Updated

Security researchers have traced October's W32/Sdbot-ADD worm attack against AOL's Instant Messenger network to a rootkit-powered botnet controlled by hackers in the Middle East.

With the botnet seeded, researchers at FaceTime Security Labs say the hacker group is now using a remote IRC (Inter Relay Chat) server to distribute a new malware payload with the potential to steal Microsoft Outlook Express e-mail passwords and log keystrokes.

The infected computers can also be used as a platform for launching attacks on Web sites or networks, he said.

"What is scary here, is the potential for mass damage that we have seen through monitoring this group nearly 24-7. They are slowly but surely building one of those huge botnets," said Chris Boyd, the researcher who broke the SDbot code and discovered the hidden rootkit.

Boyd said the second wave of attacks confirmed that the worm opened a back door for additional malware to be downloaded. It includes a "ster.exe" file that contains six additional files to provide the attacker with the capability to upload, download and monitor the infected host PC.

He said more than 17,000 users were found to be compromised on a single server. Multiple servers worldwide are under the control of the botnet owners, he added.

In the aftermath of the first detection of a rootkit component in an IM worm attack, FaceTime said that computers infected by the "lockx.exe" rootkit file are being further compromised by a group in the Middle East.

"We have delivered detailed research information to the U.S. federal authorities and are fully cooperating with their efforts," said FaceTime chief executive Kailash Ambwani.

Boyd said the second wave of attacks confirmed that the worm opened a back door for additional malware to be downloaded.

In an interview with Ziff Davis Internet news, Boyd said hackers in several known Middle East countries are using IRC (Internet Relay Chat) servers to communicate with the rootkit and install programs that are capable of stealing usernames, passwords and other personal information from infected systems.

Citing the ongoing FBI investigations, Boyd declined to provide specifics on his findings.

He said the hackers left specific traces in the malware code, including "the affiliate money trail" associated with commissions paid for spyware program installations.

"Certain things we found inside the files left very strong trails. We've given all the evidence to the FBI and they're aggressively investigating," said Boyd, who used the "paperghost" moniker.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.

Copyright © 2005 Ziff Davis Media Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.