[ISN] AIM worm plays nasty new trick

InfoSec News isn at c4i.org
Mon Oct 31 07:25:20 EST 2005


http://news.com.com/AIM+worm+plays+nasty+new+trick/2100-7349_3-5920403.html

By Joris Evers 
Staff Writer, CNET News.com
October 28, 2005

A worm found spreading via America Online's Instant Messenger is
carrying a nastier punch than usual, a security company has warned.

The unnamed worm delivers a cocktail of unwanted software, including a
so-called rootkit, security experts at FaceTime Communications said
Friday. A rootkit is a tool, designed to go undetected by security
software, that is used to lock down control of a computer after an
initial hack.

"A very nasty bundle is downloaded to your machine" when you click on
the worm link, said Tyler Wells, senior director of engineering at
FaceTime. "This is the first time that we have seen a rootkit as part
of the bundle of applications that is sent to your machine. It is a
disturbing trend."

IM worm and malicious code attacks are happening more than ever
before. The number of threats detected for instant-messaging and
peer-to-peer networks rose 3,295 percent in the third quarter of 2005,
compared with last year, according to a recent report from security
provider IMlogic.

In addition to the "lockx.exe" rootkit file, the new worm delivers a
version of the Sdbot Trojan horse, said FaceTime, which sells products
to protect instant-messaging traffic. Sdbot opens a backdoor on the
infected PC. The worm also places several spyware and adware
applications, including 180Solutions, Zango, the Freepod Toolbar,
MaxSearch, Media Gateway and SearchMiracle, the company added.

All that unwanted software can eat up system resources, slowing down
the PC, Wells said. Also, the malicious applications will attempt to
disable security programs and change the search page on the user's Web
browser, FaceTime said.
 
The worm was spotted in an AOL IM chatroom and infected one of the PCs
that FaceTime uses for worm bait. The company said it also has seen
the pest hit other computers. "It is still out there, and it is
definitely something the user should be leery of," Wells said. "The
rootkit is designed to not be detected, and that is the scary part."

Worms on IM networks can spread rapidly. They appear as a message from
a buddy with a link that looks innocent, but in fact points to
malicious code somewhere on the Internet. Once the user clicks on the
link, malicious code is installed and runs on the computer. The worm
then spreads itself by sending messages to all names on the victim's
contact list.

The advice to users is to be careful when clicking on links in IM
messages--even when they seem to come from friends--and to use
up-to-date antivirus software. When receiving a link in an instant
message, the best practice is to verify with the sender if the link
was sent intentionally or not.




