America Online may have preferred a sweet treat this Halloween, but what it got instead was a nasty trick as a potentially destructive worm began targeting users of its AIM instant messaging service.
Dubbed W32/Sdbot-ADD by Facetime Security Labs, the worm installs a rootkit-like backdoor on any computer it can sneak into. A rootkit is an attacker toolkit that can capture passwords and message traffic to and from a computer while masking the fact that the system is compromised, among other malicious activities.
According to Moscow-based anti-virus developer Kaspersky Labs, the number of worms or Trojan horses equipped with rootkits more than tripled in the first half of 2005.
And Michael Sutton, director of the i-Defense Lab, told TechNewsWorld that rootkits are “evolving into new generations that are harder to detect.”
Facetime reports the worm is being passed between members on an AIM user’s Buddy List and within AOL chat rooms. The vendor first reported a less harmful variant of W32 weeks ago that was bundled with adware.
The executable provides an attacker with the capability to upload, download and monitor the infected host. The executable also attempts to shut down anti-virus programs and leaves a backdoor on the host PC to install additional software.
W32 in Action
Specifically, W32 installs a lockx.exe rootkit that connects to an IRC server and awaits remote commands from an attacker. Rootkits may include software to intercept data from terminals, network connections, and the keyboard.
W32 also acts as a vector for additional adware, worms and viruses, and it changes the user’s original search page to www.eza1netsearch.com/sp2.php. The worm often drives CPU usage to 100 percent after the malware is installed.
Finally, W32 downloads other applications, including 180Solutions, Zango, the Freepod Toolbar, MaxSearch, Media Gateway, and SearchMiracle. Facetime said all AIM PC users are at risk from the new instant messaging exploit.
How the Worm Hides
Sutton notes that the purpose of a rootkit is to hide itself, so that if a PC user went through the normal process of looking for malicious code on their machine, it would not appear because it “hooks into functions.”
Sutton offers an example: “You might use Task Manager within Windows to see what is running. The rootkit would be running but you would not see it because it taps into Task Manager and said, ‘Don’t show me.’”
Sutton said that while rootkits are not uncommon, what is uncommon is for malicious code to use a rootkit. That, he said, is why W32 is getting so much hype.
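The hiding technique Sutton describes, and the cross-view check defenders use against it, modelled as an added example that is not part of the article or of any vendor's tooling: the “rootkit” is a Python wrapper around a process-enumeration function that strips its own entry, and the detector compares that hooked view with an unhooked one. The process table, PIDs and names (apart from lockx.exe, which the article names) are constructed sample data.

```python
"""Toy model of a user-mode rootkit hiding a process from Task Manager,
plus the cross-view comparison that exposes the discrepancy.
All PIDs and process names are constructed sample data."""

# Constructed "true" process table, as a low-level query would report it.
KERNEL_PROCESS_TABLE = {
    4: "System",
    612: "csrss.exe",
    1048: "explorer.exe",
    1532: "aim.exe",
    2044: "lockx.exe",   # the backdoor named in the article
    2120: "taskmgr.exe",
}

HIDDEN_NAMES = {"lockx.exe"}  # what the toy rootkit wants to conceal


def enumerate_processes_raw():
    """Low-level enumeration: what an unhooked query returns."""
    return dict(KERNEL_PROCESS_TABLE)


def rootkit_hook(enumerate_fn):
    """Wrap the enumeration API the way a user-mode rootkit hooks it:
    call the real function, then strip its own entries before returning."""
    def hooked():
        return {pid: name for pid, name in enumerate_fn().items()
                if name.lower() not in HIDDEN_NAMES}
    return hooked


def task_manager_view(enumerate_fn=enumerate_processes_raw):
    """Task Manager trusts whatever the (possibly hooked) API hands back."""
    return enumerate_fn()


def cross_view_diff(high_level, low_level):
    """Cross-view detection: anything present in the low-level view but
    missing from the high-level view is a hidden-process candidate."""
    return {pid: low_level[pid] for pid in low_level if pid not in high_level}


def detect_hidden_processes(api_fn):
    """Run both views and return hidden processes (empty dict if clean)."""
    return cross_view_diff(task_manager_view(api_fn), enumerate_processes_raw())


if __name__ == "__main__":
    hooked_api = rootkit_hook(enumerate_processes_raw)
    print("Task Manager (hooked):", sorted(task_manager_view(hooked_api).values()))
    print("Hidden processes:", detect_hidden_processes(hooked_api))
```

On a real system the two views come from different code paths (for example a user-mode API call versus a lower-level query), which is why a hook that filters only one of them leaves a detectable gap.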
Uncommon Use of Rootkit
“People haven’t seen a worm use a rootkit before, at least from an instant messaging worm,” Sutton said. “But the major anti-virus vendors are covering it, and it looks like they are coming out with definition files that will detect it.”
According to Symantec rankings, the degree of damage W32 could do is high, but it is ranked low in terms of its prevalence in the wild.