'Frankenstein' Attack Hits AIM
John E. Dunn
A potentially destructive new worm is targeting users of the America Online instant messaging service.
Called W32/Sdbot-ADD by Facetime Security Labs, the vendor that first reported a less harmful version some weeks ago, this worm has a troubling and innovative twist: it installs a rootkit-like backdoor on any machine it manages to infect.
Chris Boyd of Facetime, the researcher who discovered the new and dangerous W32/Sdbot-ADD malware bundle, describes it as a low-to-medium risk, but one the company is publicizing because of its dangerous effects. If it infected a PC, he would consider reformatting the machine from scratch, he said.
How it Works
An attack starts with an AOL Instant Messenger (AIM) user being asked to open a link, apparently at the request of an AOL "buddy" or contact. Clicking the link starts the infection sequence: a number of adware files are dropped, along with the rootkit component itself, lockx.exe.
Once on the PC, the malware attempts to shut down antivirus software, installs software that lets the PC be controlled remotely over IRC, and opens a backdoor for future attack. It also carries its own SMTP engine and collects e-mail addresses.
Facetime classifies it as the first IM rootkit because of the way it attempts to hide traces of its presence. The rootkit's use of IRC is considered especially dangerous because it lets attackers execute commands on the infected machine remotely.
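The chain described above (an IM client spawning lockx.exe, antivirus being shut down, then outbound IRC and SMTP traffic from the dropped file) is the kind of pattern an endpoint detection rule can be written against. The following Python is an added illustration, not Facetime's tooling or anything from the report: the log format, the sample events, the antivirus process name avguard.exe, the IM client name aim.exe, and the use of TCP port 6667 for IRC and 25 for SMTP are all assumptions made for the example. Only lockx.exe and the IRC/SMTP behaviour come from the article.

```python
"""Flag hosts showing the Sdbot-ADD style infection chain in endpoint telemetry.

Added example; the telemetry format and all process names except lockx.exe
are constructed for illustration and are not from the original article.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

IM_CLIENTS = {"aim.exe"}          # assumption: AIM client process name
ROOTKIT_IMAGES = {"lockx.exe"}    # the dropped file named in the report
AV_IMAGES = {"avguard.exe"}       # constructed antivirus process name
IRC_PORTS = {6667}                # assumption: default IRC port, not stated in article
SMTP_PORTS = {25}

# Constructed sample events (not captured from a real host).
# Format: <timestamp> <host> <event_kind> key=value ...
SAMPLE_EVENTS = r"""
2005-10-27T10:01:02 pc7 process_start image=C:\Program Files\AIM\aim.exe parent=explorer.exe
2005-10-27T10:01:40 pc7 process_start image=C:\WINDOWS\system32\lockx.exe parent=aim.exe
2005-10-27T10:01:41 pc7 process_stop image=C:\Program Files\AV\avguard.exe reason=terminated
2005-10-27T10:01:43 pc7 net_connect image=C:\WINDOWS\system32\lockx.exe dst=198.51.100.23:6667
2005-10-27T10:02:10 pc7 net_connect image=C:\WINDOWS\system32\lockx.exe dst=203.0.113.5:25
2005-10-27T10:05:00 pc9 process_start image=C:\Program Files\AIM\aim.exe parent=explorer.exe
2005-10-27T10:05:30 pc9 net_connect image=C:\Program Files\AIM\aim.exe dst=64.12.24.1:5190
"""


@dataclass
class Event:
    ts: str
    host: str
    kind: str
    fields: dict


# key=value pairs whose values may contain spaces (Windows paths); a value
# runs until the next " key=" token or end of line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Event:
    ts, host, kind, rest = line.split(" ", 3)
    return Event(ts, host, kind, dict(KV_RE.findall(rest)))


def basename(path: str) -> str:
    # ntpath handles backslash paths regardless of the analyst's own OS
    return ntpath.basename(path).lower()


def port_of(dst: str) -> int:
    return int(dst.rsplit(":", 1)[1])


def analyze(lines):
    """Return {host: [indicator, ...]} for every host with at least one hit."""
    findings = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        image = basename(ev.fields.get("image", ""))
        if ev.kind == "process_start" and image in ROOTKIT_IMAGES:
            parent = basename(ev.fields.get("parent", ""))
            # the article's delivery path: the IM client launches the dropper
            tag = "rootkit_dropped_via_im" if parent in IM_CLIENTS else "rootkit_started"
            findings[ev.host].append(tag)
        elif (ev.kind == "process_stop" and image in AV_IMAGES
              and ev.fields.get("reason") == "terminated"):
            findings[ev.host].append("av_terminated")
        elif ev.kind == "net_connect" and image in ROOTKIT_IMAGES:
            port = port_of(ev.fields["dst"])
            if port in IRC_PORTS:
                findings[ev.host].append("irc_c2")
            elif port in SMTP_PORTS:
                findings[ev.host].append("smtp_engine")
    return dict(findings)


def infected_hosts(findings, minimum=2):
    """Hosts with at least `minimum` distinct indicators, to cut single-event noise."""
    return sorted(h for h, tags in findings.items() if len(set(tags)) >= minimum)


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS.splitlines())
    for host, tags in result.items():
        print(host, tags)
    print("infected:", infected_hosts(result))
```

Requiring two distinct indicators before calling a host infected is a deliberate choice: a single outbound port-6667 connection is normal for a human IRC user, but the same connection coming from lockx.exe after an antivirus process was killed is not.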
Mix of Methods
Facetime's Boyd says the "Frankenstein-like" malware has strange properties that mark it out. Several of the adware components it installs have been seen before, for instance. What was innovative was the mixture of many different components, the installation of such a potentially dangerous executable, and the fact it attacks through the generally unprotected channel of instant messaging.
The infection route was also unusual: the link led to a blank page, whereas conventional "drive-by" infections drop malware from real Web pages.
Facetime's tests indicated that several antivirus programs were unable to detect the malware. That is not surprising, since most antivirus programs also do not monitor the IM channel. Once on a PC, the malware runs like any other unidentified executable.
"They (the malware writers) will push out many variants in order to confuse things," said Boyd, describing the new outbreak as probably a "dry-run attempt" for something to come.
Copyright © 2005 PC World Communications, Inc.