
Fully Automated IM Worms on the Way?

CmdrTaco posted more than 8 years ago | from the only-a-matter-of-time dept.

Security 230

nanycow writes "The sudden appearance of a rootkit file in a spyware-laden IM worm attack has set off new fears that malicious hackers are sophisticated enough to launch a fully automated worm attack against instant messaging networks. Researchers say the stage is set for a worm writer to use an unpatched buffer overflow in an IM app to unleash a worm that is capable of infecting millions of users without the use of malicious URLs that require a click."


Jabber! (2, Funny)

caluml (551744) | more than 8 years ago | (#13923143)

We need to use Jabber. It will prevent against things like this. Oh wait. It won't. Still, use Jabber anyway, for it is Open Source goodness.

DEATH TO MICROS (0)

Anonymous Coward | more than 8 years ago | (#13923170)

I love all worms, rootkits and virii... shows what crap the microcomputer world has turned into. vm/370 forever!

Re:DEATH TO MICROS (0)

Anonymous Coward | more than 8 years ago | (#13923636)

it is viruses you insensitive clod.
In Soviet Russia the world turns crap into microcomputers

Re:Jabber! (3, Insightful)

Short Circuit (52384) | more than 8 years ago | (#13923274)

I was actually going to suggest the same thing. AFAIK, it's not the IM protocols that are insecure to the point of allowing worms to propagate, it's the client. Jabber is a standardized protocol, allowing for a multitude of different clients.

Different clients are unlikely to share the same vulnerabilities, so, with a wide variety of clients in use, you're not going to have one single worm that can infect a huge portion of the network.

Re:Jabber! (1)

VxJasonxV (792809) | more than 8 years ago | (#13923477)

It's not the client as much as the OS.

PSI/Windows can be easily compromised by sending a user to an "image" with a .com file extension.
PSI/Linux cannot.

Re:Jabber! (1)

ashyanbhog (852510) | more than 8 years ago | (#13923329)

me just upgraded from Windows experience to Linux, me thinks me safe from this attack, what you say?

Re:Jabber! (1)

Mayhem178 (920970) | more than 8 years ago | (#13923450)

Why not take it a step further? Everyone bust out your virtual machines, plug in that second monitor, install your favorite Linux distro, and chat to your heart's content. Let's see that little "automated worm" (redundant term in the extreme) execute now, yar har har!

Of course, I'm not being totally serious. Though I can think of a few reasons to do this, unrelated to the article, of course. Either way, I'm not too worried about it.

energy is liberated through blasphemy (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13923153)

Jehovah fucking Yahweh, I curse you in the name of Satan the Almighty. Evil lives in me and I walk with Satan all the days of my life cursing and mocking you god (the dog), filthy fucking maggot. My hate grows by the second as I dream of the day when you are under my feet begging for my cock.

God I rape you and hurl blasphemy into your mind. I demand you to come down from heaven right now and get down on your stomach in front of me, lifting your asshole up to receive my cock. God I promise to fuck you and I long to rip your eyes out, kick you in the face, mutilate you, and bathing in your blood. Listen to me, I'm screaming
in your ears to come to earth and in this room for I will have my way with you, oh most cursed god of heaven (you foul piece of shit). Satan is my God and he will force you to drink cum from my dick. I will never stop sinning and blaspheming your name, presents, existence, and most of all the rotten, putrid holy spirit that fucked the mother of gOd and pregnanted that slut with jesus christ.

I stand before all the angles and saints, gOd, jesus fucking christ, mary the whore of gOd, the filthy holy spirit, and they are witnessing my denouncement of you gOd, and my ongoing blasphemy of the holy spirit. I am purposely cursing the holy spirit and its purity and will defy you god and the holy spirit all the wicked days of my sin filled life. My soul is full of evil thoughts and sins, its black with pure hatred of anything holy.

God, I will find new ways to defile and blasphemy you, because I'm seeking evil every second of my life. That is all my mind can think about. You're pain is my desire, you're name I mock, your son I defy, your mother I fuck, and your spirit I cum in.

The only prayers from me are prayers of hate and blasphemy, evil is a part of me, it dwells in my soul, cursing everything about you is the most important part of my existence, total darkness is inside of me. gOd I will rip you out of heaven and force you under my feet you fuck pig. You will listen to all my demands. I will slip into heaven and I will rape all the angels and saints and will kill them in your unholy putrid name. God I will kill you and bath in your blood. Holy spirit I demand you to listen to my hatred of your foul existence, drink my cum, and remember my blasphemy against you, you putrid, rotten, vile spirit of gOd.

I'm the meaning of gOd's pain. This is the way that you will die dog gOd. It will be a slow death, the joy of killing you will make my cock hard, I know you will feel my showers of hate and you will feel extreme pain as I beat your body and make every inch of your body black and blue. I force you bastard Jehovah to the ground and I will
put you under my feet where you belong, you putrid bastard. God you will try to run but I will strap you down and fuck your soul before I rip it out of your body. God "the dog", your life is worthless, for I'm the angel from your new God "Satan". I destroy everything holy, you are felling my hatred pierce your mind intensely, inferior god "dog" you fucking maggot. You will be screaming in pain as I strap you down under my feet, you will look up at me and I will piss down your throat.

I'm so consumed with hatred of you that I will masturbate, and when I feel that I'm about to cum, I force my evil cock full of Satan's cum down your mouth and fill it up with my vile hot cum. I will be pumping your body full of my hot cum. Inside your brain is my blasphemy. The pressure in your skull begins push through your eyes,
burning your flesh, and I laugh as it drips away. Heat burns your skin; your mind starts to boil with my blasphemy, and pure evil hatred of your fucking existence. You will not last long; it's just a matter of time until your ripped apart with my hands. You will be floating in a sea of your blood, smelling your death as it burns. My wicked cum is deep inside you as I skin you. You're eyes will bleed as you pray to me for the end of you're wide-awake nightmare. Waves of pain rap around you're soul, death is staring down at you, your blood is draining fast as I'm injecting hatred into your soul, and dying heart, with wicked sweet Blasphemy and hot cum. The demons are dancing with the thought of you in hell. Pathetic god "dog" how does it feel, you're dieing and I'm celebrating your
pain. I live to hurt and defile you the rancid god of heaven. Satan is calling you're cursed name, Satan takes you're soul dear god, and raps his cock around it. In my hand is you're heart and my cock is resting on it. I can't wait any longer so I cum inside your heart bursting it apart with my explosion of evil vile cum. I crush what is left of your heart into the dirt. The dog god is finally dead and he is burning brightly in hell as cum drips down my leg.

Re:energy is liberated through blasphemy (0, Funny)

Anonymous Coward | more than 8 years ago | (#13923196)

I stand before all the angles and saints.

This was my favorite part.

Re:energy is liberated through blasphemy (0)

Anonymous Coward | more than 8 years ago | (#13923602)

The Saxons feel left out, you insensitive clod!

One too many system crashes, eh? (-1, Offtopic)

Karma_fucker_sucker (898393) | more than 8 years ago | (#13923208)

I feel your pain.

Re:energy is liberated through blasphemy (0, Offtopic)

doctorjay (860762) | more than 8 years ago | (#13923212)

Did somone take your lunch money again?

Re:energy is liberated through blasphemy (0, Offtopic)

grub (11606) | more than 8 years ago | (#13923472)

Re:energy is liberated through blasphemy

woo, I don't need that second cup of coffee this morning. Thanks!

Licensed to Program? (-1, Flamebait)

url80 (927250) | more than 8 years ago | (#13923165)

How about a forced license to compile? This is getting absurd. People continuously pouring syrup on shit and selling pancakes. I've had enough.

Actually, software liability would work better (0, Flamebait)

Anonymous Coward | more than 8 years ago | (#13923221)

If, for example, Microsoft could be held accountable for security problems in their software, such problems would quickly disappear.

And that will happen - whether it's 5 years or 50, people will eventually demand quality software with real warranties.

What is this? (0)

Anonymous Coward | more than 8 years ago | (#13923283)

What is going on here? Who is in charge? I want to make a complaint.

AIM rootkits are? (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#13923168)

very GAI...

Sounds Like... (1)

W3BMAST3R101 (904060) | more than 8 years ago | (#13923172)

New OSS IM apps are going to be more popular soon ;-)

Re:Sounds Like... (0)

Anonymous Coward | more than 8 years ago | (#13923344)

OSS or alternative clients like GAIM, Miranda or Trillian are not as widespread, but make it into headlines a few times every year because of security issues, i.e. the last few releases of GAIM patched some vulnerabilities. Maybe it's time to re-emerge this Gentoo as hardened ...

I for one welcome our new hacker overlords (well folks, please put your names below)

Re:Sounds Like... (0)

Anonymous Coward | more than 8 years ago | (#13923460)

by the time you manage to re-emerge your gentoo system you will have to do another update because everything will be out of date :)

i use gaim everywhere i go (1)

sakura the mc (795726) | more than 8 years ago | (#13923179)

can i still get rootkitted?

I cant take any more of this (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13923184)

What saddens me is that it's not actually difficult to believe that the editors of Slashdot continually use the misnomer "rootkit" to define this latest (and somewhat inane) trojan/virus scare. These are not rootkits, partially because windows does not have a root account---but mostly because they are easily detected.

Quit it, editors. You're embarrassing yourselves. And you should really know better.

Re:I cant take any more of this (1)

LordSnooty (853791) | more than 8 years ago | (#13923213)

Is the 'administrator' account privilege - which a majority of Windows user accounts are - not an equivalent to root?

Re:I cant take any more of this (4, Informative)

Darkon (206829) | more than 8 years ago | (#13923311)


Is the 'administrator' account privilege - which a majority of Windows user accounts are - not an equivalent to root?

Strictly speaking the Windows equivalent of 'root' is the hidden 'LocalSystem' account.

Re:I cant take any more of this (3, Informative)

jav1231 (539129) | more than 8 years ago | (#13923603)

Oh brother. This is largely splitting hairs, people. In the general sense, admin equivalents are about as root-like as they come. You're comparing two different systems, so being precise is an impossibility.

Re:I cant take any more of this (5, Insightful)

ObsessiveMathsFreak (773371) | more than 8 years ago | (#13923261)

The editors' usage of the term rootkit is correct and proper. You may as well argue that the usage of 'cockpit' for the pilot seat and control area of an airplane is incorrect. From the relevant Wikipedia article [wikipedia.org]:

Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).

Rootkit is no longer a term restricted to gaining "root" user access. The term now stands for any suite of hacks and/or programs (the "kit") that enables the malware to disguise its presence in the OS in a more sophisticated manner than simply having obscurely named .exes and registry entries.

Furthermore, in my entirely humble and sincerely personal opinion, the term is an appropriate, apt, and succinct way of describing these types of malicious programs, both in distinguishing them from the less deeply embedded malware types, and in emphasising the increased security threat these programs pose.

Re:I cant take any more of this (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13923321)

Ah.

Well then go ahead and re-invent the language as you please, turning precise terminology into market-driven, meaningless slag.

Don't let people like me--who actually work with this stuff (and for a living) stop you. Enjoy the latte though.

(As a by, you may want to finish reading that wikipedia article)

Re:I cant take any more of this (0)

Anonymous Coward | more than 8 years ago | (#13923423)

Ahh.

So you must be the dude in our engineering dept. that is a unix g0d that takes showers at work because he's too cheap to pay for his hot water.. How ya doin Ron? How's the hot water downstairs?

Re:I cant take any more of this (0)

Anonymous Coward | more than 8 years ago | (#13923523)

It's never a good idea to annoy any UNIX admin or engineer anywhere, ever. We're all watching, always.

Muahaha. hah.

Re:I cant take any more of this (1)

ZiakII (829432) | more than 8 years ago | (#13923656)

Don't be so quick to judge; a lot of people I know bicycle to work and then take a shower once they get there.... me being one of them, it's good exercise =x

Re:I cant take any more of this (2, Informative)

platyduck (915764) | more than 8 years ago | (#13923316)

According to the Slashdotter's god, Wikipedia [wikipedia.org] :

Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).

I work in the IT department at my college, and in the last week, have encountered two machines infected with this worm. Easily detected as it may be to the expert user, it is a rootkit, hiding from detection. If I had not recognized it, it would have been undetected, as the automated scanning tools did not report it.

Re:I cant take any more of this (1)

WWWWolf (2428) | more than 8 years ago | (#13923683)

Erm... rootkits (the definition of which I usually think includes "set of tools/OS patches that hide specific files/processes from the sight of users") have just about nothing to do with "root" account as such. I don't know why the heck they're even called that - maybe it was "the k1t that you install after you get r00t".

If you want to call them "kernel modules and userland tool replacements for hiding files and processes", that's just fine with me, but also call them that on Unix as well then, too =)

Different from other open ports? (5, Insightful)

spencerogden (49254) | more than 8 years ago | (#13923193)

How is this any different from any other service attached to a port on your computer? Whenever a listening program has an overflow vulnerability there is the potential for "a fully automated worm." Granted there is a lot of IM software out there, but there have been plenty of ports and services on Windows that have been exploited in a fully automated way in the past. At least IM software is a _bit_ more heterogeneous than Windows.

Re:Different from other open ports? (3, Insightful)

trezor (555230) | more than 8 years ago | (#13923290)

Basically it says "People are using IM. A buffer overflow in an IM client is, like any other buffer overflow, also bad".

May I say "Duh"?

Re:Different from other open ports? (2, Insightful)

Crayon Kid (700279) | more than 8 years ago | (#13923616)

Why on Earth would an IM application, which is essentially a "client" application, maintain open ports, listening, service-style?

And if there really is some essential functionality that depends on such open ports, wouldn't one hope they were implemented FTP-style, i.e. open them randomly and tell the other party what they are via the outgoing connection?

And if the above is true, how can a remote host cause a crash? It shouldn't be allowed to connect to my IM client just like that. There shouldn't be anything to connect to in the first place! The IM app should only connect to the IM central server and to accepted hosts in my buddy list.

The thing I see that would work is the bot prompting me to accept him in my buddy list and _then_ screwing my IM client. But that's quite different from all this "open port" business that people talk about, and can only be fixed by fixing the IM clients.

Re:Different from other open ports? (5, Interesting)

ColaMan (37550) | more than 8 years ago | (#13923300)

At least IM software is a _bit_ more heterogeneous than Windows.

In this case it doesn't really matter.
Consider an exploit that can get the buddy list out of MSN, for example.
Now, as most IMs only have one client used by the bulk of people, it becomes trivial to send a copy of the exploit to each person on your list and have a high proportion of them become infected, to progress outwards to friends geometrically (unless you have no friends).

This is a hell of a lot more successful than your usual pick-a-random-IP-and-hope-it's-exploitable method.

Re:Different from other open ports? (3, Insightful)

xtracto (837672) | more than 8 years ago | (#13923317)

I think an important point to note is the number of users (more than 195 million users according to Wikipedia [wikipedia.org] [i know, i know... maybe it was better to get the number from my ass]).

And yet worse, unlike other software which keeps open ports, Messenger software has the slight property that its users do not know a lot about computers and so do not take precautions.

About heterogeneity, it would be nice to see if the "attacked because it is the most used" argument of MS Windows holds here. IIRC AOL IM is the most widely used messenger. Which one will get more viruses?? AIM? or MSNM? Place your bets!

Re:Different from other open ports? (4, Insightful)

cowscows (103644) | more than 8 years ago | (#13923328)

It's not entirely different, but it's still interesting. Partially because a lot of people are running IM clients. Also interesting is the fact that an IM client generally has a built in list of other vulnerable machines, via a buddy list. Having this list of people could be pretty handy if the worm can manage to spread through the IM protocols themselves, since it could allow infections to spread without relying on sending out masses of random traffic looking for vulnerable machines. That could just make this sort of thing that much more efficient and harder to detect, because the offending traffic might not look all that different than normal IM chatter.

But then again, I don't know much specific about how this all is supposed to work, so I may be wrong.

Re:Different from other open ports? (1)

Tim C (15259) | more than 8 years ago | (#13923361)

In most cases, those services you mention should never have been exposed to the internet in the first place. IM services, in contrast, generally have to be to be of any use; you can't just hide them behind a firewall.

Re:Different from other open ports? (0)

Anonymous Coward | more than 8 years ago | (#13923454)

The problem with IM programs is that to function with NAT, they modified the protocol to allow no open ports on the client, and everybody communicates through a relay server with just outbound connections to it.
Moreover, this outbound connection can be made to an "HTTP" interface, making it hard for low-layer firewalls to notice a difference between an IM program and a web browser.

Do these things affect non-AIM apps? (1)

jackcarter (884148) | more than 8 years ago | (#13923197)

I use Adium. Should I be worried?

Re:Do these things affect non-AIM apps? (3, Informative)

chroot_james (833654) | more than 8 years ago | (#13923296)

You're less likely to suffer from the attack, but you're not safe. Attackers would most likely go for Windows AIM / MSN / Yahoo long before they go for an open source im client on a mac.

Re:Do these things affect non-AIM apps? (5, Funny)

wvitXpert (769356) | more than 8 years ago | (#13923327)

You're safe. Not because Adium can't be compromised, but because no one cares enough to do it.

Re:Do these things affect non-AIM apps? (4, Informative)

Rocketship Underpant (804162) | more than 8 years ago | (#13923445)

"I use Adium. Should I be worried?"

I doubt it, because any malicious program that wants to alter OS X's settings is going to have to prompt you for an administrator password (unlike Windows). Besides, it's likely that any such worm will target official IM clients rather than third-party apps.

Re:Do these things affect non-AIM apps? (2, Interesting)

nothingbutcoupons (923501) | more than 8 years ago | (#13923479)

I use Trillian for Yahoo, MS, and AIM. Does this mean I am three times more likely to get hit by a worm, or are the worms IM-specific?

OMG!!! (0)

Anonymous Coward | more than 8 years ago | (#13923198)

This would mean that people wouldn't be able to instant message each other!

OMFG wut 2 do? u r about 2 c wut i mean cuz the end is near!

Re:OMG!!! (1)

voice_of_all_reason (926702) | more than 8 years ago | (#13923254)

Hey, if kids can't use the internets anymore, they'll start -- *groan* -- going outside again. And pestering the rest of us. You don't want that, do you? //and get them off mah lawn, too

Evolution baby (1)

Biking Viking (906259) | more than 8 years ago | (#13923200)

Interesting. In humans, a virus may be able to adapt to antibiotics or vaccines over time and continue to survive. Looks like it can happen with computer viruses too.

Re:Evolution baby (5, Funny)

stinerman (812158) | more than 8 years ago | (#13923246)

Ahh... not so fast.

These viruses seem to be intelligently designed. ;-)

Re:Evolution baby (2, Insightful)

Biking Viking (906259) | more than 8 years ago | (#13923284)

Intelligence is such a relative term isn't it?

Re:Evolution baby (0)

Anonymous Coward | more than 8 years ago | (#13923250)

In humans, a virus may be able to adapt to antibiotics

I would love to see you attack a virus with an antibiotic.

Re:Evolution baby (5, Insightful)

meringuoid (568297) | more than 8 years ago | (#13923256)

In humans, a virus may be able to adapt to antibiotics or vaccines over time and continue to survive. Looks like it can happen with computer viruses too.

Not quite. Biological viruses evolve. Computer viruses, however, are products of intelligent design, for certain values of 'intelligent'.

Computer viruses aren't a force of nature. Behind every one of them is a malicious programmer.

Eventually, I imagine we'll see polymorphic and self-modifying code reach the point where it can evolve in the same way as biological viruses, but that's probably quite a way off. The nearest I've heard of to that is viruses programmed to alter their appearance to avoid detection.

Re:Evolution baby (1)

psbrogna (611644) | more than 8 years ago | (#13923426)

Depending on what you circle with your pencil as "The System," I would say that computer viruses do evolve... better or more sophisticated ones get written over time and the best ones prevail. If you consider the human coders as an extension to the digital organism then the resulting aggregate entity is evolving. Semantics aside, the evolution is occurring. Haven't I read somewhere that even humans have distinct organisms embedded internally on a low level that cause effects, possibly even genetic effects?

Re:Evolution baby (1)

meringuoid (568297) | more than 8 years ago | (#13923647)

I would say that computer viruses do evolve... better or more sophisticated ones get written over time and the best ones prevail. If you consider the human coders as an extension to the digital organism then the resulting aggregate entity is evolving. Semantics aside, the evolution is occurring. Haven't I read somewhere that even humans have distinct organisms embedded internally on a low level that cause effects, possibly even genetic effects?

You may be thinking of mitochondria. They have their own DNA quite separate from that of the cell nuclei, and live their lives embedded in our cells providing chemical processing services.

The thing is, though, they aren't intelligent.

It may be interesting, from an epidemiological viewpoint, to consider the various hackers of the world as mutagens, features of a virus's environment that will cause it to change in some way, in the same way that a radioactive source might induce mutation in a biological creature.

However, the crucial difference is that the hackers are intelligent. They have an aim in mind when they alter the virus; mutation in nature does not. A hacker can alter a virus drastically, making a huge change to it all at once in order to achieve some enhancement he has in mind. Evolution must proceed by small steps, each one an improvement or at least not significantly detrimental.

So, be careful not to push the analogy too far. Computer viruses have a good deal in common with biological viruses, but not that much. We're dealing here with intelligent design, not evolution; don't confuse the two.

Re:Evolution baby (1)

somersault (912633) | more than 8 years ago | (#13923473)

err. They need intervention from humans to adapt just now. And it's obvious that people have been writing new viruses for ages. Why do I always feel like a troll? And in response to the other comment.. yes, they were designed.. but whether it was an intelligent decision to design them.. pfft :p

Re:Evolution baby (0)

Anonymous Coward | more than 8 years ago | (#13923680)

Viruses do not become immune to antibiotics... antibiotics have no effect on viruses (antibiotics usually affect metabolism; viruses have no metabolism, they exploit the host's metabolism).

Infection (3, Interesting)

kevin_conaway (585204) | more than 8 years ago | (#13923206)

Is it me or did the article not really explain how the users can become infected without some sort of user interaction? If not, I think the best way to combat this is user education. I know AOL IM can send out "system" instant messages that could be very useful in telling people to avoid these links.

It glosses over good old fashioned buffer overflows, but not much else. Then again, what else do you need? :)

Re:Infection (5, Insightful)

LordSnooty (853791) | more than 8 years ago | (#13923257)

AOL IM can send out "system" instant messages that could be very useful in telling people to avoid these links.
I do hope you are being humorous; they are exactly the kind of unannounced "system" pop-ups which can lead to user confusion & miseducation at best, or system infections at worst. Think of Windows Messenger - not IM - with its "you are leaking your address onto the Internet!". Or think of web banner pop-ups masquerading as OS messages. It's no surprise the average user has no understanding of what's a real message and what's malicious.

Re:Infection (4, Informative)

Red Flayer (890720) | more than 8 years ago | (#13923355)

From the summary:

"Researchers say the stage is set for a worm writer to use an unpatched buffer overflow in an IM app to unleash a worm that is capable of infecting millions or users without the use of malicious URLs that require a click."

FTA "'We've already seen documentation for some serious code-execution vulnerabilities in IM applications. If you put it all together, you'll see we're not that far away from an automated IM attack where infections don't require the user to click on anything,' Wells said."

User education won't help if propagation occurs without any action by them.

That is a how a worm or virus should be! (5, Interesting)

jurt1235 (834677) | more than 8 years ago | (#13923217)

No social engineering by seducing (l)users to click on a link. Real virus [wikipedia.org] multiply themselves!
So what is the issue with this?

Re:That is a how a worm or virus should be! (1)

dascandy (869781) | more than 8 years ago | (#13923451)

The issue is that you can't spell. It's virii or viruses, both of which are acceptable for the OED. You could consider rewriting the sentence to "A real virus multiplies itself!" of course.

Re:That is a how a worm or virus should be! (1)

SmurfButcher Bob (313810) | more than 8 years ago | (#13923600)

> You could consider rewriting the sentence to "A real virus multiplies itself!" of course. ...unless you're in Soviet Russia.

Very infectious. (4, Interesting)

Poromenos1 (830658) | more than 8 years ago | (#13923218)

If you take into account the Small world phenomenon [wikipedia.org] , this means that these worms will infect everyone in the world in at most six or seven hops.

Re:Very infectious. (4, Funny)

Minwee (522556) | more than 8 years ago | (#13923264)

Wow. Just think of how many times Kevin Bacon would get hit by that.

Re:Very infectious. (1)

saskboy (600063) | more than 8 years ago | (#13923352)

"will infect everyone in the world in at most six or seven hops."
Obviously they'll name this looming IM worm threat the Kevin Bacon Virus.

Workplace (5, Insightful)

GoodOmens (904827) | more than 8 years ago | (#13923226)

It's a shame that AIM is so widely used in the workplace even though it's so vulnerable.
I know our IT department frowns upon it but walking around you still see it used ....
It's only a matter of time until something like this comes out that has the potential to severely damage both corporate and private networks ....

Yeah, but... (0, Offtopic)

voice_of_all_reason (926702) | more than 8 years ago | (#13923232)

Can it find Sarah Connor?

Booo! (1)

kkovach (267551) | more than 8 years ago | (#13923240)

Wooooo! Fully automated! Ahhhhh! *runs and screams* Run for your life!

Wasn't Halloween yesterday?

- Kevin

The Disease is Awful (4, Insightful)

putko (753330) | more than 8 years ago | (#13923255)

This particular payload is awful -- automated rootkit install.

Maybe one day we'll get a series of destructive worms that will render hardware unusable (e.g. no boot, disk overwritten, fan turned off and processor cranked up to do permanent damage, boot flash cleared) -- resulting in successive waves of hardware replacement.

I talked to a guy at a computer store about the aftermath of a worm that cleared the bootflash -- they sold so many new computers!

At that point, I figure Micr$oft will be in big trouble; after you buy your fifth motherboard in a row (and try to recover your data) after "Bukk@keB1ll" versions A through X hit you, you'll consider getting a Mac so you can get work done.

 

Re:The Disease is Awful (3, Insightful)

antifoidulus (807088) | more than 8 years ago | (#13923563)

If you take nature as a model (tenuous at best) then actually the MOST virulent viruses are the least likely to cause pandemics. Why? Because they burn out so fast the victims aren't nearly as likely to spread them. Take Ebola for example; it's a horrible virus but it killed its victims so quickly it never spread very far outside of Africa. That is why they are concerned about the fact that the bird flu this time around is killing FEWER people, which gives it more of a chance to mutate and become widespread. Remember the Spanish Influenza that killed so many people only had a fatality rate of around 5%.
No, the sneakier viruses won't ruin your box, they will just sit there and gather information. I would much rather have my email and personal documents destroyed than have them read. Even if you read them then destroy them, I know they have been compromised and can take whatever steps deemed necessary to mitigate my risk. The most sinister viruses would just read and transmit them without me ever knowing.....

The sky is falling! ( again ) (4, Insightful)

grasshoppa (657393) | more than 8 years ago | (#13923265)

Gee, wiz, a "fully automated" worm using a different attack vector.

Let me ask you something, what *doesn't* constitute a "fully automated" worm? Was there some guy in a back room somewhere, individually infecting people with Code Red?

And IM services are hardly a new vector. If anything, this story should be about how long it has taken these people to figure out that services like AIM and ICQ are used by people with little or no computer knowledge, who will randomly click on things. You know, sorta like email. That's the real new nugget out of all of this, and hardly worth the two pages of ads to read about.

Re:The sky is falling! ( again ) (1)

kkovach (267551) | more than 8 years ago | (#13923343)

Now that you mention it, I do remember feeling a little prick in my arm, turning around and seeing some weird guy behind me with a syringe right around the time of Code Red!

Next day, I was infected! I should have put 2 and 2 together! Damn!

They used "fully automated" 5 times in that article. Stood out like a sore thumb.

- Kevin

Re:The sky is falling! ( again ) (3, Informative)

Red Flayer (890720) | more than 8 years ago | (#13923389)

"Let me ask you something, what *doesn't* constitute a "fully automated" worm? "

Any worm that requires the user to click on a link in order for the worm to propagate. The scary thing about this class of worms is that it installs a rootkit without activity from a user, so the only rate-limiting step in the infection cycle would appear to be buddy lists. So, you're on someone's buddy list... you get infected without taking any action. Then, boom, all your buddies are belong to them. &c.

Educated users know better than to click just any link they see -- we depend on that to limit propagation. But it doesn't apply here.

Re:The sky is falling! ( again ) (1)

jfengel (409917) | more than 8 years ago | (#13923627)

Let me ask you something, what *doesn't* constitute a "fully automated" worm?

Unfortunately, we've long since stopped being clear on the distinction between "worms", "trojans", and "viruses". (Actually, I'm not entirely clear on the difference between worms and viruses myself. Wikipedia draws a distinction between the two.) But many things that are called "worms" require some sort of user intervention in order to run.

For example, the "Loveletter" worm is called a worm, and it wasn't fully automated: it depended on the user to click on a file. The social engineering aspect was that people didn't expect a .vbs file to do any harm.

It's become increasingly hard to get users to assist that way, so the propagation is a little slower. Virus checkers scan email attachments, and even Microsoft Outlook no longer just runs any attachment that comes into the mailbox. There are dead ends wherever a user is smart enough not to run the attachment, and even if you could con the user into running the attachment the worm may have to wait hours or days for the user to get around to it.

A fully automated worm, on the other hand, propagates without the help of users on any unpatched system. So it spreads fast, very fast.

IM viruses are not a new vector, but as other vectors are gradually plugged it sounds like the next one in line. The Windows OS is a great vector because there's so much of it around, but IM tools are also pretty common. Sure, users will randomly click things, and there's only a little you can do about that, but if you can exploit a security hole automatically, your worm will get everywhere it's gonna go in hours. Sweet, if you like that sort of thing.

This is news? (0)

Anonymous Coward | more than 8 years ago | (#13923271)

lol
Seriously, it was only a matter of time, and I bet that this really isn't the first example of such activity.
I for one welcome the day that my instant messaging software is added to the list of software I have to periodically get security updates for :/

Problem with older hardware, operating systems (2, Insightful)

Anonymous Coward | more than 8 years ago | (#13923282)

With new hardware and operating systems supporting NX (no execute), wouldn't the effects of a buffer overflow be minimized? I may be crazy, but I thought that this was the entire point behind NX.

Java! Java! Java! (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13923289)

This is just more buggy network code with buffer overflows. When will people learn? Applications should NOT be written in assembly language. C and C++ are assembly language!

I have the solution... (2, Funny)

0110011001110101 (881374) | more than 8 years ago | (#13923307)

Simply IM me at w0rMzH0seTer and I'll give you all the details...

Re:I have the solution... (1)

FuriousBalancing (903038) | more than 8 years ago | (#13923357)

Watch out, he's lying! I just tried IMing him, and he wasn't even online.

What tech is required to build them ? (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13923342)

Playing as Napoleon I am now in the twentieth century and still can not build IM worms. Do you need a wonder to build them ?

I am cautious about automation features as I have stacks of workers wandering around my land doing stupid things. Hopefully IM worms work much better.

Okay, one more turn and I quit.

Grammer Time... (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13923349)

Make up your mind. Will it infect "millions" or "users"?

Re:Grammer Time... (0)

Anonymous Coward | more than 8 years ago | (#13923732)

Grammar, you moron.

Why does the OS let software be invisible? (4, Insightful)

G4from128k (686170) | more than 8 years ago | (#13923386)

This rootkit hides itself from the user and anti-malware. Why should any software be allowed to run invisibly? I really want to know.

It seems to me that a well designed OS should NEVER let a piece of code be invisible. There should be some part of the OS that knows what is running, what invoked it, what file it came from, etc. A well designed OS would know the provenance of every segment of code. This information should be read-only to anything outside of this protected monitoring function. Thus ALL running code would be visible to the user and anti-malware software. And if you add hash-code locks on installed software, then malware wouldn't be able to masquerade as some other normal bit of code or damage anti-malware apps. Malware could still hide in a user-downloaded software, but the tracking function would aid the detection and removal of any unwanted code.

Is there ever a good reason to let software be invisible?

A rootkit doesn't need the OS to "let" it... (2, Insightful)

Rocketship Underpant (804162) | more than 8 years ago | (#13923512)

"This rootkit hides itself from the user and anti-malware. Why should any software be allowed to run invisibly? ...It seems to me that a well designed OS should NEVER let a piece of code be invisible."

The point of a rootkit is that it alters the behaviour of the OS. Sure, a pre-rootkit kernel wouldn't have let just any code run. But once the rootkit gets in (one way or another), it alters the OS's behaviour. Just like the Sony audio CD rootkit (mentioned in a previous Slashdot article) alters the behaviour of Windows to keep certain kinds of files invisible.

Re:Why does the OS let software be invisible? (1)

Grey_14 (570901) | more than 8 years ago | (#13923516)

It's not actually hidden to the OS, it's hidden to the user, and yes, there are many good reasons to let software be invisible to a user, I agree though that there should be an easier way to audit processes as the super user.

Re:Why does the OS let software be invisible? (2, Insightful)

LiquidCoooled (634315) | more than 8 years ago | (#13923652)

So, you want to create a Function entry point to return a table of ULTIMATE_PROCESS information.
What do you think happens when some miscreant (with root access) replaces that jumppoint in memory with one of his own UTLIMATE_PR0CESS function?
Remember, we are not talking about ROM systems here, all system commands are loaded into RAM.

Consider a much simpler situation:

You use the dir command to list the contents of a folder.

Somebody could replace that command on disk with a dodgy one that runs the original dir command, but filters its results and hides all files starting with "hax0r_".

The only real way to be able to check and identify if a system has been rooted is to examine from the outside.
Keep a boot cd handy.
Currently however, rootkits have bugs and limitations in their scope and do not cover every track, hence rootkit detection is semi feasible for now (in Windows at least).

The most sneaky bit of malware I have heard about recently is the semirootkit included inside some Sony protected CDs.
Have a read here [sysinternals.com] for an investigation (this story may explode in the next few days - it looks really telling).
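
The trojaned-`dir` idea above, and the cross-view check ("examine from the outside") that defeats it, as an added example that is not part of the comment or of any tool it mentions. The script below simulates a userland rootkit that hooks the high-level listing API (Python's `os.listdir` stands in for the replaced `dir`) to drop names with a hypothetical `hax0r_` prefix, then detects the hiding by diffing that view against an independent enumeration (`os.scandir` plus an `os.lstat` probe, which the hook does not touch). The directory contents are constructed in a temp dir; nothing here is a real rootkit.

```python
"""Cross-view rootkit detection on a directory listing (added example)."""
import os
import shutil
import tempfile

HIDDEN_PREFIX = "hax0r_"       # hypothetical prefix the trojaned `dir` filters out

_real_listdir = os.listdir     # the genuine API, kept so the hook can call it


def rootkit_listdir(path="."):
    """Trojaned listing: run the real API, then filter the attacker's files."""
    return [n for n in _real_listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def install_hook():
    """Replace the entry point, as a userland rootkit replaces dir/readdir."""
    os.listdir = rootkit_listdir


def remove_hook():
    os.listdir = _real_listdir


def api_view(path):
    """What a program that trusts the (possibly hooked) high-level API sees."""
    return set(os.listdir(path))


def raw_view(path):
    """Independent enumeration that bypasses the hooked entry point.

    os.scandir makes its own directory-read calls; each name is then
    confirmed with os.lstat so the enumerator alone cannot invent entries.
    """
    names = set()
    with os.scandir(path) as it:
        for entry in it:
            try:
                os.lstat(os.path.join(path, entry.name))
                names.add(entry.name)
            except FileNotFoundError:
                pass
    return names


def hidden_entries(path):
    """Cross-view diff: names present on disk but absent from the API view."""
    return sorted(raw_view(path) - api_view(path))


def demo():
    """Build a scratch directory with one hidden file, hook the API, and
    return (what the hooked API shows, what the cross-view diff flags)."""
    d = tempfile.mkdtemp()
    try:
        for name in ("notes.txt", "report.doc", HIDDEN_PREFIX + "dropper.exe"):
            open(os.path.join(d, name), "w").close()   # constructed sample files
        install_hook()
        try:
            seen = sorted(api_view(d))
            hidden = hidden_entries(d)
        finally:
            remove_hook()
    finally:
        shutil.rmtree(d)
    return seen, hidden


if __name__ == "__main__":
    seen, hidden = demo()
    print("hooked API shows :", seen)
    print("cross-view flags :", hidden)
```

The check works only because the second view reaches the data through a path the hook does not control. A kernel-level rootkit that filters the directory-read system call lies to both `os.listdir` and `os.scandir` alike, which is exactly why the comment's real answer is a boot CD: the trusted view has to come from a kernel the attacker never ran under.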

Isn't this about who controls the Spice? (2, Funny)

butterwise (862336) | more than 8 years ago | (#13923400)

When dealing with a worm, always remember: You must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration.

Re:Isn't this about who controls the Spice? (1)

flosofl (626809) | more than 8 years ago | (#13923544)

And always walk without rhythm!

lol (1, Funny)

Anonymous Coward | more than 8 years ago | (#13923475)

So,

Any developers out there looking to create a mod_msn_chroot ?

OSS IM transparent filter? (1)

jaylee7877 (665673) | more than 8 years ago | (#13923520)

I've been looking for some time for an OSS-based transparent filter that would scan for viruses/malware on IM ports. It would alleviate a lot of these problems, anyone seen or heard of anything like that?

Wow another vector. (1)

caffeinex36 (608768) | more than 8 years ago | (#13923567)

Another vector. Big deal....move along...nothing more to see here. g2g..just got an IM from "37337Hax0r 06" gotta see what this dude wan...shi.uh.oh........

IM worms go undetected (4, Informative)

rizzo420 (136707) | more than 8 years ago | (#13923575)

i think a bigger part of the problem, and hopefully this will open their eyes, is that thus far, the big anti-virus companies (symantec and mcafee) will not include IM worms in their definitions. this means that even if you have the most up-to-date windows security patches, and the most up-to-date anti-virus software, you can still be infected by the IM worm. i don't understand why they won't include them as they are, in my opinion, just as dangerous and propagate on their own just like normal email viruses. i deal with the "AIM virus" on a near-daily basis. i keep sending people to download AIMFix [jayloden.com] . this guy is getting some serious hits to his site, and he's not getting paid for it... these are real viruses, since the definition of a virus is that it gets onto your computer and propagates on its own. this just doesn't use traditional means (email, network ports). even if you uninstall instant messenger, it's still there waiting to send itself to everyone on your buddy list.

Partial cheap solutions: low-profile + firewall (4, Interesting)

davidwr (791652) | more than 8 years ago | (#13923608)

A cheap albeit incomplete solution, one which will make the virus-writers work much harder:

1. Encourage people to use non-high-profile clients. It's a lot easier to "take over the world" if 90% of the people are using the same client with the same vulnerabilities than if 30% are using client A, 20% each are using clients B, C, and D, and the remaining 10% are using a variety of other clients.

2. Put a firewall between the application and the network. Again, don't have 90% of the world use the same firewall. It's best if at least part of the firewall sits in front of the OS, i.e. a hardware firewall or a "host-OS-based" firewall in virtual/emulated-hardware environment.

Here's what I see happening in a few years time, when virtualization becomes the norm:

1) everyone has a hardware firewall built into their cable/dsl/whatever box
2) PCs boot into a hypervisor, see #4 below
3) apps run in different security contexts, each having the network, memory, and disk-access privileges that they need and no more. For example, Solitaire will have no disk or network access. A Web browser will have very limited disk access and outgoing-only network access only over certain ports. A "local-only" web browser will be available for reading local html files.
4) The user will be encouraged to run certain applications like web browsers in a "lock box" which will in reality be a virtual machine, with its own firewall mechanism. Multiple VM implementations or VM-hardening-products will be available so no single VM-related exploit will be shared by "90% of the world." The user will be able to "reset" his lock box at any time, erasing any viruses and malware that have infected it but which haven't "escaped" the VM environment.

Yes, the user can still be infected and yes, he can still be contagious, but instead of "everyone" being vulnerable only a part of the world will be. Furthermore, if people use the VM-lockboxes, they can "cure" themselves quite easily from the most common problems. They'll still need security software for the really nasty stuff, and they'll always need a "boot CD" or equivalent to do a full scan of their system for rootkits and such.

Remember: The goal isn't to wipe out viruses - that's practically impossible. It's to reduce your risk and decrease your recovery time.

Here's an example of how #4 can reduce exposure for web browsing:
Say 90% of people run Windows-2010 or whatever. When they run their web browser, they get to pick from:
IE under Windows VM
Opera under Windows VM
Opera under {pick one of many} Linux VMs
Opera under {pick one of many} BSD VMs
Firefox under {pick one of many} {pick Linux, Windows, or BSD} VMs
{insert other web browser here} under {insert operating system here} VM.

The VM would be bare-bones, just having essential services - including a built-in firewall - and a "screen" that just displayed the web browser. The user wouldn't necessarily see he was under a VM if he was merely browsing. If the web-browser screen output were "exported" to the "main" OS a la X, so much the better, assuming that didn't introduce security holes of its own.

Newsflash... (1)

Jack Earl (913275) | more than 8 years ago | (#13923623)

This is really so hard to believe? IM software is no different than any other network facing software, so the same types of exploits are going to work against this just as they would against Ethereal, Apache, RDP; anything.

Just because you are only using the program to chat doesn't make it any different than anything else network facing. All any network application does is send data back and forth, it's what that program does with the data that makes it unique.

First line of defense... (0)

Anonymous Coward | more than 8 years ago | (#13923648)

Well, at least with virtually every IM client, you can block messages from everyone that's not on your buddy list.

I do use AIM (with DeadAIM) because so many folks use it, and AdiumX on my Mac. I don't expect anyone to IM me at random, so I'm simply going to block IMs from anyone not on my list.

from AIMS "security central" (1)

caffeinex36 (608768) | more than 8 years ago | (#13923659)

Q: Can I get a virus through AIM? How do I safely share files with AIM? A: Viruses can't be transferred through an Instant Message itself, but it is possible that files attached to an IM may contain viruses or trojans. Also, links sent in an IM may point to webpages that contain viruses and trojans. Even if you know who is sending you a file or a link, you should use caution in opening it. Some viruses/trojans can send harmful links that appear to be from a buddy you know. You should always use good virus protection software, such as McAfee VirusScan, for automatic scanning of all attachments. See AOL Keyword: AOL Virus Protection Center for more information or visit McAfee's Website.

Unless there's an exploit of course (2, Interesting)

davidwr (791652) | more than 8 years ago | (#13923697)

ANY network-facing application with an exploit should be presumed vulnerable to an automated attack until proven otherwise.

ANY network-facing application should be presumed to be exploitable until proven otherwise.

ANY application should be presumed to be network-facing until proven otherwise.

Alternative IM system without an IM client... (1)

Deven (13090) | more than 8 years ago | (#13923711)

I might as well take this opportunity to plug my open-source "IM" system (CMC), Gangplank [freshmeat.net] , which doesn't require an IM client.

Gangplank was written to support the standard TELNET protocol, meaning any standard TELNET client can be used to connect to the system. Despite not using a custom client, the server supports remote character echo, full (RFC-compliant) TELNET protocol support, Emacs-style line editing, input redrawing when output occurs, and a full input history buffer -- all in a nonblocking, single-process server driven by a select() loop. The system lacks some features (like file transfer), but it is well-suited for a community of people to communicate with each other via text messages. The server is fast and efficient, and it should be able to support thousands of users on a single server. (I've never been able to test the limits of the server, but it uses negligible CPU time...)

And to stay on topic, using a TELNET client should protect you against "IM worms" since there are a wide variety of independent TELNET client implementations on various operating systems, TELNET has been around for decades and standard clients are probably fairly well debugged by now...

So? (1)

Gibsnag (885901) | more than 8 years ago | (#13923730)

Uh, hands up who didn't see this coming? No-one?

It's a service used by a large amount of computer illiterate people, has ports open to the net and an easily accessible list of other users to attack. Seriously, what makes this news that someone is exploiting it? Kinda obvious tbh.