January 1, 2001

ICQ is undoubtedly the most popular instant messenger. It is
no longer limited to simple text chat; file transfers, greetings, telephony, SMS
messages, and tons of other features make using it great fun. But on the darker
side, ICQ is also a major security threat to desktop users, as it provides a
port of entry into your machine.

If you want to access a PC over the Internet, then the first
step is to connect to that machine using its IP address and a port number. The
next step is to gain access privileges on that machine. In a desktop operating
system, there are hardly any access restrictions. But it’s more difficult to
connect to a desktop operating system like Win 98 than to a network operating
system like Linux or Win NT. Technically, connecting to a machine means
connecting to a service running on the machine on a particular port. Network
operating systems run a number of such services, like Telnet at port 23 and a Web
server at port 80. But what services does Win 98 run that you can connect to
remotely? It doesn’t even bundle a Telnet server. This is where ICQ comes to
the help of the would-be intruder by providing an entry point into your PC.

How ICQ works

ICQ is based on the client-server architecture. You run the
client on the desktop and connect to one of the Mirabilis servers, at a port
above 1,024. When you do a search for users or any other such activity that
doesn’t involve another user, you are communicating with a Mirabilis server.
But when you send a message or transfer a file to a person, the Mirabilis
server goes off the stage. The ICQ applications residing on the two desktops
make a connection to each other. In this case ICQ acts as a client as well as
a server. A clever workaround by Mirabilis to reduce the load on their servers!
But this direct connection between the ICQ users has led to many security
issues. Had the server been in between, some security measures like filtering
or virus checking could have been centrally deployed.

Your IP and ports are revealed

If you are using a dialup connection, each time you connect
to the Internet, you get a dynamic IP address. For a person to establish a
direct connection with you, his ICQ needs the IP address of your machine. So the
ICQ installed on your machine relays your IP address to him. In ICQ, you have an
option to ‘Publish your IP address’. You must never go for it. But even this
precaution is not foolproof. A malicious person can find your IP address using
downloadable tools like ICQ Sniffer, which take your ICQ UIN as input and show
your IP address. He can then run a port scanner against your IP address and
find out all the open ports on your machine, if you are running any services.
Your IP can then be used to operate a trojan remotely (see below). The only
solution here is to disable all the services you don’t need, and to patch any
bugs in the remaining services that could give access to a remote user.

ICQ home page gives hard disk access

ICQ’s home page feature, if enabled, hosts a Web server on
your machine, to which any ICQ user can connect. This Web server is used to
quickly create a Web page that displays your information and maybe your
photographs. Earlier versions of ICQ (ICQ 99a) had a bug that gave anyone
access to directories on your hard disk outside the document root (the
directory where the ICQ home page files are stored). So if you use an older
version, do upgrade to the latest.

Transferred file can be a trojan

Scanned photographs and other files are commonly transferred
through ICQ. Picture files are generally JPEGs (.jpg) or GIFs (.gif). Here you
can be tricked. Suppose someone wants to install a trojan like BackOrifice
or an ICQ trojan on your computer. These trojans have an EXE extension. Now a
malicious person can rename the file as follows:

Pic.jpg .exe

Note the large number of spaces between jpg and exe. When
this file is sent to you through ICQ, the dialog box that shows the file
information cannot display the EXE extension because of the limited length
of the text field. Most ICQ users are tempted to open the picture file (after
all, it could be a pretty girl or a handsome boy) as soon as they get it. Once you
click the Open button, there is no stopping the trojan from being installed.
Once the trojan is installed, the malicious person can find your IP address and
the port on which the trojan is listening using the techniques described above,
and subsequently issue commands from his machine to transfer your password
files to his machine, delete files on your machine, and generally create havoc.

The solution is not to accept files through ICQ. But then you
are sacrificing a major part of the fun of using ICQ in the first place. So it’s
advisable to save the file first and then run an anti-virus or trojan detector
(an ICQ trojan detector is available) on it. Also saving the file on the disk
rather than opening it straight away would reveal its extension by giving you a
different icon than the one used for JPEG or GIF files on your machine. Also the
option saying ‘automatically accept file transfers’ shouldn’t be checked.
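As an added illustration (this code is not from the original article), the following Python shows why the padded name in the trick above reads as a picture in a narrow dialog field, and a check that a user-side script or a receiving client can apply to a saved file’s name before it is opened. The extension lists, the field width and the sample names are assumptions constructed for the example.

```python
import os
import re

# Assumed lists for this example: extensions Windows runs directly, and
# picture extensions a recipient expects to see from a scanned photo.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".png"}

# Constructed sample: the "Pic.jpg<many spaces>.exe" name described above.
DISGUISED_NAME = "Pic.jpg" + " " * 20 + ".exe"


def displayed_name(name: str, field_width: int) -> str:
    """Simulate a fixed-width file-info field: the name is simply cut off,
    so the padding pushes the real extension out of view."""
    return name[:field_width]


def true_extension(name: str) -> str:
    """Extension the OS will act on: text after the LAST dot. Trailing
    whitespace is stripped, as Windows does when it stores the name."""
    return os.path.splitext(name.rstrip())[1].lower()


def apparent_extension(name: str) -> str:
    """Extension a reader takes from the name: the FIRST '.ext' token."""
    m = re.search(r"\.([A-Za-z0-9]+)", name)
    return "." + m.group(1).lower() if m else ""


def is_disguised_executable(name: str) -> bool:
    """True when the file would run as a program but its name is dressed up
    as something else, either by whitespace padding or a double extension."""
    real, shown = true_extension(name), apparent_extension(name)
    padded = re.search(r"\s{2,}", name) is not None
    return real in EXECUTABLE_EXTS and (shown != real or padded)


def triage(name: str) -> str:
    """Decision for an incoming ICQ file, following the advice above:
    never open a disguised executable; save everything else and scan it."""
    if is_disguised_executable(name):
        return "reject"
    if true_extension(name) in EXECUTABLE_EXTS:
        return "executable-scan-before-running"
    return "save-and-scan"
```

Running `triage(DISGUISED_NAME)` returns "reject", while `displayed_name(DISGUISED_NAME, 12)` shows only "Pic.jpg" followed by blanks, which is all the truncated dialog would have shown.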

Licq for Linux has a built-in BackOrifice client. So you
need to be especially careful to ensure that the BackOrifice trojan is not
installed on your machine.

ICQ utilities, which also include hacking tools, can be found
easily on the Internet. A utility called MillenniumM combines many of these into
one. It also protects ICQ from common hacks. Apart from that, some of the ICQ
ports to other operating systems, especially Unix or Linux, have additional
built-in utilities. Licq on Linux, for example, has utilities like finger, a
telnet client, an ftp client and also a built-in BackOrifice client. These can be
double-edged. If you know about them, and how to use them to protect yourself,
then you can get the better of the would-be intruder. If on the other hand you
are not aware of their existence, or if you get careless, then you can be sending
an irresistible invitation to someone to come in and wreak havoc not only on your
machine, but also on other machines on the same network.

Shekhar Govindarajan

