IM Threats Growing 50% Per Month

A threat center devoted to instant-messaging hacks put numbers to what IM users already know: IM threats are on the upswing.
As three more worms targeted Microsoft's MSN Messenger Tuesday, a threat center devoted to instant messaging hacks released detailed statistics that put numbers to what IM users already know: instant message threats are on the upswing.

According to the IMlogic Threat Center, a coordinated effort by several vendors, including IMlogic, McAfee, Symantec, and Sybari Software, IM and P2P exploits have exploded in 2005, and have grown 50 percent each month thus far.

"IM viruses and worms are growing exponentially," said IMlogic chief technology officer Jon Sakoda, in a statement.

The threat center has warned of more than 30 widespread incidents of IM or P2P viruses, worms, or other malicious code thus far in 2005, said Sakoda, with the bulk--81 percent--of them aimed at instant messengers.

Seven out of ten attacks put MSN Messenger, Windows Messenger, and the MSN IM network in the crosshairs, reported the center, while Yahoo and AOL have been the target of just 18 and 12 percent of the attacks, respectively.

The disparity between MSN Messenger and other instant messaging clients continued to grow Tuesday, as three more anti-MSN Messenger worms appeared.

Two new variants for the Kelvir and one for Sumon (also called Serflog by some anti-virus vendors, and even Fatso by others) have debuted since Monday's news of a wave of IM worms hitting Microsoft's client and public IM network.

Like earlier iterations, Kelvir.c and Kelvir.d entice MSN Messenger users to click on a link, which in turn takes them to a malicious site where the code--a version of the Spybot worm--is downloaded to their system, opening it up for attack or hijacking by spammers.

Kelvir.c uses the phrase "hot pic!!" along with a link, while Kelvir.d uses "haha look at us" as its come-on. Kelvir spreads by sending itself to everyone on the compromised MSN Messenger's contact list.

Sumon.b, very similar to its predecessor, Sumon, propagates over the eMule peer-to-peer file-sharing network as well as MSN Messenger, disables a long list of security software, and tries to overwrite the HOSTS file so commonly accessed security Web sites can't be reached. Its hallmarks are IMs reading "My new photo!" and "The Cat And The Fan," along with malicious links that download the worm.

Also on the IM worm front, Finnish security firm F-Secure reported Tuesday that its analysis of Sumon.a showed an embedded message to the author of the Assiral worm, a mass-mailed worm from late last month that, among other things, tried to kill copies of the IM-oriented Bropia worm it found.

"The message is quite rude and blasts Assiral's author for trying to eliminate Bropia worm infection by creating a new worm," said F-Secure's warning of Sumon on its security team's blog. "I really hope we're not going to see another War of the Worms like the Bagle-Netsky-MyDoom war last year," added the analyst, Mikko Hypponen, the manager of the company's anti-virus research efforts, in the blog.

In early 2004, a tit-for-tat battle raged among the authors of the Bagle, Netsky, and MyDoom worms, with each new version trying to eradicate rivals. The war, which was waged for several weeks, was one reason why the first three months of last year were among the most virus-plagued ever, most security firms have said.

Editor's Choice
Samuel Greengard, Contributing Reporter
Cynthia Harvey, Freelance Journalist, InformationWeek
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Astrid Gobardhan, Data Privacy Officer, VFS Global
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing