A Thrill-Packed Tale Of A Virus Near-Miss
I just got hit with my very first instant-message attack, the Oscarbold/Doyorg Trojan. I'm sure I'll see more. One thing I found interesting about the experience was the way that the attack circumvents our normal mental security defenses.
Like most of you, I pride myself on having developed a fairly good ear for phishing and other forms of e-mail attacks. I follow some common-sense rules:
- Nobody at Washington Mutual, eBay or PayPal really wants to have my login and password information. I don't even do business with WaMu, and I hardly ever use eBay or PayPal.
- If I get an e-mail seeking valuable information like a credit-card number or Social Security number, the first thing I ask myself is whether I was expecting this e-mail. Is it coming from a company I actually do business with? Did I just do a transaction with these guys recently? Does it make sense they'd be e-mailing me now? If the e-mail is expected, I check the URL carefully to see if it matches the legitimate URL I know.
So far, no e-mail message has ever passed the previous test. I rarely get e-mail purporting to be from a company I actually do business with seeking my Social Security number or credit number. And when I do get such a message, it turns out the URL in the message is obviously fraudulent.
- In addition to those tests, I rely quite a bit on writing style to determine whether a message is legitimate. When Microsoft sends a security alert, it doesn't read like it was written by a 17-year-old from Eastern Europe with only a rudimentary grasp of English.
You should also rely on technical security barriers, of course, including anti-virus, anti-spyware, anti-spam, and firewall software and hardware. But don't disregard the importance of the security wetware between your ears.
But the Oscarbold/Doyorg Trojan almost got through my defenses anyway.
The attack came to me in the form of an AOL IM message that appeared to come from a co-worker. "i thought youd wanna see this," is what the message said, and the word "this" was a hyperlink to an external site.
This guy usually sends me valuable stuff. And the message seemed legit. So I clicked the link. And was sent to a page in my Firefox browser that said the Web page was sending me a file — did I want to download it, or open it right away? I spoke the words of the immortal Lt. Uhura: "Sorry, neither," and I clicked "cancel."
And avoided a major pain in the neck.
If I'd been running different software, I'd be cleaning the mess off my computer right now. One of my colleagues is. Like me, he runs the Firefox browser, so we can't blame this one on Internet Explorer. The difference between his set-up and mine: he runs the America Online instant message client, and I run the GAIM IM client. GAIM saved me.
Lessons learned: Think about giving up public instant-messaging networks like AOL's. Instead, use a private network for business instant messaging. If you must use a public network, avoid the standard client if you can; use a multi-purpose client like GAIM (the one I use) or Trillian.
More importantly: We have to start using our mental security defenses on IM messages now. With e-mail, we can be careful of messages that seem to come from illiterate people. In IM, it's trickier because people often write IMs in haste, and neglect to proofread, capitalize, correct spelling and use proper punctuation. So the usage errors in the earlier IM wouldn't have clued me in even if I were on the lookout for them.
One clue that I'll watch for in future IMs: Hyperlinks in the message, like this. Nobody I know sends hyperlinks like that; we all just send links as plain text, like this: http://www.securitypipeline.com/.
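As an added example (not code from the column), here is a small Python check for the clue above: it flags AIM-style HTML messages whose clickable anchor text hides a destination other than the URL shown. The messages are constructed, and `example.invalid` is a placeholder domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML-formatted IM body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(message_html):
    """Return hrefs whose visible anchor text does not show the real host.

    A plain-text URL (no <a> tag) is never flagged; an anchor is accepted only
    when the text the recipient sees is itself the destination URL.
    """
    parser = _AnchorCollector()
    parser.feed(message_html)
    flagged = []
    for href, text in parser.anchors:
        target_host = urlparse(href).hostname or ""
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        if not shown_host or shown_host != target_host:
            flagged.append(href)
    return flagged


# Constructed sample messages (placeholder domain, not a real indicator).
HIDDEN = 'i thought youd wanna see <a href="http://example.invalid/x.exe">this</a>'
PLAIN = "i thought youd wanna see this http://www.securitypipeline.com/"
HONEST = '<a href="http://www.securitypipeline.com/">www.securitypipeline.com</a>'
```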
This was my first personal encounter with an instant message infection. I'm sure I'll be seeing more.
Mitch Wagner is editor of Security Pipeline.