Tuesday, November 01, 2005

New Worm Targets AOL Instant Messenger

Jay Wrolstad, newsfactor.com
Mon Oct 31, 4:23 PM ET



A dangerous new worm is spreading through the AOL Instant Messenger (AIM) network. Identified by security experts, it provides hackers with an opening for installing all kinds of malware on compromised PCs.

The W32/Sdbot-ADD worm is particularly nasty because it includes what is called a "rootkit," which is software designed to go to the root of an operating system, circumventing virus protection and firewall software.

When a machine is compromised with such software, it gives hackers the ability to execute remote commands and install anything they want on the vulnerable PC.

New Attack Vector

"This is the first time a rootkit has [targeted] instant messaging," said Tyler Wells, senior director of engineering for instant-messaging security specialist FaceTime Communications.

Wells explained that this worm goes far beyond installing a single version of malware. The rootkit, he said, can include software to intercept data from network connections and even from the keyboard. It also acts as a vector for installing adware, worms, and viruses.

The worm works by targeting AIM users, who might get what appears to be a message from someone on a buddy list asking them to click on a link in the message. If they comply, the virus is downloaded to the machine.

Disturbing Trend

The worm was detected in a "honey pot" machine set up by FaceTime to track malware on instant-messaging networks and to monitor Web sites for malicious code and hazardous URLs.

FaceTime indicated that all AIM users are at risk.

"This is part of a disturbing trend, and attacks based on instant-messaging clients will only get worse over time," Wells said.

FaceTime noted that in the past year there has been a 20-fold increase in the number of worms and viruses hitting messaging clients.

The best advice for AIM users is to avoid clicking on any URLs included in instant messages, even if the links look legitimate.
