
'Shore up security this autumn' warns security expert
By Dan Ilett
Published: 12 October 2004 09:20 BST
Security experts have discovered an instant-messaging tool that could change the way denial-of-service (DoS) attacks are performed.
Combining the open-source tool nmap - a program that discovers devices on a network - with an IM bot, hackers can infiltrate, steal information and carry out denial-of-service attacks on networks, says the director of security for Whitehat UK, Jason Hart.
IM runs over port 80, which is often regarded as a trusted port because internet traffic travels through it. Nmap uses ping requests and port scans to discover network devices.
Hart said: "The bot could send itself to 10,000 addresses, which could then attack one IP address. This means that 'denial-of-service attack' has taken on a whole new meaning. What's worrying is that this would look internal."
If instructed, the nmap bot is capable of a DoS attack by sending a massive number of pings, an attack hackers have dubbed 'the ping of death'.
"IM has always been a major concern," said Hart. "Just imagine the consequences - it can do a ping of death from an internal address, which confuses administrators. And the technology might not know to protect from the inside."
For the bot to run, it must be executed via a download, an attachment or a .JPEG file - so it won't run automatically. However, many of these approaches require little or no social engineering - hence the huge increase in simple phishing attacks. Although the tool is still in its 'proof of concept' stage, Hart said he has been able to make it work in the lab and that it may already have been used in the real world but simply gone undetected.
"Between now and Christmas we're going to see some major developments in the hacking world," he added.
Many firms favour IM over email to get around compliance regulations, which require them to log all emails. In this year's SANS top 20 vulnerabilities, threat research director Ross Patel highlighted IM as a major cause for concern.
Whitehat's Hart advised companies to avoid use of IM: "Don't use instant messenger. Anything going over port 80 should be checked and controlled. The easiest way of preventing the bot is by stopping people installing software."
To see a proof-of-concept example of the nmap bot, see: http://www.sharp-ideas.net.
Dan Ilett writes for ZDNet UK
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.