Back doors in AIM security tool irk pros

The security group w00w00, which discovered last week's serious flaw in AOL's instant messenger software, said Tuesday that a program that could act as a temporary Band-Aid for the AIM problem had in reality been misrepresented by the person who posted it to the Bugtraq mailing list late last month.

"Any software that is released to the public, or even privately, should do what it's advertised to do and nothing else," Tim Yardley, a software engineer and w00w00 member, said in an e-mail.

On the good side, the program, AIMFilter, intercepted data sent to and from AOL's instant messaging servers and threw away potentially harmful code used by hackers. Yet, the application also sent the IM user's Internet address to its author, connected to two different pay-for-click sites to generate income for the author and gave potential intruders the ability to redirect the AIM user to a small number of different porn sites.

Yardley and other w00w00 members were particularly put out by their discovery, as the group had said the tool provided a solution to the hole they had found in AOL's AIM software last week. That flaw could have given potential intruders full control over an AIM user's computer.

"People should not be coding in back doors, money-generating schemes, or other covert options into applications," Yardley said.

Still, a host of potential security risks remain in AIM, and a tool like AIMFilter could actually make a computer more secure, so Yardley cleaned up the code and posted a modified version of it to the Bugtraq list.

For his part, AIMFilter's author, 16-year-old high-school student Robbie Saunders, said he had no malicious intent.

"It started out as a little thing to crash my friends," he said in an e-mail to CNET News.com. "My intentions were to get AIM to fix the exploits and for people to enjoy my software."

Saunders posted the original message, which had a link to his site and the code, on Dec. 30. In that message, he described several bugs in AOL's Instant Messenger application that could have potential security implications. He claimed that his tool would block any attempts by online vandals to exploit the bugs.

Yet Saunders admits the tool does a lot more. "All my software really did was contain admin commands, letting my (AOL) screen name get an (annoying) user's IP address to report them to an ISP and to kick a user off of the filter," he wrote in the e-mail. In addition, he said that w00w00's claim that the program sent data equivalent to a mouse-click to two click-for-profit sites on his behalf was also true.

"The cash-paid click-throughs are because I need money," he said in a statement on his Web site. They only go in once (when you open the filter) and not on time intervals like w00w00 claims."

In various postings, members of w00w00 said they believed the program would attempt to connect to the sites every so often.

As for the porn, Saunders said on his site that the ability to remotely cause the software to redirect browsers to the porn pages was intended to punish anyone who "mess(ed) with my friends."

Despite the admissions, though, Saunders seemed unrepentant. "I didn't expect people to care," he said in his e-mail. "Only I could use (the backdoor functions), and no damage or lost information could come to (people's) computers through using the filter."

Yet, w00w00 members were not appeased.

"Being poor is certainly no excuse for building in and not disclosing the existence of personal profit-generating code," said Jordan Ritter, a consultant and member of w00w00, pointing out that companies get routinely lambasted for putting such surreptitious functions into their programs.

Part of the group's ire, however, springs from its faux pas in recommending a piece of software that they had not thoroughly checked out.

"We apologize to the security community at large for this mistake," Ritter wrote in an e-mail to the Bugtraq list. "We think this is a very apt example of why closed-source programs can be deadly."

Originally, Saunders only released the actual AIMFilter program, not the code. Open-source advocates view such "closed" programs as more difficult to inspect, making their security harder to verify. It was only after Saunders released his code that the w00w00 programmers were able to audit it and find the problems.

The lesson for the average user, as always on the Internet, is a caveat emptor: Let the buyer beware, said Elias Levy, chief technology officer for SecurityFocus, the company that runs the BugTraq list.

"If you are going to be recommending a certain tool to plug security holes, you have to be sure that it's not going to be introducing new vulnerabilities," he said.