Pipeline Worm Floods AIM With Botnet Drones

Several reader write about a new AIM threat dubbed the "AIM Pipeline Worm" that uses a sophisticated network of "chained" executables to attack the end user. Security Focus has a brief note. One anonymous reader writes: "Using this method, there is no starting point for the attack — a malicious link via IM can send you to any given file, at which point the path of infection you take depends entirely on the file you start off with. The hackers can then decide which order to install malicious software, depending on their needs at the time. At a bare minimum, you will become a Botnet Zombie — if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks. Unlike similar attacks that have been attempted in the past, the removal of a file from the chain will not stop the attack — you will simply end up with something else installed instead, in the form of a randomly named executable dumped in your system32 folder. You'll still spam an infection link to all your contacts."

i love it...

[0110011001110101]

when I get free trojans... it's so embarassing to buy them in the store...

the internet is a wonderful place

Re:

[smart.id]

I never understood this. What is so embarassing about someone else knowing that you are fucking somebody?

Re:

[Kesch]

It's not that. It's that he's buying the 'Extra Small' ones. (Sorry, I couldn't help it. It was too good an opportunity to pass up.)

Re:

[sfeinstein]

Heh. And I can't help pointing out that you are most certainly NOT A MARKETER. Can you imagine Trojan or any condom company selling "Extra Small"? Yeah, I'm sure they'd fly right off the shelves.

It would have to be marketed as "Tight-fit Performance Pro" or hidden in with macho words like "Maximum Super-Shrunk Thunderbolt" or something like that!

Re:

[Afrosheen]

True that, I buy condoms with a big grin on my face. "Yes ma'am, I AM getting some tonight and for the forseeable future. I'll take the economy pack please."

Re:

[inviolet]

True that, I buy condoms with a big grin on my face. "Yes ma'am, I AM getting some tonight and for the forseeable future. I'll take the economy pack please."

Ah, the 36-count jumbo box... I believe the name for that sized box is "The don't-have-a-Family Pack".

Re:

[rthille]

Yeah, when I was first dating my wife, we ran out and I ran to the store and bought 2 12-packs and a couple of bottles of seltzer water (gotta stay hydrated!) and the clerk's response was, "You must be doing pretty well!" And I replied, "based on what I'm buying or the shit-eating grin on my face?"

And the lesson is...

[d3ac0n]

Don't use IM software unless it's part of a closed, managed network. For example: www.omnipod.com is what we use for inter-office IM here. It's a closed network, and all files sent are automatically virus scanned before they can be received. Safe and effective, and keeps our employees from IM-ing with people outside the company.

Re:

[OECD]

... and keeps our employees from IM-ing with people outside the company.

Which company is that? I just want to be sure to avoid working there ever.

Re:

[$RANDOMLUSER]

Many, many companies block AIM at the firewall. Ask at your next interview.

Re:And the lesson is...

[99BottlesOfBeerInMyF]

Many, many companies block AIM at the firewall. Ask at your next interview.

There is more wrong with the above scenario than just that. Blocking AIM is usually what happens at two kinds of companies, those that somehow think it will help productivity and those who are security paranoid. At the former, the working conditions probably suck. At the latter, a competent admin will have a Jabber server that connects to AIM and filters for malware. Otherwise, technical employees are likely to bypass security by SSH tunneling their IM communications, which is a risk in and of itself.

The other thing wrong with this is paying for a propriety IM solution instead of going with a free, open, standard, interoperable, secure Jabber server. With jabber you can chat with any other Jabber server using a variety of clients on a variety of platforms. Internal communications are fully internal, running on your own server. External communications can be encrypted. Any company that pays for some other, proprietary IM server is probably run by incompetents and should be avoided.

Re:

[crabpeople]

No offense but are you nuts? People should be able to IM at work? Yeah we used to have that here. Then they made me disable all messengers because people chat on them all day long.

Run a jabber server and filter the connections through there? GET REAL! Besides, most of these things have web based clients anyway, and admitidly I dont know exactly how this "jabber server proxy" would work but I doubt it even goes near port 80.

What I have done to combat this problem is block instant messenger with group policy,

Re:

[mibus]

People should be able to IM at work?

We allow it here (20 people, so there's no real management issue).

It works well, we use MSN and Jabber between employees, and out to associates/clients/friends/family.

Personally, I've always been of the opinion that if an employee is spending too much time on IM, then it's time to talk to the employee, not block access for everyone.

Re:

[G-funk]

Then they made me disable all messengers because people chat on them all day long.

Who gives a crap? If they're not working, then get rid of them because they're not working. If they're still producing an amount you're happy with, then who gives a shit if they're also talking to their girlfriend? Either way, banning IM doesn't help.

Re:

[daem0n1x]

If people have enough time to be chatting all day long, then they are not being well managed. We use IM as a working tool, with some success. My team has lots of projects abroad, there are always 2 or 3 co-workers in foreign countries, working. And IM is a lot cheaper than international phone calls. I have my Gaim clients disconnected most of the time because, even when I'm flagged as "busy", friends of mine come at inappropriate times for some cheap talk, and I have to be kinda rude rude and tell them: I

Re:

[skiman1979]

I have my Gaim clients disconnected most of the time because, even when I'm flagged as "busy", friends of mine come at inappropriate times for some cheap talk, and I have to be kinda rude rude and tell them: I'M WORKING! WE'LL TALK LATER!

That's what I like about how I have Trillian configured. When a user IMs me, the only thing that happens on my desktop is I get a flashing notification icon in my buddy list. The IM window is hidden completely, and only shows when I click that notification icon. We use

Re:

[ktappe]

Blocking AIM is usually what happens at two kinds of companies, those that somehow think it will help productivity and those who are security paranoid.

You have one of my employer's credit cards in your wallet. Tell me again that we are "paranoid" to block IM...or would you be happy with the possibility of your personal account information being sent out via chat?

-K

Re:

[djradon]

Yeah, if an employee had the card info and the willingness to pass it on, lack of IM is not going to deter him. But there are legit reasons for wanting to block AIM. For one, your unwitting users, some of whom are probably administrators on their local machines, could be exposing sensitive information stored on their local hard drives. I'm going to send a friendly reminder to my AIM/Trillian userbase this morning:

There's another AIM worm "on the loose" this morning:

http://blog.spywareguide.com/2006/09 [spywareguide.com]

Re:

[TubeSteak]

Many, many companies block AIM at the firewall.

Are they blocking AIM or are they blocking port 5190?

Most companies are just blocking the port.
Hint: You can change what port AIM uses.

Re:

[canuck57]

Many, many companies block AIM at the firewall.

Should that not be "Many, many companies think they block AIM at the firewall."

Nuff said if your security people think they have it all plugged it all up.

Re:And the lesson is...

[Daniel_Staal]

Which company is that? I just want to be sure to avoid working there ever.

Don't worry. I'm sure everyone there has installed AIM on their computers without letting the IT department know.

Re:

[toleraen]

Any company with an actual IT department. RTFA for an extremely good reason.

Re:

[pluther]

Any company with an actual IT department.

Well damn. I wonder if Intel, Motorola, Cisco, Vodafone, or MCI will ever get "actual" IT departments, as they all currently allow employees to IM to people outside the company, through their firewalls.

Re:

[toleraen]

Congrats, you've listed 5 companies who have assessed the risk of their entire network going down, taking the time to clean everyone's computers, make for goddamnedsure that everyone has every update available, etc etc, or they've paid a whole lot to ensure everything is going to be properly blocked (not 100% possible). Then they took a look at that cost and found that it is actually less than what they get back from increased productivity that their employees get by IMing their friends/family from work, i

Re:

[99BottlesOfBeerInMyF]

Then they took a look at that cost and found that it is actually less than what they get back from increased productivity that their employees get by IMing their friends/family from work, instead of simply emailing or using a phone.

Actually I know some of the security guys at one of those companies and I can make a good guess as to how the decision was made. It was probably at a much higher level. "Well should we try to lock down each application on every desktop and have everyone trying to cram everythi

Re:

[toleraen]

They see the propagation behavior as a traffic anomaly on their control panel.
A few requests out to a website for a picture would hardly be considered an anomaly. I'm pretty sure our corporate proxy sees a few dozen requests to /. every minute. I'm sure CNN is much higher than that.

Depending upon whether or not their is a signature, it will be listed by worm name or as an unknown worm.
If there is no signature, how would it be listed as worm at all? Are you talking signature based on an IPS? Becau

Re:

[plopez]

size is no indicator of quality.

And the lesson is, don't use omnipod, use jabber

[spun]

It's free and open source. It's scaleable. It's easy to install and manage. It runs entirely on your own infrastructure so your messages aren't vulnerable to prying eyes and bored sysadmins of some other company. You can set it up to interoperate with any other IM system if you want to. There's a ton of open source clients available. Safe and effective, and keeps people from spending money on crap "solutions" that aren't.

Re:And the lesson is, don't use omnipod, use jabbe

[d3ac0n]

Actually, jabber was one of the options I explored. We didn't go with it because omnipod was already in use by one of our larger branches, and it was simpler to just extend the use of the product. No servers to setup, no additional hardware needed, and low licensing costs. Omnipod worked great for us. For others it might not work so great, but it was our best option.

Oh, and yes, AIM (and YIM, MSN, ICQ and IRC) is blocked at the firewall. Most IM clients are also prevented from being installed by AD pol

Re:

[Buran]

Apparently you don't allow people to have social lives. Apparently, you think all your workers need to be mindless drones while at work. Guess what -- people work better when they can let their minds wander a bit when they need to during the day.

I guess that's against corporate policy, too, then, since it's quite possible to block file transfers while still allowing people to socialize.

But then, it's so much easier to use "security" as an excuse to clamp down on imagined "productivity threats".

Re:

[Buran]

Social lives, mind wandering = not at work.

Funny, I thought that when I was sitting at my desk, I was at work. What I'm actually doing at my desk has nothing to do with whether or not I am at work.

Oh, and by the way, open your eyes and read this:

What's Next: Stupid Productivity Tricks [inc.com]

You say you don't care if people walk around for a bit? Eat your words:

"recreational Web surfing has become a kind of mental floss for workers who spend their days sucking in a stream of work-related data that now comes in at a

Re:

[spun]

Well, in your case it makes sense to use omnipod, if a large part of your company is already using it. I guess it would also make sense for firms that don't have the time, inclination, or technical know-how to do it themselves. I'm not that much of an open-source zealot that I can't see there is a place for other solutions. I just finished setting up jabber where I work, so I'm kinda on a jabber kick is all. Instant messaging is really a great thing for business. Many time people have a really quick questio

Re:And the lesson is, don't use omnipod, use jabbe

[99BottlesOfBeerInMyF]

ur users do actually get alot of latitude with thier machines (programming shop, they have to have it) but there are certain things we do not allow. Public IM networks are one of them.

Having worked at a number of programming shops, that doesn't sound like a lot of latitude to me. If you can't install arbitrary software because of an AD policy and you audit people's machines it sounds like a very authoritarian place that does not trust the workers very much. Here we get a choice of computer brand (1 of 3), laptop or tower, any OS we want, and any software we feel like. We're also responsible for keeping our machines moderately secure. We have internal IRC servers and any IM we want is fine. Shop talk is encrypted by policy, either over Jabber or on top of a public network like AIM.

I think it is pretty darn useful. I have a lot of friends and colleagues on both of the aforementioned IM networks who I regularly consult and vice versus. This provides me with an additional resource as well as makes for a more relaxed atmosphere, like when I want to see if my girlfriend wants to meet me for lunch, or just want to chat with old college buddies. I think the fact that my company trusts me is a lot more valuable than tight security policies. Most serious compromises come from within. Because they trust me I'm happier and I'm also a lot less likely to sell them out. Contrary to what you may have heard, studies show the most effective motivation for not exploiting an employer is not fear of punishment or being fired or jail, but an ethical desire to not hurt those who trust you. If your company does not trust you (audits, arbitrary restrictions) then that motivation is removed.

Re:

[tb3]

Oh, random executable installed in your system32 folder, you say?

No the real lesson here is don't use that half-assed excuse for an operating system for anything more than playing video games.

I am sorry if I don't yawn

[aepervius]

QUOTE (emphasis mine): How does this infection start off? As always, it begins with a seemingly innocent web address passed to you via Instant Messaging. Click the link and allow the file to execute and your day will quickly go bad."

The method used after that sound interresting, but nothing beat "trusting" executable being sent by any source, anonym or not , on email or AIM. Do that and SOONER or later your day will turn bad.

Re:

[TubeSteak]

Seems to me that the main problem is between the keyboard and the chair.

But WHICH keyboard and chair?

[Sloppy]

Seems to me that the main problem is between the keyboard and the chair.

Yes, at some developer's desk.

Some brilliant programmer asked: What if the user of my messenger application, clicks on something? And his answer was: well, if it's a URL, download the file. [Ok, so far, so good. A little risky, but not totally stupid at first glance.]

Then the followup question was: what if the file turns out to be an executable program? And his answer was: execute it, of course! Oh, and with the same privileg

Re:

[Fred_A]

For the (apparently) few of us that haven't ever used AIM, are you saying that like the email clients of old, the IM client automagically executes any program it downloads ?

If that's it, it's indeed completely braindead and whoever wrote it should be taken out and shot.

OTOH, it has been shown time and time again that most IM users are more than willing to download EatMyC0mpu7eR.exe and click on it all by themselves...

Re:I am sorry if I don't yawn

[$RANDOMLUSER]

...downloads the image18.com file (disguised as a jpeg). Running the file...

User clicks on .JPG file. Operating system (no names, please) looks at file, says "Oh, that's really an .EXE file, I'll just execute it without asking...".
Sounds perfectly sane to me.

Re:

[The MAZZTer]

Yeah this is an old trick, there've been file.txt.exe files with a notepad icon for a while now.

What I do is always force file extensions on (except for shortcuts) and I sort/group by file type, so if I download an image/text file and it doesn't get stuck in the image/text file group, I know something's up.

Re:

[megaditto]

MacOS 7+ used to do that, but it was a bitch to send a resource fork properly over the Internet (though possible).

Of course with Mac OS X you need to convince the user to set the execute bit to run the 'picture.jpeg' file: not trivial for a typical OSX user.

Re:

[CTho9305]

XP provides methods to mark a file as coming from an untrusted source. Ever tried to run an executable downloaded through IE? You get a warning dialog. It's the AIM client's fault for not noting the source of the file in the alternate stream used for security info.

Re:

[drsmithy]

User clicks on .JPG file. Operating system (no names, please) looks at file, says "Oh, that's really an .EXE file, I'll just execute it without asking...".

I guess you must mean OS/2, because Windows sure as hell doesn't do this.

Simple risk mitigation

[LinuxIsRetarded]

1- Don't run as an administrator.
2- Back up your profile regularly.

If you ever get bitten by something like this, it's easy to recover from.

Re:

[EmbeddedJanitor]

Try explain that in terms that the average user will be able to understand.

Re:Simple risk mitigation

[russ1337]

Try explain that in terms that the average user will be able to understand.

CLICK HERE [ubuntu.com]

Re:

[tchuladdiass]

Not always an option, if you want to keep your wife and kids happy.
In my case, there is one system that runs windows (the main "family" computer). After the last couple of infections (even with no one logging in as administrator), I've found a way to nip it at the source.
The two major malware infection routes were AIM and Web (they don't do much email on that machine). So, I've got Wine set up on my Linux server with AIM and IE. Windows box has the appropriate icons linked to a Cygwin script that launche

Re:

[russ1337]

[Ubuntu is] Not always an option, if you want to keep your wife and kids happy..... I've got Wine set up on my Linux server with AIM and IE. Windows box has the appropriate icons linked to a Cygwin script that launches a local X server rootless (if it isn't already running), then remotely executes AIM or IE from my server.

I'm not sure why you went to all that trouble... I just switched our family computer to Ubuntu and loaded chat tools etc. They are fine with it as the icons are there for all the tools

Re:

[tchuladdiass]

Simple fact is that the family uses lots of windows-only programs. The wife will come home from an accounting class, and needs to download excel spreadsheets from the college web site (which is IE centric, and has little annoyances under Firefox), these spreadsheets will then need to be used under Excel, because last time I had her use it under Openoffice something didn't quiet work right and caused probems when she sent it back to her instructor.
The kids will often need to use MyJal to download ringtones

Re:

[russ1337]

Further to my last post, have you considered using Ubuntu on your family machine and running your essential Windows aps in a Windows OS under VMWare? This provides all the security of the Linux machine (host), with a VM running Windows.

VMWare gives you the option to not save across sessions, this ensures any changes made are lost. (You can save across sessions if you want to, but for security you may chose otherwise). It ensures each and every time your family use the machine, it is stable, virus free and

Re:

[tchuladdiass]

Here's the one used for Aim

<tt>
export PATH=$PATH:/usr/bin:/usr/local/bin:/usr/X11R6/bin
export DISPLAY=192.168.1.15:10
# check to see if an X server is running, if not start one
if ! xtest
then
run XWin :10 -multiwindow -clipboard -silent-dup-error &
xhost +
fi
ssh -x someuser@192.168.1.4 'export DISPLAY=192.168.1.15:10; nohup bin/aim </dev/null >/dev/null 2>&1 &'
</tt>

The shortcut icon then calls this script (r-aim.sh) via the cygwin "run" command (see the example shortcuts

Re:

[Pollardito]

noooooo! don't run it, it's the Slashdot Pipeline Virus!

At least part of the fault is MS'

[Kadin2048]

Not totally true. Almost all of these exploits revolve around getting the user to click on an executable file which is disguised as something else.

For example, you take an executable ("TROJAN.COM") and rename it ("FUNNY.JPG") and for reasons that have never been clear to me, the brainiacs at Microsoft designed their OS so that it will execute the latter file when you double-click on it. This seems pretty retardate; clicking on a file shouldn't imply "open or execute," it either means "open," or it means "ex

Re:

[AnyoneEB]

Minor correction: the file is named "funny.jpg.exe" and Windows by default hides the ".exe" and just shows "funny.jpg". It is properly reacting to the file extension, it just is quite stupidly not displaying it. I disable that on every computer I use, but most people do not even know about that option. Personally, I do not know why such an option would exist.

Re:

[drsmithy]

It is properly reacting to the file extension, it just is quite stupidly not displaying it. I disable that on every computer I use, but most people do not even know about that option. Personally, I do not know why such an option would exist.

Because to most people, file extensions are meaningless gibberish at best and confusing computer stuff at worst.

Re:

[Buran]

The only reason this attack wasn't launched against Linux was

(3) Linux doesn't allow non-root users to install shit in vital system folders and be run at startup.

Re:

[Al Dimond]

But Linux (along with just about any Unix system) does allow non-root users to modify their .profile, which runs every time you log in. Desktop users don't frequently start their computers without logging in. The things that are really important on single-user desktop systems are the things that aren't owned by root. OS and programs can be easily reinstalled.

Re:

[drsmithy]

(3) Linux doesn't allow non-root users to install shit in vital system folders and be run at startup.

Neither does Windows.

Re:Simple risk mitigation

[(54)T-Dub]

1- Don't run as an administrator.

Have you ever done this on a windows machine for an extended period of time? I did it for about a week before I gave up. Some programs don't even run unless you are administrator.

Now if we are talking about a work enviornment then sure, give everyone in the building (except engineering) non-admin accounts, but I would never recommend doing it to someone who didn't have a high level of computer knowledge and patience or an equivalant IT staff on hand to help out with any issues.

Re:

[pe1chl]

Easy: use this method. when a given piece of software does not run, complain at its supplier. ask your money back. remove it from the system. spread the word far and wide.

Software that requires an admin account is soooooooooo 1995. it should be considered obsolete.
When its supplier does not want to fix it, he deserves to go out of business.

Re:

[99BottlesOfBeerInMyF]

Learn some basic sysadmin skills and you don't have to worry about programs not running more than once.

The sad thing is, on the world's most popular operating system people have to learn obscure methods that the average user will not comprehend or bother with in order to just run programs. Worse yet, on a consumer desktop where most people want to run executables they don't trust, there is no way to easily run them in an untrusted mode that does not give them default access to the entire user account. It

Re:

[cortana]

If you right-click an executable and choose 'run as...' then the default option is to run it in an untrusted mode without giving it access to your files and settings.

Re:

[99BottlesOfBeerInMyF]

you right-click an executable and choose 'run as...' then the default option is to run it in an untrusted mode without giving it access to your files and settings.

The problem is, to do this you have to have set up a different user account and it has access to all of those files and settings. This is broken conceptually, and in practice for the average user does not create a second account and because the average user does not want a second account, they want run programs without letting them mess anythi

Re:

[cortana]

You do not have to set up another user account. The default option is to run the selected program without permissions to access your documents and settings, just as I said.

Re:

[cortana]

None of which has any bearing on the fact that if you intend to complain about the inadequacies of an operating system, you should make sure you actually know what you are talking about!

Re:

[drsmithy]

This is because computers are not designed to work sensibly and meet the reasonable expectations of the average user.

No, this is because computers are fundamentally devices that do what you tell them to do, not what you want them to do.

A computer does not know what you mean by "don't do anything bad" unless you actually tell it what "bad" equates to.

Re:

[pe1chl]

Programs which require Admin can be fixed with a quick round of cacls to fix write permissions to the install directory in question (if it's Program Files)

I know that, but:

1 - I consider those programs broken, and so does Microsoft

2 - I think the end-user should not be bothered by this, but the programmer should fix it or find a more adequate occupation.

Re:

[jandrese]

Basic? How in the world is someone supposed to figure out what ACLs they need to set when the application just spits out a "permission error" and quits? Oh, maybe it'll be in the system log? (checks) Nope, by law no useful information is allowed to be put in the system log. If a program wants to write something to the log, it must be of the form "error: Everything is OK" or "error: giving up" and must be repeated 100 times a second.

My experiance is that if a Windows application dies due to permission

Re:

[Kaenneth]

Running an application that requires you to run as Admin for no good reason is like buying a wallet with a chip that voice announces at random intervals how much cash you have on you.

Solutions

[Beryllium Sphere(tm)]

Within the reach of a normal person, shift-right-click and Run As... will get you temporary and per-process administrator privileges without the insanity of running Internet Explorer as root.

Within the reach of an expert, RegMon and FileMon can point you to the isolated places where changing ACLs will allow the stupid program to run. The most frequent bug is for a program to try to write to one or a few protected locations.

Re:

[gutnor]

OK I have been running in non-admin account for over 5 years ( at home since Win2000 with its magic RunAs command ( I know this is sad to think of a su-like command as magic :-) ) )
The rest of my family have happily used it for well over 2 years. No incident, no malware crap on their pc. Basically their pc run as new (no windows rotting) and they almost never need any support.

It is true that several years ago it was a real nightmare to setup. Especially with all the program designed for Win95. But after the

Re:

[Software]

Have you ever done this on a windows machine for an extended period of time? I did it for about a week before I gave up. Some programs don't even run unless you are administrator.

Yep, do it all the time. Even taught the wife how to do it. See http://blogs.msdn.com/aaron_margosis/archive/2005/ 03/11/394244.aspx [msdn.com] for details, but the basic idea is to run a batch file when you want to be an admin. The batch file gives you admin privileges, starts a process (usually iexplore.exe file:///c:/ , which gives you a

Re:

[drsmithy]

Have you ever done this on a windows machine for an extended period of time?

Yes. For about ten years now.

Some programs don't even run unless you are administrator.

Which is why you have "Run As".

Now if we are talking about a work enviornment then sure, give everyone in the building (except engineering) non-admin accounts, but I would never recommend doing it to someone who didn't have a high level of computer knowledge and patience or an equivalant IT staff on hand to help out with any issues.

True to

Re:

[Deanalator]

1. Its not hard in windows to go from user->admin if you are executing arbitrary code
2. Its not hard to infect backups

Good thing it's AIM ...

[(54)T-Dub]

... because it's a well known fact that most AOL users have higher than average internet savvy.

Now I have more reason than ever to install trillian/gaim on newb computers.

Re:

[fr175]

... because it's a well known fact that most AOL users have higher than average internet savvy.

Me too!

Re:

[fr175]

Now I have more reason than ever to install trillian/gaim on newb computers.

AOL silliness aside, according to (my understanding of) TFA (and, yes, I am new here), this worm spreads by getting users to run a .com file which is disquised as a .jpg. The .com then infects the users System32 directory and the magic happens. Wouldn't GAIM and Trillian both be vulnerable to this, if they are running on Win machines?

Re:

[toleraen]

You'd still be vulnerable, but you likely wouldn't spam the linked virus to everyone on your list using gaim/trillian. I would assume that the virus is programmed to expect AIM running, and it probably wouldn't interface with other programs. Then again, IANAP.

Re:Good thing it's AIM ...

[russ1337]

This worm spreads by getting users to run a .com file which is disquised as a .jpg.

I was surfing pr0n^H^H^H^H^H the Internet the other night and mining some sites... I saw very clever(?) URL's on a couple of websites... they were along the line of:

www.dodgywebsite.com/really_interesting_picture.jp g_/session_ID=2383/wwwdodgywebsite.com

Note that the last part of the URL was ".com" .. not part of the website, but the suffix to the file - a COM file!!

You gotta watch yourself

Re:

[OverlordQ]

dollars to dohnuts that that is just tracking info for what picture was downloaded where and how much. Keep in mind, just because it says .jpg/foo/bar/baz/quux doesn't mean that there's a picture instead of CGI sitting there returning the content to you

Re:

[ben there...]

Note that the last part of the URL was ".com" .. not part of the website, but the suffix to the file - a COM file!!

You gotta watch yourself

Yeah man, check this one out:

http://images.slashdot.org/slashdotlg.gif?picture. jpg_/session_ID=2383/www.dodgywebsite.com [slashdot.org]

Crazy stuff. Don't click it!

Not to Worry

[Aqua_boy17]

It's a Pipeline Worm. It's a good thing the internet is made up of tubes instead of pipes or we'd all be screwed!

Re:

[revery]

It's a Pipeline Worm. It's a good thing the internet is made up of tubes instead of pipes or we'd all be screwed!

Senator Ted Stevens responds:
Yes, but you see, the tubes are connected to pipes, and those pipes are connected to larger pipes, and then there are canals, and dams and reservoirs, and other things that are even more complex and convoluted. So you can see by my use of the words "complex" and "convoluted", that it's all terribly complicated. But you are right about one thing: thank God it's not a t

Why this is important.

[AltGrendel]

You probably understand how this works, but I'm sure you can think of someone in your family that you might want to call and warn about this. Maybe you've told them a thousand times about the dangers of clicking on that link, but do it again anyway. I mean, you love them, right?

And if you don't guess who they'll call first about how their computer has gotten SLOW again.

Re:

[fotbr]

My family has figured out that I don't do tech support.

Re:

[Rob T Firefly]

Maybe you've told them a thousand times about the dangers of clicking on that link, but do it again anyway. I mean, you love them, right?

I love them a tiny bit less every time I have to do a PC rescue because "it was from someone who would never send me a virus!"

Re:

[protohiro1]

With friends and family who ask me for computer advice I have a new policy. When they tell me they are thinking of getting a new computer and ask for advice I always recommend a Mac Mini or Macbook. When they tell me that a dell or something is cheaper I tell them my new policy: no free support for Windows, sorry. (I'm not a mac zealot either...I don't use any macs anymore, but my wife, sister and parents do because of this policy)

Re:

[Technician]

And if you don't guess who they'll call first about how their computer has gotten SLOW again.

After the second rebuild in 6 months, I put Ubuntu on my kids computer. End of problem. The kids like the uptime.

using aim

[thedrunkensailor]

using aim is like being kicked in the balls

Tubes Dammit!

[GillBates0]

It's TUBES dammit not PIPES!!11!

And the definition of Tubeworm [wikipedia.org] probably needs to be rewritten.

I love these kinds of attacks

[JoeyJoeJo]

I'm a student employed by the university to fix students' computers in my dorm building. Everyone will click on these links, some more than once. But why do I love these attacks? The hot chicks that will inevitably click the link. I love this job.

Re:

[JoeyJoeJo]

Dear Penthouse, I never thought it would happen to me....

fuckers stole my system32 folder

[quonsar]

lessee... /, bin, boot, debootstrap, dev, etc, home, initrd, lib, media, mnt, opt, proc, root, sbin, srv, sys, tmp, usr, var - nope, it's GONE!

uuddlrlrba

[Deanalator]

Boyd likened the technique to the fight combos common in martial arts video games.

Now all we need is a nice graphical interface and a joystick control system, and the fun can really begin :-)

OS specific then

[smoker2]

At a bare minimum, you will become a Botnet Zombie -- if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks.

What if you don't run DOS (or any derivatives)?

Ha ha, it's a joke. I set up a linux box for my sisters kids to use, and kept an eye on the logs. One of the first things they tried to install was AIM. Ooops, too bad. Some kind ***soul was even trying to help them to do it while chatting though GAIM. Which is kind of funny

This rings a bell

[Bostik]

From the article: What's smart about this attack is that it doesn't matter if you get a file "out of step" - if you start off with a particular file out of sequence, you'll just end up somewhere else in the chain instead. There is no right or wrong place to start with this one - the hackers will make sure you get your fill of infection files!

The basic idea of using multiple, completely unrelated vulnerabilities and attacks to achieve total control is not exactly that new. In fact, the ideas that feel so obvious to us today were quite novel back in the turn of the century. Michael Zalewski described [coredump.cx] a worm prototype that worked in somewhat similar manner more than six years ago.

On the occasions that I get to give lectures about computer security, I try to illustrate these very ideas. The rule #1: There are no local exploits; All vulnerabilities are remote, some may just require a piggy-bag step of first delivering extra code via other holes.

Didn't pass the filter

[Phaid]

A quick glance at the headline and stuff like this stands out: At a bare minimum, you will become a Botnet Zombie -- if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks. Excessive use of capitalized jargon like that always indicates that it's going to be a nothing story, and sure enough, that's exactly what it is. Although, if you think the fact that your PC can be compromised by something you download on purpose is news,

Wake up please!

[cortana]

http://lists.freedesktop.org/archives/xdg/2006-Ap r il/008012.html [freedesktop.org]
http://lists.freedesktop.org/archives/xdg/2006-Apr il/008025.html [freedesktop.org]
http://lwn.net/Articles/178411/ [lwn.net]
http://lwn.net/Articles/178409/ [lwn.net]

Re:

[Mattintosh]

It's in /dev/null where it belongs.

Re:

[Sloppy]

A better way around it is to not run AIM, and instead, run an app where it's always safe to click on things, because the programmer decided that messenger apps do not need to also function as program launchers.