Fully Automated IM Worms on the Way?

nanycow writes "The sudden appearance of a rootkit file in a spyware-laden IM worm attack has set off new fears that malicious hackers are sophisticated enough to launch a fully automated worm attack against instant messaging networks. Researchers say the stage is set for a worm writer to use an unpatched buffer overflow in an IM app to unleash a worm that is capable of infecting millions of users without the use of malicious URLs that require a click."
  • Jabber! (Score:2, Funny)

    by caluml ( 551744 )
    We need to use Jabber. It will prevent against things like this. Oh wait. It won't. Still, use Jabber anyway, for it is Open Source goodness.
    • Re:Jabber! (Score:3, Insightful)

      I was actually going to suggest the same thing. AFAIK, it's not the IM protocols that are insecure to the point of allowing worms to propagate, it's the client. Jabber is a standardized protocol, allowing for a multitude of different clients.

      Different clients are unlikely to share the same vulnerabilities, so, with a wide variety of clients in use, you're not going to have one single worm that can infect a huge portion of the network.
      • "Different clients are unlikely to share the same vulnerabilities, so, with a wide variety of clients in use, you're not going to have one single worm that can infect a huge portion of the network."

        On top of that, the likelihood of a community-created response to the worm or vulnerability is pretty high when the project is a popular open-source one. I'd expect the same of GAIM, for example. I've also noticed that those who run open source are more likely to actually take care of their computers before
  • by spencerogden ( 49254 ) on Tuesday November 01, 2005 @10:47AM (#13923193) Homepage
    How is this any different from any other service attached to a port on your computer? Whenever a listening program has an overflow vulnerability there is the potential for "A fully automated worm." Granted there is a lot of IM software out there, but there have been plenty of ports and services on Windows that have been exploited in a fully automated way in the past. At least IM software is a _bit_ more heterogeneous than Windows.
    • by trezor ( 555230 ) on Tuesday November 01, 2005 @10:59AM (#13923290) Homepage

      Basically it says "People are using IM. Buffer overflow in IMs is like any other buffer overflow also bad".

      May I say "Duh"?

      • Why on Earth would an IM application, which is essentially a "client" application, maintain open ports, listening, service-style?

        And if there really is some essential functionality that depends on such open ports, wouldn't one hope they were implemented FTP-style ie. open them randomly and tell the other party what they are via outgoing connection?

        And if the above is true, how can a remote host cause a crash? It shouldn't be allowed to connect to my IM client just like that. There shouldn't be anything to c
    • by ColaMan ( 37550 ) on Tuesday November 01, 2005 @11:00AM (#13923300) Journal
      At least IM software is a _bit_ more heterogeneous than Windows.

      In this case it doesn't really matter.
      Consider an exploit that can get the buddy list out of MSN for example.
      Now as most IM's only have one client used by the bulk of people, it becomes trivial to send a copy of the exploit to each person on your list and have a high proportion of them become infected, to progress outwards to friends
        geometrically (unless you have no friends)

      This is a hell of a lot more successful than your usual pick-a-random-ip-and-hope-it's-exploitable method.
    • by xtracto ( 837672 ) on Tuesday November 01, 2005 @11:02AM (#13923317) Journal
      I think an important point to note is the number of users (more than 195 million users according to Wikipedia [] [i know, i know... maybe it was better to get the number from my ass]).

      And yet worse, unlike other software which keeps open ports, Messenger software has the slight property that its users do not know a lot about computers to take precautions.

      About heterogeneity, it would be nice to see if the "attacked because it is the most used" argument of MS Windows holds here. IIRC AOL IM is the most widely used messenger. Which one will get more viruses?? AIM? or MSNM? place your bets!
    • by cowscows ( 103644 ) on Tuesday November 01, 2005 @11:03AM (#13923328) Journal
      It's not entirely different, but it's still interesting. Partially because a lot of people are running IM clients. Also interesting is the fact that an IM client generally has a built in list of other vulnerable machines, via a buddy list. Having this list of people could be pretty handy if the worm can manage to spread through the IM protocols themselves, since it could allow infections to spread without relying on sending out masses of random traffic looking for vulnerable machines. That could just make this sort of thing that much more efficient and harder to detect, because the offending traffic might not look all that different than normal IM chatter.

      But then again, I don't know much specific about how this all is supposed to work, so I may be wrong.
    • In most cases, those services you mention should never have been exposed to the internet in the first place. IM services, in contrast, generally have to be to be of any use; you can't just hide them behind a firewall.
    • I'm not sure that comparison is completely accurate... for a worm to spread using a Windows service, it must first find another computer on the network or Internet that has the necessary security vulnerability. Then it must be able to make a connection to that host's open port(s) through whatever NATs and firewalls may lie between the two computers.

      NATs and firewalls, a road block for most computer worms, are also a problem for IM systems. Centralized systems like AOL's AIM get around the issue of compute

  • Infection (Score:4, Interesting)

    by kevin_conaway ( 585204 ) on Tuesday November 01, 2005 @10:49AM (#13923206) Homepage
    Is it me or did the article not really explain how the users can become infected without some sort of user interaction? If not, I think the best way to combat this is user education. I know AOL IM can send out "system" instant messages that could be very useful in telling people to avoid these links.

    It glosses over good old fashioned buffer overflows, but not much else. Then again, what else do you need? :)
    • Re:Infection (Score:5, Insightful)

      by LordSnooty ( 853791 ) on Tuesday November 01, 2005 @10:55AM (#13923257)
      AOL IM can send out "system" instant messages that could be very useful in telling people to avoid these links.
      I do hope you are being humorous, they are exactly the kind of unannounced "system" pop-ups which can lead to user confusion & miseducation at best, or system infections at worst. Think of Windows Messenger - not IM - with its "you are leaking your address onto the Internet!". Or think of web banner pop-ups masquerading as OS messages. It's no surprise the average user has no understanding of what's a real message and what's malicious.
    • Re:Infection (Score:5, Informative)

      by Red Flayer ( 890720 ) on Tuesday November 01, 2005 @11:07AM (#13923355) Journal
      From the summary:

      "Researchers say the stage is set for a worm writer to use an unpatched buffer overflow in an IM app to unleash a worm that is capable of infecting millions of users without the use of malicious URLs that require a click."

      FTA "'We've already seen documentation for some serious code-execution vulnerabilities in IM applications. If you put it all together, you'll see we're not that far away from an automated IM attack where infections don't require the user to click on anything,' Wells said."

      User education won't help if propagation occurs without any action by them.
  • by jurt1235 ( 834677 ) on Tuesday November 01, 2005 @10:50AM (#13923217) Homepage
    No social engineering by seducing (l)users to click on a link. Real viruses [] multiply themselves!
    So what is the issue with this?
  • Very infectious. (Score:5, Interesting)

    by Poromenos1 ( 830658 ) on Tuesday November 01, 2005 @10:50AM (#13923218) Homepage
    If you take into account the Small world phenomenon [], this means that these worms will infect everyone in the world in at most six or seven hops.
  • Workplace (Score:5, Insightful)

    by GoodOmens ( 904827 ) on Tuesday November 01, 2005 @10:51AM (#13923226) Homepage
    It's a shame that AIM is so widely used in the workplace even though it is so vulnerable
    I know our IT department frowns upon it but walking around you still see it used ....
    It's only a matter of time until something like this comes out that has the potential to severely damage both corporate and private networks ....
  • by putko ( 753330 ) on Tuesday November 01, 2005 @10:55AM (#13923255) Homepage Journal
    This particular payload is awful -- automated rootkit install.

    Maybe one day we'll get a series of destructive worms that will render hardware unusable (e.g. no boot, disk overwritten, fan turned off and processor cranked up to do permanent damage, boot flash cleared) -- resulting in successive waves of hardware replacement.

    I talked to a guy at a computer store about the aftermath of a worm that cleared the bootflash -- they sold so many new computers!

    At that point, I figure Micr$oft will be in big trouble; after you buy your fifth motherboard in a row (and try to recover your data) after "Bukk@keB1ll" versions A through X hit you, you'll consider getting a Mac so you can get work done.

    • by antifoidulus ( 807088 ) on Tuesday November 01, 2005 @11:34AM (#13923563) Homepage Journal
      If you take nature as a model (tenuous at best) then actually the MOST virulent viruses are the least likely to cause pandemics. Why? Because they burn out so fast the victims aren't nearly as likely to spread them. Take ebola for example, it's a horrible virus but it killed its victims so quickly it never spread very far outside of Africa. That is why they are concerned about the fact that the bird flu this time around is killing LESS people, gives it more of a chance to mutate and become wide-spread. Remember the Spanish Influenza that killed so many people only had a fatality rate of around 5%.
      No, the sneakier viruses won't ruin your box, they will just sit there and gather information. I would much rather have my email and personal documents destroyed than have them read. Even if you read them then destroy them, I know they have been compromised and can take whatever steps deemed necessary to mitigate my risk. The most sinister viruses would just read and transmit them without me ever knowing.....
      • That's easy.
        1. Send copy of self to everyone on friends list
        2. Destroy computer
        3. Carnage!

        Seriously, I reckon a self-propagating IM worm with a destructive payload could probably take out most of the population of said IM network that was online at the time of launch. Add (say) a 5-10% chance that any given PC won't be destroyed (in order to leave some to reinfect the network), and possibly a time delay between steps 2 and 3, and you'd be talking really nasty.

        Just my $0.02

      • by cr0sh ( 43134 )
        However, computer viruses have an ability that biological viruses don't:

        Near-instantaneous worldwide communication.

        I can easily foresee the creation of a virus that does nothing but spreads, quietly and innocuously. Via rootkits and other methods (polymorphism, etc), it could spread and likely not be detected over the course of the infection. Each virus infection would have a counter, so that once the n-th infection has occurred (where "n" is some large number - say 1 million), that virus would send out a q

  • by grasshoppa ( 657393 ) on Tuesday November 01, 2005 @10:56AM (#13923265) Homepage
    Gee, wiz, a "fully automated" worm using a different attack vector.

    Let me ask you something, what *doesn't* constitute a "fully automated" worm? Was there some guy in a back room somewhere, individually infecting people with Code Red?

    And IM services are hardly a new vector. If anything, this story should be about how long it has taken these people to figure out that services like AIM and ICQ are used by people with little or no computer knowledge, who will randomly click on things. You know, sorta like email. That's the real new nugget out of all of this, and hardly worth the two pages of ads to read about.
    • by Red Flayer ( 890720 ) on Tuesday November 01, 2005 @11:13AM (#13923389) Journal
      "Let me ask you something, what *doesn't* constitute a "fully automated" worm? "

      Any worm that requires the user to click on a link in order for the worm to propagate. The scary thing about this class of worms is that it installs a rootkit without activity from a user, so the only rate-limiting step in the infection cycle would appear to be buddy lists. So, you're on someone's buddy list... you get infected without taking any action. Then, boom, all your buddies are belong to them. &c.

      Educated users know better than to click just any link they see -- we depend on that to limit propagation. But it doesn't apply here.
    • Let me ask you something, what *doesn't* constitute a "fully automated" worm?

      Unfortunately, we've long since stopped being clear on the distinction between "worms", "trojans", and "viruses". (Actually, I'm not entirely clear on the difference between worms and viruses myself. Wikipedia draws a distinction between the two.) But many things that are called "worms" require some sort of user intervention in order to run.

      For example, the "Loveletter" worm is called a worm, and it wasn't fully automated: it dep
    • Let me ask you something, what *doesn't* constitute a "fully automated" worm? Was there some guy in a back room somewhere, individually infecting people with Code Red?

      "Pay no attention to that man behind the firewall. I am the great and powerful Code Red"

  • by Anonymous Coward
    With new hardware and operating systems supporting NX (no execute), wouldn't the effects of a buffer overflow be minimized? I may be crazy, but I thought that this was the entire point behind NX.
    • NX doesn't help anything. It's trivial for an attacker to overwrite the return address with one that points to code that's in an executable section. For example, instead of injecting his own code to 'rm -rf /' (which NX might stop), he can just call the execv (that's already in the program and executable) and feed it 'rm * -rf'. This does require a bit more work, but it's pretty simple to inject text into an IM client (just send the user a few IMs -- "rm" "*" "-rf" -- and your strings are in the program)
      • NX doesn't help anything. It's trivial for an attacker to overwrite the return address with one that points to code that's in an executable section.

        That depends on what the OS does with the NX bit, and what other preventions are in place. On OpenBSD the NX bit is just another piece of a puzzle to make the OS harder to exploit. Incidentally, on OpenBSD it's not trivial to overwrite the return address the way you suggest.

  • Simply IM me at w0rMzH0seTer and I'll give you all the details...
  • by G4from128k ( 686170 ) on Tuesday November 01, 2005 @11:13AM (#13923386)
    This rootkit hides itself from the user and anti-malware. Why should any software be allowed to run invisibly? I really want to know.

    It seems to me that a well designed OS should NEVER let a piece of code be invisible. There should be some part of the OS that knows what is running, what invoked it, what file it came from, etc. A well designed OS would know the provenance of every segment of code. This information should be read-only to anything outside of this protected monitoring function. Thus ALL running code would be visible to the user and anti-malware software. And if you add hash-code locks on installed software, then malware wouldn't be able to masquerade as some other normal bit of code or damage anti-malware apps. Malware could still hide in a user-downloaded software, but the tracking function would aid the detection and removal of any unwanted code.

    Is there ever a good reason to let software be invisible?

    • "This rootkit hides itself from the user and anti-malware. Why should any software be allowed to run invisibly? ...It seems to me that a well designed OS should NEVER let a piece of code be invisible."

      The point of a rootkit is that it alters the behaviour of the OS. Sure, a pre-rootkit kernel wouldn't have let just any code run. But once the rootkit gets in (one way or another), it alters the OS's behaviour. Just like the Sony audio CD rootkit (mentioned in a previous Slashdot article) alters the behaviour
    • It's not actually hidden to the OS, it's hidden to the user, and yes, there are many good reasons to let software be invisible to a user, I agree though that there should be an easier way to audit processes as the super user.
    • So, you want to create a Function entry point to return a table of ULTIMATE_PROCESS information.
      What do you think happens when some miscreant (with root access) replaces that jumppoint in memory with one of his own UTLIMATE_PR0CESS function?
      Remember, we are not talking about ROM systems here, all system commands are loaded into RAM.

      Consider a much simpler situation:

      You use the dir command to list the contents of a folder.

      Somebody could replace that command on disk with a dodgy one that runs the original dir
    • by SSalvatore ( 666913 ) on Tuesday November 01, 2005 @12:11PM (#13923876)
      That's the beauty of rootkits. They modify the normal operation of an OS; yes, even one that does not allow "invisible processes" (to give it some name). Here is a short and informal explanation (where there is probably an accuracy compromise for simplification purposes):

      At a user level, to "see" a process, you would open the task manager (Windows) or use the PS command in Unix. But you must note that these are merely applications that ultimately make a call to a OS level API and request this information; then they display whatever this API returns them.

      The OS level API is just a piece of code that will have access to the internal OS data structures that hold the information for the processes. This code would piece together a response with the processes names, etc. and return this "list".

      So, what would happen if I go and modify the code that pieces together this list of processes and omit the "worm.exe" process every time? Well, that's pretty much a rootkit virus strategy.

      The result is that you wouldn't be able to see the process anywhere. Any program that uses this OS API call would not see the process, be it ps, the Task Manager or an Antivirus.

      So . . . why not provide every program with direct access to the running process structures so that they can "see" all the information there and "figure out" by themselves whether there is a virus or not.

      Well . . . that's a disaster from a security standpoint since it would provide an avenue for viruses to exploit. And this "direct access" is never direct, it is always through another OS API that may in turn be modified to hide the virus . . .

      So . . . why not scan the disk? I mean, the virus must be stored somewhere if it will run.

      Well . . . file access is done by an OS call that may be modified to hide the virus.

      So . . . why not build an OS module that performs a CRC check and makes sure that the OS APIs have not been modified?

      Well . . . this too can be modified not to include the file that you infected in the first place.

      So . . . why not make OSs "unmodifiable".

      Well . . . how would you then install it in the first place? (that is pretty much a modification) or install security updates? (that's another modification).

      So . . . Well . . . ad infinitum.

      I think I made my point.

      Anyways, the bottom line is that you can only do all those modifications *if* you have privileges to modify system files. You have to have "root" access for that. So once you have broken the security of an OS to the point where your virus can modify OS system files, you are pretty much doomed.

      Ideally, the solution is a secure operating system, where regularly you run your user programs with an account whose privileges do not include modifying OS files and any processes that you start cannot breach that security (again *ideally*). You would only use the root account to do OS installs and updates (if the virus gets you while you are at it, you are doomed again, so shut down AIM!).

      That's why Windows is so dangerous, because the normal XP user is running with an Administrator account (similar to having root privileges), so any application that is infected can potentially cause a root-level infection.

      And then, no matter how much you program securely, the missing piece as usual is education. At some point, even in the ideal OS, the user would have to log in with the root account to do OS changes or at least explicitly authorize in some manual way the modification of system files (that would be my choice just to make things easier to learn for everyone in the real world).
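The "omit worm.exe from the list" scenario above is what cross-view detection targets: take the process list from the hookable API, take it again from a second path the rootkit may not have patched, and diff the two. The following C program is an added example (not code from the post or from any real OS); the process table, the "hooked" enumerator and the raw scan are all constructed stand-ins for a real kernel.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the kernel's process table. A real kernel keeps
 * this in protected memory; this array only models it for the demo. */
typedef struct { int pid; const char *name; } proc_entry;

static const proc_entry PROC_TABLE[] = {
    { 1,    "init" },
    { 412,  "explorer.exe" },
    { 913,  "aim.exe" },
    { 2048, "worm.exe" },      /* the process a rootkit would want hidden */
    { 3301, "antivirus.exe" },
};
#define PROC_COUNT (sizeof PROC_TABLE / sizeof PROC_TABLE[0])

/* The "official" enumeration API that ps / Task Manager / an AV would call.
 * hide_name models the rootkit hook the post describes: matching entries
 * are simply left out of the answer. Pass NULL for an unhooked API. */
size_t enumerate_processes(const char *hide_name, int *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < PROC_COUNT && n < cap; i++) {
        if (hide_name && strcmp(PROC_TABLE[i].name, hide_name) == 0)
            continue;                        /* hooked: omit the worm */
        out[n++] = PROC_TABLE[i].pid;
    }
    return n;
}

/* Second, independent view: walk the raw table directly, the way a
 * cross-view detector reads kernel structures or brute-forces PID space. */
size_t raw_scan_processes(int *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < PROC_COUNT && n < cap; i++)
        out[n++] = PROC_TABLE[i].pid;
    return n;
}

/* Cross-view diff: every PID present in the raw view but absent from the
 * API view is reported as hidden. Returns how many PIDs were written. */
size_t find_hidden_pids(const int *api_view, size_t api_n,
                        const int *raw_view, size_t raw_n,
                        int *hidden, size_t cap) {
    size_t found = 0;
    for (size_t i = 0; i < raw_n; i++) {
        int seen = 0;
        for (size_t j = 0; j < api_n; j++)
            if (api_view[j] == raw_view[i]) { seen = 1; break; }
        if (!seen && found < cap)
            hidden[found++] = raw_view[i];
    }
    return found;
}

/* Run both views with an optional hook installed and return the number of
 * PIDs the hook hid; 0 means the two views agree. */
size_t hidden_count_with_hook(const char *hide_name) {
    int api[16], raw[16], hidden[16];
    size_t api_n = enumerate_processes(hide_name, api, 16);
    size_t raw_n = raw_scan_processes(raw, 16);
    return find_hidden_pids(api, api_n, raw, raw_n, hidden, 16);
}

int main(void) {
    int api[16], raw[16], hidden[16];
    size_t api_n = enumerate_processes("worm.exe", api, 16);
    size_t raw_n = raw_scan_processes(raw, 16);
    size_t h = find_hidden_pids(api, api_n, raw, raw_n, hidden, 16);
    printf("API view: %zu processes, raw view: %zu processes\n", api_n, raw_n);
    for (size_t i = 0; i < h; i++)
        printf("hidden from the API view: pid %d\n", hidden[i]);
    return 0;
}
```

The limit is exactly the one the post spells out: the diff only reveals something while the detector still has one path the rootkit has not patched. Once the raw scan goes through a hooked call too, both views agree and the worm stays invisible, which is why offline scans from boot media remain the fallback.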

  • I've been looking for some time for a OSS based transparent filter that would scan for viruses/malware on IM ports. It would alleviate a lot of these problems, anyone seen or heard of anything like that?
  • Another vector. Big deal....move along...nothing more to see here. g2g..just got an IM from "37337Hax0r 06" gotta see what this dude wan...shi.uh.oh........
  • by rizzo420 ( 136707 ) on Tuesday November 01, 2005 @11:35AM (#13923575) Homepage Journal
    i think a bigger part of the problem, and hopefully this will open their eyes, is that thus far, the big anti-virus companies (symantec and mcafee) will not include IM worms in their definitions. this means that even if you have the most up-to-date windows security patches, and the most up-to-date anti-virus software, you can still be infected by the IM worm. i don't understand why they won't include them as they are, in my opinion, just as dangerous and propagate on their own just like normal email viruses. i deal with the "AIM virus" on a near-daily basis. i keep sending people to download AIMFix []. this guy is getting some serious hits to his site, and he's not getting paid for it... these are real viruses, since the definition of a virus is that it gets onto your computer and propagates on its own. this just doesn't use traditional means (email, network ports). even if you uninstall instant messenger, it's still there waiting to send itself to everyone on your buddy list.
    • Thanks for the plug :)

      I've been somewhat disappointed with how badly the mainstream antivirus companies have handled most of the IM outbreaks. There are vulnerable clients out there, mass spreading worms that install rootkits, disable AV programs and Internet Explorer, and through it all I feel like the AV companies are barely even there.

      I'm not an antivirus expert, and I'm not a programming genius by any means. The guys at Symantec and McAfee and F-Prot et al are trained to deal with this stuff. They have t
  • by davidwr ( 791652 ) on Tuesday November 01, 2005 @11:39AM (#13923608) Homepage Journal
    A cheap albeit incomplete solution, one which will make the virus-writers work much harder:

    1. Encourage people to use non-high-profile clients. It's a lot easier to "take over the world" if 90% of the people are using the same client with the same vulnerabilities than if 30% are using client A, 20% each are using clients B, C, and D, and the remaining 10% are using a variety of other clients.

    2. Put a firewall between the application and the network. Again, don't have 90% of the world use the same firewall. It's best if at least part of the firewall sits in front of the OS, i.e. a hardware firewall or a "host-OS-based" firewall in virtual/emulated-hardware environment.

    Here's what I see happening in a few years time, when virtualization becomes the norm:

    1) everyone has a hardware firewall built into their cable/dsl/whatever box
    2) PCs boot into a hypervisor, see #4 below
    3) apps run in different security contexts, each having the network, memory, and disk-access privileges that they need and no more. For example, Solitaire will have no disk or network access. A Web browser will have very limited disk access and outgoing-only network access only over certain ports. A "local-only" web browser will be available for reading local html files.
    4) The user will be encouraged to run certain applications like web browsers in a "lock box" which will in reality be a virtual machine, with its own firewall mechanism. Multiple VM implementations or VM-hardening-products will be available so no single VM-related exploit will be shared by "90% of the world." The user will be able to "reset" his lock box at any time, erasing any viruses and malware that have infected it but which haven't "escaped" the VM environment.

    Yes, the user can still be infected and yes, he can still be contagious, but instead of "everyone" being vulnerable only a part of the world will be. Furthermore, if people use the VM-lockboxes, they can "cure" themselves quite easily from the most common problems. They'll still need security software for the really nasty stuff, and they'll always need a "boot CD" or equivalent to do a full scan of their system for rootkits and such.

    Remember: The goal isn't to wipe out viruses - that's practically impossible. It's to reduce your risk and decrease your recovery time.

    Here's an example of how #4 can reduce exposure for web browsing:
    Say 90% of people run Windows-2010 or whatever. When they run their web browser, they get to pick from:
    IE under Windows VM
    Opera under Windows VM
    Opera under {pick one of many} Linux VMs
    Opera under {pick one of many} BSD VMs
    Firefox under {pick one of many} {pick Linux, Windows, or BSD} VMs
    {insert other web browser here} under {insert operating system here} VM.

    The VM would be bare-bones, just having essential services - including a built-in firewall - and a "screen" that just displayed the web browser. The user wouldn't necessarily see he was under a VM if he was merely browsing. If the web-browser screen output were "exported" to the "main" OS a la X, so much the better, assuming that didn't introduce security holes of its own.
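Point 1 of the post above (spread the population across several clients) and the earlier "buddy list makes it spread geometrically" and "six or seven hops" comments describe the same model: a worm doing breadth-first search over the buddy graph, where only users on the one client with the bug can be infected and relay it. The C program below is an added example, not code from any poster; the 16-user buddy graph and the client assignments are constructed for the demo.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_USERS 16
#define VULNERABLE_CLIENT 0   /* the dominant client with the unpatched bug */

typedef struct { int a, b; } edge;

/* Constructed buddy-list graph: users 0..15, each pair is a mutual buddy. */
static const edge BUDDIES[] = {
    {0,1},{0,2},{1,3},{2,3},{3,4},{4,5},{5,6},{6,7},
    {2,8},{8,9},{9,10},{10,11},{4,12},{12,13},{13,14},{14,15}
};
#define EDGE_COUNT (sizeof BUDDIES / sizeof BUDDIES[0])

/* Breadth-first worm spread from patient_zero. client_of[u] is the client
 * user u runs; only users on VULNERABLE_CLIENT can be infected, and only
 * infected users relay the worm. hops[u] receives the hop at which u was
 * infected (-1 if never). Returns the number of infected users. */
int simulate_spread(int n, const int *client_of, int patient_zero, int *hops) {
    int queue[MAX_USERS], head = 0, tail = 0, infected = 0;
    for (int u = 0; u < n; u++) hops[u] = -1;
    if (client_of[patient_zero] != VULNERABLE_CLIENT) return 0;
    hops[patient_zero] = 0;
    queue[tail++] = patient_zero;
    infected = 1;
    while (head < tail) {
        int u = queue[head++];
        for (size_t e = 0; e < EDGE_COUNT; e++) {
            int v = -1;
            if (BUDDIES[e].a == u) v = BUDDIES[e].b;
            else if (BUDDIES[e].b == u) v = BUDDIES[e].a;
            if (v < 0 || v >= n || hops[v] != -1) continue;   /* no edge, or already hit */
            if (client_of[v] != VULNERABLE_CLIENT) continue;  /* other client: exploit fails */
            hops[v] = hops[u] + 1;
            queue[tail++] = v;
            infected++;
        }
    }
    return infected;
}

/* Largest hop count among infected users (-1 if nobody was infected). */
int max_hop(const int *hops, int n) {
    int m = -1;
    for (int u = 0; u < n; u++) if (hops[u] > m) m = hops[u];
    return m;
}

/* Scenario 1: monoculture, everyone on the vulnerable client. */
int infected_monoculture(int *hops) {
    int client_of[MAX_USERS] = {0};
    return simulate_spread(MAX_USERS, client_of, 0, hops);
}

/* Scenario 2: users 3 and 8, the bridges out of patient zero's neighbourhood,
 * run a different client. */
int infected_two_bridges_diverse(int *hops) {
    int client_of[MAX_USERS] = {0};
    client_of[3] = 1;
    client_of[8] = 1;
    return simulate_spread(MAX_USERS, client_of, 0, hops);
}

/* Scenario 3: only user 4 runs a different client. */
int infected_one_bridge_diverse(int *hops) {
    int client_of[MAX_USERS] = {0};
    client_of[4] = 1;
    return simulate_spread(MAX_USERS, client_of, 0, hops);
}

int main(void) {
    int hops[MAX_USERS];
    int n = infected_monoculture(hops);
    printf("monoculture: %d of %d infected, deepest hop %d\n", n, MAX_USERS, max_hop(hops, MAX_USERS));
    n = infected_two_bridges_diverse(hops);
    printf("users 3 and 8 on another client: %d infected\n", n);
    n = infected_one_bridge_diverse(hops);
    printf("user 4 on another client: %d infected\n", n);
    return 0;
}
```

Two things the numbers show that the prose only asserts: with one client everyone is reached in a handful of hops with no scanning at all, and client diversity helps most when the "other" clients sit on the bridges between groups, since an uninfectable user stops relaying as well as being spared.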
    • Encourage people to use non-high-profile clients


      100 million or so users run the AIM client. How many do you think will switch?

      • 100 million or so users run the AIM client. How many do you think will switch?

        100 million use AOL client. Of those:
        90 million see bad press about killer virus
        70 million see press recommending specific alternatives
        40 million get 0wned and have to repair their computers, 40 more million know someone who did.
        10 million corporate users get it banned by their IT people.

        Now what was the question again?

        Then again you may be right, if IE's 80+% market share in the face of bad press and constant infections is any e
  • Q: Can I get a virus through AIM? How do I safely share files with AIM? A: Viruses can't be transferred through an Instant Message itself, but it is possible that files attached to an IM may contain viruses or trojans. Also, links sent in an IM may point to webpages that contain viruses and trojans. Even if you know who is sending you a file or a link, you should use caution in opening it. Some viruses/trojans can send harmful links that appear to be from a buddy you know. You should always use good virus
    • ANY network-facing application with an exploit should be presumed vulnerable to an automated attack until proven otherwise.

      ANY network-facing application should be presumed to be exploitable until proven otherwise.

      ANY application should be presumed to be network-facing until proven otherwise.
  • I might as well take this opportunity to plug my open-source "IM" system (CMC), Gangplank [], which doesn't require an IM client.

    Gangplank was written to support the standard TELNET protocol, meaning any standard TELNET client can be used to connect to the system. Despite not using a custom client, the server supports remote character echo, full (RFC-compliant) TELNET protocol support, Emacs-style line editing, input redrawing when output occurs, and a full input history buffer -- all in a nonblocking, single

    • This would be really cool if it supported ASCII based Video chat! Of course that would probably require specialized clients and all...

  • Wouldn't it be possible to send a specially crafted audio stream to VoIP programs such as Skype to explore eventual vulnerabilities on the audio codec routines?

    I know it sounds far-fetched, but you know, jpegs were once safe too. Skype had its vulnerabilities (even on Linux []), but were there any on the audio codec?

    I hate these "must-have-a-firewall-passage" kind of programs, and I've so far managed to keep them out of my network, but now I'm trying hard to convince my boss not to install Skype on a CAD user'
  • When you sail in a colander, you should not be surprised to see water leaking through.
  • Buffer overflows.


    Any programmer who let a buffer-overflow bug slip through should be sacked. On the spot. And his boss, too. As well as the numbskull bean-counter who declined the resources to do proper checking, and the marketoid who ordered the work done by last Monday should be drawn and quartered.

  • Gaim isn't connecting to MSN right now. Has it already happened?
  • Fortunately, the client I use (sirc) is unpopular, low on features, and written in Perl. Good luck trying to exploit that.
  • OK, why would you not use a hard-coded buffer for a chat program? Simply allocate 256 characters (that'd fill about ten lines in a chat; more than enough), then keep reading and discarding characters until you get EOF. Am I missing something? I've never written a chat program, I'm rusty as heck on C/C++ in general, been a while. But don't I remember that this is very easy to avoid? What concept am I missing?
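The approach in the question above (fixed 256-byte buffer, read and discard the rest) is sound when the bounds check and the discard loop are both written down; the overflow bugs come from forgetting one of them, or from a read that stops mid-line so the leftover bytes get parsed as the next message. The C program below is an added example (not code from the poster or from any IM client) of a bounded line reader; the byte-string "socket" it reads from is a constructed stand-in for a real connection.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the socket a chat client reads from: a byte
 * string consumed one character at a time. */
typedef struct { const char *data; size_t len; size_t pos; } msg_stream;

static int stream_getc(msg_stream *s) {
    return s->pos < s->len ? (unsigned char)s->data[s->pos++] : EOF;
}

/* Read one line into buf (capacity bufsz). Stores at most bufsz-1 bytes and
 * always NUL-terminates. If the line is longer than that, keeps consuming
 * and discarding bytes until the newline or EOF, so the next call starts at
 * the next message rather than in the middle of this one.
 * Returns the number of bytes stored, or -1 at EOF with nothing read.
 * *truncated is set to 1 when any bytes were dropped. */
long read_bounded_line(msg_stream *s, char *buf, size_t bufsz, int *truncated) {
    size_t n = 0;
    int c;
    *truncated = 0;
    if (bufsz == 0) return -1;
    c = stream_getc(s);
    if (c == EOF) { buf[0] = '\0'; return -1; }
    while (c != EOF && c != '\n') {
        if (n < bufsz - 1) buf[n++] = (char)c;   /* room left: keep it   */
        else *truncated = 1;                      /* buffer full: drop it */
        c = stream_getc(s);
    }
    buf[n] = '\0';
    return (long)n;
}

/* Count how many lines in a byte string would not fit a buffer of bufsz. */
int count_truncated_messages(const char *data, size_t len, size_t bufsz) {
    msg_stream s = { data, len, 0 };
    char buf[256];
    int truncated, count = 0;
    if (bufsz > sizeof buf) bufsz = sizeof buf;
    while (read_bounded_line(&s, buf, bufsz, &truncated) >= 0)
        if (truncated) count++;
    return count;
}

/* The worked case from the question: a 256-byte buffer, a 300-byte message.
 * Returns how many bytes were kept (255: one is reserved for the NUL). */
long demo_overlong_stored_length(void) {
    char msg[302];
    char buf[256];
    int truncated;
    memset(msg, 'A', 300);
    msg[300] = '\n';
    msg[301] = '\0';
    msg_stream s = { msg, 301, 0 };
    return read_bounded_line(&s, buf, sizeof buf, &truncated);
}

int main(void) {
    /* Constructed traffic: a short message, an over-long one, a normal one. */
    const char traffic[] = "hello world\nthis line is far too long for the buffer\nok\n";
    msg_stream s = { traffic, sizeof traffic - 1, 0 };
    char buf[16];
    int truncated;
    long n;
    while ((n = read_bounded_line(&s, buf, sizeof buf, &truncated)) >= 0)
        printf("%ld bytes%s: \"%s\"\n", n, truncated ? " (truncated)" : "", buf);
    printf("300-byte message into 256-byte buffer keeps %ld bytes\n",
           demo_overlong_stored_length());
    return 0;
}
```

The two invariants worth keeping in mind are that the store is guarded by `n < bufsz - 1` (never by the incoming length) and that an over-long line is drained to its newline; dropping either one reintroduces the class of bug the thread is about.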
  • ..just checking your damn email every couple of minutes? Also, with the slight delay, maybe - though probably not - people will start typing in semi-coherent sentences again.

    If you REALLY need to have a conversation with someone in real time, pick up the goddamn phone.

    Fucking IM.