The unexpected appearance of a rootkit inside a worm that spreads over instant messaging (IM) networks has raised fears that attackers are now capable of mounting fully automated worm attacks on IM platforms.
In a recent attack on America Online's AIM network, the lockx.exe rootkit was bundled with the W32/Sdbot Trojan, which downloads and installs a variety of hidden malicious software on the infected machine. This marks the first time SDBot has been seen in an attack delivered over IM.
“The situation indicates that the current landscape is ripe for automated worm attacks on IM networks. Typically, such attacks can cause significant damage,” said Jose Nazario, a senior software engineer at the security company Arbor Networks Inc.
Nazario, who also researches computer worms, said the presence of SDBot in the recent IM attack reflects a growing trend toward multi-stage malware. Once it infects a user's computer, it downloads a range of other tools, including rootkits and spyware, and then joins an IRC network through which the attacker controls the botnet and directs further spreading.
According to Nazario, those who write IM worms have become adept at manipulating infected computers and the contact lists of their instant messaging applications to spread viruses and other dangerous software.
Chris Boyd, an expert from FaceTime Communications who discovered the rootkit and SDBot in the recent AIM attack, shares Nazario’s viewpoint.
Boyd believes that embedding rootkits in the “spyware virus toolkit” is a new attack method, a way of spreading backdoor Trojans to gain control of users' computers. For example, the lockx.exe rootkit is programmed to connect to an IRC server and execute commands from an attacker who wishes to remain anonymous.
Earlier this year, Microsoft expressed serious concern that its MSN Messenger could also be used for automated worm attacks and had to patch the security flaws in its IM application immediately. At the time, exploit code for MSN Messenger vulnerabilities spread widely within 24 hours, before Microsoft had finished patching the holes.
Tyler Wells, senior technical director at FaceTime Communications, suggested that buffer overflow vulnerabilities in IM applications are a recipe for disaster. “We have seen documents describing how to exploit security flaws that allow the remote execution of malicious code in IM applications. When aggregated, these are not much different from automated worm attacks. Moreover, in this type of attack, hackers don’t need to trick anyone into clicking on a hyperlink.”
“Attackers will initially target inherent vulnerabilities in IM applications. For instance, AIM has added a feature to update the avatar image next to each user ID on the friends list or play a song without needing to click. All modern instant messaging applications combine features like VOIP, file transfer, photo sharing, or internet radio. Such additions always raise security concerns. Whenever an IM application adds a third-party feature, the good news is that you gain a new function, but the downside is that you inherit all the security issues of that application.”
Nazario added that research shows automated worm attacks on IM networks can spread very rapidly. “The worst-case scenario revealed by these studies is that any IM application connected online at the time of the attack will become infected; it's merely a matter of time.”
“Automated IM worm attacks are inevitable and can happen at any moment. I am surprised there hasn’t been such an attack yet. This is a very effective and fast method of spreading dangerous software. Users need to be even more vigilant,” Nazario concluded.
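As an added illustration of the propagation dynamics Nazario describes, and not code from the article, Arbor Networks or FaceTime, the following Python simulation spreads a worm over a constructed, random buddy-list graph. Each infected host messages every contact on its list; a signed-on contact who clicks the link is infected and spreads in the next round. The graph, the online set and the click probability are all assumptions made up for the example. With a click rate of 1.0 the worm reaches every user who is online and connected, which is the worst case the studies describe; lowering the click rate models the user vigilance the article calls for.

```python
import random
from collections import deque

# Constructed synthetic data: a small IM "buddy list" graph plus a map of which
# users are signed on. None of this comes from the incident in the article; it
# only illustrates how a worm that abuses contact lists propagates.


def build_contact_graph(n_users, contacts_per_user, seed=1):
    """Random undirected buddy-list graph: each user adds a few random contacts.
    Requires n_users > contacts_per_user so the loop can terminate."""
    rng = random.Random(seed)
    graph = {u: set() for u in range(n_users)}
    for u in range(n_users):
        while len(graph[u]) < contacts_per_user:
            v = rng.randrange(n_users)
            if v != u:
                graph[u].add(v)
                graph[v].add(u)
    return graph


def reachable_online(graph, online, start):
    """Users reachable from `start` through chains of signed-on contacts (BFS).
    This is the upper bound on what the worm can infect while the set of
    online users stays fixed."""
    seen = {start}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in seen and online[v]:
                seen.add(v)
                queue.append(v)
    return seen


def simulate_im_worm(graph, online, patient_zero, click_rate=1.0, seed=1):
    """Round-based spread. Each round, every newly infected host messages
    every buddy on its list; a signed-on buddy who clicks (probability
    click_rate) is infected and messages its own list in the next round.
    Returns (infected set, cumulative infected count after each round)."""
    rng = random.Random(seed)
    infected = {patient_zero}
    frontier = [patient_zero]
    history = [1]
    while frontier:
        newly = []
        for u in frontier:
            for v in graph[u]:
                if v in infected or not online[v]:
                    continue          # already owned, or not signed on
                if rng.random() < click_rate:
                    infected.add(v)
                    newly.append(v)
        frontier = newly
        if newly:
            history.append(len(infected))
    return infected, history


if __name__ == "__main__":
    graph = build_contact_graph(n_users=300, contacts_per_user=4)
    rng = random.Random(7)
    online = {u: rng.random() < 0.6 for u in graph}   # assume ~60% signed on
    online[0] = True                                   # patient zero is online
    for rate in (1.0, 0.5, 0.1):
        infected, history = simulate_im_worm(graph, online, 0, click_rate=rate)
        print(f"click_rate={rate}: {len(infected)} of {sum(online.values())} "
              f"online users infected in {len(history) - 1} rounds")
```

The number of rounds to saturation is just the breadth-first depth of the contact graph from patient zero, which on a real buddy-list graph is small; that is why the studies Nazario cites conclude that every connected user is infected in short order. Offline users are never touched in this model, so the only defences it leaves room for are a lower click rate (users who do not follow the link) and a smaller connected online population (clients blocked or signed off). Users who come online later would extend the reachable set, which the simulation does not model.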
HVD – (eWeek)