Monday, September 25, 2006


News Item 7326 Browser Bugs Doubled in 2006, Symantec Says.

Security firm warns that all browsers are prey to active hackers. [PC World: Latest Technology News]
1:04:14 PM

News Item 7325 EFF - URGENT: Congress Rushing NSA Spying Bills This Week -- Call your Senator Now!

For the last two months, your phone calls and letters have helped hold back the dangerous NSA spying bills in Congress. But in the last week before the pre-election recess, the White House and several Congressional leaders are trying to sneak these bills through and effect the single greatest expansion of government surveillance ever. Take action now to stop the illegal surveillance, before it's too late.

Although the press has been aggressively reporting on (and criticizing) these bills, torture and military tribunals have recently taken center stage. Working with the White House, Congressional leaders are trying to take advantage of that fact. By attaching a spying bill to the military tribunals bill, they are trying to minimize debate and force a vote on this unprecedented hand-over of surveillance power.

We still have a very good chance of stopping the Administration's wiretapping plan in the Senate, but we need your help to do so. Visit our action center now to contact your Senators -- it's now or never.

[EFF: Deep Links]
1:02:03 PM

News Item 7324 Keystroke Dynamics.

In this paper Tom Olzak takes a look at biometrics, followed by keystroke dynamics, including history, how it works, and why it may be the answer for organizations with people or cost issues. By Tom Olzak. [Infosec Writers Latest Security Papers]
12:58:38 PM

News Item 7323 IM Worms "Epidemic" on MSN Messenger.

Russian anti-virus and security vendor Kaspersky wrote Friday about an increase in spyware attacks on MSN Messenger users, an attack that succeeds in part due to a flaw in Microsoft's approach to blocking transfers of certain types of malicious files.

Last week, two out of three of the most active worms spread over MSN's instant messenger program, according to Kaspersky Labs. Microsoft at some point configured its Messenger network to block transfers of files ending in ".pif," responding to a rash of viruses, worms and trojans that disguised themselves as .pif images. By doing so, Microsoft sought to halt the progress of IM worms that spread rapidly to each of a victim's contacts after the recipient clicks on an exploit-laced Web link.

So why was Kaspersky saying new infections from the two MSN IM worms were "peaking above the radar to an extent you can probably call epidemic levels"? According to Kaspersky, both MSN worms that surfaced this week had devised an inscrutable guise for their exploits -- they came masked as ".PIF" files.

From Kaspersky's blog:

Both worms spread using links to .PIF files. But some of you might remember that Microsoft blocked messages containing ".pif"?

Yes they have, but... the MS block is case sensitive!

So the criminals used capital letters, ".PIF" and the network filters let the message flow right through. Other variations like .Pif, .pIf, and so on also work.

Looks like most MSN IM users will not have the protection afforded by Microsoft's filters, although Microsoft has been notified of the shortcoming and may address the problem. As always, no matter what instant message or e-mail software you use, think thrice about whether you really need to click on any link sent to you via IM or e-mail. When in doubt, message the sender and ask whether they meant for you to click on the link, and ask where the link might take you.

[Security Fix]
12:56:36 PM
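
The case-sensitivity gap described in the item above, as an added example (not code from Microsoft, Kaspersky, or the quoted articles): a case-sensitive match beside a filter that parses each link and compares the case-folded extension. The function names, the example.invalid URLs and the sample messages are constructed for illustration, and the article does not say how the real filter is implemented.

```python
import re
from urllib.parse import urlsplit, unquote

# Extension named in the article; a real deployment would list more.
BLOCKED_EXTENSIONS = {"pif"}

# Rough link matcher for chat text (assumption: links start with http/https).
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def naive_filter_blocks(message: str) -> bool:
    """Case-sensitive substring match, the behaviour the article describes."""
    return ".pif" in message


def link_extension(url: str) -> str:
    """Return the case-folded extension of the last path segment of a URL."""
    # Drop punctuation that chat text commonly leaves glued to a link.
    url = url.rstrip(".,;:!?)\"'")
    # Use only the path (no query or fragment), percent-decoded.
    path = unquote(urlsplit(url).path)
    filename = path.rsplit("/", 1)[-1]
    _, dot, ext = filename.rpartition(".")
    return ext.casefold() if dot else ""


def hardened_filter_blocks(message: str) -> bool:
    """Block when any link in the message ends in a blocked extension."""
    return any(link_extension(u) in BLOCKED_EXTENSIONS
               for u in URL_RE.findall(message))


# Constructed sample messages covering the case variants the article lists.
SAMPLES = [
    "look at this http://example.invalid/photos/party.pif",
    "look at this http://example.invalid/photos/party.PIF",
    "look at this http://example.invalid/photos/party.Pif",
    "look at this http://example.invalid/photos/party.pIf?id=7",
    "meeting notes: http://example.invalid/docs/report.txt",
]


def compare_filters():
    """Return (message, naive_result, hardened_result) for each sample."""
    return [(m, naive_filter_blocks(m), hardened_filter_blocks(m))
            for m in SAMPLES]


if __name__ == "__main__":
    for msg, naive, hardened in compare_filters():
        print(f"naive={naive!s:5} hardened={hardened!s:5} {msg}")
```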

News Item 7322 ID cards could cost less, minister says.

Still horribly intrusive, though

A Home Office minister has said the cost of the proposed ID card could be dramatically reduced if the government used its existing databases as a foundation for the scheme.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:48:49 PM