Sign in to comment!

Menu
Home

Instant-Messaging Worms Try to Talk Their Way In

A new malicious worm squirming through America Online Inc.'s AIM network has the ability to carry on an instant-messaging conversation with potential victims.

Researchers at IMLogic Inc.'s Threat Center spotted the new threat and warned that virus writers are continuing to push the social engineering envelope to trick computer users into downloading nasty malware programs.

The newest worm, identified as IM.Myspace04.AIM, is coded to chat and persuade the victim to click on a malicious URL embedded in the IM message.

If the first attempt at infection is unsuccessful and the victim replies to doubt the legitimacy of the link being sent, the worm replies with the following message: "lol no its not its a virus."

Like other IM worms spreading over AOL's instant messaging network, the bot uses an infected user's buddy list to propagate itself, carrying on a conversation with new victims without the infected user's knowledge.

"This sophisticated bot attack is programmed such that infected users cannot see the messages the worm is sending on their behalf. When recipients of the malicious message reply to the infected user, the bot running on the infected machine sends follow-up messages," IMlogic said in an advisory.

By ratcheting up the level of social engineering techniques, the company said the new breed of malicious bot attacks represents a shift toward interactive communication with intended targets, more effectively simulating a live user and thereby increasing infection rates.

The appearance of a talking worm comes on the heels of AOL and Microsoft Corp. releasing legitimate IM bots on the IM networks.

Two consumer bots from AOL — MovieFone and ShoppingBuddy — were added to the buddy lists of AIM users last month as part of the company's use of IM Robots to deliver news and other content on behalf of advertising partners.

Interactive IM bots have been around for years, but this is the first sign that malware writers are latching onto the concept to use in social engineering attacks.

"As [consumer] bots gain popularity, hackers have also recognized the potential for bot technology to assist in their attacks," IMlogic said.

The talking worm is just one of two new threats targeting AIM users.

Akonix Systems Inc. has issued an alert for a worm posing as a holiday greeting card to lure users into launching a harmful executable.

Akonix identified the worm as W32/Aimdes.E and warned that the worm is executed once the IM user clicks on a link purporting to be a greeting card.

Upon execution, this memory-resident worm propagates and sends the following message to other users listed on the infected user's buddy list:

"The user has sent you a Greeting Card, to open it visit: http://g{BLOCKED}aol.com/index.pd?source=christmastheme?my_christmas_card.com"

Once the link is clicked, the worm automatically installs itself on the affected system and opens random ports to receive instructions from a remote attacker.

Aimdes.E also comes with a built-in IRC (Internet Relay Chat) client engine that connects the machine to an IRC channel to wait for several commands from a malicious user. This routine then compromises system security.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.

Copyright © 2005 Ziff Davis Media Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.