ICQ is considered by most to be a security threat to its users. During the course of its evolution, it has suffered from many serious bugs and vulnerabilities, such as vulnerabilities that allowed malicious users to probe another user for a lot of information, or to launch attacks with serious effects, ranging from flooding the user's ICQ client with messages, causing it to crash, stealing passwords or even breaking into computers.
Vulnerabilities have come and gone, but many have stayed. During this tutorial, we will focus on the simple vulnerability, which is caused by the way that ICQ works, and therefore hasn't been patched. It's the vulnerability that allows anyone to view your IP address, and it exists because ICQ is a client-to-client program.
Even if you tell ICQ not to reveal your IP in the preferences dialog box, under privacy, there are other ways a malicious user might try to find it other than looking at your info and expecting to find it there. Since ICQ is a client-to-client program, messages and other ICQ events are transferred directly from one host to another, without the interference of a server, meaning that if you send someone a message or someone sends you a message, a socket is created between your computer and the other person's computer. What does this mean? This means that anyone who sends or receives an ICQ event from you can use programs such as netstat to view all existing connections, spot the one that belongs to you and get your IP address!
Try it for yourself. Press start, run, and then type command. A DOS window will appear. Type netstat -A and you will receive a list of existing connections, their status and other basic information about them, as well as the IP of the other host which is connected to you through that socket (unless this is a listening socket, which is waiting for a host to connect to it. A listening socket will not give you a "Foreign Address").
So why doesn't Mirabilis (founder of ICQ) change that? Why doesn't it change ICQ so all events are transferred through the server, so attackers will send and receive events to and from the server and thus will be unable to find other people's IPs? Simple. Because what kind of a madman would want all those millions of ICQ users moving their traffic through his server? And though AOL (the current owners of Mirabilis) has a lot of money and can probably pay for all this bandwidth, why would they do that? They don't care about your security, and they won't spend an extra cent to improve it. As a result of that, new versions of the ICQ client are released without being properly tested, and new holes are being frequently discovered.
Of course, the fault is not Mirabilis's alone. There are also several user-inherent problems, caused by users that reveal private information by writing it into their user account info. Everyone can view your info, so don't reveal anything that you wouldn't like to when you fill out the form in the ICQ account preferences dialog box.
Remote_Access_
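An added example, not part of the original post: a small audit of your own machine's netstat output, separating listening sockets (no foreign address) from direct connections, i.e. the remote hosts that necessarily see your IP. It assumes numeric output (`netstat -an`); the sample text, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (documentation-range IPs).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         127.0.0.1:1031         ESTABLISHED
  TCP    192.0.2.10:1029        198.51.100.7:2214      ESTABLISHED
  TCP    192.0.2.10:1044        203.0.113.20:80        TIME_WAIT
  UDP    0.0.0.0:4000           *:*
"""


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6host]:port' into (host, port) strings."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def direct_peers(netstat_text):
    """Return (peers, listening) parsed from numeric netstat output.

    peers:     (remote_ip, local_port, state) for sockets with a real remote host
    listening: (proto, local_port) for sockets with no foreign address yet
    """
    peers, listening = [], []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header, blank line
        proto, local, foreign = fields[:3]
        state = fields[3] if len(fields) > 3 else ""  # UDP rows carry no state
        local_port = int(split_endpoint(local)[1])
        try:
            remote_ip = ipaddress.ip_address(split_endpoint(foreign)[0])
        except ValueError:
            remote_ip = None  # '*:*' placeholder
        if remote_ip is None or remote_ip.is_unspecified:
            listening.append((proto, local_port))
        elif not remote_ip.is_loopback:
            peers.append((str(remote_ip), local_port, state))
    return peers, listening


if __name__ == "__main__":
    for ip, port, state in direct_peers(SAMPLE)[0]:
        print(f"{ip} is (or was) directly connected on local port {port}: {state}")
```
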
Terr
November 28th, 2001, 04:09 PM
Originally posted by Remote_Access_
Since ICQ is a client-to-client program, messages and other ICQ events are transferred directly from one host to another, without the interference of a server, meaning that if you send someone a message or someone sends you a message, a socket is created between your computer and the other person's computer.
I THINK there is an option somewhere in there to always send stuff through the server. (So messages won't cause a connection in Netstat) They can still see your IP in netstat if you accept a file though. And there are third-party tools to let you see the IP address even if you haven't had any sort of communication before. (In other words, when even netstat won't show you what you want.)
I would guess that AOL is the main cause. ICQ started out as a pretty efficient system, in the sense that it didn't require a ton of servers to run it. It was pretty cheap to use. Now that AOL bought them, and they have the money... I think they're more interested in getting all the money they can out of it (Banner ads), and watching it slowly die and hoping the users move to AIM.
Remote_Access_
November 28th, 2001, 04:34 PM
I would guess that AOL is the main cause. ICQ started out as a pretty efficient system, in the sense that it didn't require a ton of servers to run it. It was pretty cheap to use. Now that AOL bought them, and they have the money... I think they're more interested in getting all the money they can out of it (Banner ads), and watching it slowly die and hoping the users move to AIM.
I agree with you. ICQ, to my recollection, is free... but nonetheless, AOL has bought them out in order for ICQ's clients to move to AIM. Thus, the increase in lack of security, banner ads, and various other things, and allowing ICQ to go to the pits.
Remote_Access_
chsh
November 28th, 2001, 05:01 PM
To be honest RA, I think it would be more interesting to read a tutorial regarding how the MSN Messenger 'magic link' worked. ;)
While ICQ has had its share of vulnerabilities, you neglect to mention that most, if not all, the IMs have had vulnerabilities, a couple of them far more severe than anything ICQ has had.
Also, the particular 'vulnerability' you discuss is not limited to ICQ, or even IMs in general, but to anything wherein there is peer-to-peer communication. Anytime someone establishes a connection to your computer, you can find out their IP -- that's how it's supposed to work.
cheez_cake
November 28th, 2001, 05:51 PM
Originally posted by chsh
To be honest RA, I think it would be more interesting to read a tutorial regarding how the MSN Messenger 'magic link' worked. ;)
I must admit I'm curious about this 'magic link' as well! If anybody cares to elaborate on this, many thanks! Yahoo IM is also like this with netstat. How exactly does this socket work? Why? Does anybody know more? (Does a firewall prevent netstat from working????)
Remote_Access_
November 28th, 2001, 06:37 PM
While ICQ has had its share of vulnerabilities, you neglect to mention that most, if not all, the IMs have had vulnerabilities, a couple of them far more severe than anything ICQ has had.
I am aware of this. AOL has had numerous vulnerabilities in their IM system. A user used to be able to "punt" or "kick" a user offline with a single message. The bug has been fixed. If I remember correctly, a program called "Blue Cross" contained several methods of doing so. As for Yahoo and MSN, I've yet to hear of any incidents like this. And for the "magic link" I'm not exactly sure how it werks ;)
Remote_Access_
chsh
November 28th, 2001, 06:53 PM
Well, the 'Magic Link' IIRC basically let anyone view the contents of your drive....
Oops, my bad. ;)
It was the MSN Communities website that had the 'magic link'....
http://www.theregister.co.uk/content/4/20578.html
At any rate, I hardly think that ICQ is "the worst thing that ever happened to privacy and anonymity" any more than any other IM. That's a pretty steep thing. Maybe you should replace ICQ with 'Internet' in that sentence, because it's a lot closer to the truth. :)
Remote_Access_
November 28th, 2001, 07:00 PM
I didn't intend for the topic of my post to read:
" ICQ- the worst thing that ever happened"
It was supposed to read:
" ICQ- the worst thing that ever happened to privacy and anonymity"
I didn't realize that till I posted it.
Remote_Access_
Stronzo
November 28th, 2001, 07:20 PM
Did you write this tutorial yourself Remote_Access_?
Remote_Access_
November 28th, 2001, 07:28 PM
Why yes, yes I did... :D
Remote_Access_
Stronzo
November 28th, 2001, 07:47 PM
Hmm. You mean you didn't find it at www.astalavista.com/library/onlineprivacy/basics/general1.shtml about 2/3rds the way down the page in Chapter IV: ICQ - the worst thing that ever happened to privacy? Does your name happen to be Raven, founder of SWG (Security Writers Guild)?
Try a text search on google on the first line of the original post.
Man, plz give credit where credit is due.
Remote_Access_
November 28th, 2001, 07:54 PM
OK, I copied a portion of it. Bla, big deal. It's useful and informative and bla bla bla bla.
Remote_Access_
Stronzo
November 28th, 2001, 07:57 PM
Originally posted by Remote_Access_
OK, I copied a portion of it. Bla, big deal. It's useful and informative and bla bla bla bla.
Ok. You are allowed to copy stuff from other sites but do not try to pass it off as your original work. Like I said, give credit where credit is due. Thank you for posting this article but next time please state where you got it from.
But the article I copied it from was from blacksun. ;)
Remote_Access_
Terr
November 28th, 2001, 10:23 PM
Damn. I shoulda caught that. I did a quick check, but I guess I didn't check the right places. Remote_Access_, plagiarism is bad, and you should prepare for flames if you do it. (http://www.antionline.com/showthread.php?s=&threadid=118780)
proactive
November 28th, 2001, 10:34 PM
hehe :D That whole incident was kinda funny! But it was a good article, so I can understand why Remote_Access_ wanted to take credit for it. Best thing, it made me laugh!
Conf1rm3d_K1ll
November 28th, 2001, 11:04 PM
Originally posted by Terr
Damn. I shoulda caught that. I did a quick check, but I guess I didn't check the right places. Remote_Access_, plagiarism is bad, and you should prepare for flames if you do it. (http://www.antionline.com/showthread.php?s=&threadid=118780)
I thought it strange that you were replying to this thread
rofl
[WebCarnage]
November 28th, 2001, 11:17 PM
Not cool dude, don't plagiarize. Give credit to whomever helped you acquire this knowledge. I don't believe being an all Uber-Leet Hacker gives you the right to plagiarize. The hacking society (at least this one) is a close-knit family. We share and exchange information. And give credit from those who have found it first...
Stronzo
November 29th, 2001, 02:03 AM
Originally posted by Terr
Damn. I shoulda caught that. I did a quick check, but I guess I didn't check the right places.
Ya, you are usually pretty good about this kinda stuff Terr.
Remote_Access_
November 29th, 2001, 03:16 AM
Not cool dude, don't plagiarize. Give credit to whomever helped you acquire this knowledge. I don't believe being an all Uber-Leet Hacker gives you the right to plagiarize. The hacking society (at least this one) is a close-knit family. We share and exchange information. And give credit from those who have found it first...
OK, I would like to state in my defence that I've acknowledged in a previous post that I got the information from a previously written article. I did not post what I did to be cool, dude... or an "uber-leet hacker"... and I have given credit where it was due.
:rolleyes:
Remote_Access_
RiOtEr
November 29th, 2001, 04:59 AM
that's the second time uve been caught remote
btw stealing from one of the best security writers i have ever seen raven is not COOL that is your second time u will lose respect very soon if you keep it up please as terr and Stronzo stop it
Remote_Access_
November 29th, 2001, 11:44 PM
RiOtEr: please visit this form:
http://www.antionline.com/showthread.php?s=&threadid=131948
Thanks,
Remote_Access_
Tronic
March 6th, 2004, 11:51 PM
To those of you who are wondering if this flaw from the peer to peer architecture of ICQ isn't beatable. There are a lot of proxy servers that you can go through that are built for this EXACT reason. Just so you know, and so you don't think ICQ is helpless. Post if you want the link to the list, I've gotta search for it..
I know that isn't a solution for all of the problems, because there are a lot of bugs out there. But this is just something to provide more security if you're ever in the need or mood to use ICQ..
antionline.com
Copyright 2007 Jupitermedia Corporation All Rights Reserved.