IM worms: A 2005 review
2005 has been a busy year for IM-based worms, as the table below shows. So far the state of the attack seems to be link spamming over AIM, and this trend shows no sign of stopping. Consider this the same developmental stage as the late 1990s for e-mail-based worms: no client-side vulnerability attacks with specific exploits, just spamming and hoping someone is dumb enough to click.
| Date First Seen | Latest Date Seen | Threat Family Name | IM Networks Affected | Brief description |
|---|---|---|---|---|
| January, 2005 | January, 2005 | MyDoom.AL (a variant of the mass mailer family) | ICQ | Link spamming, joins a botnet |
| January, 2005 | February, 2005 | Bropia | MSN Messenger | Link spamming |
| February, 2005 | February, 2005 | Aimdes | AIM | Link spamming |
| March, 2005 | December, 2005 | Kelvir | MSN Messenger | Link spamming, downloads a Spybot variant |
| April, 2005 | May, 2005 | Picrate | AIM | Link spamming, downloads a Spybot variant, and joins a botnet |
| April, 2005 | July, 2005 | Opanki | AIM | Link spamming, downloads a Spybot variant, and joins a botnet |
| April, 2005 | August, 2005 | Chod | MSN Messenger | Link spamming, installs spyware, joins a botnet |
| April, 2005 | April, 2005 | Velkbot | AIM, Yahoo!, MSN Messenger | Link spamming, installs spyware, joins a botnet |
| April, 2005 | April, 2005 | Gabloliz | AIM | Link spamming, joins a botnet |
| May, 2005 | May, 2005 | Pinkton | AIM | Link spamming |
| May, 2005 | May, 2005 | Doyorg | AIM | Link spamming, joins a botnet |
| August, 2005 | August, 2005 | Guapim | AIM, MSN | Link spamming, downloads a Spybot variant |
| October, 2005 | October, 2005 | Loxbot | AIM | Link spamming, joins a botnet |
| November, 2005 | November, 2005 | Yimper | AIM, Yahoo! | Link spamming |
| December, 2005 | December, 2005 | Santa | AIM, ICQ, MSN, Windows Messenger, Yahoo! | Link spamming related to holiday activity. Malicious software and a rootkit are downloaded and installed. |
| December, 2005 | December, 2005 | Dinoxi | AIM | Link spamming, joins a botnet |
| December, 2005 | December, 2005 | Myspace | AIM | Link spamming, some user interactivity |
So, what can you do to stop this? Again, taking the network-centric approach: run your own message router or proxy and look at the out-degree of the clients (i.e., how many people they try to contact in a short period of time), look for self-similar messages, and throttle the message rate. eWeek covered some of this and more in "IM Threats: The Dark Side of Innovation", an article on defense measures against IM-based attacks.
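The three proxy-side checks above (out-degree, self-similar messages, message-rate throttling) can be sketched as a per-sender sliding window. This is an added example, not code from the original post; the class name, the thresholds and the sample traffic are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# All thresholds are assumed values for illustration; tune against real traffic.
WINDOW = 60.0        # seconds of history kept per sender
MAX_OUT_DEGREE = 5   # distinct recipients allowed per window
MAX_SIMILAR = 3      # near-identical messages allowed per window
MAX_RATE = 10        # total messages allowed per window

def fingerprint(text):
    """Collapse case, digits and whitespace so lightly varied link spam matches."""
    text = re.sub(r"\d+", "0", text.lower())
    return re.sub(r"\s+", " ", text).strip()

class ImProxyMonitor:
    """Hypothetical per-sender sliding-window check run at an IM proxy."""
    def __init__(self):
        self.history = defaultdict(deque)  # sender -> (ts, recipient, fingerprint)

    def check(self, ts, sender, recipient, text):
        events = self.history[sender]
        while events and ts - events[0][0] > WINDOW:
            events.popleft()               # drop events older than the window
        fp = fingerprint(text)
        events.append((ts, recipient, fp)) # attempts count even if throttled
        reasons = []
        if len({r for _, r, _ in events}) > MAX_OUT_DEGREE:
            reasons.append("out-degree")
        if sum(1 for _, _, f in events if f == fp) > MAX_SIMILAR:
            reasons.append("self-similar")
        if len(events) > MAX_RATE:
            reasons.append("rate")
        return ("throttle" if reasons else "deliver"), reasons

def replay(log):
    """Run a message log through a fresh monitor; return (sender, action, reasons)."""
    monitor = ImProxyMonitor()
    return [(s, *monitor.check(ts, s, r, t)) for ts, s, r, t in log]

# Constructed sample traffic: (timestamp, sender, recipient, text)
CHAT = ["hi", "lunch today?", "sure, noon", "see you there"]
SAMPLE = [(i * 10.0, "alice", "bob", t) for i, t in enumerate(CHAT)]
SAMPLE += [(100.0 + i, "infected_host", f"buddy{i}",
            f"is this you? http://example.invalid/pic{i}.jpg") for i in range(8)]

if __name__ == "__main__":
    for row in replay(SAMPLE):
        print(row)
```

On the constructed traffic, the ordinary conversation is delivered untouched, while the link-spamming client is throttled from its fourth message on, first for self-similarity and then for out-degree as well.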
December 24, 2005 in IM worms, new trends | Permalink
Comments
Question: What definition of "worm" are you using in your classification? All of the above (to the best of my knowledge) require human interaction. Some purists would argue that they aren't viruses either, but that term is probably closer to the mark.
Posted by: Dan Ellis | Jan 4, 2006 7:23:52 AM