
New bots, worm threaten AIM network

Security firms say a fresh wave of bots lures users into downloading malicious content. Plus a new worm variant is on the loose, cloaked as a greeting card.

Antivirus authorities late Tuesday identified what could be a new wave of malicious instant messaging threats propagating over the AOL Instant Messenger (AIM) network.

IM threat specialist IMlogic Inc. in Waltham, Mass., said a number of IM bots are leveraging social engineering techniques to spread among users, most of whom are unaware that they are extending the bots' reach.

The most notable new threat is the IM.Myspace04.AIM worm. It attempts to convince AIM users to download malicious content. Once infected, the host acts as a bot by sending out new messages to infect others, plus responding blindly to messages it receives.

"When recipients of the malicious message reply to the infected user," IMlogic said in a release, "the Bot running on the infected machine sends follow-up messages that include 'lol no its not its a virus.'"

The company added that one such message includes a URL to a .pif file on the domain.

Andrew Burton, IMlogic's director of product management, said the operating system interprets the .pif as a shortcut, so once a user clicks on it, it can generate an executable on the fly.

"Once it's an executable on the machine, this program now has the ability to do local system changes to the extent that the hacker would like it to," Burton said, including disabling host security software, modifying local system files and opening backdoors to Internet Relay Chat.

But what may be most alarming is what IMlogic calls a shift toward interactive communication with intended targets, saying IM.Myspace04.AIM represents what may be a new breed of malicious threats that can increase infection rates by simulating a live user.

"As consumer bots such as the recently released AOL MovieFone and ShoppingBuddy Bots gain popularity, hackers have also recognized the potential for Bot technology to assist in their attacks on unsuspecting users," IMlogic said.

Separately, a new variant of last winter's Aimdes worm has emerged. San Diego-based Akonix Systems Inc., Cupertino, Calif.-based Trend Micro Inc. and others report that W32/Aimdes.E is also propagating over the AIM network.

Classified as low risk, it spreads in the form of an IM greeting sent from one user to another. Trend Micro reports that it is typically accompanied by the following text:

This AIM user has sent you a Greetings Card, to open it visit: http://g{BLOCKED}

Once a user clicks the link, the worm installs itself on the host. Then it may engage in a number of backdoor activities, such as opening random ports and using its built-in Internet Relay Chat (IRC) client to connect to the IRC network to await potentially malicious commands.

Akonix recommends organizations ensure all desktop computers are updated with the latest security patches, and that all public IM use is appropriately blocked or managed.
