dx4.org :: security :: aimads

01/Oct/2005 05:45
Category: /security Hijacking AIM ads by Elliot

In the last two weeks or so, I've disconnected more than 100 computers from the network that were infected with various malware they'd picked up on AIM. The problem is really one of user education: how to get people to stop running untrusted programs when traditional avenues of communication are notoriously unreliable?

The specifics vary from case to case, but typically the user gets an IM from a friend saying something like "LOL CHECK THIS OUT". The link is to a .pif file that infects his computer and sends out IMs to everyone on his buddy list. No real "exploit" is used - the user has to choose to download and run the file.

Education through traditional means was not very effective. For the most part, mass email was deleted unread, and notices on high traffic internal websites ignored. The number of shutoffs each day was greater than the number of reactivations of cleaned machines.

My solution is to take advantage of the ad functionality that already exists in the official AOL AIM client by making your own ads. You'll need a webserver (preferably Apache) and an internal DNS server that all your users query.

After capturing some packets with tcpdump, I figured out how the ad content works. The ad area of the AIM client is really just an embedded Internet Explorer browser, which fetches http://www.aim.com/redirects/inclient/AIM_UAC.adp with some GET variables. That's just a plain HTML file, and whatever's in it gets displayed in AIM's ad area.

Now you need an internal web server to serve up a modified version of that file. Unless this is all that web server is doing, you should set up a named virtual host for www.aim.com. In addition to serving up the modified AIM_UAC.adp file, it would be ideal to pass all other traffic through to the real www.aim.com, so that users can still download the AIM client. In Apache, the virtualhost might look like this: 

ServerName www.aim.com
DocumentRoot /var/www/aim
ProxyPass /AIM_UAC.adp !
ProxyPass /ad.gif !
ProxyPass /redirects/inclient/AIM_UAC.adp !
ProxyPass / http://www.aim.com/
ProxyPassReverse / http://www.aim.com/

RedirectMatch ^/redirects/ "http://www.aim.com/AIM_UAC.adp"

Replace the IP address in the virtualhost declaration with the IP address of your web server. With this config, all requests for files other than /AIM_UAC.adp, /ad.gif and /redirects/inclient/AIM_UAC.adp get passed through to the real www.aim.com, and requests for those files are served out of //var/www/aim. The ad.gif file is the content you're referring to in your custom AIM_UAC.adp file, hosted on the same server for the sake of simplicity. Your AIM_UAC.adp file might look something like this: 

<a href="http://your.link/here/"></a>

Now all that's left is to change the DNS for www.aim.com to point to the IP of your web server. With ISC BIND, you would create a new zone file for www.aim.com and define a blank A record in it that points to your web server's address, then add that zone to named.conf. Also, be sure to define the REAL address of www.aim.com in the /etc/hosts file on your web server, or else its proxy functionality won't work after you've changed the DNS.