Fully Automated IM Worms on the Way?
nanycow writes "The sudden appearance of a rootkit file in a spyware-laden IM worm attack has set off new fears that malicious hackers are sophisticated enough to launch a fully automated worm attack against instant messaging networks. Researchers say the stage is set for a worm writer to use an unpatched buffer overflow in an IM app to unleash a worm that is capable of infecting millions of users without the use of malicious URLs that require a click."
Jabber! (Score:2, Funny)
Re:Jabber! (Score:3, Insightful)
Different clients are unlikely to share the same vulnerabilities, so, with a wide variety of clients in use, you're not going to have one single worm that can infect a huge portion of the network.
Re:Jabber! (Score:2)
On top of that, the likelihood of a community-created response to the worm or vulnerability is pretty high when the project is a popular open-source one. I'd expect the same of GAIM, for example. I've also noticed that those who run open source are more likely to actually take care of their computers before
Re: (Score:2)
Re:Jabber! (Score:5, Insightful)
Your mom. Literally.
I understand users/groups/file permissions. I assume you do too. What about your parents?
Comment removed (Score:5, Insightful)
Re:Jabber! (Score:2)
Re:Jabber! (Score:2)
Not at first. After their credit card #'s had been stolen enough times, you'd be surprised what a person can learn...
Re:Jabber! (Score:2)
Oh, wait.
Re:Jabber! (Score:3, Interesting)
I was going to moderate this, but had to comment instead.
You do realize that OS X is built on BSD, which has the traditional Unix file permissions? My mother, sister, father, stepmother and girlfriend have no problems coping with file permissions.
Command line unix might be obscure to the majority of the public, but OS X proves that,
Re:Jabber! (Score:2)
Re:Jabber! (Score:2)
They can and they are. It's called Vista. I suspect that it will be such a big mindset change for customers and software developers that MS will back off just enough to ruin it before Vista goes retail, but at least it's being attempted. Longhorn server may actu
Different from other open ports? (Score:5, Insightful)
Re:Different from other open ports? (Score:4, Insightful)
Basically it says "People are using IM. A buffer overflow in an IM client is like any other buffer overflow: also bad".
May I say "Duh"?
Re:Different from other open ports? (Score:3, Insightful)
And if there really is some essential functionality that depends on such open ports, wouldn't one hope they were implemented FTP-style, i.e. open them randomly and tell the other party what they are via an outgoing connection?
And if the above is true, how can a remote host cause a crash? It shouldn't be allowed to connect to my IM client just like that. There shouldn't be anything to c
Re:Different from other open ports? (Score:2)
Re:Different from other open ports? (Score:5, Interesting)
In this case it doesn't really matter.
Consider an exploit that can get the buddy list out of MSN, for example.
Now as most IMs only have one client used by the bulk of people, it becomes trivial to send a copy of the exploit to each person on your list and have a high proportion of them become infected, to progress outwards to friends geometrically (unless you have no friends).
This is a hell of a lot more successful than your usual pick-a-random-ip-and-hope-it's-exploitable method.
Re:Different from other open ports? (Score:2, Funny)
haha, it finally pays off. err.... wait a minute.
Re:Different from other open ports? (Score:4, Insightful)
And yet worse, unlike other software which keeps open ports, Messenger software has the slight property that its users do not know a lot about computers and so do not take precautions.
About heterogeneity, it would be nice to see if the "attacked because it is the most used" argument of MS Windows holds here. IIRC AOL IM is the most widely used messenger. Which one will get more viruses? AIM? Or MSNM? Place your bets!
Re:Different from other open ports? (Score:5, Insightful)
But then again, I don't know much specific about how this all is supposed to work, so I may be wrong.
Re:Different from other open ports? (Score:2)
Re:Different from other open ports? (Score:2)
I'm not sure that comparison is completely accurate... for a worm to spread using a Windows service, it must first find another computer on the network or Internet that has the necessary security vulnerability. Then it must be able to make a connection to that host's open port(s) through whatever NATs and firewalls may lie between the two computers.
NATs and firewalls, a road block for most computer worms, are also a problem for IM systems. Centralized systems like AOL's AIM get around the issue of compute
Infection (Score:4, Interesting)
It glosses over good old fashioned buffer overflows, but not much else. Then again, what else do you need?
Re:Infection (Score:5, Insightful)
Re:Infection (Score:5, Informative)
"Researchers say the stage is set for a worm writer to use an unpatched buffer overflow in an IM app to unleash a worm that is capable of infecting millions of users without the use of malicious URLs that require a click."
FTA "'We've already seen documentation for some serious code-execution vulnerabilities in IM applications. If you put it all together, you'll see we're not that far away from an automated IM attack where infections don't require the user to click on anything,' Wells said."
User education won't help if propagation occurs without any action by them.
Re:Infection (Score:2)
In terms of security, we have to work from the assumption that people will use the software in question... so how do we mitigate damage / prevent infection?
The popularity of IM shows that it's an application not likely to go away... so how do we make it safer?
That is a how a worm or virus should be! (Score:5, Interesting)
So what is the issue with this?
Re:That is a how a worm or virus should be! (Score:2)
That viruses (or worms, as I believe this would be) are generally a bad thing to have around in the wild.
Re:That is a how a worm or virus should be! (Score:2)
Very infectious. (Score:5, Interesting)
Re:Very infectious. (Score:5, Funny)
Re:Very infectious. (Score:2)
Obviously they'll name this looming IM worm threat the Kevin Bacon Virus.
Re:Very infectious. (Score:2)
Workplace (Score:5, Insightful)
I know our IT department frowns upon it but walking around you still see it used
It's only a matter of time until something like this comes out that has the potential to severely damage both corporate and private networks
The Disease is Awful (Score:5, Insightful)
Maybe one day we'll get a series of destructive worms that will render hardware unusable (e.g. no boot, disk overwritten, fan turned off and processor cranked up to do permanent damage, boot flash cleared) -- resulting in successive waves of hardware replacement.
I talked to a guy at a computer store about the aftermath of a worm that cleared the bootflash -- they sold so many new computers!
At that point, I figure Micr$oft will be in big trouble; after you buy your fifth motherboard in a row (and try to recover your data) after "Bukk@keB1ll" versions A through X hit you, you'll consider getting a Mac so you can get work done.
Re:The Disease is Awful (Score:4, Insightful)
No, the sneakier viruses won't ruin your box, they will just sit there and gather information. I would much rather have my email and personal documents destroyed than have them read. Even if you read them then destroy them, I know they have been compromised and can take whatever steps deemed necessary to mitigate my risk. The most sinister viruses would just read and transmit them without me ever knowing.....
Re:The Disease is Awful (Score:2)
Seriously, I reckon a self-propagating IM worm with a destructive payload could probably take out most of the population of said IM network that was online at the time of launch. Add (say) a 5-10% chance that any given PC won't be destroyed (in order to leave some to reinfect the network), and possibly a time delay between steps 2 and 3, and you'd be talking really nasty.
Just my $0.02
Re:The Disease is Awful (Score:3, Insightful)
Near-instantaneous worldwide communication.
I can easily foresee the creation of a virus that does nothing but spreads, quietly and innocuously. Via rootkits and other methods (polymorphism, etc), it could spread and likely not be detected over the course of the infection. Each virus infection would have a counter, so that once the n-th infection has occurred (where "n" is some large number - say 1 million), that virus would send out a q
Re:The Disease is Awful (Score:2)
Re:The Disease is Awful (Score:2)
The sky is falling! ( again ) (Score:5, Insightful)
Let me ask you something, what *doesn't* constitute a "fully automated" worm? Was there some guy in a back room somewhere, individually infecting people with Code Red?
And IM services are hardly a new vector. If anything, this story should be about how long it has taken these people to figure out that services like AIM and ICQ are used by people with little or no computer knowledge, who will randomly click on things. You know, sorta like email. That's the real new nugget out of all of this, and hardly worth the two pages of ads to read about.
Re:The sky is falling! ( again ) (Score:4, Informative)
Any worm that requires the user to click on a link in order for the worm to propagate. The scary thing about this class of worms is that it installs a rootkit without activity from a user, so the only rate-limiting step in the infection cycle would appear to be buddy lists. So, you're on someone's buddy list... you get infected without taking any action. Then, boom, all your buddies are belong to them. &c.
Educated users know better than to click just any link they see -- we depend on that to limit propagation. But it doesn't apply here.
Re:The sky is falling! ( again ) (Score:2)
Unfortunately, we've long since stopped being clear on the distinction between "worms", "trojans", and "viruses". (Actually, I'm not entirely clear on the difference between worms and viruses myself. Wikipedia draws a distinction between the two.) But many things that are called "worms" require some sort of user intervention in order to run.
For example, the "Loveletter" worm is called a worm, and it wasn't fully automated: it dep
Re:The sky is falling! ( again ) (Score:2)
"Pay no attention to that man behind the firewall. I am the great and powerful Code Red"
Re:The sky is falling! ( again ) (Score:2)
This is slashdot, good sir. I resent your implications.
Problem with older hardware, operating systems (Score:2, Insightful)
Re:Problem with older hardware, operating systems (Score:2)
Re:Problem with older hardware, operating systems (Score:2)
That depends on what the OS does with the NX bit, and what other preventions are in place. On OpenBSD the NX bit is just another piece of a puzzle to make the OS harder to exploit. Incidentally, on OpenBSD it's not trivial to overwrite the return address the way you suggest.
I have the solution... (Score:2, Funny)
Why does the OS let software be invisible? (Score:5, Insightful)
It seems to me that a well designed OS should NEVER let a piece of code be invisible. There should be some part of the OS that knows what is running, what invoked it, what file it came from, etc. A well designed OS would know the provenance of every segment of code. This information should be read-only to anything outside of this protected monitoring function. Thus ALL running code would be visible to the user and anti-malware software. And if you add hash-code locks on installed software, then malware wouldn't be able to masquerade as some other normal bit of code or damage anti-malware apps. Malware could still hide in a user-downloaded software, but the tracking function would aid the detection and removal of any unwanted code.
Is there ever a good reason to let software be invisible?
A rootkit doesn't need the OS to "let" it... (Score:3, Insightful)
The point of a rootkit is that it alters the behaviour of the OS. Sure, a pre-rootkit kernel wouldn't have let just any code run. But once the rootkit gets in (one way or another), it alters the OS's behaviour. Just like the Sony audio CD rootkit (mentioned in a previous Slashdot article) alters the behaviour
Re:Why does the OS let software be invisible? (Score:2)
Re:Why does the OS let software be invisible? (Score:2, Insightful)
What do you think happens when some miscreant (with root access) replaces that jumppoint in memory with one of his own UTLIMATE_PR0CESS function?
Remember, we are not talking about ROM systems here, all system commands are loaded into RAM.
Consider a much simpler situation:
You use the dir command to list the contents of a folder.
Somebody could replace that command on disk with a dodgy one that runs the original dir
Re:Why does the OS let software be invisible? (Score:2)
You missed the explosion [slashdot.org]! :-)
Never mind, it'll be duped in a day or two...
Re:Why does the OS let software be invisible? (Score:5, Insightful)
At a user level, to "see" a process, you would open the Task Manager (Windows) or use the ps command in Unix. But you must note that these are merely applications that ultimately make a call to an OS level API and request this information; then they display whatever this API returns them.
The OS level API is just a piece of code that will have access to the internal OS data structures that hold the information for the processes. This code would piece together a response with the processes names, etc. and return this "list".
So, what would happen if I go and modify the code that pieces together this list of processes and omit the "worm.exe" process every time? Well, that's pretty much a rootkit virus strategy.
The result is that you wouldn't be able to see the process anywhere. Any program that uses this OS API call would not see the process, be it ps, the Task Manager or an Antivirus.
So . . . why not provide every program with direct access to the running process structures so that they can "see" all the information there and "figure out" by themselves whether there is a virus or not?
Well . . . that's a disaster from a security standpoint since it would provide an avenue for viruses to exploit. And this "direct access" is never direct, it is always through another OS API that may in turn be modified to hide the virus . . .
So . . . why not scan the disk? I mean, the virus must be stored somewhere if it will run.
Well . . . file access is done by an OS call that may be modified to hide the virus.
So . . . why not make an OS module that performs a CRC check and makes sure that the OS APIs have not been modified?
Well . . . this too can be modified not to include the file that you infected in the first place.
So . . . why not make OSs "unmodifiable"?
Well . . . how would you then install it in the first place? (that is pretty much a modification) or install security updates? (that's another modification).
So . . . Well . . . ad infinitum.
I think I made my point.
Anyways, the bottom line is that you can only do all those modifications *if* you have privileges to modify system files. You have to have "root" access for that. So once you have broken the security of an OS to the point where your virus can modify OS system files, you are pretty much doomed.
Ideally, the solution is a secure operating system, where you regularly run your user programs with an account whose privileges do not include modifying OS files and any processes that you start cannot breach that security (again *ideally*). You would only use the root account to do OS installs and updates (if the virus gets you while you are at it, you are doomed again, so shut down AIM!).
That's why Windows is so dangerous, because the normal XP user is running with an Administrator account (similar to having root privileges), so any application that is infected can potentially cause a root-level infection.
And then, no matter how much you program securely, the missing piece as usual is education. At some point, even in the ideal OS, the user would have to log in with the root account to do OS changes or at least explicitly authorize in some manual way the modification of system files (that would be my choice just to make things easier to learn for everyone in the real world).
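The hooked-API hiding walked through in this post is usually countered with cross-view detection: enumerate processes through two independent paths and diff them, so a hook on one path shows up as a mismatch. The block below is an added example, not code from the thread; it assumes a Linux host with /proc and uses kill(pid, 0) as the second, lower-level view.

```python
import os
from typing import Iterable, Set

PID_MAX_FALLBACK = 32768  # used when /proc/sys/kernel/pid_max cannot be read


def hidden_pids(high_level: Iterable[int], low_level: Iterable[int]) -> Set[int]:
    """Core cross-view check: IDs the kernel admits exist (low-level view)
    that the directory listing (high-level view) does not show.
    Kept as a pure function so it can be exercised on constructed data."""
    return set(low_level) - set(high_level)


def listed_ids() -> Set[int]:
    """High-level view: every PID in /proc plus every thread ID under
    /proc/<pid>/task.  Threads must be included because kill(tid, 0) also
    succeeds for a thread ID and would otherwise flood the diff with
    false positives on any multithreaded host."""
    ids: Set[int] = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task") if t.isdigit())
        except OSError:
            pass  # the process exited between the two listdir calls
    return ids


def id_exists(pid: int) -> bool:
    """Low-level probe: kill(pid, 0) delivers no signal, it only asks the
    kernel whether the task exists.  EPERM means 'exists, but not ours'."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probed_ids(pid_max: int) -> Set[int]:
    """Low-level view: probe every ID from 1 to pid_max.  With the modern
    default pid_max of 4194304 this takes a few seconds in Python."""
    return {pid for pid in range(1, pid_max + 1) if id_exists(pid)}


def read_pid_max() -> int:
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return PID_MAX_FALLBACK


def scan() -> Set[int]:
    """Run both views on this host and return confirmed hidden candidates."""
    suspects = hidden_pids(listed_ids(), probed_ids(read_pid_max()))
    # A task that started or died between the two enumerations shows up as
    # a transient mismatch; re-check each hit against fresh views.
    fresh = listed_ids()
    return {pid for pid in suspects if pid not in fresh and id_exists(pid)}


if __name__ == "__main__":
    hits = scan()
    print("hidden candidates:", sorted(hits) if hits else "none")
```

A rootkit that hooks the kill() path as well defeats this particular pair of views, which is the post's "ad infinitum" point; in practice detectors pair several such views and run from trusted boot media for the final word.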
OSS IM transparent filter? (Score:2)
Wow another vector. (Score:2)
IM worms go undetected (Score:5, Informative)
Re:IM worms go undetected (Score:2)
I've been somewhat disappointed with how badly the mainstream antivirus companies have handled most of the IM outbreaks. There are vulnerable clients out there, mass spreading worms that install rootkits, disable AV programs and Internet Explorer, and through it all I feel like the AV companies are barely even there.
I'm not an antivirus expert, and I'm not a programming genius by any means. The guys at Symantec and McAfee and F-Prot et al are trained to deal with this stuff. They have t
Partial cheap solutions: low-profile + firewall (Score:4, Interesting)
1. Encourage people to use non-high-profile clients. It's a lot easier to "take over the world" if 90% of the people are using the same client with the same vulnerabilities than if 30% are using client A, 20% each are using clients B, C, and D, and the remaining 10% are using a variety of other clients.
2. Put a firewall between the application and the network. Again, don't have 90% of the world use the same firewall. It's best if at least part of the firewall sits in front of the OS, i.e. a hardware firewall or a "host-OS-based" firewall in virtual/emulated-hardware environment.
Here's what I see happening in a few years time, when virtualization becomes the norm:
1) everyone has a hardware firewall built into their cable/dsl/whatever box
2) PCs boot into a hypervisor, see #4 below
3) apps run in different security contexts, each having the network, memory, and disk-access privileges that they need and no more. For example, Solitaire will have no disk or network access. A Web browser will have very limited disk access and outgoing-only network access only over certain ports. A "local-only" web browser will be available for reading local html files.
4) The user will be encouraged to run certain applications like web browsers in a "lock box" which will in reality be a virtual machine, with its own firewall mechanism. Multiple VM implementations or VM-hardening-products will be available so no single VM-related exploit will be shared by "90% of the world." The user will be able to "reset" his lock box at any time, erasing any viruses and malware that have infected it but which haven't "escaped" the VM environment.
Yes, the user can still be infected and yes, he can still be contagious, but instead of "everyone" being vulnerable only a part of the world will be. Furthermore, if people use the VM-lockboxes, they can "cure" themselves quite easily from the most common problems. They'll still need security software for the really nasty stuff, and they'll always need a "boot CD" or equivalent to do a full scan of their system for rootkits and such.
Remember: The goal isn't to wipe out viruses - that's practically impossible. It's to reduce your risk and decrease your recovery time.
Here's an example of how #4 can reduce exposure for web browsing:
Say 90% of people run Windows-2010 or whatever. When they run their web browser, they get to pick from:
IE under Windows VM
Opera under Windows VM
Opera under {pick one of many} Linux VMs
Opera under {pick one of many} BSD VMs
Firefox under {pick one of many} {pick Linux, Windows, or BSD} VMs
{insert other web browser here} under {insert operating system here} VM.
The VM would be bare-bones, just having essential services - including a built-in firewall - and a "screen" that just displayed the web browser. The user wouldn't necessarily see he was under a VM if he was merely browsing. If the web-browser screen output were "exported" to the "main" OS a la X, so much the better, assuming that didn't introduce security holes of its own.
Re:Partial cheap solutions: low-profile + firewall (Score:2)
DOA
100 million or so users run the AIM client. How many do you think will switch?
That depends on what happens (Score:2)
100 million use AOL client. Of those:
90 million see bad press about killer virus
70 million see press recommending specific alternatives
40 million get 0wned and have to repair their computers, 40 more million know someone who did.
10 million corporate users get it banned by their IT people.
Now what was the question again?
Then again you may be right, if IE's 80+% market share in the face of bad press and constant infections is any e
from AIMS "security central" (Score:2)
Unless there's an exploit of course (Score:2, Interesting)
ANY network-facing application should be presumed to be exploitable until proven otherwise.
ANY application should be presumed to be network-facing until proven otherwise.
Alternative IM system without an IM client... (Score:2)
Gangplank was written to support the standard TELNET protocol, meaning any standard TELNET client can be used to connect to the system. Despite not using a custom client, the server supports remote character echo, full (RFC-compliant) TELNET protocol support, Emacs-style line editing, input redrawing when output occurs, and a full input history buffer -- all in a nonblocking, single
I'll use it when it supports ASCII Video Chat... (Score:2)
This would be really cool if it supported ASCII based video chat! Of course that would probably require specialized clients and all...
Re:I'll use it when it supports ASCII Video Chat.. (Score:2)
I didn't say that the system won't ever have a client of its own -- one of these days, it will. However, I'll make sure that it continues to remain usable from a plain TELNET client, at least for the basic functionality that is already supported. Obviously, fancier features will likely require a client. If you want the fancy features, you take more risk of a security hole. If you wan
Re:I'll use it when it supports ASCII Video Chat.. (Score:2)
I did some research and I think you could do it with this live-cd:
http://ascii.dyne.org/?info=description [dyne.org]
-I haven't tried it, but I'm guessing that there is probably a telnet client on there.
-Ftp push technology is supported, to publish your hascii feed on your online webserver: that is implemented using a simple C code which wraps execution of your unix ftp client.
-It can output to an HTML page with a meta-refresh tag so that it is constantly updating the image.
So, then theoretically, people could even vie
Re:I'll use it when it supports ASCII Video Chat.. (Score:2)
In any event, I don't have a webcam, so it's all moot. And supporting an ASCII webcam would be more of a joke feature than anything. Gangplank is a serious system -- it's designed to perform a basic communication f
Re:I'll use it when it supports ASCII Video Chat.. (Score:2)
The only way we'll get through this is when people smarten up, and start using an XML based IM.
Re:I'll use it when it supports ASCII Video Chat.. (Score:2)
en.wikipedia.org/wiki/ASCII_art [wikipedia.org]
www.geocities.com/SouthBeach/Marina/4942/ascii.ht
www.asciiartfarts.com/ [asciiartfarts.com]
Re:problems: (Score:2)
Wow, a knee-jerk reaction if ever I saw one. Yes, TELNET is an insecure protocol -- everything goes over the wire in cleartext. That means that someone with the ability to snoop on your packets could get your login and password and use it to sign onto your account on the server. It's a risk, but only one of
What about voice services? (Score:2)
I know it sounds far-fetched, but you know, jpegs were once safe too. Skype had its vulnerabilities (even on Linux [secunia.com]), but were there any on the audio codec?
I hate these "must-have-a-firewall-passage" kind of programs, and I've so far managed to keep them out of my network, but now I'm trying hard to convince my boss not to install Skype on a CAD user'
Yeah, so? (Score:2)
Buffer overflows (Score:2)
Again.
Any programmer who let a buffer-overflow bug slip through should be sacked. On the spot. And his boss, too. As well as the numbskull bean-counter who declined the resources to do proper checking, and the marketoid who ordered the work done by last Monday should be drawn and quartered.
Gaim not connecting right now (Score:2)
Perl to the rescue (Score:2)
Help! Reality check needed! (Score:2)
Whatever happened to... (Score:2)
If you REALLY need to have a conversation with someone in real time, pick up the goddamn phone.
Fucking IM.
Re:Evolution baby (Score:5, Funny)
These viruses seem to be intelligently designed.
Re:Evolution baby (Score:2, Insightful)
Re:Evolution baby (Score:5, Insightful)
Not quite. Biological viruses evolve. Computer viruses, however, are products of intelligent design, for certain values of 'intelligent'.
Computer viruses aren't a force of nature. Behind every one of them is a malicious programmer.
Eventually, I imagine we'll see polymorphic and self-modifying code reach the point where it can evolve in the same way as biological viruses, but that's probably quite a way off. The nearest I've heard of to that is viruses programmed to alter their appearance to avoid detection.
Re:Evolution baby (Score:2)
We would have to develop immune systems for computers.
Re:Evolution baby (Score:2)
Actually, the programmer is not the one doing wrong. Writing, studying and understanding computer viruses is an interesting and useful thing to do. The largest benefit is probably in the anti-virus field, but like any other abstract subject, progresses made can be translated into break-throughs in other areas.
It's the person that deliberately releases the virus from a controlled environment it into the wild that is the malicious one.
Re:Evolution baby (Score:2)
You may be thinking of mitochondria. They have their own DNA qu
Re:Evolution baby (Score:3, Interesting)
So, a memestructure known as 'Virus A' arrives on the computer of Hacker 0. He reverse-engineers it; now it is resident in the brain of Hacker 0. There it breeds furiously, producing countless of
Re:I cant take any more of this (Score:5, Insightful)
Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).
Rootkit is no longer a term restricted to gaining "root" user access. The term now stands for any suite of hacks and/or programs (the "kit") that enables the malware to disguise its presence in the OS in a more sophisticated manner than simply having obscurely named
Furthermore, in my entirely humble and sincerely personal opinion, the term is an appropriate, apt, and succinct way of describing these types of malicious programs, both in distinguishing them from the less deeply embedded malware types, and in emphasising the increased security threat these programs pose.
Re:I cant take any more of this (Score:2, Funny)
Damn you, Wikipedia!
Re:I cant take any more of this (Score:2, Informative)
Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).
I work in the IT department at my college, and in the last week, have encountered two machines infected with this worm. Easily detected as it may be to the expert user, it is a rootkit, hiding from detection
Re:I cant take any more of this (Score:5, Informative)
Is the 'administrator' account privilege - which a majority of Windows user accounts are - not an equivalent to root?
Strictly speaking the Windows equivalent of 'root' is the hidden 'LocalSystem' account.
Re:I cant take any more of this (Score:4, Informative)
Re:Do these things affect non-AIM apps? (Score:3, Informative)
Re:Do these things affect non-AIM apps? (Score:5, Funny)
Re:Do these things affect non-AIM apps? (Score:5, Informative)
I doubt it, because any malicious program that wants to alter OS X's settings is going to have to prompt you for an administrator password (unlike Windows). Besides, it's likely that any such worm will target official IM clients rather than third-party apps.
Re:Do these things affect non-AIM apps? (Score:3, Insightful)
Besides, your statement about Windows is rather generic and so incorrect. I logon as a normal (i.e. limited) user, so unless there's an unknown security hole (every exploit known so far uses a known security hole and I patch quickly) then my whole system will not be compromised. My local account might be affected, but that concept applies to OS X too.
Re:Do these things affect non-AIM apps? (Score:2)
What you're saying is technically correct, but I'd have to agree with the OP. Limited accounts are not the default in Windows (so most people don't use them), and there are a lot of apps out there that either require Admin privleg
Re:Do these things affect non-AIM apps? (Score:2)
Re:Do these things affect non-AIM apps? (Score:2)
C:\WINDOWS>copy con test.txt
fdsf
Access is denied.
0 file(s) copied.
C:\WINDOWS>
Re:Isn't this about who controls the Spice? (Score:2)
Re:First line of defense... (Score:2)
That's not a solution the public will implement. I want to get IMs from people I just met who aren't on my buddy list yet. And I want to IM someone who probably doesn't have me on their buddylist.