MoMusings

Wednesday 26th January, 2005


IM Out To Get You!

Filed under: All, Malware

How many of you use instant messaging?

Loads, if not all of you, I suspect, and probably you all have accounts on the top two or three IM services too?

I hear you ask “Why is he writing about instant messaging, is there a problem?”

And my reply would be “You bet there is a problem, and it is getting bigger everyday.”

So, let me shed some light on the issues:

Instant messaging clients are vulnerable to worms, trojans and other malware. You did know that, didn’t you?

Well, if you did or didn’t, the last time I looked there were over 1,700 known pieces of malware that used IM as either their primary, secondary or tertiary, etc. infection vector.

So far the main ones targeted are:

  • Microsoft
  • Yahoo
  • AOL
  • ICQ

In most cases the IM malware arrives as a link or a file in the IM client window. Once the recipient clicks on it [runs the file], the malware carries out its programmed tasks. These may include dropping or downloading other components and installing them on the compromised system, and sending copies of itself to everyone in the victim’s buddy list to further the malware’s propagation.

If it drops and installs a backdoor or remote access trojan [RAT] or a bot, then you have probably lost control of your system. These backdoors may allow the malware author or bot herder to steal or upload data/files from/to your system, use your system to send SPAM through, or use your system as a proxy or web server to host cracked software, porn or a phishing site.

The possibilities are limited only by the malware author’s programming skills. Your compromised system could also be used to attack others as part of a DDoS [Distributed Denial of Service] attack.

Don’t scrap your IM client just yet

Why? Because most IM viruses and worms can’t propagate automatically; they [currently] require the recipient [potential victim] to click a link, or to download the infected file or dropper and run it. You can avoid many of the threats if you practise safe computing [SafeHex]. Also, many anti-virus companies now have either plugins to detect/protect against these threats, or the features are built into the main anti-virus application.

I purposely haven’t covered IRC here as it [IRC] is widely used as the communication and control mechanism for botnets, so is a complete topic on its own.

To minimise the chance of infection, keep your IM client updated and follow these tips:

  • Be wary of files sent via IM, especially those with .exe, .pif, .bat, .cmd and .scr extensions, or ones purporting to be games. For best protection, verify with senders before opening.
  • Never click an unsolicited link fed via IM, or one lurking in another member’s profile or away message.
  • Check your antivirus company’s home page or a general virus site for news on current threats.
  • Evaluate your protection at Eicar.org, which has an antivirus test.

Links to papers/articles:

So, why am I covering this now?

Simple: a new IM worm was released this year which seems to be actually working and causing problems. In fact, I was sent a new variant this morning that someone spotted. Even more worryingly, it is a new version that is not widely detected; in other words, only a few AV products currently detect it.

So what does it look like?

This worm arrives as an IM which contains the infected dropper; when clicked on, this drops an Sdbot variant, but otherwise it works in much the same way as earlier variants.

Details on the original version can be found here:

Details on samples seen:

FileName: LOL.scr
FileDateTime: 26/01/2005 11:48:50
Filesize: 196608
MD5: e8435f10643f2a53f29afe443d9b0d0d
CRC32: BDDE64B0
File Type: PE Executable
Detected By: KAV IM-Worm.WIN322.vb.C, McAfee W32/Bropia.worm.d


Here’s a Snort signature that should detect it until the AV vendors get updates out. Samples have been sent to them for analysis.

# sid:1000001 is a placeholder in the local (1000000+) range; pick one that does not clash with your own rule set
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"W32/Bropia.worm.d [McAfee] - IM"; content:"|87 CC DF C6 CB 99 63 53 05 2E CF 96 AF FC BC 41 96 4E 6E 7E 76 3C B9 27 3A 4F AD 33 99 66 CF 11|"; classtype:misc-activity; sid:1000001; rev:1;)


At this time only two [listed above] vendors detect this out of the 14 scanners I have at hand.
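As an added example (my own, not part of the original post), here is a small Python emulation of the rule’s content match: it parses the content: option (including Snort’s mixed text/|hex| form, which goes beyond the pure-hex pattern above) and checks it against constructed sample payloads, so you can sanity-check a signature before pushing it to a sensor. The payloads are made up for the demonstration and are not real captures.

```python
import re

# The Snort signature from the post, with straight quotes so Snort parses it.
BROPIA_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"W32/Bropia.worm.d [McAfee] - IM"; '
    'content:"|87 CC DF C6 CB 99 63 53 05 2E CF 96 AF FC BC 41 '
    '96 4E 6E 7E 76 3C B9 27 3A 4F AD 33 99 66 CF 11|"; '
    'classtype:misc-activity; rev:1;)'
)


def parse_content_patterns(rule):
    """Return the byte pattern of every content: option in a Snort rule.

    Supports the two forms Snort allows inside the quotes, |hex bytes|
    sections and literal text, possibly mixed (e.g. "GET |0d 0a|").
    Escaped pipes (\\|) are not handled; this is a teaching emulation.
    """
    patterns = []
    for quoted in re.findall(r'content:\s*"([^"]*)"', rule):
        out = bytearray()
        # Splitting on '|' leaves hex sections at the odd indexes.
        for i, part in enumerate(quoted.split('|')):
            out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
        patterns.append(bytes(out))
    return patterns


def rule_msg(rule):
    m = re.search(r'msg:\s*"([^"]*)"', rule)
    return m.group(1) if m else ''


def matches(rule, payload):
    """True when every content pattern of the rule occurs in the payload."""
    pats = parse_content_patterns(rule)
    return bool(pats) and all(p in payload for p in pats)


def scan_payloads(rule, payloads):
    """Return the indexes of the payloads the rule would alert on."""
    return [i for i, p in enumerate(payloads) if matches(rule, p)]


# Constructed sample payloads (not captures): only the second one carries
# the 32 signature bytes contiguously, which is what content: requires.
SIG = parse_content_patterns(BROPIA_RULE)[0]
SAMPLE_PAYLOADS = [
    b"MSG user@example.invalid N lol check this\r\n",  # benign chat text
    b"\x00" * 40 + SIG + b"\x00" * 40,                 # signature present
    SIG[:16] + b"XX" + SIG[16:],                       # split, no match
]

if __name__ == "__main__":
    for i in scan_payloads(BROPIA_RULE, SAMPLE_PAYLOADS):
        print(f"payload {i}: {rule_msg(BROPIA_RULE)}")
```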


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.
