September 24, 2008

Worms that attack instant messenger

An IRC worm is usually a standalone program that uses IRC networks to spread itself. Such a worm either tries to spread by establishing a connection to an IRC server, or it drops specific scripts into an IRC client directory. The most affected IRC client is mIRC.

Usually an IRC worm replaces some INI files in the mIRC directory with its own scripts. When a user connects to an IRC server and joins any channel, these scripts instruct the client to send the worm's executable file to everyone in that channel. Some IRC worms have backdoor and trojan capabilities.

Instant messaging attacks originated in the abuse of the mIRC /DCC Send command. This command can be used to send a file to users connected to a particular discussion channel. Normally, attackers modify a local script file, such as the script.ini used by mIRC, to instruct the instant messaging client to send a file to a recipient any time a new participant joins a discussion.
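A defender-side check for the pattern described above, as an added example that is not part of the original post: it scans mIRC script text for an on-JOIN handler that issues a DCC send and reports the line for review. The sample script, its placeholder file name and the function name are constructed for illustration, and the `n0=` line prefix is assumed to be how the script file stores its lines.

```python
import re

# mIRC keeps remote scripts in INI files as numbered lines: "n0=...", "n1=...".
LINE_PREFIX = re.compile(r"^n\d+=")
# Event header such as "on 1:JOIN:#:" (access level, event name, channel).
JOIN_EVENT = re.compile(r"^on\s+[^:]+:JOIN:", re.IGNORECASE)
# "dcc send" written as a command: "/dcc send", ".dcc send" or bare after ":".
DCC_SEND = re.compile(r"(?:^|[\s/.|{:])dcc\s+send\b", re.IGNORECASE)

# Constructed sample; the file name is a placeholder, not a real indicator.
SAMPLE_SCRIPT_INI = """\
[script]
n0=; constructed sample for the detector below
n1=on 1:TEXT:!hello*:#:/msg $chan hi $nick
n2=on 1:JOIN:#:{
n3=  if ($nick != $me) { .dcc send $nick placeholder_file.exe }
n4=}
n5=on 1:JOIN:#help:/notice $nick Welcome to the channel
n6=alias share /dcc send $1 $2
"""


def find_join_dcc_send(script_text):
    """Return (line_number, text) for every DCC send inside an on-JOIN handler."""
    hits = []
    in_join = False  # inside the body of an on-JOIN handler
    depth = 0        # brace nesting within that handler
    for lineno, raw in enumerate(script_text.splitlines(), start=1):
        line = LINE_PREFIX.sub("", raw.strip()).strip()
        if not line or line[0] in ";[":
            continue  # blank line, comment or INI section header
        if depth == 0:
            in_join = bool(JOIN_EVENT.match(line))  # a new statement starts here
        if in_join:
            if DCC_SEND.search(line):
                hits.append((lineno, line))
            depth = max(depth + line.count("{") - line.count("}"), 0)
    return hits


if __name__ == "__main__":
    for lineno, text in find_join_dcc_send(SAMPLE_SCRIPT_INI):
        print(f"line {lineno}: review automatic file send on join: {text}")
```

The user-invoked alias on the last sample line is deliberately not reported, because it does not fire automatically when someone joins a channel.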

Modern implementations of IRC (Internet Relay Chat) worms can connect dynamically to an IRC client and send messages that trick the recipient into opening a link or executing an attachment. In this way, the attacker can avoid modifying any local files.

For example, the W32/Choke worm uses the MSN Messenger API to send itself to other instant messaging participants as a "shooter game" [27]. Although several instant messenger programs require the user to click a button to send a file, worms can enumerate the dialog boxes and "click" the button themselves, so the actual user does not have to click. It is also expected that computer worms will exploit buffer overflow vulnerabilities in instant messenger software. For example, certain versions of AOL Instant Messenger software allow remote execution of arbitrary code via a long argument in a game request function.
