7.4 Hacking Instant Messaging

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 7.  Instant Messaging Attacks

Malicious hacking of instant messaging means either attacking the medium itself or using it as a transport to attack the computers attached to it. Attacking the medium means knocking other people off the chat network, taking control of a channel, joining a private chat uninvited, or causing enough disruption to a chat channel that the other participants simply give up. Attacking computers, with IM merely as the transport, means moving viruses, worms, and Trojans onto remote machines and compromising their security.

7.4.1 Hacking AIM and ICQ

There are hundreds of web sites, mostly run by teenagers, offering rogue hacking utilities to compromise AIM or ICQ.

7.4.1.1 Punters and busters

Many AOL-hacking utilities are aimed at knocking other users off the chat medium. These programs are called punters. A punter generates hundreds of information inquiries to a legitimate user's client, such as invitations to chat, and each request opens a window on the target's machine. This either overwhelms the user's local computer resources or gets them disconnected from the server because of the congested traffic. The user is punted from the channel and must rejoin to regain access. Some hackers have even developed anti-punters, which automatically respond to and close information requests so that the system cannot be overwhelmed. Busters are programs that let rogue hackers join a private chat even though they have not been invited.

7.4.1.2 Malicious file transfers

The thing a malicious hacker most wants to do to an IM user is send them a Trojan file. Most IM clients allow the client machine to both send and receive files. Clients usually prompt the user for approval when a file is being uploaded or downloaded, but this prompt can be turned off, which is not recommended. AIM even has a feature that automates file transfers between people on a user's buddy list; because a buddy can be impersonated, that should not be enabled either. Besides the normal viruses, Trojans, and worms that can be uploaded to an IM user, there are dozens of Trojans built specifically to exploit AIM users. Once one is installed, the remote hacker can completely compromise the user's system.

7.4.1.3 Name hijacking

All IM services are prone to name hijacking. ICQ, which assigns every user a sequential number, let rogue hackers pick an account number and use various tricks to learn that account's password. The hackers could then hijack the account and use it for their own purposes; there was even a case where a hijacked account was held for ransom. In another exploit, an AOL name registration tool allowed rogue hackers to hijack AIM users' accounts. The hacker would register a new account name with the same letters as the victim's, minus the first two. For example, if the legitimate user's name was Test User, the hacker would register the name "st User" (with the first two characters being indented). Then, using the widely available administration tool and manipulating an environment variable used during the registration process, the hacker could contact the AIM name registration server and add the two missing letters to the account name, bypassing the initial uniqueness check and hijacking the legitimate user's AIM account. AOL implemented stronger account and password validation schemes and significantly cut down on name hijacking.

7.4.1.4 IP address stealing

Most IM services let other participants learn the IP address of your computer, if not during a normal chat session, then certainly during a file transfer between two peer workstations. In most cases the rogue hacker learns the remote chatter's IP address by running the NETSTAT command on their own PC. As we learned in the last chapter, NETSTAT lists the open IP ports along with the source and destination IP addresses of each connection. The process can be automated with special programs that produce a list of all participating chat clients and their IP addresses. Knowing an address gives the hacker the ability to attack the remote machine using a variety of other attacks, usually starting with a probe for existing weaknesses. Many IM clients, including ICQ, include an IP Hiding option that attempts to hide the user's IP address from other chat participants, but a direct peer connection such as a file transfer still reveals it.
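The following is an added example, not code from the book, showing what a NETSTAT-based harvester actually extracts: it parses a constructed sample of Windows netstat -an output and separates the connection to the IM server from a direct peer (file-transfer) connection. The port numbers used to tell the two apart (5190 for the IM server, well-known service ports excluded) are assumptions made for the illustration.

```python
"""Added example (not from the book): what a netstat-based IP harvester sees.

The netstat text is constructed to resemble Windows 'netstat -an' output during
an IM session with one direct file transfer in progress. The port numbers used
to tell the IM server apart from a direct peer are assumptions for illustration.
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")

# Constructed sample: a connection to the IM server, a direct peer transfer,
# a listening socket, an unrelated HTTPS session and a UDP socket.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:1033        198.51.100.5:5190      ESTABLISHED
  TCP    192.0.2.10:1044        203.0.113.77:4099      ESTABLISHED
  TCP    192.0.2.10:443         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1051        198.51.100.20:443      ESTABLISHED
  UDP    192.0.2.10:137         *:*
"""

# Assumption: 5190 was the historical AIM/ICQ login port. Well-known service
# ports are excluded so that a browser session is not mistaken for a chat peer.
IM_SERVER_PORTS = {5190}
WELL_KNOWN_PORTS = {25, 80, 110, 143, 443}

LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$"
)


def parse_netstat(text):
    """Turn netstat lines into Conn records; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        conns.append(Conn(
            proto, lip,
            int(lport) if lport != "*" else None,
            rip,
            int(rport) if rport != "*" else None,
            state or "",
        ))
    return conns


def classify_peers(conns):
    """Split established TCP connections into IM-server and direct-peer addresses.

    A direct peer is what a chat partner learns about you during a file
    transfer: its address shows up here whether or not the client "hides" it.
    """
    servers, peers = [], []
    for c in conns:
        if c.proto != "TCP" or c.state != "ESTABLISHED":
            continue
        if c.remote_port in IM_SERVER_PORTS:
            servers.append(c.remote_ip)
        elif c.remote_port not in WELL_KNOWN_PORTS:
            peers.append(c.remote_ip)
    return servers, peers


if __name__ == "__main__":
    servers, peers = classify_peers(parse_netstat(SAMPLE_NETSTAT))
    print("IM servers:", servers)   # ['198.51.100.5']
    print("direct peers:", peers)   # ['203.0.113.77']
```

Run against real netstat output, the same classification tells you which addresses your chat partners can see of you, which is the check worth making before accepting a DCC or file transfer from a stranger.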

7.4.1.5 Web buffer overflow

When AIM is first installed on a PC, AOL registers aim:// as valid URL syntax with the installed browser so that a web page or HTML-enabled email can invoke the client and pass it information. In December 2000, it was revealed that the AIM client suffered from many unchecked buffer overflows that could be triggered simply by clicking a malicious web link. AIM does not need to be running for the exploit to work; it only needs to be installed. The published overflow examples were as simple as aim:goim?<AAAAA...AAAA>+-restart, which would let a remote hacker take complete control of the compromised machine. Although AOL released a new version shortly after the weaknesses were publicized, the popular AIM client continues to attract the interest of mischievous hackers.

AOL and its instant messaging services are attacked frequently. However, AOL spends considerable effort policing its channels and is quick to deny access to accounts found to violate its rules. AIM and ICQ users who refuse untrusted file transfers have done a lot toward preventing mischief. IRC, with its unregulated nature, is a different beast altogether.

7.4.2 Hacking IRC

To many computer security experts, IRC and hacking go hand in hand. Certainly the hacker community is thriving there and using the channels to their fullest potential: to exchange hacking tools and information, and to spread the details of their latest exploits. Some hackers hack the channel itself. They want to abuse it and make themselves channel operator of every channel; if they can't become operator, they want to shut it down. Using an IRC server program, many hackers set up a new IRC server on the very machines they have hacked their way into. Unknown to the host company, its Internet server has now become an IRC server, advertising to hackers galore that unauthorized entry has been made. Hackers use IRC to spread Trojans, worms, and viruses to the unknowing masses. IRC scripts execute viruses and let hackers gain access to the IRC user's computer. Password files are downloaded and run against cracking tools. It seems that IRC is being used in every way it can be to spread malicious mobile code.

7.4.2.1 Script files

Scripts automate, customize, and extend the functionality of IRC clients and channels. They are written in a macro language unique to each IRC client, although they all share the same basic commands and functionality. A simple script could say "hello" for you whenever you joined a channel and "goodbye" when you PART (leave) one, without your typing any keystrokes other than the JOIN and PART commands. Or those commands could be shortened to /J and /P, respectively. Scripts can be used to make trivia quiz show games, create virtual restaurants, and transfer files.

Channel operators use scripts to accomplish tasks quicker and to enforce rules. Basic scripts are usually included with the IRC client, but thousands more are available all over the Internet. Just be sure you trust the place you download a script from. The cute little script that promises to play a song for joining channel users might be a malicious script that spreads a Trojan. Malicious scripts can disable your client's security settings and even launch attacks against new sites using your computer. If you get infected with a bad script, you can then infect every single person who joins the channel. Example 7-1 shows a normal, nonmalicious IRC script file.

Example 7-1. Example of a normal IRC script file
    [aliases]
    n0=/j /join #$ -
    n1=/p /part #
    n2=/n /names #$
    n3=/w /whois $
    n4=/k /kick # $
    n5=/q /query $
    n6=/hop /part #  /join #$
    n7=/send /dcc send
    n8=/chat /dcc chat
    n9=/ping /ctcp $ ping
    n10=/echo ! $+ $me $+ ! -

If an IRC user were running the script shown in Example 7-1, they could use the /hop macro to leave one channel and join another. Hackers also use scripts to spread malicious code and take operator privileges away from the legitimate channel ops. Like their macro virus counterparts, malicious scripts can infect other scripts; it only takes three lines of code. The most powerful part of any script is its use of the IRC client's extended functionality to run an external program. Along with automatically initiating file downloads, this feature lets a hacker do almost anything they want.

Scripts are at the heart of every IRC worm. The scripts infect or replace other scripts and then call a malicious subroutine or action. Some write vicious commands to your AUTOEXEC.BAT file so that your next reboot formats your drive or erases all your files. Others initiate a DCC request and download and execute a virus or Trojan. Many malicious scripts drop a backdoor program onto the user's hard drive that then contacts the hacker, naturally via IRC, and gives them complete access to everything you type and every file you have.

mIRC used to ship with a default script called SCRIPT.INI, which has since been removed (versions 5.51 and later), killing the first generation of IRC script attacks. Today, mIRC can use multiple script files. Most, like REMOTE.INI, define the behavior the client exhibits during a particular action; other script files can be created by the user and loaded as needed. If you use an IRC client, make sure its directory does not contain a SCRIPT.INI file, unless you are just asking for trouble.
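The following is an added example, not code from the book, that turns the advice of the last three paragraphs into a check you can run: a scanner that reads mIRC-style INI script files and flags the constructs a worm needs (a DCC send, an external program launch, obfuscated text, or a write to AUTOEXEC.BAT), rating a hit inside an event that fires on other users' activity higher than the same command in a hand-typed alias. Both script texts are constructed for the illustration: one mimics the alias style of Example 7-1, the other has the shape the text describes for a self-spreading SCRIPT.INI (a handler on JOIN that pushes the script to each joining user), and neither is a copy of any real worm.

```python
"""Added example (not from the book): a scanner for risky mIRC script constructs.

mIRC loads its scripts from INI-style files ([section] headers, nN=line keys).
The two script texts below are constructed: one is the benign alias style of
Example 7-1, the other has the shape of a self-propagating SCRIPT.INI that
pushes itself to every user who joins a channel.
"""
import re

# Constructs that deserve a look. A hit inside an event that fires for other
# users' activity (on JOIN/TEXT/...) is rated high; the same command in an
# alias the user types by hand is rated low.
RISKY = [
    (re.compile(r"\bdcc\s+send\b", re.I), "sends a file to another user via DCC"),
    (re.compile(r"(^|[\s|{])/?(run|shell|exec)\s", re.I), "runs an external program"),
    (re.compile(r"\$decode\b", re.I), "obfuscated ($decode) text"),
    (re.compile(r"autoexec\.bat", re.I), "touches the startup batch file"),
]
AUTO_EVENT = re.compile(r"^on\s+\S+:(JOIN|TEXT|PART|NICK|CTCP\S*):", re.I)


def parse_mirc_ini(text):
    """Return {section: [line, ...]} with the nN= key prefixes stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        key, sep, value = line.partition("=")
        sections[current].append(value if sep and re.fullmatch(r"n\d+", key) else line)
    return sections


def scan_script(text):
    """Return (severity, section, line, reason) tuples for risky lines."""
    findings = []
    for section, lines in parse_mirc_ini(text).items():
        depth = 0           # brace depth; > 0 while inside an event body
        in_event = False
        for line in lines:
            if depth == 0:
                in_event = bool(AUTO_EVENT.match(line.lstrip()))
            for pattern, reason in RISKY:
                if pattern.search(line):
                    severity = "high" if in_event else "low"
                    findings.append((severity, section, line.strip(), reason))
            depth += line.count("{") - line.count("}")
    return findings


# Constructed benign sample in the style of Example 7-1.
BENIGN_ALIASES = """[aliases]
n0=/j /join #$1
n1=/p /part #
n2=/w /whois $1
"""

# Constructed sample with the shape the text describes: on every JOIN the
# script DCC-sends itself to the joining user (skipping its own joins).
WORM_SCRIPT = """[script]
n0=on 1:JOIN:#:{
n1=  if ( $nick == $me ) { halt }
n2=  /dcc send $nick script.ini
n3=}
"""

if __name__ == "__main__":
    for sev, section, line, reason in scan_script(WORM_SCRIPT):
        print(f"{sev:5} [{section}] {line!r}: {reason}")
```

Point it at every .ini in the client's directory (SCRIPT.INI, REMOTE.INI, and anything a downloaded "song" script dropped there); an automatic DCC send or program launch inside an on JOIN or on TEXT handler is the signature the text warns about.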

7.4.2.2 Bots

IRC bots (short for robots) are automated scripts or compiled programs written to respond automatically to the needs or commands of a particular channel or network. Channel bots are used by operators to maintain the channel. The simplest bot is one that keeps the channel open while no one is using it; thousands of popular channels used every day for years would disappear overnight if no one were actively participating every minute to keep them open. Bots help channel operators keep their operator status. They can grant or remove operator status from users, or KICK or BAN mischievous users. Bots appear as users within the channel and typically contain the words bot or serv in their nicknames, or simply appear as w, x, or k9.

There are also war bots for hackers to use. They flood channels or users, and automatically ban and kick off legitimate users and operators. A well-written war bot can automate a hacker's attempt to take control of a channel. The best networks have channel bots that enforce the rules and automatically deny certain types of hacks. Many IRC servers and networks ban unauthorized bots; if they detect a hacker trying to run one, the hacker is automatically banned.

7.4.2.3 Lag

Lag refers to data latency within the IRC network: the time it takes for a typed message to be replicated to every server within a particular network and be viewed by channel participants. Lag can be caused by the speed and congestion of the local link to the IRC server, or by the inherent time it takes to replicate a message across multiple distributed servers. IRC networks with low lag are desirable, and pinging is done constantly throughout the network to measure lag and optimize routing. Many users love DCC chats because they do not suffer the lag of normal chats. DCC chats also provide a direct, peer-to-peer connection for the hacker to exploit.

7.4.2.4 Flooding

Malicious hackers create network traffic floods to overload servers and user connections. A typical IRC server has only a small data buffer and will drop a connection if it sends too much data or too many bytes per packet. Hackers often use CTCP with DCC or PING commands to send hundreds or thousands of messages to saturate a channel (the ICQ and AIM equivalent is punting). Many IRC networks handle flooding quite well these days. Anti-flooding bots kick off users who cause floods, and many IRC clients have built-in flood control, which limits the amount of data a single connection can send to a server. Unfortunately, some hacking routines use other people's computers to send the floods, so it is the innocent users who get kicked off.
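The following is an added example, not code from the book, of the kind of flood control an anti-flooding bot or server applies: each inbound line is charged against a sliding-window budget per nick, and CTCP requests (PRIVMSG payloads wrapped in the 0x01 character, such as PING or DCC) are charged more because every one forces the recipient's client to reply. The log lines, nicks and thresholds are all constructed for the illustration and are not any real server's defaults.

```python
"""Added example (not from the book): server-side flood detection over IRC lines.

The log lines are constructed. Each inbound line costs one unit against a
sliding window per nick; CTCP requests cost more because every one forces the
recipient's client to answer. The thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!\S+\s+(?P<cmd>PRIVMSG|NOTICE)\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)


def is_ctcp(text):
    """CTCP payloads are delimited by the 0x01 character on both ends."""
    return len(text) >= 2 and text[0] == "\x01" and text[-1] == "\x01"


class FloodDetector:
    def __init__(self, budget=5, window=10.0, ctcp_cost=2):
        self.budget, self.window, self.ctcp_cost = budget, window, ctcp_cost
        self.events = defaultdict(deque)   # nick -> deque of (timestamp, cost)
        self.flagged = []                  # nicks that exceeded the budget, in order

    def observe(self, ts, line):
        """Charge one line; return the nick if it has just crossed the budget."""
        m = LINE_RE.match(line)
        if not m:
            return None
        nick = m["nick"]
        cost = self.ctcp_cost if is_ctcp(m["text"]) else 1
        q = self.events[nick]
        q.append((ts, cost))
        while q and ts - q[0][0] > self.window:   # drop events outside the window
            q.popleft()
        if sum(c for _, c in q) > self.budget and nick not in self.flagged:
            self.flagged.append(nick)
            return nick
        return None


# Constructed traffic: alice chats normally, warbot fires CTCP PINGs at the
# channel in quick succession, the pattern the text describes.
SAMPLE_LOG = [
    (0.0, ":alice!a@host.example PRIVMSG #chan :hello everyone"),
    (1.0, ":warbot!w@evil.example PRIVMSG #chan :\x01PING 1\x01"),
    (1.2, ":warbot!w@evil.example PRIVMSG #chan :\x01PING 2\x01"),
    (1.4, ":warbot!w@evil.example PRIVMSG #chan :\x01PING 3\x01"),
    (1.6, ":warbot!w@evil.example PRIVMSG #chan :\x01PING 4\x01"),
    (4.0, ":alice!a@host.example PRIVMSG #chan :anyone there?"),
    (9.0, ":alice!a@host.example PRIVMSG #chan :guess not"),
]


def run_sample(log=SAMPLE_LOG):
    """Feed the constructed log through a detector and return the flagged nicks."""
    det = FloodDetector()
    for ts, line in log:
        det.observe(ts, line)
    return det.flagged


if __name__ == "__main__":
    print("kick candidates:", run_sample())   # ['warbot']
```

Note what this does not solve: the last sentence of the paragraph above. If the flooder's CTCP PINGs make victims' clients send the replies, a detector keyed on the source nick charges the victims, which is exactly why a bot that kicks on volume alone can be turned against innocent users.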

7.4.2.5 NetSplit

Netsplits are a normal, recurring fact of life in IRC. IRC networks are made up of many servers, with users and channels spread across all of them. A user typically connects to only one server, but the channel, and the user's messages, are carried by every server in the network. The servers are connected in a chain: server A is connected to server B, server B to server C, and so on. If server B goes down, communication with server C is disrupted.

Frequently a particular server becomes congested and disconnects itself from the other servers; when this happens, a netsplit occurs. All the users on one side of the split suddenly stop talking to all the users on the other side, and each side sees the other as doing a mass PART. The users on each side can continue chatting with each other until the network rejoins. After rejoining, the individual servers try to reconcile channel information, such as channel operators, messages, and nicknames. Hackers can steal channel ops when a netsplit occurs.

7.4.2.6 Nick collision kill

Nicknames must be unique per network. After a network splits, it is possible for the same nickname to exist on each side of the split. When the halves recombine, the duplicate nicknames are detected and all users holding them are disconnected. The first person to reconnect with the nickname gets use of it, and its associated rights. Hackers love to cause netsplits. They even have utilities, like Link Looker, that send alerts when a particular channel is splitting. They learn the names of all the channel operators, then cause or wait for a netsplit, join one side of the split using an operator's nickname, and wait for the rejoin and subsequent nick collision. Both the hacker and the real operator are KICKed off the channel. The hacker rushes to log back in first, becomes an operator, and then works quickly to remove operator privileges from the other operators. The hacker now has complete control of the channel; the tables have been turned. All of this is automated using war bots, of course. Some savvy operators change their nickname during a split to avoid just such an attack.

Nickname registration services (Nickserv) are used by certain IRC networks and let a user register a nickname, which helps keep nicknames unique on the network. Typically a registered nickname must be used within 30 days or risk being handed to someone else. More and more servers use identification servers (Identserv) to perform a partial authentication of the user; they help prove that roger@hostdomain.com is a valid user located on that domain with valid credentials. A channel registration service (Chanserv) can register channel names and operators so that, in the event of a netsplit, the appropriate rights are given back to the appropriate users on rejoin.
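The following is an added example, not code from the book, that models the two paragraphs above: the nick-collision takeover on a netsplit rejoin, and why Nickserv and Chanserv registration defeat it. The nicks, identities (user@host strings) and the two halves of the split are constructed. Two policies are modelled: the classic collision rule (both holders of a duplicated nick are killed and the first to reconnect wins the nick and any nick-keyed ops) and a registration rule (the registered owner keeps the nick, and channel access is keyed by identity rather than by nick). Real servers resolve this with timestamps and more state than shown here; the model keeps only what the text describes.

```python
"""Added example (not from the book): a model of the nick-collision takeover on
a netsplit rejoin, and of why Nickserv/Chanserv registration defeats it.

Nicks, identities and the two halves of the split are constructed. Each half
is a dict nick -> identity (user@host).
"""


def merge_halves(side_a, side_b, nickserv=None):
    """Merge the nick tables of two halves of a netsplit.

    Returns (merged, killed). Without nickserv both holders of a duplicated
    nick are killed, exactly as in a classic collision. With nickserv (a dict
    nick -> registered owner identity) only the holder who is not the owner
    is killed.
    """
    merged, killed = {}, set()
    for nick in sorted(set(side_a) | set(side_b)):
        a, b = side_a.get(nick), side_b.get(nick)
        if a is None or b is None or a == b:
            merged[nick] = a or b          # no collision
            continue
        owner = (nickserv or {}).get(nick)
        if owner in (a, b):
            merged[nick] = owner
            killed.add(b if owner == a else a)
        else:
            killed.update((a, b))
    return merged, killed


def reconnect(merged, nick, identity):
    """A killed user (or the attacker's bot) tries to claim the nick back."""
    if nick in merged:
        return False
    merged[nick] = identity
    return True


def op_holders(merged, ops_by_nick, chanserv=None):
    """Identities holding ops after the rejoin.

    Without chanserv the op list is keyed by nick, so whoever owns the nick
    now gets the rights. With chanserv (a set of identities) the nick is
    irrelevant and only the registered identities are opped.
    """
    if chanserv is not None:
        return {ident for ident in merged.values() if ident in chanserv}
    return {merged[nick] for nick in ops_by_nick if nick in merged}


def takeover_scenario(use_services):
    """Replay the attack from the text with or without registration services."""
    legit, mallory = "roger@home.example", "mallory@evil.example"
    # Before the rejoin: the attacker has taken the op's nick on the other half.
    side_a = {"roger": legit, "alice": "alice@a.example"}
    side_b = {"roger": mallory, "bob": "bob@b.example"}
    nickserv = {"roger": legit} if use_services else None
    chanserv = {legit} if use_services else None

    merged, killed = merge_halves(side_a, side_b, nickserv)
    # The attacker's bot is faster to reconnect than the real operator.
    reconnect(merged, "roger", mallory)
    reconnect(merged, "roger", legit)
    return op_holders(merged, {"roger"}, chanserv)


if __name__ == "__main__":
    print("ops without services:", takeover_scenario(False))  # {'mallory@evil.example'}
    print("ops with services:   ", takeover_scenario(True))   # {'roger@home.example'}
```

The difference between the two runs is the whole argument for registration services: once ops are tied to an authenticated identity instead of a nick string, winning the reconnect race gains the attacker nothing.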

7.4.2.7 Channel desyncs

Netsplits and lag can cause a channel to become unsynchronized, so that the members, channel operators, and commands issued on one side of the network are not recognized by the other, and vice versa. A common symptom is a member who is listed on the channel and can see all the chatting activity but cannot send messages. It gets more confusing when the chatting aspect of the channel seems completely normal because everyone can see each other and talk, but the other channel control mechanisms fail; it is usually the operator privileges and channel modes that differ. Hackers love netsplits, nick collisions, and desyncs, because each gives them an opportunity to take control of the channel. Often, when these events happen, banned users can rejoin the channel.

Nickserv, Chanserv, and Identserv are all great tools for maintaining order and control within an IRC network, but they are not universally used. EFnet, Undernet, and IRCnet don't use registration servers, whereas Dalnet and others do. You can expect an IRC network that uses registration servers to be hacked less. In some cases, well-run IRC networks have used security bots and registration servers to virtually eliminate channel attacks.

7.4.2.8 Channel wars

When malicious users or hackers abuse a particular IRC channel, the operator kicks them off and bans further participation. The banned individual may begin a series of reentries under different nicknames in an effort to become an operator himself and strip operator status from (deop) and ban the original operator. The culmination of this process is known as a channel takeover. Banned members attack the channel with floods, desyncs, and netsplits, all automated with bots. When the malicious hacker gains control, he may decide to shut the channel down just to spite the original operator.

7.4.2.9 Network redirection

When IM wars break out, you might think the offended party could locate the malicious party's ISP and complain. Unfortunately, rogue hackers frequently use network redirection to hide, especially in IRC wars. Third-party computers are compromised and IRC proxy daemons are installed on them. These let the hacker bounce their commands, bots, and attacks off the proxy computer at the destination site. If the destination site ever traces the attack back, the trail stops at the proxy host. The hacker simply picks the next compromised proxy machine and the attacks begin again.


Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001