The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>Social Engineering Attacks via IRC and Instant Messaging</h2>

Release Date: March 19, 2002<p>


A complete revision history can be found at the end of this file.

<a name="systems">
<h4>Systems Affected

Systems running Internet Relay Chat (IRC) or Instant Messaging (IM) clients

<a name="overview">
<h3>Overview</h3>
<p>The CERT/CC has received reports of social engineering attacks on
users of Internet Relay Chat (IRC) and Instant Messaging (IM)
services.  Intruders trick unsuspecting users into downloading and
executing malicious software, which allows the intruders to use the
systems as attack platforms for launching distributed
denial-of-service (DDoS) attacks. The reports to the CERT/CC indicate
that tens of thousands of systems have recently been compromised in
this manner.</p>
<a name="description">
<h3>I. Description</h3>
<p>Reports received by the CERT/CC indicate that intruders are using
automated tools to post messages to unsuspecting users of IRC or IM
services.  These messages typically offer the opportunity to download
software of some value to the user, including improved music downloads,
anti-virus protection, or pornography.  Once the user downloads and
executes the software, though, their system is co-opted by the attacker
for use as an agent in a distributed denial-of-service (DDoS) network.  Other
reports indicate that Trojan horse and backdoor programs are being propagated
via similar techniques.</p>

Here is an example of one such message:

<font face="Courier New">
<blockquote>You are infected with a virus that lets hackers get
into your machine and read ur files, etc. I suggest you to download
<i>[malicious url]</i> and clean ur infected machine. Otherwise you will be
banned from <i>[IRC network]</i>.
</blockquote>
</font>
<p>This is purely a social engineering attack: no software vulnerability
is exploited, and the user's decision to download and run the software
is the deciding factor in whether or not the attack is successful.
Although this activity is not novel, the technique is still effective,
as evidenced by reports of tens of thousands of systems being
compromised in this manner.  See
<a href="http://www.cert.org/incident_notes/IN-2000-08.html">IN-2000-08:
Chat Clients and Network Security</a>
for additional information.</p>
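<p>The lure described above has a recognizable shape: a link to an
executable, pressure language ("infected", "banned"), a request to
download or run something, and, because the messages are posted by
automated tools, the same text appearing from many different nicks.
The following Python script is an added example, not part of the
original CERT/CC note, showing how an IRC operator or site
administrator might score logged channel traffic for these indicators.
The log line format <code>[HH:MM] &lt;nick&gt; text</code>, the sample
lines (including the addresses and file names), the indicator word
lists and the score threshold are all constructed for illustration.</p>

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample IRC log (not real traffic). Format assumed: "[HH:MM] <nick> text".
# The first, third and fifth lines mimic the lure quoted in the CERT/CC note,
# posted by three different nicks, as an automated poster would do.
SAMPLE_LOG = """\
[21:02] <xr_101> You are infected with a virus that lets hackers get into your machine and read ur files, download http://198.51.100.23/clean.exe and clean ur infected machine. Otherwise you will be banned from the network.
[21:02] <alice> anyone know a good mp3 player for linux?
[21:03] <xr_102> You are infected with a virus that lets hackers get into your machine and read ur files, download http://198.51.100.23/clean.exe and clean ur infected machine. Otherwise you will be banned from the network.
[21:03] <bob> alice: try xmms
[21:04] <xr_103> You are infected with a virus that lets hackers get into your machine and read ur files, download http://198.51.100.23/clean.exe and clean ur infected machine. Otherwise you will be banned from the network.
[21:05] <carol> here's the changelog I mentioned: http://www.example.org/changes.txt
[21:06] <dave> free antivirus, grab it here http://203.0.113.9/av_setup.exe before the admins ban you
"""

LINE_RE = re.compile(r'^\[(\d{2}:\d{2})\] <([^>]+)> (.*)$')
URL_RE = re.compile(r'https?://\S+', re.IGNORECASE)

# Indicator classes (assumed word lists). Each class adds one point; a lure
# normally combines a payload link, pressure language and a call to action.
URGENCY_WORDS = ('infected', 'virus', 'banned', 'ban you', 'hackers')
ACTION_WORDS = ('download', 'install', 'run', 'grab it')
EXEC_EXTENSIONS = ('.exe', '.scr', '.pif', '.bat', '.com', '.vbs')


def _word_present(words, text: str) -> bool:
    """Whole-word match, so 'run' does not fire on 'brunch'."""
    return any(re.search(r'\b' + re.escape(w) + r'\b', text) for w in words)


@dataclass
class Message:
    time: str
    nick: str
    text: str


def parse_log(log: str) -> List[Message]:
    """Parse the assumed '[HH:MM] <nick> text' format; skip lines that do not match."""
    msgs = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            msgs.append(Message(*m.groups()))
    return msgs


def score_message(text: str) -> Tuple[int, List[str]]:
    """Return (score, reasons): one point per indicator class found in the text."""
    lower = text.lower()
    reasons: List[str] = []
    urls = URL_RE.findall(text)
    if urls:
        reasons.append('url')
        if any(u.lower().rstrip('.,)') .endswith(EXEC_EXTENSIONS) for u in urls):
            reasons.append('executable-link')
    if _word_present(URGENCY_WORDS, lower):
        reasons.append('urgency')
    if _word_present(ACTION_WORDS, lower):
        reasons.append('call-to-action')
    return len(reasons), reasons


def find_lures(msgs: List[Message], min_score: int = 3) -> List[Tuple[Message, int, List[str]]]:
    """Messages reaching the (assumed) threshold of three indicator classes."""
    hits = []
    for m in msgs:
        score, reasons = score_message(m.text)
        if score >= min_score:
            hits.append((m, score, reasons))
    return hits


def repeated_texts(msgs: List[Message], min_nicks: int = 2) -> Dict[str, Set[str]]:
    """Identical text posted by several different nicks: a sign of automated posting."""
    nicks_by_text: Dict[str, Set[str]] = defaultdict(set)
    for m in msgs:
        nicks_by_text[m.text].add(m.nick)
    return {t: n for t, n in nicks_by_text.items() if len(n) >= min_nicks}


if __name__ == '__main__':
    messages = parse_log(SAMPLE_LOG)
    for msg, score, reasons in find_lures(messages):
        print(f"{msg.time} <{msg.nick}> score={score} {','.join(reasons)}")
    for text, nicks in repeated_texts(messages).items():
        print(f"same text from {len(nicks)} nicks: {sorted(nicks)} :: {text[:60]}...")
```

<p>Scoring on indicator classes rather than on a fixed string matters
because, as the note says, the code and the wording are under continuous
development; a message that merely contains a URL (carol's) scores one
point and is not flagged, while the lure variants score four. The
repeated-text check catches the automated posting itself, independent
of the wording.</p>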
<a name="impact">
<h3>II. Impact</h3>
<p>As with any DDoS tool installation, the impact is twofold.  First, on systems
that are compromised by users running untrusted software, intruders may 
<ul>
<li>exercise remote control</li>
<li>expose confidential data</li>
<li>install other malicious software</li>
<li>change files</li>
<li>delete files</li>
</ul>
These risks are not limited to the installation of DDoS agents.
In fact, any time a user runs untrusted software these same dangers are present.</p>
<p>The secondary impact is to the sites targeted by the DDoS agents. Sites
undergoing a DDoS attack may experience unusually heavy traffic volumes or high packet
rates, resulting in degradation of services or loss of connectivity altogether.</p>
<a name="solution">
<h3>III. Solutions</h3>
<h4>Home users</h4>
<h5>Run and maintain an anti-virus product</h5>
<p>The malicious code being distributed in these attacks is under
continuous development by intruders, but most anti-virus software
vendors release frequently updated information, tools, or virus
databases to help detect and recover from the malicious code involved
in this activity.  Therefore, it is important that users keep their
anti-virus software up to date.  The CERT/CC maintains a partial
list of anti-virus vendors at

<blockquote>
<a href="http://www.cert.org/other_sources/viruses.html#VI">
http://www.cert.org/other_sources/viruses.html#VI</a>
</blockquote>
<p>Many anti-virus packages support automatic updates of virus definitions.
The CERT/CC recommends using these automatic updates when available.</p>
<h5>Do not run programs of unknown origin</h5>
<p>Never download, install, or run a program unless you know it to be
authored by a person or company that you trust.  Users of IRC and IM
services should be particularly wary of following links or running
software sent to them by other users, as this is a commonly used method
among intruders attempting to build networks of DDoS agents.</p>
<h5>Understand the risks</h5>
<p>
Users are encouraged to review our "Home Network Security" tech tip,
which provides an overview of risks and mitigation strategies for
home users.

<blockquote>
<a href="http://www.cert.org/tech_tips/home_networks.html">
http://www.cert.org/tech_tips/home_networks.html</a>
</blockquote>
<h4>Sites</h4>

Site administrators are encouraged to review our report on denial of service
attack technology trends, as well as our recommendations for managing the threat
of denial-of-service attacks.

<p>Trends in Denial of Service Attack Technology

<blockquote>
<a href="http://www.cert.org/archive/pdf/DoS_trends.pdf">
http://www.cert.org/archive/pdf/DoS_trends.pdf</a>
</blockquote>
</p>
<p>Managing the Threat of Denial-of-Service Attacks

<blockquote>
<a href="http://www.cert.org/archive/pdf/Managing_DoS.pdf">
http://www.cert.org/archive/pdf/Managing_DoS.pdf</a>
</blockquote>
</p>
<p>
<hr noshade="" width="100%"/>
<b>Author(s)</b>: Allen D. Householder<br/>
<p>Copyright 2002 Carnegie Mellon University.</p>
<p>Revision History
<pre>
March 19, 2002: Initial release
</pre>
</p></p></p></p></a></a></a></a></h4></a></p>