64 Comments
- NinjAlt, on 10/12/2007, -0/+17 Stupid people, the bane of EVERYTHING
- kidc, on 10/12/2007, -1/+11 "Its like a 10-hit Tekken combo..."
And the award for nerdiest analogy goes to...
- iFrank, on 10/12/2007, -0/+10 The people getting infected by these kinds of viruses are the same people who use RealPlayer, Gator, and have 28 toolbars in their browsers. Makes me sick.
- inactive, on 10/12/2007, -1/+9 I love when I get those messages from people. I respond with the words "Pwned." which usually confuses them as they don't know they've IMed everyone on their buddy list. When will the newbs learn :
- sporkwitch, on 10/12/2007, -0/+7 To quote one of my favourite t-shirts: "Social Engineering: Because there is no patch for human stupidity."
- ronin2040, on 10/12/2007, -1/+8 try grabbing ProcessExplorer, finding the exe/thread that's connecting, suspend it, kill all file handles referencing the EXE, delete the file, kill the thread, and check all registry startup entries with Autoruns.
Universal method for roasting worms. Autoruns and ProcessExplorer can be gotten here:
www.sysinternals.com
note that they're only for non-commercial use :(
- goflyers, on 10/12/2007, -2/+8 format C: usually does the trick.
- chubbymidget, on 10/12/2007, -0/+6 Otherwise known as 'users' to those who have to support them.
- rjg1021, on 10/12/2007, -0/+6 Gaim won't protect you. But Linux... One time when I came home late from a party I saw one of those "click my picks" messages. Slightly drunk, I clicked it and within .5 seconds I was horrified with my wasted self. Luckily, I was booted into Linux. Nothing happened.
- fumanchu101, on 10/12/2007, -1/+6 I just drop them from my list and never speak to them again. i used to try helping them but they'd get clean and then the next day...."hi look at my pics, click here!"
you just can't help some people. still sux that these viruses are out there though :(
- neko, on 10/12/2007, -0/+5 In other news, a new AIM worm turns AOL into a swarm of zombies.
No-one notices.
- hadak, on 10/12/2007, -1/+6 + digg for "Its like a 10-hit Tekken combo..."
- TeMerc, on 10/12/2007, -0/+5 If people followed simple IM advice, 99% of these worms wouldn't even make news. But then again, if people didn't open unknown emails, the same thing would happen. Social engineering, the bane of security researchers everywhere.
- inactive, on 10/12/2007, -2/+7 People are stupid. I deleted my MySpace just because I couldn't stand the self perpetuating bulletin "worms." There's a new one every week.
- holeinthesky, on 10/12/2007, -2/+6 wonder when foreign powers are going to wake up to the powers of sleazy botnets?
- azrael13666, on 10/12/2007, -0/+3 Said like a true texan!
- toastgodsupreme, on 10/12/2007, -0/+3 Dugg for the usage of the phrase "10-hit Tekken combo".
I laughed.
- fumanchu101, on 10/12/2007, -2/+5 from what i've seen, it's all win32 exes so you're safe :)
- duewydo, on 10/12/2007, -0/+3 Also people that go by the name of Mom, and sister, oh yeah, and wife. When the kids are old enough, I will add kids...
- jessethouin, on 10/12/2007, -0/+3 I wonder if the lethal protection law truly applies to cybercriminals? I don't know the law, but that would certainly cut down on spam. Where do I vote?
- duewydo, on 10/12/2007, -1/+3 You ever watch Terminator 3? When we wake up, it would be too late.
- sweetnjguy29, on 10/12/2007, -0/+2 I stupidly got this nasty bugger on my computer, and aimfix worked. But, I eventually reinstalled Windows XP since the whole operating system was shot after the infection. Ended up losing a whole bunch of important files as a result of the install, not the worm though. Bastards.
- inactive, on 10/12/2007, -2/+4 I'm just curious.. does this affect us linux guys with Gaim? (I doubt it)
- sandbagger, on 10/12/2007, -0/+2 how the hell has AOL "blocked" this when there's still people being hit WAY after the ninth? search engines are your friend http://www.tremek.com/forum/showthread.php?t=25107
i double that BS call and i'll raise you ten shenanigans
- holeinthesky, on 10/12/2007, -0/+2 yeah right. from what i understand it's not just one URL and modular and someone I know got infected on Friday.
BS CALL and AOL SPIN.
- Tiak, on 10/12/2007, -0/+2 Well, you'd obviously still get just as infected with the installation, and as much of a part of a botnet as anyone else, the only possible variable would be not spreading it via AIM, which in my mind wouldn't really matter... But considering that trillian uses the same protocols to communicate with AIM, and this worm doesn't directly affect an AIM installation, I'd assume yes, it'd have full effect on a trillian user.
- Tiak, on 10/12/2007, -0/+2 Actually, it said "disguised as an image file" i.e. it'll look like an image file to the uneducated in the URL in some way. I've seen this before and it'll usually be something like http://www.url.com/profile/images.php?image=evilmaliciousattack.jpeg. It ends in jpeg, so people say "oh, that can't POSSIBLY link me to something that'll download a virus..." And then when the download prompt appears they apparently think "Hey, this must be how I download the image...". Anyway, you don't have to actually open the malicious code on your PC, it'll do that automatically and add itself (and the 8 copies of itself) to start with windows.
- pairanoyd, on 10/12/2007, -4/+6 The end all cure to this ***** is this,
First offense for hacking, HACK OFF THEIR HANDS.
Second offense, PUBLIC BEHEADING. HACK OFF THEIR HEAD.
I guarantee you that this ***** would come to a complete stop in days, if not sooner.
You want to steal my identity and rip me off? I'll hunt you down. And I promise you, you will never hack a computer ever again.
In Texas when someone tries to rob you it's legal to use deadly force to protect yourself. As far as I'm concerned, I don't care if you're behind a gun or a keyboard, if you are trying to rip me off I'm going to ***** you up.
Best thing you can do, in public, carry a weapon. And don't use windows.
I use Linux and OSX. I got sick of this ***** about 6 years ago and switched. I don't regret it for one single second.
But the rest of you, keep on using windows, that's cool. I make money from fixing your problems.
- chubbymidget, on 10/12/2007, -0/+2 I can find no reference to this on mcafee, trend, symantec, etc.
Anyone have any other info?
- porkstacker, on 10/12/2007, -0/+2 Coolness!!! The use of instant messaging is responsible for the downfall of the written English language. May the botnets take over!
- sporkwitch, on 10/12/2007, -1/+2 Exactly. Though I must say, I do love them, they keep me making plenty of money.
- tao52nyc, on 10/12/2007, -2/+3 I just hope the government doesn't declare "War on botnets"...we'll be doomed for sure...
- inactive, on 10/12/2007, -2/+3 I know what you mean. How stupid can these people be to get the same virus over and over again?
- kingkool68, on 10/12/2007, -0/+1 sweetnjguy29 - Tried AIMFix multiple times yesterday. It worked for about 2-3 hours then came back. Which makes sense after reading this article about how it works.
- socokoolaid, on 10/12/2007, -1/+2 People taking advantage of less intelligent people. And is the way the world works.
- fumanchu101, on 10/12/2007, -1/+2 "This story left out the most important bit. Is the simple act of clicking the link execute the malicious code, or does the user have to execute the malicious code?"
fta: "Click the link and allow the file to execute" - that says to me it works like any other IM attack - you can download it, but you still need to run it.
- Skinner72, on 10/12/2007, -1/+2 Does anybody know if this will affect users of Trillian?
- sooperdooper, on 10/12/2007, -0/+1 "First offense for hacking, HACK OFF THEIR HANDS."
ROFL. Would the second "hacker" in this case have to give the first hacker's hands back? Because otherwise that would be stealing. Or no wait... HACKING!!! GET HIS HANDS!!!
- socokoolaid, on 10/12/2007, -0/+1 It said clearly that clicking the link downloads an image file that is infected. (it has an executable file bind'ed to it)
- eclip5e, on 10/12/2007, -1/+2 This story left out the most important bit. Is the simple act of clicking the link execute the malicious code, or does the user have to execute the malicious code?
- mancat, on 10/12/2007, -0/+1 I would like to do some testing on this "trojan" to see if Windows restricted user accounts are susceptible to infection. Does anyone know where to obtain the binary, short of receiving an IM from an infected client?
- holeinthesky, on 10/12/2007, -0/+1 AOL is lying or incompetent. read tech forums. they can't block this attack!
- socokoolaid, on 10/12/2007, -1/+2 Once infected with a trojan...the only way to be truly sure it's gone...is to reformat. I prefer to use DBAN to nuke the drive..then format and reinstall..... lots of trojans like to have a lame dummy trojan, like sub7 or something common...that is purposely easy to find...so the user can easily find the dummy and remove it....leaving the real trojan intact, and the user confident that nothing is wrong...
- fumanchu101, on 10/12/2007, -1/+2 "You realize that these bots have tend to have very, very, very little to do with identity theft... right?..."
Not true - botnets are often used for identity theft and data fraud.
http://www.informationweek.com/hardware/sysman/showArticle.jhtml?articleId=183700804
- dutter, on 10/12/2007, -0/+1 Fair enough, I'm just telling you what a spokesperson for AOL is telling me.
- fumanchu101, on 10/12/2007, -0/+1 wow, broken link ahoy. try this http://www.finextra.com/fullpr.asp?id=8488
- inactive, on 10/12/2007, -0/+1 A quick fix is to format the hard drive and install a proper operating system. Your stupid girlfriend can then do all her Instant Messaging in Gaim and there will be no more infections, no matter how stupid she is.
- dbr_onix, on 10/12/2007, -0/+1 Well that's certainly a fair punishment.. Anyone caught hacking will be mutilated.. Well at least you proved American Stereotypes are still alive and well..
- Ben
- dbr_onix, on 10/12/2007, -0/+1 I think Botnet owners are suitably paranoid, thusly very hard to actually find, which makes arresting them slightly difficult
- Ben
- jer2eydevil88, on 10/12/2007, -0/+1 Or if you use an AIM client (ichat, Adium, AIM) on a Mac you would be safe for now. So quick there is still time for you to get drunk enough to jump on a Mac click all those links.