Rootkit-Armed Worm Attacking AIM
One of the more interesting developments this past week (and one that's helped keep me busy and away from posting here) is a new variant of the SDBot family which spreads over the AOL Instant Messenger (AIM) network. While there are a few variants of the URL and malcode installed, it's always the same order of operations:
The virus spreads via messages on AOL's AIM software, either saying HILARIOUS!!! or see thing!!!, with a URL. Clicking on the link takes the user to a web page that attempts to download a Trojan onto the computer using patchable flaws in the browser.
Source: AOL hit by IM virus, by Iain Thomson, posted to vnunet.com 28 Oct 2005.
This is the first variant of SDBot that I've seen that uses the AIM network to propagate, but otherwise this is a rapidly emerging trend for malware: bootstrap onto the system, download a number of tools including a rootkit and spyware, use an IRC network for your botnet, and continue propagating.
Other information on this threat:
- SpyWare, Worm Propagating On AOL Instant Messenger Installs Rootkit on Technology News Daily.
- Rootkit-Armed Worm Attacking AIM on InformationWeek.
- AIM worm plays nasty new trick on News.com.
- WORM.RBOT.CJN from Trend Micro.
It looks like most of the download sites have been taken down, but we'll certainly see more of this in the coming months.
Analysis and commentary
This shows that attackers have yet to really fully automate IM-based worms. They spam their victims, gathered from the user's buddy list, with URLs that the victims have to click to download the malicious software. Once we start seeing AIM or MSN Messenger exploits packaged into these, we'll see a fully automated IM worm. But so far that hasn't happened on a large scale, and I don't know why. I think it's only a matter of time before some enterprising malware author decides to break down that barrier.
Update
Added this post to the IM worm category; look there for more historical data on IM worms.
This type of worm is not new. When I started working at my current job (a .edu) in February and got to deal with my first IM outbreak, it was old news among both my co-workers and the UNISOG people (hopefully I don't get yelled at for mentioning that name again).
There are hundreds of variants of the initial trojan, and just as many for the actual rootkits, bots, and what exactly they do (from NetBIOS scanning to SSH scanning to hosting FTPs). The newer rootkits (within the last three or four months) are actually quite user-friendly; when you tell them to start scanning, they let you know how many active threads they're running, who they're attacking, what attack they're using (my favorite is the flavor that brute forces Windows boxes and then cheerfully reports to the controller).
As for propagation, the behavior I've seen is the worm will actually cull the user's "buddy list" either immediately or wait for a command from the botnet controller, and spam the message with the badness URL. They're actually quite amusing to watch once they're keyed to roll: You get a user with badness, and then boom, n-n2 outbound messages on 5190 (or whatever).
The first outbreak of this nature I dealt with (back in Feb) we got nailed for about 300 kids in three or four days. More recently, I turn off 10-15 kids a day.
Currently tracking these down is very easy, especially the ones that use IRC daemons, or things that act like IRC daemons, for a control network. Eventually they'll jump to using harder to detect methods, encryption... and *that* will suck. When they start exploiting bugs in the IM software, as you say, that will suck, too; it's a more common propagation method, but how many people *don't* run an IM of some flavor? And if they can't pop your client, they can still trojan you.
It's very annoying.
This SDBot clone is just another in a long line of worms propagating via IM. I'm pretty sure it's a couple months old, but I'd have to check my notes (and I gotta get running or I'll miss the pumpcon talks again this year!).
Posted by: bda | Oct 29, 2005 11:07:29 AM
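The propagation pattern the post's analysis and the comment above both describe (one infected host culling its buddy list and blasting the same URL-bearing message to every contact within seconds, visible as a burst of outbound traffic on 5190) is straightforward to spot from IM message logs. The following detector is an added example, not code from the original post or from any commenter: it assumes a constructed log of (timestamp, sending host, recipient, message text) records such as an IM proxy or IDS might produce, and flags any host that sends the same URL to many distinct recipients within a short window. The host names, screen names and the example.invalid URL are all constructed placeholders.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed IM message log: (time in seconds, sending host, recipient screen name, text).
# lab-pc-07 blasts the same lure (the page's "HILARIOUS!!!" text) to its whole
# buddy list in under a minute; lab-pc-09 is an ordinary user who shares one
# link with two friends and otherwise just chats. All values are made up.
SAMPLE_LOG = (
    [(1000 + i, "lab-pc-07", f"buddy{i:02d}", "HILARIOUS!!! http://example.invalid/pic.php")
     for i in range(15)]
    + [
        (1005, "lab-pc-09", "alice", "you around?"),
        (1030, "lab-pc-09", "bob", "check this http://example.invalid/notes"),
        (1031, "lab-pc-09", "carol", "check this http://example.invalid/notes"),
        (1400, "lab-pc-09", "dave", "lunch?"),
    ]
)


def url_bursts(log, window=60, min_recipients=8):
    """Return one alert per (host, url) pair that reaches at least
    `min_recipients` distinct recipients inside any `window`-second span.

    A worm spamming a buddy list produces exactly this shape: identical URL,
    one source host, many recipients, tight timing. A human sharing a link
    with a couple of friends stays far below the threshold."""
    events = defaultdict(list)  # (host, url) -> [(timestamp, recipient)]
    for ts, host, recipient, text in log:
        for url in URL_RE.findall(text):
            events[(host, url.lower())].append((ts, recipient))

    alerts = []
    for (host, url), evs in events.items():
        evs.sort()  # by timestamp, so the sliding window below is valid
        start, peak = 0, 0
        for end in range(len(evs)):
            # Advance the window start until all events fit in `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({r for _, r in evs[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_recipients:
            alerts.append({"host": host, "url": url, "recipients": peak})
    return alerts


if __name__ == "__main__":
    for alert in url_bursts(SAMPLE_LOG):
        print(f"{alert['host']} sent {alert['url']} to {alert['recipients']} buddies within a minute")
```

Counting distinct recipients rather than raw message count keeps a user who re-sends one link to the same friend from tripping the rule, and keying on the URL rather than the full message text survives small variations in the lure wording; the threshold and window are tuning knobs to set against the site's normal IM traffic.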
IM worms aren't, no, they've been around for well over a year. but this is the one of the first times i've seen SDbot/RBot/RxBot use AIM.
the "emerging trends" i am talking about here are things that are gaining momentum in 2005. check out http://www.wormblog.com/im_worms/ for more perspective and analysis on IM worms over the past year or so. a paper by chien and hindocha at VBConf 04 showed that an IM worm could spread to all victims faster than SQLSlammer did. clearly these are on people's radars.
the family of bots (RBot/SDBot/RxBot) is enormous, mainly because the code is widely available at this point. it's easy to fix bugs, add features, etc. it's amusing, in fact, to watch the quality of the malware improve, along with its capabilities. authors are getting better ...
Posted by: jose | Oct 29, 2005 1:15:44 PM
a vulnerability like this could cause severe chaos.
hopefully authors are getting better slowly, even traditional on IRC worms, IMHO. they have the limitation of stealthiness x speed of propagation, I don't think most of them care about being stealthy (although they technically should). IM worms may be an evolution toward this direction.
Posted by: vinicius | Oct 29, 2005 10:29:36 PM
Keeping it running sufficiently.
When I first got my computer I didn’t realize how important having antispyware was to keeping it running sufficiently. However, it didn’t take very long for it to become perfectly clear. If you don’t have a good scan you will have many problems that could be avoided so easily. Search-and-destroy Antispyware is a great option when it comes to scanning for bugs that will help you keep your computer running at its peak efficiency. The antispyware solution from Search-and-destroy which you will find at http://www.Search-and-destroy.com will help give your PC the protection it needs to keep it in good working condition.
Posted by: Chezy | May 1, 2009 1:25:01 PM