
Pipeline Worm Floods AIM With Botnet Drones

Several readers write about a new AIM threat dubbed the "AIM Pipeline Worm" that uses a sophisticated network of "chained" executables to attack the end user. Security Focus has a brief note. One anonymous reader writes: "Using this method, there is no starting point for the attack — a malicious link via IM can send you to any given file, at which point the path of infection you take depends entirely on the file you start off with. The hackers can then decide which order to install malicious software, depending on their needs at the time. At a bare minimum, you will become a Botnet Zombie — if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks. Unlike similar attacks that have been attempted in the past, the removal of a file from the chain will not stop the attack — you will simply end up with something else installed instead, in the form of a randomly named executable dumped in your system32 folder. You'll still spam an infection link to all your contacts."
This discussion has been archived. No new comments can be posted.
  • by d3ac0n ( 715594 ) on Monday September 18, 2006 @04:05PM (#16133080)
    Don't use IM software unless it's part of a closed, managed network. For example: www.omnipod.com is what we use for inter-office IM here. It's a closed network, and all files sent are automatically virus scanned before they can be received. Safe and effective, and keeps our employees from IM-ing with people outside the company.
  • by aepervius ( 535155 ) on Monday September 18, 2006 @04:05PM (#16133081)
    QUOTE (emphasis mine): "How does this infection start off? As always, it begins with a seemingly innocent web address passed to you via Instant Messaging. Click the link and allow the file to execute and your day will quickly go bad."

    The method used after that sounds interesting, but nothing beats "trusting" executables sent by any source, anonymous or not, on email or AIM. Do that and SOONER or later your day will turn bad.

  • by (54)T-Dub ( 642521 ) <[tpaine] [at] [gmail.com]> on Monday September 18, 2006 @04:12PM (#16133138) Journal
    1- Don't run as an administrator.
    Have you ever done this on a windows machine for an extended period of time? I did it for about a week before I gave up. Some programs don't even run unless you are administrator.

    Now if we are talking about a work environment then sure, give everyone in the building (except engineering) non-admin accounts, but I would never recommend doing it to someone who didn't have a high level of computer knowledge and patience or an equivalent IT staff on hand to help out with any issues.
  • It's free and open source. It's scalable. It's easy to install and manage. It runs entirely on your own infrastructure so your messages aren't vulnerable to prying eyes and bored sysadmins of some other company. You can set it up to interoperate with any other IM system if you want to. There's a ton of open source clients available. Safe and effective, and keeps people from spending money on crap "solutions" that aren't.
  • by Buran ( 150348 ) on Monday September 18, 2006 @04:42PM (#16133413)
    Apparently you don't allow people to have social lives. Apparently, you think all your workers need to be mindless drones while at work. Guess what -- people work better when they can let their minds wander a bit when they need to during the day.

    I guess that's against corporate policy, too, then, since it's quite possible to block file transfers while still allowing people to socialize.

    But then, it's so much easier to use "security" as an excuse to clamp down on imagined "productivity threats".
  • by Buran ( 150348 ) on Monday September 18, 2006 @04:47PM (#16133474)
    The only reason this attack wasn't launched against Linux was

    (3) Linux doesn't allow non-root users to install shit in vital system folders and be run at startup.
  • by 99BottlesOfBeerInMyF ( 813746 ) on Monday September 18, 2006 @05:24PM (#16133783)

    Then they took a look at that cost and found that it is actually less than what they get back from increased productivity that their employees get by IMing their friends/family from work, instead of simply emailing or using a phone.

    Actually I know some of the security guys at one of those companies and I can make a good guess as to how the decision was made. It was probably at a much higher level. "Well should we try to lock down each application on every desktop and have everyone trying to cram everything over port 80 or should we actually let everyone run things on the proper port and then filter things out as we need to?" I'll tell you what one of those companies does when this worm hits their network. They see the propagation behavior as a traffic anomaly on their control panel. Depending upon whether or not there is a signature, it will be listed by worm name or as an unknown worm. Then, they quarantine the infected hosts using ACLs on the routers that segregate their network chunks, removing the propagation traffic and any other traffic from those hosts that differs from "normal" recorded traffic patterns. Workers can still get to what they need to do their job, but can't connect out to random hosts anymore. IT gets an e-mail to clean the infected hosts, with a list of workstations. The worm signature is added to their filter for incoming traffic so it does not come in again over the pipes. The employees who ran it get yelled at by IT for running random executables from IM which violates their work policy.

    And, I can still IM employees at that company to discuss business, which is a normal occurrence, since a lot of business happens over IM these days. IM is just like e-mail. Shutting it off is not an acceptable answer anymore for most people, especially not in sales.
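The detect-then-quarantine workflow the comment above describes, as an added illustration rather than code from Slashdot or from any company mentioned in the thread: a constructed IM-gateway log is scanned for hosts fanning the same link out to many contacts within a short window (the propagation behaviour the summary describes), and a quarantine ACL is emitted that leaves only named business servers reachable. The log format, threshold, window and server addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IM-gateway log (not real data): "timestamp src_host recipient message".
SAMPLE_LOG = """\
2006-09-18T16:05:01 10.1.4.23 alice@example.test hey check this out http://bad.example/pic.php
2006-09-18T16:05:01 10.1.4.23 bob@example.test hey check this out http://bad.example/pic.php
2006-09-18T16:05:02 10.1.4.23 carol@example.test hey check this out http://bad.example/pic.php
2006-09-18T16:05:02 10.1.4.23 dave@example.test hey check this out http://bad.example/pic.php
2006-09-18T16:05:03 10.1.4.23 erin@example.test hey check this out http://bad.example/pic.php
2006-09-18T16:05:09 10.1.4.77 alice@example.test lunch? http://intranet.example/menu
2006-09-18T16:07:30 10.1.4.77 bob@example.test see http://news.example/story
"""
URL_RE = re.compile(r"https?://\S+")
WINDOW = timedelta(seconds=60)  # assumed anomaly window
THRESHOLD = 5                   # assumed: distinct recipients of one URL inside WINDOW

def parse(log):
    """Yield (timestamp, host, recipient, url) for every URL in every log line."""
    for line in log.splitlines():
        ts, host, rcpt, msg = line.split(" ", 3)
        for url in URL_RE.findall(msg):
            yield datetime.fromisoformat(ts), host, rcpt, url

def find_propagating_hosts(log, threshold=THRESHOLD, window=WINDOW):
    """Return {host: url} for hosts pushing one URL to many contacts quickly."""
    events = defaultdict(list)  # (host, url) -> [(timestamp, recipient)]
    for ts, host, rcpt, url in parse(log):
        events[(host, url)].append((ts, rcpt))
    flagged = {}
    for (host, url), hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # sliding window starting at each hit
            rcpts = {r for t, r in hits[i:] if t - t0 <= window}
            if len(rcpts) >= threshold:
                flagged[host] = url
                break
    return flagged

def quarantine_acl(host, allowed):
    """Cisco-style extended ACL lines: keep business servers reachable, drop the rest."""
    lines = [f"permit ip host {host} host {a}" for a in allowed]
    lines.append(f"deny ip host {host} any log")
    return lines

if __name__ == "__main__":
    for host, url in find_propagating_hosts(SAMPLE_LOG).items():
        print(f"{host} fanning out {url}")
        print("\n".join(quarantine_acl(host, ["10.1.0.5", "10.1.0.6"])))
```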

  • by 99BottlesOfBeerInMyF ( 813746 ) on Monday September 18, 2006 @05:51PM (#16133964)

    you right-click an executable and choose 'run as...' then the default option is to run it in an untrusted mode without giving it access to your files and settings.

    The problem is, to do this you have to have set up a different user account and it has access to all of those files and settings. This is broken conceptually, and in practice the average user does not create a second account, because the average user does not want a second account; they want to run programs without letting them mess anything up. A file follows a desktop metaphor and is understandable. Likewise a user is understood to be a person with access to the machine. If there is only one person using the machine, it is counter-intuitive to create a second user account. Finally, it is unintuitive to have to right click to safely run a program, when it is a reasonable default behavior that most users assume the computer is already doing. Go ask 10 average people if they click on an image someone IMs them if they think that should let a program send e-mail from their computer without asking them. Go ask 10 users if they run a game they downloaded, if it should be able to read their e-mail address book without asking for permission. Most users not only think it shouldn't be able to, but they assume it can't. This is because computers are not designed to work sensibly and meet the reasonable expectations of the average user.

  • by toleraen ( 831634 ) on Monday September 18, 2006 @05:56PM (#16134002)
    They see the propagation behavior as a traffic anomaly on their control panel.
    A few requests out to a website for a picture would hardly be considered an anomaly. I'm pretty sure our corporate proxy sees a few dozen requests to /. every minute. I'm sure CNN is much higher than that.

    Depending upon whether or not there is a signature, it will be listed by worm name or as an unknown worm.
    If there is no signature, how would it be listed as a worm at all? Are you talking signature based on an IPS? Because those things aren't exactly very reliable (read: not at all) on catching unknown attacks. Trust me, I spent about 5 months testing them.

    Then, they quarantine the infected hosts using ACLs on the routers that segregate their network chunks, removing the propagation traffic and any other traffic from those hosts that differs from "normal" recorded traffic patterns.
    How does it know who's infected? After it's started its botnet spammings? That trojan has already forwarded its link on to dozens of other people by then. You're playing cleanup at this point. Being reactive to IT security is the last thing you want to do.

    Workers can still get to what they need to do their job, but can't connect out to random hosts anymore. IT gets an e-mail to clean the infected hosts, with a list of workstations.
    At this point they'd have to be completely cut off until their computer is cleaned. How do you know what port to block with the ACL? You may as well just shut down their interface. That means downtime for at least one person, then if anyone is relying on them for information, they've got downtime. Factor in the IT guy who has to clean it/rebuild the OS...etc etc. How much time does it take a few IT guys to clean a hundred computers again?

    The worm signature is added to their filter for incoming traffic so it does not come in again over the pipes. The employees who ran it get yelled at by IT for running random executables from IM which violates their work policy.
    Since when is taking a reactive approach to security ever a good thing? Slapping a corporate policy in a users face isn't going to do you jack for security.

    And, I can still IM employees at that company to discuss business, which is a normal occurrence, since a lot of business happens over IM these days. IM is just like e-mail. Shutting it off is not an acceptable answer anymore for most people, especially not in sales.
    If IM is just like email, why not just use email? What's wrong with the phone?

    So this brings me back to my original reply up top. Any company with an actual IT department...would not allow this to be open. There isn't a 100% way to filter out malicious traffic. Sure, technologies like IPSs are coming along, but they're still a long way off, and rely way too much on signatures. The more possibilities you leave open for attack, the more likely you are going to be attacked. Close everything, then open up as necessary. When you have so many other options for relatively secure communications (phone/email/snailmail), why add the unnecessary risk?
  • by canuck57 ( 662392 ) on Monday September 18, 2006 @09:32PM (#16135130)

    Many, many companies block AIM at the firewall.

    Should that not be "Many, many companies think they block AIM at the firewall."

    'Nuff said if your security people think they have it all plugged up.

  • by Sloppy ( 14984 ) on Monday September 18, 2006 @10:18PM (#16135319) Homepage Journal
    Seems to me that the main problem is between the keyboard and the chair.

    Yes, at some developer's desk.

    Some brilliant programmer asked: What if the user of my messenger application clicks on something? And his answer was: well, if it's a URL, download the file. [Ok, so far, so good. A little risky, but not totally stupid at first glance.]

    Then the followup question was: what if the file turns out to be an executable program? And his answer was: execute it, of course! Oh, and with the same privileges as the user.

    ?!?! A problem between keyboard and chair, indeed.

  • by ktappe ( 747125 ) on Monday September 18, 2006 @11:37PM (#16135635)
    Blocking AIM is usually what happens at two kinds of companies, those that somehow think it will help productivity and those who are security paranoid.
    You have one of my employer's credit cards in your wallet. Tell me again that we are "paranoid" to block IM...or would you be happy with the possibility of your personal account information being sent out via chat?

    -K
