Mar 27, 2008

Instant messaging attacks

Lately I've been getting hit by worms that propagate over the instant messaging networks (mainly MSN). The scheme for such worms is pretty simple. An attacker would send a malicious link or file to a victim. When the victim opens the attacker's content, the victim's machine and IM client get compromised. Once that's done, the attacker uses the victim's own IM credentials (e.g. MSN username and password) to send the same malicious link or file to some or each of the victim's contacts. Symantec has a pretty nice story about this.

When observed from the side, this activity will look like the following:
12:05:01  The infected user logs in as if he/she
is logging in for the first time
12:05:02 The infected user sends a link to its contacts
12:05:03 The infected user logs out

As the whole idea for such worms is to create big size botnet, most of the worms focus only on propagating and dropping trojans inside compromised machines without really paying attention to who the contacts are and how can they be exploited. Going back to an article by pdp about duplicating an identity in a social network environment, it leads me to think that something of this nature can potentially be pulled off in a instant messaging setting.

1 comment:

Thanasis K said...

Even easier attack:
Infected computer pastes a url to all buddies.
Buddy goes to website, it usually is along the lines of enter your MSN credentials to see if your pals have blocked you etc.
Off go your credential (you are now the infected of step1)
You message your pals with the URL etc etc

No exploitation required and it is amazing how many people will fall for even simple social engineering attacks. One guy once registered an email like get.password.support@hotmail.com asking for a users login and password in order to crack an account. He is still getting mail in this account...