The Internet security company IMlogic is reporting on a new virus, titled IM.Myspace04.AIM. The virus, once it infects its host, disables anti-virus software and software firewalls, then sends out instant messages to everyone on the host computer’s buddy list.
See IMlogic Threat Center :: Threat Detail for details.
The user of the host computer is unaware that this is happening, and does not see any of the outgoing messages. However, people on that user’s buddy list will start seeing instant messages from the host’s computer. For all intents and purposes, these IMs seem to be coming from someone the recipient already knows and trusts.
The messages are simple, consisting of phrases such as “lol thats cool” and urging the “buddy” to click on a “cool” link, which is a download address for the virus. If the recipient asks the bot about the link, the virus will respond: “lol its not a virus.”
While IM.Myspace04.AIM is not currently widespread, it does represent a new method of “social engineering,” the technique hackers have long used to convince human operators to give out passwords, turn off security measures, or download and execute viruses or trojans. In this case, the entity doing the social engineering isn’t human, and can work tirelessly without end.
Bots pretending to be humans have been around for years. Web-based message boards have recently been inundated with bots that register just to post a link to their web site, prompting many boards to implement “captcha” authentication, where the human must read a sequence of blurry, distorted letters and type in the correct response to register on the site.
Now here is the laugh: back in 1950, Alan Turing (possibly the first geek’s geek, who also makes a major appearance in a Neal Stephenson book) held that computers would in time be programmed to acquire abilities rivalling human intelligence. As part of his argument Turing put forward the idea of an ‘imitation game’, in which a human being and a computer would be interrogated under conditions where the interrogator would not know which was which, the communication being entirely by textual messages. Turing argued that if the interrogator could not distinguish them by questioning, then it would be unreasonable not to call the computer intelligent.
Turing’s ‘imitation game’ is now usually called ‘the Turing test’ for intelligence.
So here we are, fifty-odd years on, and we now have programmers writing really dumb programs that are smarter than the chat users who are their victims. In the world of IM, where spelling and grammar don’t count and “lol” is often the height of wit, it’s really, really easy for a bot to simulate a human.