Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

Worms and Instant Messaging

It has been nearly four years since the first worm to spread via an instant messaging program, the Hello worm, appeared on the AOL Instant Messenger network. At that time, IM program worms were more of a curiosity. Despite a significant number of doomsday predictions from the media, few of these worms actually ended up becoming common. Those that made it into the field were typically quick burners, dropping off the radar in a few days when most worms last weeks. However, recent worms have proven that IM programs are a significant potential distribution area for new worms.

Instant Messengers vs. Email
One thing to consider when assessing the risk of instant messaging worms is that the target audience is different from that of email worms. Users of instant messaging programs are typically younger and much less likely to be corporate users. As IMing is generally more fast-paced than emails, it is also more likely that users will accept files without much discretion. However, it is also easier to ask about a suspicious file via instant messenger than it is in email.

With only a small range of major instant messengers out there, there is opportunity to solve many of the problems that have plagued email as an open standard. Together, AOL Instant Messenger, MSN Messenger, Yahoo Messenger, and ICQ make up the lion's share of the US IM market, with similar programs popular throughout the world (Asia is the home to many alternative IM programs). Three companies thus control almost all of the IM market (AIM and ICQ are both owned by AOL). These companies can, and have, enforced security standards and provided warnings. However, it has been demonstrated that, despite warnings, users will gladly accept files if they do not understand what they are. Education is a major problem on the IM front.

Case study
On the morning of March 6, 2005, I received a report of a small outbreak of an undocumented AOL Instant Messenger worm among roughly a dozen users belonging to a group interested in climatology and Internet broadcasting. The report came from one of the infected users, who resides in Ohio. The worm (which I will refer to as Ostow here for the sake of simplicity) appeared to randomly set away mode. In the away message was a link to a .pif file on a remote Internet server (at this time, the file remains up) and a promise that the file contained “beach photos.”

The user explained that he had opened the file, assuming that the .pif extension stood for “something like Picture Image Format.” Since the file was hosted offsite, not sent via AOL Instant Messenger, there was no warning that the file could be harmful other than the download notification in Internet Explorer. He opened the file and became infected with Ostow; subsequently, a number of other members of the community clicked on his away message and became infected. None realized that anything was wrong until the Ohioan user observed that his status was changing to away randomly.
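
As an added illustration of the point above (this is not code from the original article), here is a small Python heuristic that an IM client or gateway could apply to away-message text: it flags links whose filename ends in a Windows executable extension such as .pif, and separately notes names like photo.jpg.pif that place an image extension in front of the real one. The host names and messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# File types Windows will run directly when opened. A .pif is a Program
# Information File that launches a program; it is not an image format.
EXECUTABLE_EXTENSIONS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs"}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "bmp"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def classify_link(url):
    """Describe the file an away-message link points at."""
    path = urlparse(url).path            # drops any ?query=... part
    name = path.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # "beach.jpg.pif": an image-looking inner extension before the real one.
    inner = parts[-2] if len(parts) > 2 else ""
    return {
        "url": url,
        "filename": name,
        "executable": ext in EXECUTABLE_EXTENSIONS,
        "disguised_as_image": ext in EXECUTABLE_EXTENSIONS
        and inner in IMAGE_EXTENSIONS,
    }


def flag_message(text):
    """Return a finding for every link in a message that points at an executable."""
    findings = (classify_link(u) for u in URL_RE.findall(text))
    return [f for f in findings if f["executable"]]


# Constructed sample away messages (not real worm text, not real hosts).
SAMPLE_MESSAGES = [
    "check out my beach photos! http://example.invalid/pics/beach_photos.pif",
    "lol look http://example.invalid/dl/summer.jpg.pif?id=42",
    "new pics up at http://example.invalid/album/beach.jpg",
    "brb, dinner",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for finding in flag_message(msg):
            note = " (disguised as an image)" if finding["disguised_as_image"] else ""
            print(f"WARNING: link to executable {finding['filename']!r}{note} in: {msg!r}")
```

The check is only a prompt for the user or a gateway to pause; a link that merely looks safe still deserves the same caution the article recommends.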

Eventually, HijackThis was installed on an infected machine in Louisiana, and a suspicious file masquerading as the BitDefender antivirus program was discovered to contain what was detected as a “variant W32/Spybot” and a dropper from the web site, detected as a “variant W32/SDBot.” Despite several hits on Google that mentioned the AIM away message, it appeared that all detections were generic and Ostow was not recognized specifically by antivirus programs (neither W32/Spybot nor W32/SDBot are described as AOL Instant Messenger worms). Manual removal instructions were created and followed by all infected users, and no infections have since been reported.

This case is not exceptional other than that it shows the confusion that can result from unknown worms spreading via AOL Instant Messenger. Without assistance from knowledgeable users, the average person infected by a worm like Ostow could do nothing to fix their problem and likely would ignore the problem, allowing the worm to spread further. It also shows how a worm can spread among members with linked AOL Instant Messenger relations.

Conclusion
With an increasing number of IM worms, and the recent medium risk rating received by Bropia.P, increasing attention is deservedly being given to this growing threat area. With detection often spotty, and users who are less tech-savvy and less likely to submit discovered worms to antivirus companies, IM worms may soon become a top-tier vector for new threats in the upcoming months.