Chapter 7 Instant Messaging Attacks - PowerPoint PPT Presentation

Slides: 27
Provided by: robi9

Transcript and Presenter's Notes



1
Chapter 7: Instant Messaging Attacks
  • June 30

2
Instant Messaging Attacks
  • IM is a real-time communication popularly known
    as chat
  • Nearly every PC platform (and mobile devices:
    PDAs, cell phones, etc.) has some form of IM.
  • Most popular Internet chat programs
    • AOL Instant Messenger (AIM)
    • MSFT
      • MSN Messenger
      • Net Meeting
      • Chat
      • Vchat
      • WinChat
      • WinPopUP
    • Yahoo Messenger
    • Lotus
      • Instant Meeting
      • Same Time
    • Unix
      • Many flavors

3
Instant Messaging Attacks (continued)
  • Most IMs allow users to create buddy lists or
    friends list
  • IM clients can be configured to alarm or alert
    other users in their buddy lists as to when you
    are on the internet.
  • Enables chatting
    • Keyboard
    • Voice and video
    • File sharing
  • Some IM clients enable public channels and
    private chat rooms or channels

4
Figure 7-1: Types of Instant Messaging Networks
  • All IM clients enable keyboard chats
  • Newer versions have far more functionality,
    enabling
    • File Sharing
    • Private Chats
    • Internet Telephone
    • Radio Channels
    • Video Cams
    • On-Line Gaming
    • Real Time Collaboration
    • Email

5
Network Models
  • Two basic network models
    • Peer to Peer
    • Peer to Server
    • Variants
  • P2P
    • Messages are broadcast from one client across the
      network, intercepted by destination client S/W.
    • Model works well on Local Area Networks

6
Message Server Model
  • Most popular network model
  • Incorporates message servers that keep track of
    users and route messages to/from source and
    destination
  • Larger IM networks will group servers within a
    network to distribute the load.
  • Requires synchronization
  • Figure 7-2

7
P2 Server IM
8
Variations Network Model
  • Client to server model for location and messaging
    service.
  • Peer to peer for private conversations, file
    transfers, video, audio.
  • Types of IM
    • AIM
      • Proprietary format
      • Largest number of users
      • Variation network model
      • Many hacks

9
ICQ
  • Israeli-based Mirabilis
  • Assigns a number
  • Audio, video, email
  • Fair amount of hacker activity
  • Now owned by AOL
  • IRC
    • Oldest and most popular IM
    • Not owned by anyone; public
    • Defined in RFC 1459
  • Web Chats
    • Numerous
    • Some browser only (refreshing)
    • Many using Java applets

10
  • IRC
    • Standardized IRC protocol (RFC 1459)
    • Each server belongs to a series of IRC servers
      that form a network
    • Variations Network Model
    • Must use an IRC client to connect

11
  • IRC Networks
  • Many malicious code programs use IRC
  • Popular networks
    • EFnet (Eris Free Net)
    • IRCnet
    • Undernet
    • Dalnet and others
  • Sizes range from one server for private networks
    to over 100 interconnected servers with tens of
    thousands of online users
  • Each network is a separate IRC community
  • Public groups are formed as channels
  • In general, users need to know what network and
    what channel to be on.
  • Some networks will attempt to perform some type
    of authentication
  • Each channel has an operator or ops

12
IRC Hacks
  • Malicious hackers have used, and still use, IRC
    both to hack the network and to use the IRC
    infrastructure to support other hacks going on.
  • A great anonymizer

13
IRC Clients
  • mIRC
  • Pirch
  • ircII
  • WSIRC
  • Interface
  • Chatman
  • Virc
  • Eggdrop
  • BitchX
  • Many more

14
IRC Commands
  • Connect to a network
  • Basic commands
  • /JOIN joins an existing channel
  • /PART leaves a channel
  • /LIST Lists all available channels
  • /MSG sends a private message to an individual
    user
  • /WHOIS shows info on a user
  • /INVITE invite a user to join a particular
    channel
  • /NICK change your nickname on the fly
  • /NAMES show nicknames of non-invisible users
  • /KICK force someone off the channel
  • /MODE OPS change admin channel options

15
Other IRC Features
  • DCC (Direct Client to Client) allows a user to
    connect directly with another IRC user. The DCC
    SEND command sends a user a file; DCC CHAT opens
    a private conversation.
  • CTCP
    • Client to Client Protocol
    • Communication between two IRC clients which
      allows a user to expand their own IRC client's
      functionality

16
Examples
  • Grant operator status to a friend when you are
    absent
  • Find out more info on a user
    • What version of client S/W he is using
  • Remotely control an IRC client
    • Remotely execute any command on their IRC
      client PC
  • Often used to remotely pick-up and drop off files
  • A feature hackers LOVE!
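
DCC offers and CTCP requests such as VERSION travel inside ordinary IRC PRIVMSG/NOTICE messages, delimited by the \x01 byte, so a monitor can flag them by parsing the RFC 1459 line format. The following is an added example, not part of the original slides; the sample lines, nicknames, extension list and risk labels are constructed for illustration, and it assumes unquoted DCC filenames.

```python
import ipaddress
# Constructed sample messages in RFC 1459 wire format (not captured traffic).
SAMPLE_LINES = [
    ":alice!a@host.example PRIVMSG #chat :hello everyone",
    ":bob!b@host.example PRIVMSG carol :\x01VERSION\x01",
    ":mallory!m@host.example PRIVMSG carol :\x01DCC SEND script.ini 3232235777 48231 1024\x01",
]
# Illustrative list only; .ini is here because the slides name mIRC's SCRIPT.INI.
RISKY_EXT = (".exe", ".scr", ".bat", ".vbs", ".ini")

def parse_irc_line(line):
    """Split one RFC 1459 message into (prefix, command, params)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return prefix, "", []
    return prefix, parts[0].upper(), parts[1:] + ([trailing] if sep else [])

def inspect(line):
    """Return a finding for a CTCP/DCC message, or None for ordinary traffic."""
    prefix, command, params = parse_irc_line(line)
    if command not in ("PRIVMSG", "NOTICE") or len(params) < 2:
        return None
    text = params[-1]
    if len(text) < 2 or not text.startswith("\x01"):  # CTCP is \x01-delimited
        return None
    tag, _, rest = text.strip("\x01").partition(" ")
    found = {"from": (prefix or "?").split("!")[0], "to": params[0],
             "ctcp": tag.upper(), "risk": "info"}
    if command == "PRIVMSG" and found["ctcp"] == "VERSION":
        found["risk"] = "recon"  # request for the target's client software
    elif found["ctcp"] == "DCC":
        fields = rest.split()  # assumed order: type, argument, address, port
        try:
            kind, name = fields[0].upper(), fields[1]
            peer = str(ipaddress.IPv4Address(int(fields[2])))  # sent as a 32-bit integer
            found.update(ctcp="DCC " + kind, file=name, peer=peer, port=int(fields[3]))
            risky = kind == "SEND" and name.lower().endswith(RISKY_EXT)
            found["risk"] = "high" if risky else "review"
        except (IndexError, ValueError):
            found["risk"] = "malformed"
    return found

def scan(lines):
    return [f for f in map(inspect, lines) if f is not None]
```

Calling `scan(SAMPLE_LINES)` returns one finding per CTCP message and skips the ordinary channel chat; the decoded `peer` address is the host the recipient's client would connect to directly, bypassing the IRC server.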

17
Hacking IM
  • Hacking the medium itself
  • Knocking people off the chat network
  • Taking control of a channel
  • Joining a private chat
  • Cause disruption
  • Using it as a method of attacking computers
    attached to it.
  • Using IM as a transport mechanism
  • Moving viruses, worms, trojans onto remote
    computers and compromising their security
  • Using IM as a zombie trigger, or agent control.

18
Maliciously Hacking AIM & ICQ
  • Hundreds of rogue hacking utilities
  • Punters & Busters
  • Punters
    • Goal: knock off other users from the chat medium
    • Multiple invitations (many popup windows)
    • Antipunters (defense)
  • Busters
    • Programs which allow a rogue hacker to gain access
      to a private chat without being invited.

19
Malicious File Transfers
  • Send user a trojan file
  • Turn off file accept prompt
  • Automated uploads for trusted buddies (then
    impersonate)
  • Dozens of Trojans specifically built to exploit
    AIM users

20
  • Name Hijacking
    • All IM services are prone to name hijacking.
    • ICQ uses sequential numbers as names
    • AIM used a limited number of letters of the name
      for uniqueness (easily diverted)
  • IP Address Stealing
    • Run netstat
    • IP hiding
  • Wel Buffer Overflow
    • URL Association overflow
    • AIM goim? <AAAA,,,,AAA> - restart

21
Hacking IRC
  • Script files
  • Bots
  • Lag
  • Flooding
  • Netsplit
  • Nick Collision kill
  • Channel DeSyncs
  • Channel Wars
  • Network Redirection

22
Script files
  • Extend the functionality of IRC clients
  • Malicious scripts can be written
  • Some clients have default scripts (mIRC)
  • Downloadable scripts (can be trojanized)
  • Scripts are at the heart of nearly all IRC worms
  • mIRC used SCRIPT.INI

23
Bots
  • Robots
  • Automated scripts or compiled programs
  • Bots appear as users within a channel (bot or srv
    in their names)
  • War bots: flooding, hacking, and enforcing rules

24
Lag
  • Latency within the network or servers
  • Speed and congestion problems
  • Can cause net splits

25
Flooding
26
  • Script files
  • Bots
  • Lag
  • Flooding
  • Netsplit
  • Nick Collision kill
  • Channel DeSyncs
  • Channel Wars
  • Network Redirection