Wednesday, April 1, 2009

Massive exploitation of instant messaging applications proved feasible

EDIT: While most realized this was an April fool's joke, only a few figured out that it was also a genuine smiley shellcode encoder. However, the security implications are of course non existent. And we have been slashdoted!

Yoann Guillot and myself have been assessing the security of instant communication applications for a couple of years.
For quite some time now, we have both suspected that it was possible to conduct both stealth and massive attacks on popular chat clients such as MSN, AIM, Trillian or mIRC.

Today, we have verified our intuition by creating an encoder that can make any shellcode look like a smiley. It is possible to encode malicious shellcodes in emoticons, leaving exploits indistinguishable from genuine chat messages.

This would make massive attacks against instant messaging applications impossible to catch by anti-virus, IDS or similar signature based technologies. Moreover, it is possible to conduct attacks with plausible deniability.

The potential for mass exploitation is undeniable. We are urging Microsoft, AOL and other administrators of popular chat networks to ban smileys (especially animated ones) until all the consequences of this attack have been understood. Twitter and Facebook are likely vulnerable too, although we didn't conduct specific research yet on those networks.

This proof of concept program will compile the sample included shellcode, encode it into a valid MSN smiley and compile a test C program by using metasm. While the example shellcode and the compiled test program are both targeting Linux, you can supply any shellcode you want, including a Windows one, via the command line.

Please, use as follow:

"apt-get install libc6-dev-i386 mercurial ruby" if required
"hg clone https://metasm.cr0.org/hg/metasm/"
"cd metasm"
put smile.rb in the metasm directory
"ruby ./smile.rb"
"./test.lol"

25 comments:

  1. Awesome piece of research. Opens up for a wide new range of applications, especially for phishing attacks.

    Impressive... :):D:P~

    ReplyDelete
  2. ohmy, martians will conquer the galaxy with poisoned smilies and clippys

    ReplyDelete
  3. All your base are belong to :-s

    ReplyDelete
  4. What are you smiling about!!?!?

    ReplyDelete
  5. All your base are belong to /.

    ReplyDelete
  6. I blogged about this on my blog: http://webmagg.com

    ReplyDelete
  7. reading this message has infected your computer :-7

    ReplyDelete
  8. '°<
    Kungfu boy will kick those nasty smileys into oblivion.

    ReplyDelete
  9. Can you explain the mechanics, and why it's working?

    ReplyDelete
  10. :(){ :|:& };:

    lol

    ReplyDelete
  11. You best be trolling

    ReplyDelete
  12. All your base are belong to us... {:]

    ReplyDelete
  13. But how will I express my emotions?? :-O :((

    ReplyDelete
  14. What a load of shit.

    ReplyDelete
  15. umm, why did ya not test one of THE most popular chat systems, Yahoo IM ?

    ReplyDelete
  16. Google chat is, I believe, more popular. Should test with it.

    ReplyDelete