The what-bot

Late on Monday, a lot of Russian ICQ users got sent this message:

If you’ve been using ICQ for a while or are even remotely security savvy, you know not to just click on links that get sent to you, even if they appear to come from a known contact. Instead, you’re going to try and check in some way whether it’s really a person who sent you the link, or just a bot. Turing tests are designed to distinguish humans from bots, and everyone’s come across CAPTCHAs, a reverse Turing test. Of course, if you’re on ICQ, you’re not going to use an image to check who’s on the other side of the screen, but you can ask a challenge question – after all, a computer can’t actually answer questions, can it?

But there’s a problem with this – if you get sent a link to a file, you’re going to automatically ask “What is it?” And this is where it gets interesting: the bot behind the link didn’t have any trouble answering this question.

This answer sounds pretty human, so why not download and run the file? The puzzle looks like this:

The frogs are just there to divert your attention. Working out which way they should jump is a nice little time-waster. But while you’re doing that, some malware (we detect it as Hoax.Win32.IMPass.al/ Hoax.Win32.IMPass.am) bundled in the package is quietly stealing your ICQ login and password. And once it’s got those details, your password gets changed, and then the same link starts being sent to all your contacts from your account.

The bot’s not as intelligent as it first seems: it’s only able to answer questions which contain one of the following words: «что», «чо», «чё» , «че» , «шо» , «що» и «чито». (The first is standard Russian for “what” – the others are slang widely used on the Russian Internet.)

The whole thing is a neat little lesson: security doesn’t just depend on checking whether links were really sent by your friends, but also on thinking up challenge questions that no bot could ever answer!