratia = for example
There's your pendantic lesson of the day
Re:IE and i.e. (Score:3, Informative)
Now, let me pedanticly correct you. I.e. does indeed stand for 'id est,' but 'id est' do
Re:IE and i.e. (Score:3, Informative)
i.e. = "in effect" ("in other words")
e.g. = "example given"
Just think of it as a handy mnemonic device as opposed to literal translations.
Re:Only Chat room users affected? (Score:5, Interesting)
To answer the parent's question, as long as X person out there has this virus, you are affected, because they can send you the link.
duh (Score:5, Insightful)
ummm isn't that the definition of a root-kit?
How to remove it. The answer. (Score:3, Informative)
This tool is updated almost daily. 100% effective, I can vouch for it. You can become infected if you click the link on non-AIM clients, but it won't spread to everyone else on your buddylist.
Re:How to remove it. The answer. (Score:5, Interesting)
And who are you?
Re:How to remove it. The answer. (Score:4, Funny)
He's TheGSRGuy of course.
Re:How to remove it. The answer. (Score:2)
Re:duh (Score:5, Informative)
(Shamelessly stolen from grc.com)
"What happens is, they essentially modify the way the OS itself works. They're compromising the operating system kernel. You know, in operating system terminology we have the notion of a kernel, which is the OS core. And then you've got applications which run as sort of clients of that operating system. So a program you're running, you know, Corel Draw or Outlook or whatever, that's a client of the operating system. Well, so are the spyware scanners. So when you're running even a spyware scanner, it's saying to the operating system - in fact, for example, there are two API calls that's "find first file" and "find next file." So if you ever want to, like, do a directory listing, you'll say "find first file *.*," and it gives you the first file. And then you successively call "find next," "find next," "find next," until it returns no more files. That's all there is to it. So that's - so anything that's scanning your system is basically doing that.
Well, imagine if something altered the way the "find first" and "find next" operated, so that it was intercepting the response back to you, out of the operating system, back to any application that was asking, so that if it was about to report one of its own files, it would call - it would say, whoops, and call "find next" again on your behalf, skipping over that file. Suddenly any program running on the operating system will not see any of those stealthed, rootkitted files. They just disappear. "
link
http://www.grc.com/sn/SN-009.htm [grc.com]
Re:duh (Score:5, Interesting)
Explaining about api's only makes you look incompentant if your an It professional because your not speaking down to their language to build confidence.
I had a rootkit last month. Nothing could get rid of it but a full fdisk/mbr where I lost everything. It was MBR based and would append itself when running windows which made it nearly impossible to delete.
Watch as spyware makers do this in the future to prevent anyone from deleting their wares.
FDisk in 2005? (Score:3, Informative)
It's 2005 and you only tried FDisk? There's a number of free boot record editors that could have fixed anything. There is no rootkit that I know of that is based out of the MBR the way the old Pakistani virus did to Apples. If I have a customer who needs data recovered off a rootkit infected computer I
Re:FDisk in 2005? (Score:3, Insightful)
Re:FDisk in 2005? (Score:4, Informative)
Re:duh... damn (Score:3, Funny)
> install a rootkit".
I expect that would work fairly well.
Re:duh (Score:3, Interesting)
http://www.catb.org/~esr/jargon/html/R/rootkit.ht
Apparently "rootkit" will be the next malware term to be misused after crossing over to the Windows world.
Who of us actually would click... (Score:4, Funny)
Re:Who of us actually would click... (Score:5, Insightful)
Re:Who of us actually would click... (Score:3, Funny)
Re:Who of us actually would click... (Score:5, Insightful)
the vast majority of internet users are not idiots -- they are merely undereducated about computers and the internet.
my nice response to your comment is that you should try to appreciate that not everyone has the time, energy or will to learn computers to the extent that you or i have.
my mean response is as follows: i have a theory. kids start out life talking about how they want to be astronauts, or the president, or teddy bruschi.* they see a vast world of limitless possibility and imagine themselves filling up an enormous space within it. as people age, they start to realize that they most likely won't be a michael jordan or a bill gates, and their response is not to be content being a small fish in a big pond -- it's to reduce the size of the pond that is 'important'. so, i, for example, work in politics. it's easy for me to see the political world i inhabit as the most important thing locally, or even in the world, and to feel very self-important as a result. many users on slashdot see the world of tech as the pond. or their own i.t. departments. people reduce the scope of the important world, until they are a big fish. i call this, uncleverly, 'resizing the pond'.
i posit that you are resizing the pond. and, further, that you shouldn't.
</self-righteousness>
* don't know who this is? there are people who would call you an idiot if you didn't.
Re:Who of us actually would click... (Score:4, Insightful)
"Hey, you don't know me, but I just KNOW you'll love what I have in this box. Go ahead, take it home and open it."
Trusting complete strangers isn't a mark of techno-ignorance, it's a mark of idiocy.
Hey kid, want some candy? (Score:5, Insightful)
Most people just don't make the mental connection that they could click on a link -- something they do pretty often and usually without incident -- and cause serious harm to their computer.
I vote that it's more ignorance (to a certain degree self-imposed, because a lot of people could understand a lot more about their computers if they wanted to, but simply choose not to) than a lack of ability or mental capacity.
Re:Who of us actually would click... (Score:4, Insightful)
second, trusting complete strangers is a mark of being able to function in society. when you leave the house, do you need to ensure that everyone driving down the street is a friend or acquaintance? when you go to a restaurant, do you get background checks on the staff? from whom did you buy the aluminum foil to make your hat? mom?
Re:Who of us actually would click... (Score:4, Insightful)
I think part of the problem--and nothing earth-shattering here--is that people still think of PCs as a regular appliance. I know people who think of websites the same way they would think of turning on a TV show. If a friend tells you to turn on a station, nothing bad could happen to the TV. They tend to think the same of a website.
Now, the question is whether people who get infected learn their lesson...that's what I'd like to see. Anyone know of any studies or such related to that? Do people take security more seriously once it happens? You'd think so, but we all know people who went back to using IE after we install Firefox/Opera/other because the Flash games wouldn't work.
Re:Who of us actually would click... (Score:2)
I doubt it. Most really clueless people will never know that their PC has been rooted, they'll just eventually notice that it's slower than crap (because it's saturating their 1Mb/s cable modem line with packets as part of a DDoS attack) and when it finally becomes unbearable, call GeekSquad or take it down to CompUSA to have it reformatted.
Then they'll start using it again, eventually become re-infected, w
Re:Who of us actually would click... (Score:5, Insightful)
Re:Who of us actually would click... (Score:3, Insightful)
What strangers? The links come from people that have you on their buddy list.
Re:Who of us actually would click... (Score:2)
* don't know who this is? there are people who would call you an idiot if you didn't.
You mean Tedy Bruschi, surely. Excellent points otherwise though.
Re:Who of us actually would click... (Score:2)
Re:Who of us actually would click... (Score:3, Insightful)
Maybe the vast majority of internet users should take the little bit of time to appropriately learn about computers and the internet. I'm not saying everyone who uses a computer should be system admins, but I don't thi
Re:Who of us actually would click... (Score:2)
"YES!!!! (link next to it, just like a pasted url)"
She says "yes!!" just like that, so my gut feeling was that she found something cool online. Fortunately, I thought better of it when I saw that it was a
Another time I actually did click on one of those, due to the fact that I was really quite groggy (computer was right next to bed, and I just had been woken up). I
Re:Who of us actually would click... (Score:5, Funny)
You cheated, there was no link in your post. I have been clicking on the post for last 10 min, nothing happened.
Re:Who of us actually would click... (Score:2)
Add a little to it and.. (Score:2)
Add on
"Jenny got drunk and decided to stripteaze!!"
and I bet alot of "us" would...
Tm
Re:Who of us actually would click... (Score:3, Interesting)
The sad thing is, people do! And not only do they click the link pointing at some odd site, they download a file, and execute it!
There was an AIM trojan similar (but not the same, I believe) that got circulated to me (by a few of my 'friends') this last week. It's text was something like, "check out these kewl pics of me!" Now, if anyone I know said "kewl" that'd instantly throw red flags. (And still, I got that same IM
Re:Who of us actually would click... (Score:3, Informative)
How did you know that it didn't dial home? You said you had no security and no anti-vi
*yawn* (Score:3, Interesting)
Designed not to be detected - as compared to...? (Score:5, Insightful)
You can often judge the quality of the articles linked to by
As compared to the one with the alert box? (Score:3, Insightful)
I'll bet that there are a lot of people that would just click on through for what ever the carrot is, screen savers, free porn, or whatever...
Re:As compared to the one with the alert box? (Score:4, Funny)
Re:Designed not to be detected - as compared to... (Score:3, Insightful)
And your hoping for competence???
Um... (Score:4, Insightful)
So
Noteworthy tools (Score:5, Informative)
Hopefully Microsoft's project [microsoft.com] that hasn't been released yet will show up soon. They also have a few hints to detect rootkits installed on a system including two Slashdot [slashdot.org] links [slashdot.org].
Hooray for AOL.
Re:Noteworthy tools (Score:5, Funny)
Re:Noteworthy tools (Score:2)
Surely, but (from experience) they also like easy ways to fix it. Especially if it can amount to popping an autorun CD in and just letting a script run.
Old.. (Score:5, Informative)
Re:Old.. (Score:3, Funny)
Is this a duplicated post. I am sure I read this in 1995
Re:Old.. (Score:2)
The problem is that most of the users on the Internet would have a hard time putting half a brain together between them.
Intelligence in the Universe is a constant. The population is growing. You do the math if you can.
There should be a project created that is designed to catch idiot users. If they are caught clicking on links in unsolicited emails/IM sessions, buying things from spam, or replying to 419 sca
Re:Old.. (Score:5, Insightful)
Rule #1 when dealing with rootkits (or other break-ins)... The system can no longer be trusted. That means any and all executables on the system are suspect (including System Restore functionality) and may have been tampered with.
On a unix/linux box, that means shutting the system down and booting from read-only media that cannot be tampered with. Then you use tools that are only on the CD/DVD to investigate the system and find out what files have been changed / corrupted / hijacked. This is where tools like Tripwire come into play (or simply using fingerprinting tools like md5sum and doing a diff between two sets of signature files).
On a Windows box, you're better off with a format and re-install from CDs. Or, if you thought ahead and created a disk image using Knoppix, you could restore using that image. (Be sure that it's an image that you know is clean.)
Luckily for you, it sounds like the worm that you dealt with was apparently not very sophisticated. But how can you be sure that you've removed that rootkit from the system? And who's to say that the next one won't interfere with System Restore?
Never assume that worm writers are stupid. Don't assume you can outsmart them. However, most of the time (unless you are a specific target), worm writers are looking for the biggest return for least effort. So a worm that infects the majority of hosts is enough and they will not bother writing the code to infect the rest.
IOW, if System Restore functionality begins to have a significant impact on infection rates, you should plan on System Restore functionality being broken by future worms.
In summary:
- Backup your data files regularly.
- Boot a Knoppix CD/DVD and fingerprint your system regularly for a baseline to compare against at a future date.
- Use that Knoppix CD/DVD to create snapshot images of your currently working (and uninfected) system.
- If you're infected / invaded, assume that you haven't found everything and will need to rebuild the system from scratch.
(Yes, I've fought off a rootkit once. It was a real pain.)
Re:A couple of hours? (Score:3, Informative)
It was a ver
When everyone runs as root already (Score:2, Insightful)
Re:When everyone runs as root already (Score:3, Informative)
Despite the fact that the \Documents and Settings\username folder exists, some developers choose not to use it,
Root kits (Score:5, Funny)
As opposed to those root kits that are designed *to* be detected? Damn it, thinking again instead of being scared into buying something. Really need to work on that...
Wow... (Score:2, Insightful)
Re:Wow... (Score:3, Informative)
Administrator privs on windows is pretty much "root" as far as users are concerned *but* there is a higher level of privs. The SYSTEM user, which has a complete control (iirc, and I might not cos it's 4:30am here) it's near enough acting like the operating system as makes no difference.
rootkits tend to get themselves to SYSTEM privs
malware social engineering (Score:3, Insightful)
The bigger point is that malware need only become better at social engineering to convince most people not to ask. If the worm sent two messages -- one with the link and a second one with a friendly confirmation ("Hope you liked that link. See you later."). This could easily convince many people that it was a trusted link from a trusted source. By the time they actually talk to the friend (if they do) and mention it, the friend will deny sending anything, the infected person will check their PC, find no evidence of an infection and just be puzzled by the exchange. But it will be too late.
Yes, some people might still ask or be suspicious. But infectious malware needs only to succeed with a very small % to create a very large and valuable botnet.
Well... (Score:5, Funny)
As opposed to the usual kind and gentle root kits, I suppose?
Isn't that part of what makes a root kit?
Ad Nauseam (Score:2, Insightful)
One worm does not a trend make.
Isn't this the actual point of any worm/virus/etc. To not be detected so as to be able to do what it's supposed to do. Haven't these things been doing this even before the 90's... really since the beginning.
This is just more typically stuff.
Just curious (Score:3, Interesting)
Why with anyone write a chat program where you can install (and obviously run) a program just by clicking on a link?
Besides that, in Windows isn't there a way to run programs (like chat) as an innocuous (nobody) user limited only to that user's home directory and with limited write capabilities?
What gives?
'Rootkit' detection (Score:2, Informative)
Re:'Rootkit' detection (Score:2)
Spyware Included (Score:2, Interesting)
The worm also places several spyware and adware applications, including 180Solutions, Zango, the Freepod Toolbar, MaxSearch, Media Gateway and SearchMiracle, the company added.
So, would you like some spyware with your virus at no extra charge? I know this is fairly common, but does this imply that the people that make the viruses are the same ones that make the spyware we have grown to know and love? It seems that the line between "spyware" and "malware/viruses" gets more blurry every day.
Re:Spyware Included (Score:2, Interesting)
That's how it's usually done with malware nowadays - the authors of spyware typically don't care who is installing their crap on peoples' computers or how they're doing it. A worm author (or just someone releasing it) can sign up for an account with these spyware companies, and simply make sure the account is referenced when the spyware is installed on an unsupecting victim's machine
Re:Spyware Included (Score:2)
> that make the viruses are the same ones that make the spyware we
> have grown to know and love?
No, just distributors for them.
been here before (Score:4, Interesting)
silly AOL, will they ever listen?
About the rootkit (Score:4, Informative)
This looks like the same worm a friend of mine got a few weeks ago. I loaded it up in VMWare and discovered that it installed, among other things, the "FU" rootkit [rootkit.com].
I took a rootkit class at this year's Black Hat Training from the guy who wrote FU. He pointed out that it's more of a proof-of-concept rootkit. It does allow you to hide files, registry keys and drivers from both user-mode and kernel-mode processes, but, it really doesn't go out of its way to hide itself from every possible angle, so detection (and thankfully, removal) wasn't that bad.
I was able to whip up a little app to fix it from within Windows. But had the worm's author actually expanded on FU's techniques and done a better job of hiding the rootkit, recovery would not have been as nearly as easy. (Just imagine how much fun would it be to talk a novice through Windows XP's Recovery Console!)
Once the worm authors start to get better at exploiting the potential of rootkits, we've definitely got a much better problem on our hands. The old "1. get infected, 2. run anti-virus to disinfect, 3. repeat" cycle just won't work anymore. Good luck even finding a well-implemented rootkit once it's in your kernel, let alone trying to clean it up while it's effectively able to veto every action you take.
(Yet another reason why no Windows user should run as an Administrator.)
Re:AIM client, or AIM protocol? (Score:3, Informative)
Re:AIM client, or AIM protocol? (Score:5, Interesting)
At least this is how several other IM viruses have been spread. I noticed that just this weekend I got several IMs from people that I haven't talked to in years (but who apparently still have me on their lists) which were nothing but links to
One of them was being hosted at this address:
http://home.earthlink.net/~two4tea/mc-110-12-0000
And I didn't get the other URL that was going around. I downloaded the file and opened it up in a hex editor just out of curiosity (I'm on a Mac so it wasn't possible to execute anyway), but there didn't seem to be any obvious text strings or anything.
What I wonder is how the file got up on that web site to begin with; it seems rather farfetched to believe that a virus could find out that someone has a Earthlink web page and upload itself, then send out that link, which makes me think that the person spreading the virus probably planted it there after somehow gaining access to the account, and then letting the version of the virus which points to that URL out. When the linked file is removed the virus stops propagating, but by then has already spread and nabbed a few unwary users. Unless the program has the capability of 'phoning home' to get the URL of the latest location to send out to everyone, that is. The file was a few hundred KB, so I suppose it's entirely possible that it has that capability; you could fit quite a bit of code into something like that.
Not really my area of expertise, but perhaps someone who knows something more can elaborate on how these things work?
Re:hah (Score:4, Insightful)
Re:hah (Score:3, Informative)
Shiny Red Button (Score:2)
Don't press the Shiny Red Button!
Re:Example (Score:2)
Think it's safe?
Re:Example (Score:3, Funny)
Re:Example (Score:3, Funny)
Re:Example (Score:2)
Re:Updated my client ... and (Score:2)
Fortunately, Mac OS X 10.4 broke the networking config in my virtual Windows instance, so the machine will be pretty safe from outside intrusion even after the rootkit is installed.
Re:Updated my client ... and (Score:2)
But not if you've undone Connectix/MS's collective stupidity and associated
Re:Why aren't they prosecuted? (Score:2, Insightful)
Make it unprofitable for businesses to use these tactics and the tactics will go away, or at least be less prevelent.
Re:Why aren't they prosecuted? (Score:3, Insightful)
Now 180solutions could invoke the terms of their affiliate agreement and freeze payments to the scumbags that install this software on the sly. Of course that's no consolation to the consumer that gets stuck with that adware/spyware on
Yahoo.com and Google.com (Score:5, Informative)
How many people still use .com files anyway?
Yahoo.com, Google.com, Fark.com, News.com.com... Windows stores Internet shortcuts in files with the .url suffix, but even when you have "hide file extensions" turned off, Windows still hides the .url suffix, making it nearly impossible to distinguish Google.com from Google.com.url in icon view and difficult in any other view. The little arrow in the corner doesn't mean much, as the Google.com file could contain an icon with the arrow already drawn inside.
Re:Yahoo.com and Google.com (Score:4, Informative)
Tools/Folder Options/File Types/URL/Advanced/Always show extension
Alternatively, you can edit the registry and create the following key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShor
"AlwaysShowExt"=""
Re:Looks like... (Score:3, Insightful)
Oh, you mean alternative OSs like LINUX for which NO [theregister.co.uk] rootkits [nai.com] exist [sourceforge.net]?
Re:Looks like... (Score:3, Insightful)
That'll happen about the time stupid assholes quit recklessly dishing out mod points.