Online Security, a global provider of computer forensics and information technology risk mitigation since 1997
Original Source: http://www.mercurynews.com/mld/mercurynews/business/8302801.htm
Hackers, spammers targeting IM users
Author: Sandeep Junnarkar
Nick Groleau, a 40-year-old technical manager from Mountain View, received a message last month from a friend on his AOL Instant Messenger buddy list alerting him that Osama bin Laden had been captured. When he clicked on a link ostensibly directing him to a news article, it took him instead to a site offering a game to download.
Although Groleau declined to download the game, his friend admitted that she had done so. She was among the many IM users who unwittingly triggered a virus-like effect.
Clicking on the link not only installed a game, Osama Found, but also added a slick trick to propagate itself across the AOL Instant Messenger network, known as AIM. When gamers accepted the terms and conditions for installing the application, they inadvertently let the program send the same invitation to contacts on their buddy list.
Downloading the game also installed adware -- software that runs undetected, tracking users' Web habits and interests, presenting pop-up advertisements and resetting the home page.
Knew the person
"This was not e-mail from some random person," Groleau said. "It came through AIM from someone I personally know. I clicked on the link right away."
It is that reflex that the perpetrators are counting on to transform IM services into a handy route to deliver spam (known as "spim" on IM), unleash viruses, create back doors into the systems of unsuspecting users and cause general mayhem across the Internet.
"Now that everyone is using Instant Messenger, it has become a popular target," said Sharon Ruckman, the senior director of Symantec Security Response, a provider of Internet security updates and solutions.
The CERT Coordination Center, a computer security response team based at Carnegie Mellon University in Pittsburgh, has repeatedly cautioned that IM users are especially susceptible to "social engineering," meaning attacks that prey on human foibles by enticing people with promises of free products, pornography and interesting-sounding links.
In responding to strangers' offers, people may divulge personal information or leave their systems vulnerable. "It's a tactic to get you to open your door and have people come in and take pictures around your house so they learn the weaknesses," Ruckman said. "Then when you're at work they know exactly how to break into your house."
One of IM's biggest attractions, file sharing, may also be its greatest weakness. IM users can transfer files to each other and give others access to their shared-files folder. These folders sometimes contain family photographs and documents with names, addresses and telltale financial information, "all the little pieces of information that actually might help someone assume a person's identity," said Fred Felman, the vice president for marketing at Zone Labs. Consumers, he added, are "blissfully unaware" of the dangers.
But consumers alone cannot be blamed for being victimized.
The CERT Coordination Center and other security firms have often publicized flaws in the IM software from each of the top services -- AIM, Yahoo Messenger and MSN Messenger. The warnings have almost exclusively involved "buffer overflow" attacks, which exploit a common software error. This programming defect allows a hacker to overwhelm a system with a string of characters far too large for a particular input field and sometimes seize control of the machine.
In January, Tri Huynh, a researcher at SentryUnion, a computer security firm in Woburn, Mass., reported just such a buffer overflow vulnerability in Yahoo's messenger service. Yahoo patched the flaw, which was one of several discovered in 2003 by Huynh.
Problems can extend beyond buffer overflow issues. This month, Microsoft disclosed that a bug in its MSN Messenger program could allow an attacker to rifle through a victim's hard drive without leaving a trace.
How they're discovered
Dan Moniz, a staff technologist at the Electronic Frontier Foundation, a civil liberties group, said most hackers and security researchers discover vulnerabilities through reverse engineering and trial and error because AIM, Yahoo Messenger and MSN closely guard information about their software.
"Open design and open protocols are the best insurance against future catastrophic bugs," Moniz said. "They don't prevent them, but they do make them easier to find and, hopefully, easier to fix."
In some ways, victims of the Osama Found spim can count themselves lucky. "It didn't carry a nasty payload," said LaCour of Zone Labs. "Imagine if that was an executable link that was actually malicious. It could have spread pretty fast."
Troubled by the Osama Found experience, Groleau swept clean his AIM system. Of the 58 names on his buddy list, he discovered 33 that were unfamiliar and deleted them.
"How did they get there?" he said. "I don't want strangers on my buddy list."