Instant Message Worms Get Mean

For the longest time, worms circulating over instant messaging networks like AOL Instant Messenger (AIM), Yahoo!, MSN and ICQ were considered more childish than harmful, threats that for the most part simply spread themselves to everyone in a victim's buddy list.

As evidenced by a recent spate of particularly nasty IM worms, however, those days are fading fast. The latest IM worm to make the news -- dubbed IM.GiftCom.All by security firm IMLogic -- arrives in an instant message from someone who has you on their buddy list, urging you to click on a link to view a Santa Claus file. While the link appears to display an image of jolly ol' St. Nick, it quietly installs a rootkit on the victim's PC as the image is being displayed. The worm also tries to disable anti-virus and firewall software and drops a keylogger on infected machines.

The definition of a rootkit varies depending on whom you ask. But generally speaking, rootkits are designed to help malware remain hidden on your machine, and decently designed rootkits can successfully hide from anti-virus software. In most cases, when a rootkit takes hold of a system, security experts consider it "game over" -- that is, only a system reinstall can guarantee that attackers do not still have a foothold on the affected system.

I'm afraid that destructive and invasive IM worms such as this IM.GiftCom.All will become just as common as e-mail-borne threats in the coming year. A great many companies now filter executable files and other viruses that arrive via e-mail, but relatively few do the same for IM traffic. According to IMLogic's latest quarterly report, some 300 million IM users send more than one billion messages per day, and the company projects that IM traffic will surpass e-mail traffic by the end of 2006. The company found that IM threats increased roughly 1500 percent in the 12-month period from Oct. 2004 to Oct. 2005.

Disturbingly, IMLogic said traditional anti-virus updates to detect IM threats were available for just six percent of reported threats at the time the worms were first spotted online. That means that unless users are super-vigilant about not clicking on links that arrive in IM (at least until they verify that the link was indeed sent by their buddy), most people who fall for these social engineering malware scams will not know their PC is infected. That is, of course, until an appropriately cautious someone on that victim's buddy list asks the question, "Hey, did you mean to send this? What gives?"

By Brian Krebs  |  December 22, 2005; 11:45 AM ET
Categories:  Latest Warnings  

Comments

Rootkits are so passe. Don't be afraid, just get a decent operating system and stop wasting so much time and money on proprietary "solutions".

Posted by: Alan Pater | December 23, 2005 6:30 AM | Report abuse

>>urging you to click on a link

Brian, you just put your finger on the real problem -- current versions of IM clients (other than MSN Messenger) don't allow you to disable the automatic conversion of text URLs into hyperlinks. Developers (or their managers) might say, "Why would anyone want to disable hyperlinks in IM?" Worms like these are why. The inability to shut off this "feature" of creating hyperlinks by default is a design flaw in the application.

>>unless users are super-vigilant about not clicking on links that arrive in IM

The point is, they shouldn't have to be "super-vigilant" -- their ability to click on any old link in IM should be disabled by default in the IM client (and I might suggest requiring an admin password to change the setting). Users can't click on links that are never presented to them....

Posted by: Mark Odell | December 26, 2005 7:27 PM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company