New IM Worms Hit MSN Messenger - InformationWeek

New IM Worms Hit MSN Messenger

New worms spreading through MSN Messenger -- and its bundled-with-Windows Windows Messenger version -- via links to a malicious site are infecting users and leaving their PCs open to hacker hijack, security vendors reported Monday.

The new worms, tagged as Kelvir.a and Kelvir.b, appeared over the weekend and on Monday, respectively, anti-virus vendors said. Both use the same mechanism to attract users and infect Windows-based PCs: they include a link in the instant message. That link, in turn, downloads a malicious file -- the actual worm, a variant of the long-running Spybot -- which opens a backdoor to the compromised machine.

Kelvir spreads by sending itself to all the MSN/Windows Messenger contacts on the infected PC, and poses as cryptic messages such as "lol! see it! u'll like it!" and "omg this is funny!" The link opens a .pif-formatted file.

.pif files are also often a format-of-choice for mass-mailed worms.
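The lure pattern described above (a short teaser phrase plus a link to a directly executable file such as a .pif) is something an IM gateway or proxy can screen for. The following is an added illustration, not code from the article or from any vendor it names; the message samples and the lure phrase list are constructed from the phrases quoted in the article.

```python
import re
from urllib.parse import urlparse

# Constructed sample of IM message text as a gateway might log it (not real captures).
SAMPLE_MESSAGES = [
    "lol! see it! u'll like it! http://example.invalid/pics/funny.pif",
    "omg this is funny! http://example.invalid/lol.PIF",
    "meeting moved to 3pm, see http://intranet.example.invalid/cal",
    "check this http://example.invalid/report.pdf",
]

# Link targets Windows will execute directly; .pif is the one the article names.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat"}
# Lure phrases quoted in the article, matched case-insensitively outside the URL.
LURE_PHRASES = ("see it", "u'll like it", "this is funny", "lol")

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def extract_urls(message):
    """Return every http(s) URL found in the message text."""
    return URL_RE.findall(message)


def is_executable_link(url):
    """True when the URL path ends in an extension Windows runs as a program."""
    path = urlparse(url).path.lower()
    return any(path.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def classify(message):
    """Score one message: executable link plus a lure phrase -> block;
    executable link alone -> quarantine for review; otherwise allow."""
    urls = extract_urls(message)
    exe_links = [u for u in urls if is_executable_link(u)]
    # Strip URLs before lure matching so a filename like lol.pif does not count twice.
    text_only = URL_RE.sub("", message).lower()
    lures = [p for p in LURE_PHRASES if p in text_only]
    if exe_links and lures:
        verdict = "block"
    elif exe_links:
        verdict = "quarantine"
    else:
        verdict = "allow"
    return {"verdict": verdict, "executable_links": exe_links, "lures": lures}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(classify(msg)["verdict"], "<-", msg)
```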

Also on Monday, another worm -- dubbed Sumon.a by U.K.-based Sophos -- was discovered spreading via MSN/Windows Messenger. Sumon, which propagates over peer-to-peer file-sharing networks as well, is much more aggressive. It disables a long list of security software, tries to overwrite the HOSTS file so commonly-accessed security Web sites can't be reached, and picks from a large number of links, including "Fat Elvis! lol!" and "Crazy frog gets killed by train!" to entice downloads.
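Overwriting the HOSTS file so that security vendors' update and download sites resolve to the local machine is the tampering the article attributes to Sumon. A host-based check can catch it by parsing the file and flagging any entry that pins a protected domain. This is an added example, not the article's or Sophos's code; the HOSTS content and the watch list of domains are constructed for illustration.

```python
from ipaddress import ip_address

# Constructed HOSTS content imitating the tampering described (not from a real infection).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       securityresponse.symantec.com
0.0.0.0         update.example-av.invalid
127.0.0.1       my-own-dev-box.local
"""

# Hypothetical watch list: vendor and update domains that a HOSTS file should never pin.
PROTECTED_DOMAINS = {"sophos.com", "symantec.com", "example-av.invalid"}


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every valid HOSTS entry, skipping comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not an address
        for host in parts[1:]:
            entries.append((lineno, addr, host.lower()))
    return entries


def domain_matches(host, watched):
    """True for the watched domain itself or any subdomain of it."""
    return host == watched or host.endswith("." + watched)


def find_tampering(text):
    """Report every HOSTS entry that maps a protected domain anywhere.
    Loopback or 0.0.0.0 means the site is blackholed; any other address is a redirect."""
    findings = []
    for lineno, addr, host in parse_hosts(text):
        for watched in PROTECTED_DOMAINS:
            if domain_matches(host, watched):
                kind = "blackholed" if addr.is_loopback or addr.is_unspecified else "redirected"
                findings.append({"line": lineno, "host": host, "address": str(addr), "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_tampering(SAMPLE_HOSTS):
        print(f)
```

On a live system the same function can be run over the contents of %SystemRoot%\System32\drivers\etc\hosts; a clean file normally contains no entry for any vendor domain at all.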

The boom in IM worms shouldn't come as a surprise: most security companies that made prognostications in late 2004 cited instant messaging as the next big attack avenue.

"The number of threats is increasing," said John Sakoda, the chief technology officer at IMLogic, an IM security and management vendor. "In January we had four high- or medium-risk IM threats, and in February, we had 11. So far in March, we've had four, which puts us on a pace for well over 20."

IM, said Sakoda, is an unprotected channel in many enterprises, something hackers know and exploit. "For them, it's the path of least resistance."

Worse, IM exploits can spread extremely fast, faster than mass-mailed threats, and on par with the network-attacking exploits such as MSBlast of 2003 and Sasser of 2004. "Once [hackers] get it right, the speed with which the attack spreads is very quick."

Nor is it any surprise to Sakoda that MSN Messenger (and its Windows Messenger sibling) is the most frequent target. "You have to remember where a lot of these worms originate," he said. "Overseas. And although AOL and Yahoo have much bigger market share here in the U.S., MSN is really the only one with a major global network."

But another reason -- one less well-known, said Sakoda -- is that Microsoft's IM clients, and its network, can be accessed through APIs. "They're embedded in the operating system, and allow experienced hackers a way to take over the MSN client." The experience hackers have in breaking down Windows also helps explain the high number of IM worms that exploit Microsoft's clients and network.

That's not what happened Monday. The Kelvir and Sumon worms are simple socially engineered worms; "low-hanging fruit," Sakoda called them. But earlier attacks, such as the Bropia worm, have used MSN Messenger's already-running processes to execute worms automatically. "That's very, very dangerous," said Sakoda.

Those are the kinds of threats that keep security experts like Sakoda up nights.

"It's as if the hackers got together and decided that this will be the year to try to add IM to their arsenal," he said.

IMLogic runs the IM Threat Center, a site that, in cooperation with anti-virus vendors including Symantec and Sophos, has been listing emerging IM and P2P exploits since December 2004. The company also offers a free IM threat analyzer, called IM Detector Pro, for download from its site.
