Pipeline Worm Floods AIM With Botnet Drones

Several readers write about a new AIM threat dubbed the "AIM Pipeline Worm" that uses a sophisticated network of "chained" executables to attack the end user. Security Focus has a brief note. One anonymous reader writes: "Using this method, there is no starting point for the attack — a malicious link via IM can send you to any given file, at which point the path of infection you take depends entirely on the file you start off with. The hackers can then decide which order to install malicious software, depending on their needs at the time. At a bare minimum, you will become a Botnet Zombie — if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DoS attacks. Unlike similar attacks that have been attempted in the past, the removal of a file from the chain will not stop the attack — you will simply end up with something else installed instead, in the form of a randomly named executable dumped in your system32 folder. You'll still spam an infection link to all your contacts."
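The summary says the payload ends up as a randomly named executable dropped into system32. As an added example (not code from the story, from Security Focus, or from the worm write-up), here is a small Python check that diffs a directory listing against a known-good baseline and annotates any new executable with how recently it was written and whether its name looks machine-generated. The baseline, the thresholds and the sample listing are assumptions constructed for illustration; on a real machine you would build the baseline from a clean install's file inventory.

```python
"""Flag executables dropped into a Windows system32 directory.

Added example for this thread, not code from the story or the worm write-up.
The baseline, the time window and the sample listing are assumptions made
for illustration.
"""
import re
from datetime import datetime, timedelta
from pathlib import Path
from typing import NamedTuple

EXEC_SUFFIXES = {".exe", ".com", ".dll", ".scr", ".pif", ".bat", ".cmd"}
VOWELS = set("aeiouy")
WINDOW = timedelta(days=1)  # assumed "recent" window


class Entry(NamedTuple):
    name: str
    mtime: datetime


def random_name_reasons(stem):
    """Hints that a file name stem is machine-generated (empty list if none).

    Digits are stripped first: kernel32, ws2_32 and friends are legitimate.
    Assumed thresholds; on their own they also fire on real names such as
    svchost or msvcrt, so callers must combine them with a baseline diff.
    """
    letters = re.sub(r"[^a-z]", "", stem.lower())
    reasons = []
    if len(letters) < 5:
        return reasons
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    if vowel_ratio < 0.2:
        reasons.append("vowel ratio %.2f" % vowel_ratio)
    longest_run = max(len(run) for run in re.split(r"[aeiouy]", letters))
    if longest_run >= 5:
        reasons.append("consonant run of %d" % longest_run)
    return reasons


def flag_dropped_executables(entries, baseline, now, window):
    """Return [(name, reasons)] for executables missing from the baseline.

    Absence from the baseline is the primary signal; recency and a
    random-looking name are appended as extra reasons only. A plausible
    name is still reported, because a dropper can pick one.
    """
    normalized = {n.lower() for n in baseline}
    hits = []
    for entry in entries:
        path = Path(entry.name)
        if path.suffix.lower() not in EXEC_SUFFIXES:
            continue
        if entry.name.lower() in normalized:
            continue
        reasons = ["not in baseline"]
        if now - entry.mtime <= window:
            reasons.append("modified within the last %s" % window)
        reasons.extend(random_name_reasons(path.stem))
        hits.append((entry.name, reasons))
    return hits


def scan_directory(directory, baseline, window=WINDOW):
    """Apply the check to a real directory, e.g. C:\\Windows\\system32."""
    now = datetime.now()
    entries = [Entry(p.name, datetime.fromtimestamp(p.stat().st_mtime))
               for p in Path(directory).iterdir() if p.is_file()]
    return flag_dropped_executables(entries, baseline, now, window)


# Constructed sample listing; not a snapshot of any real system32.
NOW = datetime(2006, 9, 18, 16, 0)
BASELINE = {"kernel32.dll", "svchost.exe", "msvcrt.dll", "notepad.exe"}
SAMPLE = [
    Entry("kernel32.dll", NOW - timedelta(days=400)),
    Entry("svchost.exe", NOW - timedelta(days=400)),
    Entry("msvcrt.dll", NOW - timedelta(days=400)),
    Entry("xqzvtrk.exe", NOW - timedelta(minutes=3)),  # random-looking and fresh
    Entry("update.exe", NOW - timedelta(minutes=2)),   # plausible name, still new
    Entry("readme.txt", NOW - timedelta(minutes=1)),   # not executable, ignored
]

if __name__ == "__main__":
    for name, reasons in flag_dropped_executables(SAMPLE, BASELINE, NOW, WINDOW):
        print(name, "->", "; ".join(reasons))
```

The name heuristic is deliberately subordinate: run on its own it flags legitimate files like svchost.exe and msvcrt.dll, which is why it only annotates files that are already missing from the baseline. On the sample listing both xqzvtrk.exe and update.exe are reported, the first with the extra "vowel ratio" and "consonant run" reasons, the second on recency alone.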
  • by LinuxIsRetarded ( 995083 ) on Monday September 18, 2006 @04:05PM (#16133082)
    1- Don't run as an administrator.
    2- Back up your profile regularly.

    If you ever get bitten by something like this, it's easy to recover from.
  • by $RANDOMLUSER ( 804576 ) on Monday September 18, 2006 @04:19PM (#16133206)
    Many, many companies block AIM at the firewall. Ask at your next interview.
  • by russ1337 ( 938915 ) on Monday September 18, 2006 @04:38PM (#16133372)
    This worm spreads by getting users to run a .com file which is disguised as a .jpg.
    I was surfing pr0n^H^H^H^H^H the Internet the other night and mining some sites... I saw very clever(?) URLs on a couple of websites... they were along the lines of:

    www.dodgywebsite.com/really_interesting_picture.jpg_/session_ID=2383/wwwdodgywebsite.com

    Note that the last part of the URL was ".com" .. not part of the website, but the suffix to the file - a COM file!!

    You gotta watch yourself
  • Solutions

    by Beryllium Sphere(tm) ( 193358 ) on Monday September 18, 2006 @04:59PM (#16133569)
    Within the reach of a normal person, shift-right-click and Run As... will get you temporary and per-process administrator privileges without the insanity of running Internet Explorer as root.

    Within the reach of an expert, RegMon and FileMon can point you to the isolated places where changing ACLs will allow the stupid program to run. The most frequent bug is for a program to try to write to one or a few protected locations.
  • by Software ( 179033 ) on Monday September 18, 2006 @05:37PM (#16133875)
    > Have you ever done this on a Windows machine for an extended period of time? I did it for about a week before I gave up. Some programs don't even run unless you are administrator.

    Yep, do it all the time. Even taught the wife how to do it. See http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx for details, but the basic idea is to run a batch file when you want to be an admin. The batch file gives you admin privileges, starts a process (usually iexplore.exe file:///c:/, which gives you a normal Windows Explorer), then takes away your admin privileges. Here's the file:
    setlocal
    rem Local Administrator account whose password runas will prompt for (and cache).
    set _Admin_=%COMPUTERNAME%\Administrator
    set _Group_=Administrators
    rem Program to launch with admin rights; file:///c:/ makes IE behave as Explorer.
    set _Prog_="C:\Progra~1\Intern~1\iexplore.exe file:///c:/"
    rem The everyday limited account that is elevated for the duration of the launch.
    set _User_=%USERDOMAIN%\%USERNAME%

    if "%1"=="" (
        rem First pass, running as the limited user: re-run this script as
        rem Administrator, passing our own account name as %1. /savecred stores
        rem the Administrator password in this user's credential store after the
        rem first prompt, so any later runas /savecred from this account runs
        rem without prompting.
        runas /savecred /u:%_Admin_% "%~s0 %_User_%"
        if ERRORLEVEL 1 echo. && pause
    ) else (
        rem Second pass, running as Administrator with the limited user in %1.
        echo Adding user %1 to group %_Group_%...
        net localgroup %_Group_% %1 /ADD
        if ERRORLEVEL 1 echo. && pause
        echo.
        echo Starting program in new logon session...
        rem A fresh logon for %1 picks up the new group membership; the token of
        rem the existing desktop session stays unprivileged.
        runas /savecred /u:%1 %_Prog_%
        if ERRORLEVEL 1 echo. && pause
        echo.
        echo Removing user %1 from group %_Group_%...
        rem runas returns as soon as the program has started, so membership is
        rem revoked immediately; the running process keeps its admin token
        rem until it exits.
        net localgroup %_Group_% %1 /DELETE
        if ERRORLEVEL 1 echo. && pause
    )
    endlocal
    Instead of iexplore.exe, you can use Quicken.exe, for example. The advantage of using iexplore.exe is that you can launch other processes, such as installation programs, easily. Don't forget PrivBar, either, to show you what your current privilege level is.
  • by OverlordQ ( 264228 ) on Monday September 18, 2006 @06:47PM (#16134355)
    Dollars to doughnuts that that is just tracking info for what picture was downloaded where and how much. Keep in mind, just because it says .jpg/foo/bar/baz/quux doesn't mean that there's a picture instead of CGI sitting there returning the content to you.
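The two comments above make complementary points: the link is dressed up as a picture but the final path segment carries an executable extension, and a path that says .jpg tells you nothing about what the server actually returns. As an added example, not code from either commenter, the following Python does both checks: it classifies a URL by its last extension, flags an image-looking token earlier in the path as a decoy, and then sniffs the returned bytes for a real image signature. The URL is the one quoted in the thread; the byte strings are constructed stand-ins, and the suffix lists are assumptions.

```python
"""Tell an executable hiding behind an image-looking URL from a real image.

Added example, not code from either commenter. The URL is the one quoted in
the thread; the byte strings are constructed stand-ins for what a server
might return.
"""
import re
from urllib.parse import unquote, urlsplit

EXECUTABLE_SUFFIXES = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".hta"}
IMAGE_TYPES = {"jpeg", "png", "gif"}
# An image extension anywhere in the path, even when something follows it
# ("picture.jpg_", "picture.jpg.com").
IMAGE_TOKEN = re.compile(r"\.(jpe?g|gif|png|bmp)(?![a-z0-9])", re.IGNORECASE)


def path_segments(url):
    """Decoded, non-empty path segments; a scheme-less URL is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return [unquote(seg) for seg in urlsplit(url).path.split("/") if seg]


def final_suffix(segments):
    """Extension of the last segment: what the browser names the download
    and what Windows uses to decide whether to execute it."""
    if not segments:
        return ""
    name = segments[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def classify_url(url):
    """'decoy-image': executable extension with an image token earlier in the
    path; 'executable': executable extension alone; 'image': image extension
    last; 'other': anything else (CGI paths land here, as the reply notes)."""
    segments = path_segments(url)
    suffix = final_suffix(segments)
    if suffix in EXECUTABLE_SUFFIXES:
        decoy = IMAGE_TOKEN.search("/".join(segments)) is not None
        return "decoy-image" if decoy else "executable"
    if suffix and IMAGE_TOKEN.fullmatch(suffix):
        return "image"
    return "other"


def sniff_content(data):
    """Type by leading bytes, independent of the URL. A DOS .com file has no
    signature at all, so 'unknown' must be treated as not-an-image."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data.startswith(b"MZ"):
        return "pe-executable"
    return "unknown"


def safe_to_render_as_image(url, data):
    """Require the URL not to announce an executable and the bytes to carry a
    known image signature; a CGI path returning real JPEG bytes still passes."""
    return (classify_url(url) not in {"decoy-image", "executable"}
            and sniff_content(data) in IMAGE_TYPES)


# Constructed inputs.
COMMENT_URL = ("www.dodgywebsite.com/really_interesting_picture.jpg_"
               "/session_ID=2383/wwwdodgywebsite.com")
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"       # JFIF header only
COM_BYTES = b"\xb4\x09\xba\x0e\x01\xcd\x21\xcd\x20"     # raw 16-bit x86, no header
PE_BYTES = b"MZ\x90\x00" + b"\x00" * 12                  # DOS stub magic only

if __name__ == "__main__":
    for u in (COMMENT_URL, "http://example.test/photo.jpg",
              "http://example.test/photo.jpg.com", "http://example.test/cgi/pic"):
        print(classify_url(u), u)
    print(sniff_content(JPEG_BYTES), sniff_content(COM_BYTES), sniff_content(PE_BYTES))
    print(safe_to_render_as_image(COMMENT_URL, COM_BYTES))
```

The quoted URL classifies as decoy-image because ".jpg_" sits in an earlier segment while the last segment ends in .com, and the same rule catches the plain double-extension form photo.jpg.com. The sniffer is the half that survives the CGI objection: a .com file is headerless raw code, so the only safe policy is to render nothing that fails to match a known image signature, rather than to block only what matches a known executable one.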
  • by crabpeople ( 720852 ) on Monday September 18, 2006 @08:00PM (#16134728)
    No offense but are you nuts? People should be able to IM at work? Yeah we used to have that here. Then they made me disable all messengers because people chat on them all day long.

    Run a jabber server and filter the connections through there? GET REAL! Besides, most of these things have web based clients anyway, and admittedly I don't know exactly how this "jabber server proxy" would work but I doubt it even goes near port 80.

    What I have done to combat this problem is block instant messenger with group policy, and change the dns pointing for the web clients.

    "technical employees are likely to bypass security by SSH tunneling their IM communications"

    bwahahaha. yes. maybe you have these sorts of employees where you work, but mine can barely determine if their monitor is plugged in.

  • This rings a bell

    by Bostik ( 92589 ) on Tuesday September 19, 2006 @05:38AM (#16136540)

    From the article: What's smart about this attack is that it doesn't matter if you get a file "out of step" - if you start off with a particular file out of sequence, you'll just end up somewhere else in the chain instead. There is no right or wrong place to start with this one - the hackers will make sure you get your fill of infection files!

    The basic idea of using multiple, completely unrelated vulnerabilities and attacks to achieve total control is not exactly that new. In fact, the ideas that feel so obvious to us today were quite novel back at the turn of the century. Michael Zalewski described a worm prototype that worked in a somewhat similar manner more than six years ago.

    On the occasions that I get to give lectures about computer security, I try to illustrate these very ideas. Rule #1: there are no local exploits; all vulnerabilities are remote, some may just require a piggy-back step of first delivering extra code via other holes.
