Cyber-attackers are delivering an early Christmas gift this holiday season, albeit one more unwanted than the proverbial bag of coal. This Christmas-themed worm attack is not leaving anyone out. It’s delivering its rootkit payload to instant messaging (IM) users of AOL, MSN, Windows Messenger, ICQ and Yahoo networks.
A rootkit is a set of hacker tools that captures passwords and message traffic to and from a computer. This collection of tools allows a hacker to open a backdoor into a system, collect information on other systems in the network, and mask the fact that the system has been compromised.
Dubbed IM.GiftCom.All by researchers at IMlogic’s Threat Center, which discovered it on Monday, the worm is spreading via IM by tricking users into clicking on a malicious link. IMlogic describes the risk level as “medium.”
The worm broadcasts a URL over IM clients that downloads an executable file, often named gift.com. When executed, the file hides itself and scans the registry, file system, and Internet cache.
By operating as a rootkit, the process is hidden from all tools and anti-virus software. IMlogic reports that it also attempts to shut down anti-virus software and makes several networking calls. It even allows keystroke logging and may attempt to propagate itself over IM clients.
IMlogic said IM users can block this threat by using Content Filtering in IM Manager. Additionally, the company said administrators should ensure they have the latest signature updates from their anti-virus provider.
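The link described above ends in a file named gift.com, which reads like a web address but is a DOS/Windows executable extension, so a message filter has to inspect the URL path rather than the host name. The following Python sketch is an added example, not IMlogic's IM Manager code; the extension list, function names and example.test URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed filter policy: file extensions Windows runs directly when opened.
EXECUTABLE_EXTS = (".com", ".exe", ".scr", ".pif", ".bat", ".cmd")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def executable_links(message):
    """Return URLs in an IM message whose path ends in an executable file name."""
    flagged = []
    for raw in URL_RE.findall(message):
        url = raw.rstrip(".,;:!?)")            # drop trailing sentence punctuation
        path = unquote(urlsplit(url).path)     # decode %2E and similar escapes
        filename = path.rsplit("/", 1)[-1].lower()
        # Only the last path segment counts: "http://gift.com" has an empty
        # path and is an ordinary site, "/gift.com" is a downloadable program.
        if filename.endswith(EXECUTABLE_EXTS):
            flagged.append(url)
    return flagged


def should_block(message):
    """Filter decision for one message: block if any link targets an executable."""
    return bool(executable_links(message))


# Constructed sample messages (not captured traffic).
SAMPLE_MESSAGES = [
    "Merry Christmas! Your present: http://example.test/gift.com",
    "Sale at http://gift.com today",
    "look at this http://example.test/cards/gift%2Ecom?id=7.",
    "Meeting notes: http://example.test/notes.html",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = "BLOCK" if should_block(msg) else "allow"
        print(f"{verdict:5}  {msg}")
```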
IM Set to Overtake E-Mail
IM is one of the fastest growing communications mediums of all time, with an estimated 300 million consumer and enterprise IM users in 2005, according to IMlogic’s Q3 IM Security Threat Report.
Global services such as AOL Instant Messenger, MSN Messenger, and Yahoo Messenger each report over 1 billion messages sent per day, and IM traffic is expected to exceed e-mail traffic by the end of 2006, the report predicted.
“The prevalence and ubiquity of e-mail led to an increased level of attacks. IM will become more like e-mail,” Andrew Burton, Director of Project Development for IMlogic, told TechNewsWorld. “Prevalence and ubiquity attracts attackers.”
Indeed, IM has become a bigger target for attackers propagating IM-borne viruses, worms, spam over IM (SPIM), malware and phishing attacks. Burton said this is because IM is generally unprotected and unmonitored in consumer and enterprise environments, leaving it vulnerable to attacks and exploits.
The Rise of IM Worms
According to the IMlogic Threat Center, IM and P2P threats increased 3,295 percent in the third quarter of 2005 over the third quarter of 2004, bringing the year-to-date increase to 2,083 percent over 2005 year to date. Growth from the first to the third quarter of 2005 was also significant, with reported threats increasing by almost 32 percent quarter over quarter.
Viruses and Trojans accounted for 12 percent of the malicious payloads. Worms made up 87 percent, according to IMlogic. Sixty-two percent of the reported incidents over IM networks targeted the MSN Messenger client, Windows Messenger, and MSN Network.
Will the increasing threat of attack cause enterprises to shy away from using IM? Burton does not think so. “IM usage has surpassed a key inflection point. The network effect of IM has become large. The value of IM is still substantial,” Burton said. “I don’t think this type of threat will necessarily slow down IM usage.”