Pipeline Worm Floods AIM With Botnet Drones
Several readers write about a new AIM threat
dubbed the "AIM Pipeline Worm" that uses a sophisticated network of "chained" executables to attack the end user. Security Focus has a brief note. One anonymous reader writes: "Using this method, there is no starting point for the attack — a malicious link via IM can send you to any given file, at which point the path of infection you take depends entirely on the file you start off with. The hackers can then decide which order to install malicious software, depending on their needs at the time. At a bare minimum, you will become a Botnet Zombie — if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks. Unlike similar attacks that have been attempted in the past, the removal of a file from the chain will not stop the attack — you will simply end up with something else installed instead, in the form of a randomly named executable dumped in your system32 folder. You'll still spam an infection link to all your contacts."
And the lesson is... (Score:5, Insightful)
I am sorry if I don't yawn (Score:5, Insightful)
The method used after that sounds interesting, but nothing beats "trusting" an executable sent by any source, anonymous or not, on email or AIM. Do that and SOONER or later your day will turn bad.
Re:Simple risk mitigation (Score:4, Insightful)
Now if we are talking about a work environment then sure, give everyone in the building (except engineering) non-admin accounts, but I would never recommend doing it to someone who didn't have a high level of computer knowledge and patience or an equivalent IT staff on hand to help out with any issues.
And the lesson is, don't use omnipod, use jabber (Score:5, Insightful)
Re:And the lesson is, don't use omnipod, use jabbe (Score:2, Insightful)
I guess that's against corporate policy, too, then, since it's quite possible to block file transfers while still allowing people to socialize.
But then, it's so much easier to use "security" as an excuse to clamp down on imagined "productivity threats".
Re:Simple risk mitigation (Score:3, Insightful)
(3) Linux doesn't allow non-root users to install shit in vital system folders and be run at startup.
Re:And the lesson is... (Score:3, Insightful)
Then they took a look at that cost and found that it is actually less than what they get back from increased productivity that their employees get by IMing their friends/family from work, instead of simply emailing or using a phone.
Actually I know some of the security guys at one of those companies and I can make a good guess as to how the decision was made. It was probably at a much higher level. "Well should we try to lock down each application on every desktop and have everyone trying to cram everything over port 80 or should we actually let everyone run things on the proper port and then filter things out as we need to?" I'll tell you what one of those companies does when this worm hits their network. They see the propagation behavior as a traffic anomaly on their control panel. Depending upon whether or not there is a signature, it will be listed by worm name or as an unknown worm. Then, they quarantine the infected hosts using ACLs on the routers that segregate their network chunks, removing the propagation traffic and any other traffic from those hosts that differs from "normal" recorded traffic patterns. Workers can still get to what they need to do their job, but can't connect out to random hosts anymore. IT gets an e-mail to clean the infected hosts, with a list of workstations. The worm signature is added to their filter for incoming traffic so it does not come in again over the pipes. The employees who ran it get yelled at by IT for running random executables from IM which violates their work policy.
And, I can still IM employees at that company to discuss business, which is a normal occurrence, since a lot of business happens over IM these days. IM is just like e-mail. Shutting it off, is not an acceptable answer anymore for most people, especially not in sales.
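The quarantine procedure this comment describes (spot the propagation fan-out as a traffic anomaly, then fence the host with router ACLs that keep only its recorded "normal" destinations) is sketched below as an added example. It is not code from the article or from any company mentioned; the flow records, IP addresses, the fan-out threshold and the Cisco-style ACL text are all constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port); none come from the article.
# "Baseline" = traffic recorded while the desktops behaved normally.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 25),        # mail relay
    ("10.0.0.5", "10.0.0.21", 8080),      # web proxy
    ("10.0.0.5", "198.51.100.10", 5190),  # IM login server
    ("10.0.0.6", "10.0.0.20", 25),
    ("10.0.0.6", "10.0.0.21", 8080),
    ("10.0.0.6", "198.51.100.10", 5190),
]

# "Live" = one collection interval after the worm has been run on 10.0.0.5.
LIVE_FLOWS = (
    [("10.0.0.5", "10.0.0.21", 8080), ("10.0.0.5", "198.51.100.10", 5190)]
    # fan-out: a dozen direct IM connections to peers it never spoke to before
    + [("10.0.0.5", f"203.0.113.{n}", 5190) for n in range(1, 13)]
    + [("10.0.0.5", "192.0.2.44", 80)]   # fetching the next executable in the chain
    + [("10.0.0.6", "10.0.0.21", 8080), ("10.0.0.6", "10.0.0.20", 25)]
    + [("10.0.0.6", "198.51.100.11", 5190)]  # one new IM server: ordinary drift
)


def destinations_by_host(flows):
    """Map each source host to the set of (dst_ip, dst_port) pairs it contacted."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        seen[src].add((dst, port))
    return seen


def find_propagating_hosts(baseline_flows, live_flows, fanout_threshold=10):
    """Return {host: new_destinations} for hosts whose count of never-before-seen
    destinations in the live interval reaches the threshold (worm-style fan-out).
    A host that only drifts by a destination or two stays below it."""
    baseline = destinations_by_host(baseline_flows)
    live = destinations_by_host(live_flows)
    suspects = {}
    for host, dsts in live.items():
        new = dsts - baseline.get(host, set())
        if len(new) >= fanout_threshold:
            suspects[host] = new
    return suspects


def quarantine_acl(host, allowed, acl_id=101):
    """Cisco-style extended ACL (illustrative syntax, assumed): keep the host's
    recorded normal destinations reachable, drop everything else it originates."""
    lines = [f"access-list {acl_id} permit tcp host {host} host {dst} eq {port}"
             for dst, port in sorted(allowed)]
    lines.append(f"access-list {acl_id} deny ip host {host} any")
    return lines


def triage(baseline_flows, live_flows, fanout_threshold=10):
    """Detect propagating hosts and build their quarantine ACLs; the returned
    host list is what would be mailed to IT as the workstations to clean."""
    baseline = destinations_by_host(baseline_flows)
    suspects = find_propagating_hosts(baseline_flows, live_flows, fanout_threshold)
    acls = {host: quarantine_acl(host, baseline.get(host, set())) for host in suspects}
    return sorted(suspects), acls


if __name__ == "__main__":
    hosts, acls = triage(BASELINE_FLOWS, LIVE_FLOWS)
    print("hosts to clean:", hosts)
    for host in hosts:
        print("\n".join(acls[host]))
```

With the constructed data, 10.0.0.5 shows thirteen destinations absent from its baseline and gets an ACL that still permits its mail relay, proxy and IM login server while denying everything else; 10.0.0.6, with a single new destination, is left alone. The threshold is the tuning knob the thread argues about: it only fires once the fan-out has begun, so the ACL limits further spread rather than preventing the first infection.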
Re:Simple risk mitigation (Score:3, Insightful)
you right-click an executable and choose 'run as...' then the default option is to run it in an untrusted mode without giving it access to your files and settings.
The problem is, to do this you have to have set up a different user account and it has access to all of those files and settings. This is broken conceptually, and in practice the average user does not create a second account, because the average user does not want a second account; they want to run programs without letting them mess anything up. A file follows a desktop metaphor and is understandable. Likewise a user is understood to be a person with access to the machine. If there is only one person using the machine, it is counter-intuitive to create a second user account. Finally, it is unintuitive to have to right click to safely run a program, when it is a reasonable default behavior that most users assume the computer is already doing. Go ask 10 average people if they click on an image someone IMs them if they think that should let a program send e-mail from their computer without asking them. Go ask 10 users if they run a game they downloaded, if it should be able to read their e-mail address book without asking for permission. Most users not only think it shouldn't be able to, but they assume it can't. This is because computers are not designed to work sensibly and meet the reasonable expectations of the average user.
Re:And the lesson is... (Score:3, Insightful)
A few requests out to a website for a picture would hardly be considered an anomaly. I'm pretty sure our corporate proxy sees a few dozen requests to
Depending upon whether or not there is a signature, it will be listed by worm name or as an unknown worm.
If there is no signature, how would it be listed as a worm at all? Are you talking signature-based, on an IPS? Because those things aren't exactly very reliable (read: not at all) on catching unknown attacks. Trust me, I spent about 5 months testing them.
Then, they quarantine the infected hosts using ACLs on the routers that segregate their network chunks, removing the propagation traffic and any other traffic from those hosts that differs from "normal" recorded traffic patterns.
How does it know who's infected? After it's started its botnet spamming? That trojan has already forwarded its link on to dozens of other people by then. You're playing cleanup at this point. Being reactive to IT security is the last thing you want to do.
Workers can still get to what they need to do their job, but can't connect out to random hosts anymore. IT gets an e-mail to clean the infected hosts, with a list of workstations.
At this point they'd have to be completely cut off until their computer is cleaned. How do you know what port to block with the ACL? You may as well just shutdown their interface. That means downtime for at least one person, then if anyone is relying on them for information, they've got downtime. Factor in the IT guy who has to clean it/rebuild the OS...etc etc. How much time does it take a few IT guys to clean a hundred computers again?
The worm signature is added to their filter for incoming traffic so it does not come in again over the pipes. The employees who ran it get yelled at by IT for running random executables from IM which violates their work policy.
Since when is taking a reactive approach to security ever a good thing? Slapping a corporate policy in a user's face isn't going to do you jack for security.
And, I can still IM employees at that company to discuss business, which is a normal occurrence, since a lot of business happens over IM these days. IM is just like e-mail. Shutting it off, is not an acceptable answer anymore for most people, especially not in sales.
If IM is just like email, why not just use email? What's wrong with the phone?
So this brings me back to my original reply up top. Any company with an actual IT department...would not allow this to be open. There isn't a 100% way to filter out malicious traffic. Sure, technologies like IPSs are coming along, but they're still a long way off, and rely way too much on signatures. The more possibilities you leave open for attack, the more likely you are going to be attacked. Close everything, then open up as necessary. When you have so many other options for relatively secure communications (phone/email/snailmail), why add the unnecessary risk?
Re:And the lesson is... (Score:3, Insightful)
Many, many companies block AIM at the firewall.
Should that not be "Many, many companies think they block AIM at the firewall."
Nuff said if your security people think they have it all plugged up.
But WHICH keyboard and chair? (Score:3, Insightful)
Yes, at some developer's desk.
Some brilliant programmer asked: What if the user of my messenger application, clicks on something? And his answer was: well, if it's a URL, download the file. [Ok, so far, so good. A little risky, but not totally stupid at first glance.]
Then the follow-up question was: what if the file turns out to be an executable program? And his answer was: execute it, of course! Oh, and with the same privileges as the user.
?!?! A problem between keyboard and chair, indeed.
Re:And the lesson is... (Score:3, Insightful)
-K