Pipeline Worm Floods AIM With Botnet Drones
Several readers write about a new AIM threat dubbed the "AIM Pipeline Worm" that uses a sophisticated network of "chained" executables to attack the end user. Security Focus has a brief note. One anonymous reader writes: "Using this method, there is no starting point for the attack — a malicious link via IM can send you to any given file, at which point the path of infection you take depends entirely on the file you start off with. The hackers can then decide which order to install malicious software, depending on their needs at the time. At a bare minimum, you will become a Botnet Zombie — if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks. Unlike similar attacks that have been attempted in the past, the removal of a file from the chain will not stop the attack — you will simply end up with something else installed instead, in the form of a randomly named executable dumped in your system32 folder. You'll still spam an infection link to all your contacts."
Simple risk mitigation (Score:3, Informative)
2- Back up your profile regularly.
If you ever get bitten by something like this, it's easy to recover from.
Re:And the lesson is... (Score:3, Informative)
Re:Good thing it's AIM ... (Score:5, Informative)
www.dodgywebsite.com/really_interesting_picture.j
Note that the last part of the URL was ".com"
You gotta watch yourself
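As an added example (not from the thread or any of its posters), a small Python link filter that does the check the comment above describes: it ignores the host and looks only at the final extension of the file in the URL path, so a "picture" link that really ends in .com is flagged. The extension lists, the helper names and the sample messages are my own constructed assumptions.

```python
# Added example: flag IM links whose target file is a Windows executable
# disguised behind an image-like name (e.g. "picture.jpg.com").
import posixpath
import re
from urllib.parse import urlparse, unquote

# Assumed lists: extensions an IM link should never point at, and the decoy
# extensions a victim expects to see on a "picture" or document link.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".txt", ".pdf", ".doc"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def classify_link(url: str) -> dict:
    """Return the file name, its extension chain and a verdict for one link.

    Only the *path* is inspected: "dodgywebsite.com" also ends in ".com",
    but that is the domain, not the file the victim would download.
    """
    if "://" not in url:
        url = "http://" + url  # bare "www.example.test/..." links carry no scheme
    path = unquote(urlparse(url).path)  # %2E tricks and %20 padding are decoded
    name = posixpath.basename(path)  # query string and fragment are dropped
    parts = [p.strip() for p in name.lower().split(".")]  # "jpg    .com" padding
    exts = ["." + p for p in parts[1:]] if len(parts) > 1 else []
    final = exts[-1] if exts else ""
    verdict = "ok"
    if final in EXECUTABLE_EXTS:
        # a decoy extension sitting in front of the real one is the classic lure
        verdict = "disguised-executable" if any(e in DECOY_EXTS for e in exts[:-1]) else "executable"
    return {"file": name, "extensions": exts, "verdict": verdict}


def scan_message(text: str) -> list:
    """Classify every link found in one IM message body."""
    results = []
    for match in URL_RE.finditer(text):
        results.append(classify_link(match.group(0).rstrip(".,!?;:)")))
    return results


if __name__ == "__main__":
    # Constructed sample message, modelled on the link in the comment above.
    sample = "lol look at this www.dodgywebsite.com/really_interesting_picture.jpg.com !"
    for r in scan_message(sample):
        print(r["verdict"], r["file"])
```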
Solutions (Score:4, Informative)
Within the reach of an expert, RegMon and FileMon can point you to the isolated places where changing ACLs will allow the stupid program to run. The most frequent bug is for a program to try to write to one or a few protected locations.
Re:Simple risk mitigation (Score:3, Informative)
Re:Good thing it's AIM ... (Score:3, Informative)
Re:And the lesson is... (Score:3, Informative)
Run a jabber server and filter the connections through there? GET REAL! Besides, most of these things have web based clients anyway, and admittedly I don't know exactly how this "jabber server proxy" would work but I doubt it even goes near port 80.
What I have done to combat this problem is block instant messenger with Group Policy, and change the DNS pointing for the web clients.
"technical employees are likely to bypass security by SSH tunneling their IM communications"
bwahahaha. yes. maybe you have these sorts of employees where you work, but mine can barely determine if their monitor is plugged in.
This rings a bell (Score:3, Informative)
From the article: What's smart about this attack is that it doesn't matter if you get a file "out of step" - if you start off with a particular file out of sequence, you'll just end up somewhere else in the chain instead. There is no right or wrong place to start with this one - the hackers will make sure you get your fill of infection files!
The basic idea of using multiple, completely unrelated vulnerabilities and attacks to achieve total control is not exactly that new. In fact, the ideas that feel so obvious to us today were quite novel back at the turn of the century. Michal Zalewski described [coredump.cx] a worm prototype that worked in a somewhat similar manner more than six years ago.
On the occasions that I get to give lectures about computer security, I try to illustrate these very ideas. Rule #1: There are no local exploits; all vulnerabilities are remote, some may just require a piggyback step of first delivering extra code via other holes.