Posts tagged ‘AIM’
AIM Bots
On November 16, AOL added an “AIM Bots” group to AIM users’ buddy lists. This group contained the buddies Moviephone and ShoppingBuddy. A popup indicated that the bots had been added, but it was not clear who really added the new buddies or why. Apparently AIM was seeking to promote knowledge about the bots, which are a way to query movie times and shopping info via IM.
This intrusion is much worse than when AIM first started adding ads to the AIM client. The protests against this action were even mentioned on Drudge. I don’t use third-party IM clients like Trillian or software to remove the ads from AIM. I wonder if they are free from this annoyance.
While we are able to delete the bot buddy group manually, you may want to let AOL know what you think by sending a message to megabotfeedback@aol.com. I’d use a disposable email account for that email.
IM Security
Lots of IM security noise this week. From technews, “Your Next IM could be Your network’s last” by Gregg Keizer:
Facetime is issuing a “Worm Free Guarantee” on Tuesday as it releases Facetime Auditor 6.5. AFAIK they rely on thresholding, watching for clients that send too many messages in a short period of time. When I evaluated an earlier version of Facetime’s product in October, I was plagued by problems.
IMLogic pointed out they use RTTPS technology to detect odd behavior and block the transmission. RTTPS is an add-on piece for their IMLogic product. It was not available when I tested IMLogic in September. I asked about getting a new beta and was told they don’t do that because evals are limited to 50 users and RTTPS doesn’t eval well with that number of users. When I evaled IMLogic, file transfer did not work with AIM and MSN Messenger.
The article says that it is possible to create an IM exploit that automatically runs exploit code using keystroke macros found in MSN’s and AOL’s products. (I haven’t heard of this before.)
I had Akonix on site today and will be beginning an eval of them next week. They have been doing IM security for a while now. They are still using updated block lists. It’s a better defense than what IMLogic and Facetime gave me to demo. However, I find myself wondering if these two vendors haven’t jumped right back into the game with their new releases.
Being dependent on updates, as Akonix is, is not a good place to be. Think of it like email. When there were a low number of email viruses and they spread slowly, it was rare for a virus to get by. But as the volume of email viruses increased, their speed increased and more got by. Today viruses target specific companies and industries. The update model of security is not good enough for that. But based on my poor experience in evaluating IMLogic and Facetime, I really don’t trust their press releases. Hopefully my eval of Akonix will fare better than these previous two.
IM virus
I had some users passing around an IM virus today. I’m still trying to get a handle on what virus it was to make cleaning it easier.
The users sent “YAY!! http;//home.earthlink.net/~lzingelmann/IMG0099.com” to each other. I downloaded img0099.com and submitted it to Symantec (haven’t heard back yet) as well as VirusTotal. Virustotal.com saw a few heuristic detections and one detection as Kelvir.
I see over at Harry’s blog that there is a new IM virus out today called Virkel. That’s really not good. It does more than attempt to spread. It tries to download other updates and act as a bot. I tried to be the nice guy and let the user take the laptop home with them instead of taking it from them (with the caution that they not log into AIM). What a bad choice that was.
I’m still waiting on a useful IM security writeup. I may have to run this in a vm environment just to see what it does if the antivirus industry doesn’t get off their collective butts.
The funny part about this is some of the people who got infected were part of my Facetime evaluation. The version of Facetime that I am running did nothing to help this other than create a log trail for later cleanup.
SPIM Prevention
SPIM (Spam over IM) prevention techniques from the IMLogic threat center: set your client to not accept messages from people not on your buddy list.
How to stop messages from anonymous users, by IM client:
AOL IM (v5.9.3690)
1. Sign in
2. Click “My AIM” > “Edit Options” > “Edit Preferences”
3. Click “Privacy” in the left-hand column
4. Click “Allow only users on my Buddy List” under the “Who can contact me” heading
ICQ Lite (v4.1)
1. Sign in
2. Click “Main” > “Preferences and Security”
3. Click “Spam Control” in the left-hand column
4. Check “Accept messages only from users on my Contact List”
5. Ensure both options under “Not in List Messages” are checked
6. Check “Do not accept World Wide Pager Messages”
7. Check “Do not accept Email Express Messages”
ICQ Pro (v2003b)
1. Sign in
2. Click “Main” > “Security and Privacy Permissions”
3. Click “Communication Events”
4. Select the yellow check mark for each line item (be sure to scroll)
MSN Messenger (6.2.0137)
1. Sign in
2. Click “Tools” > “Options”
3. Click on the Privacy tab
4. Check “Only people on my Allow List can see my status and send me messages”
5. Ensure “Alert me when other people add me to their contact lists” is checked
Windows Messenger (v4.7.3000)
1. Sign in
2. Click “Tools” > “Options”
3. Click on the Privacy tab
4. Ensure “Alert me when other people add me to their contact lists” is checked
Yahoo! Messenger (v6.0.0.750)
1. Sign in
2. Click “Messenger” > “Preferences”
3. Click “Ignore List” in the left-hand column
4. Click “Ignore anyone who is not on my Messenger List.”
W32.Velkbot.a – IM Virus
W32.Velkbot.a, when executed, sends a message to all MSN Messenger, Yahoo Messenger, and AIM contacts on the compromised computer. The message is as follows:
“rofl
http://albound.com/pictures.php /r[email_address]”
The recipient must click on the link and download/execute the file to become infected.
Once infected, you’ll have %system%\winmsg.exe along with the usual Run registry keys.
Additional bits of fun:
Disables Task Manager and regedit.
Connects to an IRC server at afil.canadiangov.info and waits for commands.
They can do pretty much whatever they want at that point.
Links:
http://www.symantec.com/avcenter/venc/data/w32.velkbot.a.html
I can see how this is listed as high severity and high impact. But the contagion potential doesn’t seem that high. It relies on one website that is likely shut down by now. If you are going to rely on a distribution mechanism that can be shut down, hit your targets Monday morning, not Saturday night. During the week you’ll get the office workers.
This virus is of concern because it is sending IMs to all buddy lists on the top three networks instead of just targeting MSN. Also, the message likely comes from someone you know (strangers generally don’t have me on their buddy list, and people can only contact me if they are already on my list).
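The two signals these posts describe, Facetime’s thresholding of clients that blast messages (IM Security post) and the shape of the lures quoted for the IMG0099.com virus and Velkbot, can be checked together on an IM gateway log. This is an added example, not code from the original posts or from any vendor mentioned; the log lines are constructed, and the exact “/r” + e-mail suffix format is an assumption based on the quoted message.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample of an IM gateway log (not from the original posts): timestamp, sender, recipient, text.
# The lure texts mirror the two messages the posts quote (the IMG0099.com virus and Velkbot).
SAMPLE_LOG = [
    ("2005-03-05 09:00:30", "alice", "carol", "see http://intranet.example.com/wiki/page.html"),
    ("2005-03-05 09:01:00", "carol", "alice", "rofl http://albound.com/pictures.php /ralice@example.com"),
    ("2005-03-05 09:01:00", "carol", "bob",   "rofl http://albound.com/pictures.php /rbob@example.com"),
    ("2005-03-05 09:01:01", "carol", "dave",  "rofl http://albound.com/pictures.php /rdave@example.com"),
    ("2005-03-05 09:01:01", "carol", "erin",  "rofl http://albound.com/pictures.php /rerin@example.com"),
    ("2005-03-05 09:02:30", "dave",  "erin",  "YAY!! http://home.earthlink.net/~lzingelmann/IMG0099.com"),
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
EXEC_EXT = (".com", ".exe", ".scr", ".pif", ".bat", ".cmd")  # Windows runs these when opened
# Velkbot appends the recipient's e-mail after the URL ("pictures.php /r[email_address]"); format assumed.
VELKBOT_RE = re.compile(r"https?://\S+\s*/r\S+@\S+", re.IGNORECASE)

def url_reasons(text):
    # Content rule: does one message carry a link to something that executes on download?
    reasons = {f"link to executable: {u}" for u in URL_RE.findall(text)
               if urlparse(u).path.rstrip(".,;)").lower().endswith(EXEC_EXT)}
    if VELKBOT_RE.search(text):
        reasons.add("url followed by recipient e-mail (Velkbot-style lure)")
    return reasons

def fanout_reasons(log, min_recipients=3, window_s=60):
    # Threshold rule (the Facetime approach): one sender pushing the same URL to many
    # distinct contacts inside a short window, which is how an IM worm spreads.
    sends = defaultdict(list)  # (sender, url) -> [(time, recipient)]
    for ts, sender, rcpt, text in log:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        for url in URL_RE.findall(text):
            sends[(sender, url)].append((when, rcpt))
    reasons = defaultdict(set)
    for (sender, url), hits in sends.items():
        start = min(t for t, _ in hits)
        rcpts = {r for t, r in hits if t - start <= timedelta(seconds=window_s)}
        if len(rcpts) >= min_recipients:
            reasons[sender].add(f"{url} sent to {len(rcpts)} contacts within {window_s}s")
    return dict(reasons)

def detect(log, min_recipients=3, window_s=60):
    # Combine both rules; returns {sender: {reasons}} for accounts worth quarantining or calling.
    alerts = defaultdict(set)
    for _, sender, _, text in log:
        alerts[sender] |= url_reasons(text)
    for sender, rs in fanout_reasons(log, min_recipients, window_s).items():
        alerts[sender] |= rs
    return {s: rs for s, rs in alerts.items() if rs}
```

Run on the sample, carol is flagged by both rules and dave by the executable-link rule, while alice’s intranet link raises nothing.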
Updated AIM Terms of Service
AOL quietly updated their AIM terms of service on February 5th, according to eWeek.
Users who download AIM software after 2/5/2005 are under this policy.
According to the article, the new policy states:
“You waive any right to privacy. You waive any right to inspect or approve uses of the content or to be compensated for any such uses,” according to the AIM terms-of-service.
Although the user will retain ownership of the content passed through the AIM network, the terms give AOL ownership of “all right, title and interest in any compilation, collective work or other derivative work created by AOL using or incorporating this [user] content.”
“In addition, by posting content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this content in any medium,”
Looks like the bottom line is:
1. Use encryption to prevent them from reading your messages.
2. Refrain from posting anything to IM you wouldn’t want to see published in an IM compilation, a court of law, or given to your competitor.
Sounds like good advice in general.
IM Security Challenge
Instant messaging presents the same vulnerabilities as email, yet it is not protected in nearly the same manner. Corporations have dumped money on preventing email viruses, but every other port is left untamed.
Potential Problems:
1. Application attacks. Such attacks are possible if IM client software is not kept up to date. Generally speaking, companies stay on top of Microsoft patches, but not as many patch their other applications. Since IM is generally ad hoc and user-installed, it is not likely to be kept up to date.
2. Viruses sent via file transfers. There are many viruses, such as Bropia, that spread through IM networks and have affected corporate customers.
3. Spam (SPIM). Spam to IM accounts is fairly easy to control: don’t accept IMs from people not on your buddy list.
4. URLs. This is where a link to an exploit or virus is sent.
Solutions:
1. Ban IM. It can be blocked at the firewall, but you may find yourself looking for a new job if you choose to implement that solution.
2. Implement an internal IM server with antivirus, such as Microsoft LCS with Sybari Antivirus for IM. With LCS SP1 coming out this spring you can force Yahoo and AIM users to go through your server so that public traffic is protected.
3. Implement IMLogic to hijack public IM sessions so you can scan and control IM traffic.
AOL’s Security Ads, Another View
I recently posted about my love for the new series of AOL ads. They highlight the fact that users don’t set out to have security disasters and lose their term papers and family photos to a virus. They don’t set out to have their online experience be horrible because of porno spam and spyware. They just want to email grandma the pictures they took at Christmas. Is that so wrong?
Tom Liston takes a different view over in today’s SANS Diary. I’m so glad I got my post in first (a month ago actually). This way I know I’m not just having a knee-jerk reaction against what the “experts” have to say.
Liston claims the ads call AOL customers idiots, and further that computers are tools that must be used skillfully. Basically he’s playing the old blame-the-user game. Don’t we yell at Microsoft for not making patching easier, and for not making stopping viruses and spyware easier? Here is AOL stepping up and helping keep the home user’s system secure. In the past they’ve done things like turn off the Messenger service. Now they are including anti-virus and anti-spyware. If the updates for this are as easy as the updates to AOL’s own software, they have the potential to make people much, much more secure.
AOL IS FILLING IN THE SECURITY GAP. THEY SHOULD BE COMMENDED.
I would highly recommend reading the following entry from the Microsoft Monitor blog. It tells of the writer’s grandma, Windows XP and AOL Security Edition.
The sole problem I might have with the ad campaign is that it implies “Get AOL, Get Secure,” when in reality the AOL Security Edition is necessary.
aimBot
Saw this posted over on NTBugtraq. Sharp-ideas.net has an example program that uses AIM to run programs and send the result back to the requester. Basically a wrapper interacts with the person sending the message and runs a basic set of commands. The example uses nmap, but a fleet of hacking/reconnaissance tools could potentially be used. AIM works very hard at traversing firewalls, so someone outside a firewall could send a command to a computer inside the firewall.
This solution doesn’t sound like it will scale very well. I suppose with AIM groups you could control a bunch of bots. A one-to-one connection could already be pulled off by sending someone a Trojan and then waiting for it to connect back on a specific port.
AOL Instant Mayhem
iDefense announced today a vulnerability in AOL Instant Messenger. It seems there is a buffer overflow in the Away Message feature which at best will cause a denial-of-service condition and at worst will allow an attacker to run code of their choice.
Since AIM hooks the browser, allowing the user to use aim:// links like http:// links, this is exploitable by links you might follow and by remote websites.
When an IT department loses control of its computers, often the first sign is personal-use IM clients showing up. Many companies don’t have the fortitude to fight that battle. Now, as a result, there is the potential for a network worm exploiting this vulnerability.