Instant Messaging Threats

March 31st, 2008

Instant messaging programs are used at home, at work or on the road and they’re a great way to keep in touch with friends/family, meet new people or just waste time. They are fairly easy to figure out, and people of all ages are on them. The most popular ones are Yahoo! Messenger, Windows Live Messenger (formerly MSN Messenger), ICQ and AIM (AOL Instant Messenger). Most feature file transfers, webcam and voice functionality, as well as traditional text chats.

Every now and again, we hear about the dangers of online predators who, under fake identities, try to lure kids into giving them personal information and more. That is definitely a concern for all parents to have. Kids don’t always realize that there are disturbing and sick people out there, looking for their next victim.

Parents should be concerned not only about their kids, but also about themselves, or anyone for that matter.
Instant messaging is a very easy way for a person to spread malicious programs very quickly. In a sense it can be compared to email with malicious file attachments or dangerous spam. Both rely on social engineering techniques, which basically means using tricks (free stuff, porn, etc.) that people will fall for.

In our SWAT department we did a little research into how this all works. We created a “bait” account, which allowed us to advertise ourselves under a typical identity. Rapidly, we had a lot of people adding our profile to their friend list. Soon, the trap worked its magic and we received our first message:


Figure 1: Infected file transfer

The file sent to us was zipped and contained a Trojan, the kind of program that can infect your PC in many different ways, such as installing a keylogger to secretly capture your keystrokes or modifying your Internet browser to redirect your searches to an affiliate site. You may assume that whoever sent you this instant message is evil. Well, in most cases they are not. There may very well have been no one in front of the computer. An already infected machine can send spam and instant messages automatically, without the user’s knowledge. Such a machine is called a bot: a compromised PC that is part of a group of PCs (a botnet) participating in illegal activities.

Another social engineering technique is to send an IM with a link to a malicious website. We also received one sample that we analyzed:


Figure 2: IM with malicious URL

The trick is to have the person click on the link to see the promised naked photos or whatever the bait is… The site in question hosts malware, and will infect most users’ PCs with a drive-by download as they land on it.

Our study would not be complete if the entire infection process wasn’t exposed. Our test machine got infected, and to our surprise and “excitement” we noticed we were sending the same malicious link to all our good contacts!

Of course, we quickly stopped this because our experiment was successful enough and we did not want to be part of a botnet.

Jerome Segura
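The behaviour observed at the end of the post, an infected machine pushing the same link to every contact, is something a defender can look for in IM gateway or client logs. The following is an added example, not part of the original post; the tab-separated log format, the sample lines, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample log (not from the post): timestamp, sender, recipient, text.
SAMPLE_LOG = """\
2008-03-31T10:00:05\talice\tbob\tmenu: http://cafe.example.test/menu
2008-03-31T10:00:40\talice\tcarol\tmenu: http://cafe.example.test/menu
2008-03-31T10:02:10\ttestpc\tc01\tis this you?? http://photos.example.test/view?id=1
2008-03-31T10:02:11\ttestpc\tc02\tis this you?? http://photos.example.test/view?id=2
2008-03-31T10:02:11\ttestpc\tc03\tis this you?? http://PHOTOS.example.test/view?id=3.
2008-03-31T10:02:12\ttestpc\tc04\tis this you?? http://photos.example.test/view?id=4
this line is malformed and is skipped
"""

def link_key(url):
    # Host + path: ignores host case and any per-recipient query string.
    parts = urlsplit(url.rstrip(".,!?)"))
    return (parts.hostname or "") + parts.path

def find_link_blasts(log, min_recipients=4, window=timedelta(seconds=60)):
    """Map (sender, link) -> recipients when one sender sent the same link
    to at least min_recipients distinct contacts inside one time window."""
    sends = defaultdict(list)  # (sender, link) -> [(timestamp, recipient)]
    for line in log.splitlines():
        fields = line.split("\t", 3)
        if len(fields) != 4:
            continue
        try:
            ts = datetime.fromisoformat(fields[0])
        except ValueError:
            continue
        for url in URL_RE.findall(fields[3]):
            sends[(fields[1], link_key(url))].append((ts, fields[2]))
    hits = {}
    for key, events in sends.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            recipients = {r for _, r in events[start:end + 1]}
            if len(recipients) >= min_recipients:
                hits[key] = sorted(recipients)
                break
    return hits
```

On the constructed log, only `testpc` is flagged; `alice` sharing one link with two friends stays below the default threshold.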

Jerome Segura is a Security Analyst working at ParetoLogic.

© 2009 ParetoLogic Inc.