Security experts have discovered an instant messaging tool that could change the way denial-of-service (DoS) attacks are performed.
Combining the open-source tool nmap -- a program that discovers devices on a network -- with an IM bot, hackers can infiltrate, steal information and carry out denial-of-service attacks on networks, says the director of security for Whitehat UK, Jason Hart.
IM runs over port 80, which is often regarded as a trusted port because Internet traffic travels through it. Nmap uses ping requests and port scans to discover network devices.
"The bot could send itself to 10,000 addresses, which could then attack one IP address," said Hart. "This means that denial-of-service attack has taken on a whole new meaning. What's worrying is that this would look internal."
If instructed, the nmap bot is capable of a DoS attack by sending a massive amount of pings, a term hackers have dubbed 'the ping of death'.
"IM has always been a major concern," said Hart. "Just imagine the consequences -- it can do a ping of death from an internal address, which confuses administrators. And the technology might not know to protect from the inside."
For the bot to run, it must be executed via either a download, an attachment, or a .JPEG file, and so won't run automatically. However, many of these approaches require little or no social engineering -- hence the huge increase in simple phishing attacks. Although the tool is still in its proof-of-concept stage, Hart said that he has been able to make it work in the lab, and that it may already have been used in the real world, but simply been undetected.
"Between now and Christmas we're going to see some major developments in the hacking world," he added.
Many firms favour IM over email to get around compliance regulations, which require them to log all emails. In this year's SANS top 20 vulnerabilities, threat research director Ross Patel highlighted IM as a major cause for concern.
Whitehat's Hart advised companies to avoid use of IM: "Don't use instant messenger. Anything going over port 80 should be checked and controlled. The easiest way of preventing the bot is by stopping people installing software."
To see a proof-of-concept example of the nmap bot, see: http://www.sharp-ideas.net.
Talkback
"IM runs over port 80, which is often regarded as a trusted port because Internet traffic travels through it." It's regarded as a trusted port because WEB traffic uses it. "Internet traffic" would be all traffic on the Internet including e-mail traffic, FTP, etc.
"If instructed, the nmap bot is capable of a DoS attack by sending a massive amount of pings, a term hackers have dubbed 'the ping of death'." This is not the ping of death. The ping of death is a specially crafted ping packet that exceeds the maximum legal length. See http://www.insecure.org/sploits/ping-o-death.html The term that the author is probably looking for is known as ping flooding.