Instant Messaging Worm Floods AIM Pipeline
Labels: The Big Ones
Yeah baby, it's new infection time!
Only in this case, it's not the payload that's important, it's the method of delivery.
You can read all about this thing in a blow-by-blow account here.
If you don't click the above link - shame on you, you naughty people - here is the condensed version.
For the longest time, IM attacks have worked like this.
1) I send you a stupid link that leads to a single file
2) You click stupid link
3) Stupid link downloads single file
4) You run single file and then all kinds of garbage gets dumped onto your PC
....that's pretty much it. You'll get variations on this, certainly, but by and large, you're talking one file, one download, one moment of craziness - and that's all she wrote. It's always about getting that file onto the PC in as quick a time as possible, then move onto the next PC.
There's never much technical sophistication, because the emphasis is on tricking someone into opening the link in the first place - the files themselves are usually pretty crude, and the plan for hosting the files is usually just as bad. What's that, we gotta' nail some people with an IM virus? Okay, let's lob the file on Geocities, it'll never get pulled offline there!
...lol.
Not here, however.
This scam works in the following manner:
1) I send you a stupid link to any of a wide number of files in the "chain"
2) You click stupid link
3) Stupid link downloads the file of my choice
4) My file runs, then (depending on its position in the chain) acts differently than if you'd started off with one of the others. It'll also download different files from other parts of the chain, too and there's also some completely random behaviour thrown in for good measure.
See the difference?
It's not just about hitting you with one file anymore - I can kick things off with any one of a number of pieces of crud, depending on what wonderful things I want to happen to you.
Rootkit time? We'll start things off with File A, and it'll also dump you into a Botnet for extra Instant Messaging Spam attacks. File storage with a hint of mass mailing? Ah, that'll be File B you want. Though File B will also send a different IM message that leads to infection File C, and if you get that one, it'll install File D on your computer which will pick either File A or File E as the next download. Mind you, if you want to be really clever, you'll start with file Z and it might kick off with a keylogger, before randomly deciding to download File A for giggles and finish off with File F, which doesn't actually exist yet.
Regardless of where you begin, these chains have been designed to do maximum damage based on the hacker's needs. Maybe one week they'll want to whip up a tasty Denial of Service attack, so they'll have a bunch of File A infected PCs start adding to the Botnet while the File Z boxes continue to steal banking data without having to worry about the Botnet aspect. Or maybe they might want to use a bunch of infected machines as guinea pigs for a new infection, but don't want to risk hosing them all in one fell swoop and they don't have multiple Botnets to test them all on. No problem, use the File B computers to download the test infections with no risk to the others, and if it works out, you can start shipping the new files over to the others (via file, uh, R2-D2) when needed.
Now, this kind of thing has been tried before - but previously, I've only seen it done with one or two files. Even then, the results were kind of shaky. And it only took a host to pull a file, and that was it - with one file gone, it was game over man, game over. File A needed File B to operate correctly.
Here, however, these guys have made their files interact with one another, yet managed to keep their standalone functionality intact so they don't go pear-shaped if a link in the chain goes down. The file simply moves on to the next one - or it just gets on with its business. Randomness is at the heart of this attack. The thousand-strong Botnet at the heart of this operation would suggest a thriving business, too.
The saving grace here is that we've caught this as these guys are starting their mass crawl across the web - there's a lot of things that aren't in place yet, and for that we should probably be thankful. With just three tests of the same handful of files, we got very different results each time (and different levels of interaction) depending on which file we started off with. And on top of that, rerunning the same tests would not give us the same results, either. You can see the testing examples here - if you haven't checked out the Spywareguide writeup yet, that's your last chance to do so before I get confused and go for a lie down.
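To make the difference between the old one-file dependency and this chain concrete, here is a small added model (not the author's data or code) of the download graph as the post describes it, written to answer the defender's question: once a host pulls one file, what can the chain still deliver? The labels are the post's own, the edges are taken from its prose, and F is treated as a dead link because the post says it does not exist yet.

```python
import random

# Download graph reconstructed from the post's prose (constructed illustration;
# the letters are the post's labels). F is deliberately absent: the post says it
# does not exist yet, so fetching F is a dead link today.
NEW_CHAIN = {
    "A": set(),        # rootkit plus botnet enrolment; fetches nothing further
    "B": {"C"},        # B's IM message leads to C
    "C": {"D"},        # C installs D
    "D": {"A", "E"},   # D picks A or E as the next download
    "E": set(),
    "Z": {"A", "F"},   # Z may fetch A, then finish with the not-yet-existing F
}
# The brittle design the post contrasts with: A cannot operate without B.
OLD_CHAIN = {"A": {"B"}, "B": set()}

def reachable(chain, start, pulled=frozenset()):
    """Files that can still land on a victim from `start` once the files in
    `pulled` are offline. A missing link is skipped and the walk continues,
    matching 'the file simply moves on to the next one'."""
    seen, stack = set(), [start]
    while stack:
        f = stack.pop()
        if f in seen or f in pulled or f not in chain:
            continue
        seen.add(f)
        stack.extend(sorted(chain[f]))
    return seen

def old_style_works(chain, start, pulled=frozenset()):
    """Old design: every dependency must be present or the start file fails."""
    return start not in pulled and start in chain and all(
        old_style_works(chain, dep, pulled) for dep in chain[start])

def still_deliverable(chain, entries, pulled=frozenset()):
    """Union of what any entry point can still deliver: the takedown scope a
    defender must cover, since each seeded file keeps running on its own."""
    return set().union(*(reachable(chain, e, pulled) for e in entries))

def random_run(chain, start, seed, pulled=frozenset()):
    """One victim's download sequence: one random next file per step, stopping
    at a pulled or nonexistent file. Different seeds give different paths,
    which is the post's 'rerunning the same tests' observation."""
    rng, path, f = random.Random(seed), [], start
    while f in chain and f not in pulled:
        path.append(f)
        options = sorted(chain[f])
        f = rng.choice(options) if options else None
    return path
```

Pulling D alone cuts B's branch off from A and E, but Z still delivers A, so a takedown has to cover every entry point rather than one hosting link.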
For me, what's impressive is that these guys have managed to get this whole scheme working in a wonderfully coherent fashion. Usually someone will get a bit right but screw that part up, or mess up with the first piece and spend six weeks tweaking something else. Here, they've got it all running like a conveyor belt and it doesn't really spell anything particularly wonderful for regular web users. As always, be careful what you click on!
More Coverage: Slashdot, TechWeb, SecurityProNews, SecurityFocus, Digg.com, RealTechNews