January 7th, 2008 by Roderick Ordoñez (Technical Communications)
A worm is making use of MSN messenger to ring in the New Year — by spreading copies of itself, of course.
It sends any of the following messages:
- Hey, Can i put theese on facebook?
- Hi, have u seen my New Year pics yet? if not, this you gotta see!
- Hi, this you gotta see!
- Hey, Some pics from New Year at my place :)
- Hey, happy New Year, heres som pics from New Year! :)
These messages are accompanied by a link that downloads Photos1-2008.zip which, when opened, drops the file happy2008.exe together with the ZIP file. Trend Micro detects both files as WORM_IRCBOT.EL.
If installed successfully, the worm tries to repeat the process: it sends a link to the malicious .ZIP file to all contacts listed in the currently logged-on user’s MSN Messenger account. The worm may also allow a remote malicious user to execute commands on the affected system.
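A detection sketch for the propagation behaviour described above, added here as an example and not Trend Micro's detection logic: it flags an account that sends the same .zip link to several contacts within a short window, or that pairs a .zip link with one of the lure texts listed in the post. The event tuple format, the thresholds, and the sample accounts and hostnames are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Lure texts quoted in the post, lower-cased for case-insensitive matching.
LURES = [
    "hey, can i put theese on facebook?",
    "hi, have u seen my new year pics yet? if not, this you gotta see!",
    "hi, this you gotta see!",
    "hey, some pics from new year at my place :)",
    "hey, happy new year, heres som pics from new year! :)",
]
ZIP_URL = re.compile(r"https?://\S+?\.zip\b", re.IGNORECASE)

def analyze(events, min_recipients=3, window=60):
    """events: (epoch_seconds, sender, recipient, text) tuples (assumed format).
    Flags a sender/URL pair when the same .zip link reaches min_recipients
    distinct contacts within `window` seconds, or when a known lure is used."""
    groups = defaultdict(list)
    for ts, sender, rcpt, text in events:
        match = ZIP_URL.search(text)
        if match:
            lure = any(phrase in text.lower() for phrase in LURES)
            groups[(sender, match.group(0).lower())].append((ts, rcpt, lure))
    findings = []
    for (sender, url), hits in sorted(groups.items()):
        hits.sort()
        best = set()  # largest set of distinct recipients in any window
        for i, (start, _, _) in enumerate(hits):
            rcpts = {r for t, r, _ in hits[i:] if t - start <= window}
            if len(rcpts) > len(best):
                best = rcpts
        lure = any(h[2] for h in hits)
        if len(best) >= min_recipients or lure:
            findings.append({"sender": sender, "url": url,
                             "recipients": sorted(best), "lure": lure})
    return findings

# Constructed sample events; hostnames and accounts are placeholders.
BAD = "http://files.example.invalid/Photos1-2008.zip"
SAMPLE = [
    (100, "alice", "bob", "Hey, Can i put theese on facebook? " + BAD),
    (102, "alice", "carol", "Hi, this you gotta see! " + BAD),
    (105, "alice", "dave", "Hey, Some pics from New Year at my place :) " + BAD),
    (200, "erin", "bob", "build output: http://intranet.example.invalid/build.zip"),
    (0, "frank", "bob", "notes http://share.example.invalid/notes.zip"),
    (4000, "frank", "carol", "notes http://share.example.invalid/notes.zip"),
    (8000, "frank", "dave", "notes http://share.example.invalid/notes.zip"),
]
```

Calling `analyze(SAMPLE)` flags only the first account: the single archive link and the slow, hours-apart sharing of one file do not meet the fan-out threshold and carry no lure text.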
Malware authors have long relied upon the human element as the “weakest link” in system protection. The popularity of MSN Messenger, and of any other instant messaging application in circulation, makes IM a highly appealing vector for spreading their malicious wares. However, as with spam email, most attacks of this kind require the user to manually click a link.
Use of IM clients may be impossible to avoid in today’s tech-ingrained culture. The best users can do is to avoid clicking links received via IM, to disable clickable links altogether if their IM client allows it, or simply to ask the sender a follow-up question, like: “hey, is this file safe?” Chances are, it won’t answer if it’s malware doing the sending.
True, good cheer spreads fast but unfortunately, so does malware, if one is really not careful.
January 7th, 2008 by Robert McArdle (Threats Analyst)
Over on Sla.ckers.org, a security researcher who uses the handle Rsnake (a.k.a. Robert Hansen) proposed a competition (due to end on Jan 10th) to create the smallest self-propagating XSS worm possible. Cross-site scripting (XSS) is a type of vulnerability in Web applications that allows an attacker to inject code into the Web pages viewed by other users.
There have been previous examples of XSS worms in the wild. The most famous is most likely the “Samy is my Hero” worm that affected MySpace, but recently we posted about another threat that targeted Google’s social network, Orkut.
Rsnake’s idea is that promoting the writing of such a worm will help researchers better protect against them. This idea opens up the same debate that started in 2003, when Professor John Aycock of the University of Calgary in Canada announced that a module in “Computer Viruses and Malware” would be taught in his course. This issue divided security experts back in 2003, and it’s likely Rsnake’s challenge will do the same. On one side of the fence we have people like Ken Barker, Head of Calgary Computer Science Dept., who argue that “the better we understand something, even if we radically disagree with it, the more likely we are to provide effective mechanisms to counteract it.” The other argument, of course, is that we do not need to actually create malicious code in order to understand how it works.
This debate will not wrap up anytime soon, with both sides making interesting points. There is no doubt, however, that XSS attacks are a major security concern for Web users today, and will continue to increase. So far we have been lucky that the majority of XSS worms have been non-malicious in their motives (with the exception of JS_YAMANER.A).
Unfortunately I doubt that this trend will continue in the future.