Malware writers have developed IM worms capable of attacking all major IM networks, according to Kaspersky Lab, one of the worlds leading anti-virus companies. The company predicts that the industry will witness a rise in IM worms which can spread via multiple IM networks, triggering the demise of traditional IM worms, such as Bropia, Kelvia and Prex, which spread via single IM networks, such as MSN.
IM worms such as IRCBot.lo, discovered by Kaspersky in January, will represent the greatest IM threat, as they can spread to a large number of networks and can use variable messages and download links.
In most cases, an IM worm should not be viewed as a stand alone piece of malware, but rather as a slave which is used to help the IRCBot spread, says Roel Schouwenberg, Senior Research Engineer, Kaspersky Lab. The appearance of IRCBot.lo, which represents the ultimate in IM worm functionality, demonstrates that IM is an infection vector which has not yet been exhausted. The worrying thing about IM worms like IRCBot.lo is the code that is used to write them can be easily copied, potentially resulting in a significant increase in IRCBots which can spread links across all major IM networks. It therefore seems likely that we may start to see reports of other IM networks being increasingly targeted in the future.
Schouwenberg believes sophisticated IM worms, such as IRCBot.lo, will signal the demise of the traditional IM worm: Since IM worms first appeared, there have been significant changes in distribution methods, in the sophistication of the code used and in the IM networks targeted. Additionally, dynamic messages help increase the lifecycle of malware and of botnets, and the use of controlled spreading helps malware authors evade unwanted attention.
The ability to spread malware via IM is something which malware authors will undoubtedly continue to use as part of a multi-featured IRCBot. However, it is likely that dedicated malware which only exists to spread via IM, i.e. early variants of IM worms, will die out.
It is not just PCs, however, that are vulnerable to IM worms Macs are also at risk. On February 13 2006, the first worm for Mac OS X was discovered: an IM worm named OSX/Leap.A that spreads via Apples IM application, iChat. Apples small share of the global PC market has, until now, protected Macs from the unwanted attention of malware authors. However, as Apple systems become more popular, this will change once critical mass is reached, more malware will undoubtedly start to appear, says Schouwenberg. Even though malware like IM-Worm.OSX.Leap.a is a proof of concept code with no obvious malicious payload, it proves that Mac OS X does contain security flaws, which can be used to compromise the operating system. Whether proof of concept code such as Leap will be used for financial gain in the near future remains to be seen. Although, history shows that once vulnerabilities are identified, malware writers are never far behind.
The threat to IM is becoming more and more significant as adoption among home and business users continues to grow. According to IDC Collaborative Reporting, in 2005 more than 28 million business users worldwide sent nearly 1 billion messages each day, and in the next few years IDC expects IM to continue to grow into its role as a substantial business collaboration tool.
Meanwhile, according to AOL, nearly one in four (23 per cent) IM users in the UK send as many or more IMs than they do emails, with the number rising to nearly half (44 per cent) among 18-24-year-olds. Popular uses for IM include chatting with family or friends, particularly those who are abroad and sharing files and/or photos.
As with most threats on the Internet, business and home users can help keep themselves safe by taking basic precautions:
Related links: (Open in a new window.)
www.viruslist.com/en/analysis?pubid=191386185
www.viruslist.com/en/analysis?pubid=191968025
View printable version (opens in new window)
Back