Slide 1: Chapter 7 Instant Messaging Attacks
June 30
Slide 2: Instant Messaging Attacks
- IM is real-time communication, popularly known as chat
- Nearly every PC platform (and mobile devices – PDAs, cell phones, etc.) has some form of IM.
- Most popular Internet chat programs:
  - AOL Instant Messenger (AIM)
  - MSFT MSN Messenger
  - Net Meeting
  - Chat
  - Vchat
  - WinChat
  - WinPopUP
  - Yahoo Messenger
  - Lotus Instant Meeting Same Time
  - Unix: Many flavors
Slide 3: Instant Messaging Attacks continued
- Most IMs allow users to create buddy lists or friends lists
- IM clients can be configured to alert other users in their buddy lists when you are on the Internet.
- Enables chatting
  - Keyboard
  - Voice and video
  - File sharing
- Some IM clients enable public channels and private chat “rooms” or “channels”
Slide 4: Figure 7-1 Types of Instant Messaging Networks
- All IM clients enable keyboard chats
- Newer versions have far more functionality, enabling:
  - File Sharing
  - Private Chats
  - Internet Telephone
  - Radio Channels
  - Video Cams
  - On-Line Gaming
  - Real Time Collaboration
  - Email
Slide 5: Network Models
- Two basic network models
  - Peer to Peer
  - Peer to Server
  - Variants
- P2P
  - Messages are broadcast from one client across the network, intercepted by destination client S/W.
  - Model works well on Local Area Networks
Slide 6: Message Server Model
- Most popular network model
- Incorporates message servers that keep track of users and route messages to/from source and destination
- Larger IM networks will group servers within a network to distribute the load.
  - Requires synchronization
- Figure 7-2
Slide 7: P2 Server IM
Slide 8: Variations Network Model
- Client to server model for location and messaging service.
- Peer to peer for private conversations, file transfers, video, audio.
- Types of IM
  - AIM
    - Proprietary format
    - Largest number of users
    - Variation network model
    - Many hacks
Slide 9: ICQ
- Israeli-based Mirabilis
- Assigns a number
- Audio, video, email
- Fair amount of hacker activity
- Now owned by AOL
- IRC
  - Oldest and most popular IM
  - Not owned by anyone – public
  - Defined in RFC 1459
- Web Chats
  - Numerous
  - Some browser only (refreshing)
  - Many using Java Applets
Slide 10: IRC
- Standardized IRC protocol (RFC 1459)
- Each server belongs to a series of IRC servers to form a network
- Variations Network Model
- Must use an IRC client to connect
Slide 11: IRC Networks
- Many malicious code programs use IRC
- Popular networks
  - EFnet (Eris Free Net)
  - IRCnet
  - Undernet
  - Dalnet & others
- Sizes range from one server for private networks to over 100 interconnected servers & tens of thousands of online users
- Each network is a separate IRC community
- Public groups are formed as channels
- In general, users need to know what network and what channel to be on.
- Some networks will attempt to perform some type of authentication
- Each channel has an operator or ops
Slide 12: IRC Hacks
- Malicious hackers have used, and still use, IRC both to hack the network and to use IRC infrastructure to support other hacks going on.
- A great anonymizer
Slide 13: IRC Clients
- mIRC
- Pirch
- ircII
- WSIRC
- Interface
- Chatman
- Virc
- Eggdrop
- BitchX
- Many more…
Slide 14: IRC Commands
- Connect to a network
- Basic commands
  - /JOIN – joins an existing channel
  - /PART – leaves a channel
  - /LIST – lists all available channels
  - /MSG – send a private message to an individual user
  - /WHOIS – shows info on a user
  - /INVITE – invite a user to join a particular channel
  - /NICK – change your nickname on the fly
  - /NAMES – show nicknames of non-invisible users
  - /KICK – force someone off the channel
  - /MODE – OPS: change admin channel options
Slide 15: Other IRC Features
- DCC – Direct Client to Client
  - Allows a user to connect directly with another IRC user.
  - DCC send command – send a user a file.
  - DCC chat – private conversation
- CTCP – Client to client protocol
  - Communication between two IRC clients which allows a user to expand their own IRC client’s functionality
Slide 16: Examples
- Grant operator status to a friend when you are absent
- Find out more info on a user
  - What version client S/W he is using
- Remotely control an IRC client
  - Remotely execute any command in their IRC client & PC
- Often used to remotely pick up and drop off files
- A feature hackers LOVE!
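Added example (not part of the original slides): a small monitor for raw IRC traffic that parses RFC 1459 lines and reports the CTCP queries and DCC SEND offers described on Slides 15 and 16. The function names, the extension list and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re

# Extensions flagged as risky: a constructed list (script.ini is mIRC's script file).
RISKY_EXT = (".ini", ".exe", ".vbs", ".scr", ".bat", ".pif")
# CTCP payload of a file offer: DCC SEND <filename> <ip> <port> [<size>]
DCC_SEND = re.compile(r'SEND ("[^"]+"|\S+) (\d+) (\d+)(?: (\d+))?$', re.I)

def parse_line(line):
    """Split a raw IRC line into (prefix, command, params) per RFC 1459."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    return prefix, parts[0].upper(), parts[1:] + ([trailing] if sep else [])

def inspect(line):
    """Return findings for one line: CTCP queries and DCC SEND offers."""
    parsed = parse_line(line)
    if not parsed or parsed[1] not in ("PRIVMSG", "NOTICE") or len(parsed[2]) < 2:
        return []
    sender = (parsed[0] or "?").split("!")[0]
    findings = []
    # CTCP requests sit between 0x01 bytes inside the last parameter
    for payload in filter(None, parsed[2][-1].split("\x01")[1::2]):
        tag, _, rest = payload.partition(" ")
        m = DCC_SEND.match(rest) if tag.upper() == "DCC" else None
        if m:
            name = m.group(1).strip('"')
            # DCC carries the sender's IPv4 address as a 32-bit decimal integer
            n = int(m.group(2))
            peer = str(ipaddress.IPv4Address(n)) if n < 2**32 else "invalid"
            risky = name.lower().endswith(RISKY_EXT)
            findings.append(("DCC_SEND", sender, name, peer, int(m.group(3)), risky))
        else:
            findings.append(("CTCP", sender, tag.upper()))
    return findings

# Constructed sample lines (not from a real capture)
SAMPLE = [
    ":alice!a@host.example PRIVMSG #chan :hello everyone",
    ":mallory!m@host.example PRIVMSG bob :\x01VERSION\x01",
    ":mallory!m@host.example PRIVMSG bob :\x01DCC SEND script.ini 3221225985 4000 1024\x01",
]
```

Calling inspect() on each line of a proxy or server log gives one tuple per CTCP request; the last field of a DCC_SEND tuple marks offers whose filename ends in a flagged extension.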
Slide 17: Hacking IM
- Hacking the medium itself
  - Knocking people off the chat network
  - Taking control of a channel
  - Joining a private chat
  - Cause disruption
- Using it as a method of attacking computers attached to it.
- Using IM as a transport mechanism
  - Moving viruses, worms, trojans onto remote computers and compromising their security
- Using IM as a zombie trigger, or agent control.
Slide 18: Maliciously Hacking AIM & ICQ
- Hundreds of rogue hacking utilities
- Punters & Busters
- Punters
  - Goal: knock other users off the chat medium
  - Multiple invitations (many popup windows)
  - Antipunters (defense)
- Busters: Programs which allow a rogue hacker to gain access to a private chat without being invited.
Slide 19: Malicious File Transfers
- Send user a trojan file
- Turn off file accept prompt
- Automated uploads for trusted buddies (then impersonate)
- Dozens of Trojans specifically built to exploit AIM users
Slide 20: Name Hijacking
- All IM services are prone to name hijacking.
  - ICQ uses sequential numbers as “names”
  - AIM used a limited number of letters of the name for uniqueness (easily diverted)
- IP Address Stealing
  - Run netstat
  - IP hiding
- Wel Buffer Overflow
  - URL Association overflow
  - AIM: goim? <AAAA,,,,AAA>+ - restart
Slide 21: Hacking IRC
- Script files
- Bots
- Lag
- Flooding
- Netsplit
- Nick Collision kill
- Channel DeSyncs
- Channel Wars
- Network Redirection
Slide 22: Script files
- Extend the functionality of IRC clients
- Malicious scripts can be written
- Some clients have default scripts (mIRC)
- Downloadable scripts (can be trojanized)
- Scripts are at the heart of nearly all IRC worms
- mIRC used SCRIPT.INI
Slide 23: Bots
- “Robots”
- Automated scripts or compiled programs
- Bots appear as users within a channel (bot or srv in their names)
- War bots – flooding, hacking, and enforce rules
Slide 24: Lag
- Latency within the network or servers
- Speed and congestion problems
- Can cause net splits
Slide 25: Flooding
Slide 26:
- Script files
- Bots
- Lag
- Flooding
- Netsplit
- Nick Collision kill
- Channel DeSyncs
- Channel Wars
- Network Redirection