Network News

X My Profile
View More Activity

November a Record Month for IM Worms

November produced a record number of computer worms that spread over instant-message programs like AOL Instant Messenger, Yahoo! Messenger and MSN Messenger, according to the latest stats posted by San Diego-based IM security firm Akonix.

The company tracked more than a threefold increase in new IM worms this month -- 62 compared with 19 in October. More than a third of those IM attacks hit more than one public network, and eight of them were able to spread across all of the major networks.

Microsoft's network was the most popular vector for mainstream IM worms for the 12-month period ending in September, but starting in October AIM seized that dubious honor, Akonix said.

No doubt Akonix released this data to create buzz for its products. Don Montgomery, the company's vice president of marketing, said studies show that fewer than 5 percent of companies use some kind of virus-filtering software for their instant-message applications. Maybe that's because, as he acknowledged, most IM worms going around today carry little in the way of a destructive payload.

"Most are more of a nuisance than anything else, sending out copies of themselves to everyone on your buddy list," he said.

By the way, he's talking about major-network IM worms. If you check out the company's stats, it's clear that the most prevalent messaging worms spread over Internet relay chat (IRC) networks.

The IRC worms tend to be far more problematic and dangerous, seeding victims' PCs with nasties like Mytob, IRCbot, Rbot and SDbot -- programs designed to turn infected machines into "zombies" that attackers can remote-control for a variety of illegal online activities.

Still, I happen to agree with Montgomery that we will soon start to see the mainstream networks become a prime vehicle for spreading more destructive and invasive viruses and worms.

By Brian Krebs  |  November 29, 2005; 1:52 PM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: The Truth About Anti-Virus Products
Next: Apple Update Patches 13 Flaws


People still use IRC? Wow. I thought it was a dying segment of the online universe 5 or 6 years ago.

Posted by: corbett | November 29, 2005 2:52 PM | Report abuse

uh... irc worms don't spread via irc. irc is the control channel, not a data channel in most cases.

the data channel is usually a microsoft exploit, more and more often the result of reverse engineering actual microsoft patches.

when the exploit does it's work on a microsoft product, the "worm" becomes active only after inserting itself as a virus, logic bomb, and/or (more often the case lately) a "rootkit". i prefer the term "backdoor", because the mechanism isn't important. the "worm" part is when it starts to spread itself.

one of the first popular backdoor tools was backorifice (i.e. BO). the irc control channel was popularized through a BO plugin called butttrumpet. these are classic proof-of-concept code, and kind of like a baseline architectural reference.

while BO didn't contain an explicit exploit or worm component... today's "worms" usually do. usually they have it all... take phatbot or sasser as case in points.

Posted by: dre | November 29, 2005 3:06 PM | Report abuse

Dre -- I'd take issue with your notion that IM worms don't spread on IRC. they most certainly do. Just spend a little time in one of the kiddie or carder channels and you'll see no fewer than a half-dozen bots spewing messages out to get people to click on links. granted, these aren't exactly the same as AIM worms or MSN IM worms, but they share similar behaviors.

Posted by: Bk | November 29, 2005 3:10 PM | Report abuse

Yes, as dre pointed out, there's a misunderstanding in this entry between the "spreading" of worms versus the "control" of a virus/worm. IRC is almost used for controlling a trojan or worm that has already taken over a PC through email, web, etc.

The linked statistics page may suggest that there are a lot of worms that "target" IRC, however, if you click on the link for each one you'll find that the actual spreading mechanism is "network shares" not IRC itself. The IM worms do in fact spread via IM in contrast to the supposed IRC worms.

Although you are probably right that IRC channels may spew links trying to get people to click on them, that is not considered a "worm" because it would still require the user's cooperation and a security hole in the browser or the user to install malware via the link in order to infect the user's PC.

Posted by: David | November 29, 2005 5:38 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company