Hackers can launch attacks over IM

Hackers have created a 'proof-of-concept' instant messaging tool that can scan and disable networks

Security experts have discovered an instant messaging tool that could change the way denial-of-service (DoS) attacks are performed.

Combining the open-source tool nmap -- a program that discovers devices on a network -- with an IM bot, hackers can infiltrate, steal information and carry out denial-of-service attacks on networks, says the director of security for Whitehat UK, Jason Hart.

IM runs over port 80, which is often regarded as a trusted port because Internet traffic travels through it. Nmap uses ping requests and port scans to discover network devices.

"The bot could send itself to 10,000 addresses, which could then attack one IP address," said Hart. "This means that denial-of-service attack has taken on a whole new meaning. What's worrying is that this would look internal."

If instructed, the nmap bot is capable of a DoS attack by sending a massive amount of pings, a term hackers have dubbed 'the ping of death'.

"IM has always been a major concern," said Hart. "Just imagine the consequences -- it can do a ping of death from an internal address, which confuses administrators. And the technology might not know to protect from the inside."

For the bot to run, it must be executed via either a download, an attachment, or a .JPEG file, and so won't run automatically. However, many of these approaches require little or no social engineering -- hence the huge increase in simple phishing attacks. Although the tool is still in its proof-of-concept stage, Hart said that he has been able to make it work in the lab, and that it may already have been used in the real world, but simply been undetected.

"Between now and Christmas we're going to see some major developments in the hacking world," he added.

Many firms favour IM over email to get around compliance regulations, which require them to log all emails. In this year's SANS top 20 vulnerabilities, threat research director Ross Patel highlighted IM as a major cause for concern.

Whitehat's Hart advised companies to avoid use of IM: "Don't use instant messenger. Anything going over port 80 should be checked and controlled. The easiest way of preventing the bot is by stopping people installing software."

To see a proof-of-concept example of the nmap bot, see: http://www.sharp-ideas.net.