Thread: ***HEADS UP**** AIM Users

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    ***HEADS UP**** AIM Users

    from ISC

    The handlers have received several reports that AIM messages are being used to entice users to download and view jpegs that match current signatures for the GDIplus.dll exploit.

    The basic method is to attach GDI exploits to profiles on AIM. The attacker then sends messages to get the user to go look at the user profile that has a jpg with the gdiplus.dll exploit in it.

    This is the message being seen "Check out my profile, click GET INFO!" But of course that would be easy to change so it is probably not worth adding to your IDS signature list.
    Easy one.... Social engineering, but it can still work.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    I was talking to a few of the guys that were seeing those. Kind of scary actually... since AIM users are the same people that click click click on everything.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Hog:

    Absolutely.... The effectiveness of any exploit relies upon two things, a broad enough user base to have a significant infection rate and the ability to identify and "transport" the exploit throughout the vulnerable systems. In this case the user base is the problem in both criteria. Lots of people use AIM and the people who do have a tendency to be brainless.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Junior Member
    Join Date
    Sep 2004
    Posts
    1
    This (among other reasons) is exactly why I have AIM privacy set up to allow only those on my list to IM me

  5. #5
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    This would work equally for any of the chat clients, would it not? Yahoo Messenger, MSN, etc. They all contain the ability to view users' profiles.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #6
    http://www.k-otik.com/exploits/09252...gOfDeath.c.php

    The creator of this tool says that it requires someone to download a jpeg and view it in explorer, when I was led to believe that IE itself was vulnerable. (aren't they supposed to be the same anyway)

    Couldn't someone upload that JPEG above as an avatar or signature, and wreak havoc upon the unpatched users of this forum?
