Security companies issued warnings yesterday (May 2) regarding a new computer worm that spreads through instant messaging (IM) networks.
The primary purpose of this worm is to “cultivate” bot systems – that is, networks of PCs that have been compromised by hackers.
The Nagache.a worm – as named by McAfee and Symantec – primarily spreads through AIM (AOL Instant Messenger), MSN Messenger, email, and peer-to-peer file-sharing networks.
At the same time, the worm installs a “drive-by download” component on the infected system, which lets malware be downloaded onto the system without the user’s knowledge, especially if the user’s PC has not been kept up to date with security patches.
The main objective of the Nagache.a worm is to install a “bot” – a control component – that facilitates communication with the operator.
However, unlike most bots today that are typically controlled through IRC channels, the bots installed by the Nagache.a worm are controlled through peer-to-peer networks. The information exchanged between the bot network and the operator is encrypted or, at the very least, not easily readable.
The command-and-control channel used here is particularly unusual. Because it runs over a peer-to-peer network, it is very difficult to block the commands sent to the bots or the data transferred through it, which allows the traffic to evade intrusion detection systems.
This poses a new challenge for experts researching ways to trace the control points of bot systems.
Although AOL has taken steps to block some IP addresses spreading the virus, numerous systems have been found to be infected with this worm.
Hoàng Dũng