Instant Messaging Threats
Instant messaging programs are used at home, at work or on the road, and they’re a great way to keep in touch with friends and family, meet new people or just waste time. They are fairly easy to figure out, and people of all ages use them. The most popular ones are Yahoo! Messenger, Windows Live Messenger (formerly MSN Messenger), ICQ and AIM (AOL Instant Messenger). Most offer file transfers, webcam and voice functionality as well as traditional text chat.
Every now and again, we hear about the dangers of online predators who, under fake identities, try to lure kids into giving them personal information and more. That is definitely a concern for all parents to have. Kids don’t always realize that there are disturbing and sick people out there, looking for their next victim.
Parents should not only be concerned about their kids, but also themselves or anyone for that matter.
Instant messaging is a very easy way for a person to spread malicious programs very quickly. In a sense it can be compared to email with malicious file attachments or dangerous spam. Both rely on social engineering techniques, which basically means using tricks (free stuff, porn etc.) that people will fall for.
In our SWAT department we did a little research into how this all works. We created a “bait” account, which allowed us to advertise ourselves under a typical identity. We quickly had a lot of people adding our profile to their friend lists. Soon the trap worked its magic and we received our first message:

Figure 1: Infected file transfer
The file sent to us was zipped and contained a Trojan: the kind of program that can infect your PC in many different ways, such as installing a keylogger to secretly capture your keystrokes or modifying your Internet browser to redirect your searches to an affiliate site. You may assume that whoever sent you this instant message is evil. Well, in most cases they didn’t send it themselves: there may well have been no one in front of the computer. An already infected machine can send spam and instant messages automatically, without the user’s knowledge. Such a machine is called a bot, a compromised PC that is part of a group of PCs (a botnet) participating in illegal activities.
Another social engineering technique is to send an IM with a link to a malicious website. We also received one sample that we analyzed:

Figure 2: IM with malicious URL
The trick is to have the person click on the link to see the promised naked photos or whatever the bait is… The site in question hosts malware, and will infect most users’ PCs with a drive-by download as soon as they land on it.
Our study would not be complete if the entire infection process wasn’t exposed. Our test machine got infected, and to our surprise and “excitement” we noticed we were sending the same malicious link to all our good contacts!
Of course, we quickly stopped this, because our experiment had been successful enough and we did not want to be part of a botnet.
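One defensive check that the propagation just described suggests, as an added example (not code from the original post): flag an account that sends the identical URL to many distinct contacts within a short window, which is what an infected machine does and a real user almost never does. The log format and the sample lines below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an outbound IM log (not real data):
# ISO timestamp, sender, recipient, message text.
SAMPLE_LOG = """\
2008-03-12T10:00:01 alice@example.invalid bob@example.invalid hey, are you around?
2008-03-12T10:04:10 alice@example.invalid bob@example.invalid my new photos http://photos.example.invalid/pics.zip
2008-03-12T10:04:11 alice@example.invalid carol@example.invalid my new photos http://photos.example.invalid/pics.zip
2008-03-12T10:04:12 alice@example.invalid dave@example.invalid my new photos http://photos.example.invalid/pics.zip
2008-03-12T10:04:13 alice@example.invalid erin@example.invalid my new photos http://photos.example.invalid/pics.zip
2008-03-12T10:04:14 alice@example.invalid frank@example.invalid my new photos http://photos.example.invalid/pics.zip
2008-03-12T11:30:00 alice@example.invalid bob@example.invalid lunch tomorrow? http://menu.example.invalid/today
"""

URL_RE = re.compile(r"https?://\S+")

def parse_line(line):
    """Split one log line into (datetime, sender, recipient, text)."""
    ts, sender, recipient, text = line.split(" ", 3)
    return datetime.fromisoformat(ts), sender, recipient, text

def find_link_bursts(log_text, min_recipients=4, window=timedelta(minutes=5)):
    """Return {(sender, url): sorted recipients} for every URL that one
    account sent to at least min_recipients distinct contacts inside
    any time window of the given length."""
    events = defaultdict(list)  # (sender, url) -> [(time, recipient), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, sender, recipient, text = parse_line(line)
        for url in URL_RE.findall(text):
            events[(sender, url)].append((when, recipient))
    bursts = {}
    for key, hits in events.items():
        hits.sort()
        best, start = set(), 0
        # sliding window over the time-ordered sends of this (sender, url)
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            recipients = {r for _, r in hits[start:end + 1]}
            if len(recipients) > len(best):
                best = recipients
        if len(best) >= min_recipients:
            bursts[key] = sorted(best)
    return bursts

if __name__ == "__main__":
    for (sender, url), recipients in find_link_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {sender} sent {url} to {len(recipients)} contacts")
```

Tune `min_recipients` and `window` to the account's normal chatter; the point is the same link fanning out to a contact list within seconds, not any single message.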
Jerome Segura