Shoot the Messenger: IM Worms infectionvectors.com June 2005
Overview
Instant Messaging (IM) has rapidly gained popularity, making it an attractive medium for malware coders. However, without the universal interoperation of email, instant messaging worms have so far been much slower to propagate and gain widespread success compared to their SMTP-based cousins. As such, the amount of attention (and development) they have received from malware authors is significantly less than the mass mailer worms. Nonetheless, IM-based malware is a threat to all organizations and should be addressed by both policy and technical safeguards. IM-founded malware carries the same potential for compromising data as any other malcode (and has adopted the tactics of more successful varieties exceptionally quickly). This paper examines the development and importance of IM worms.
Messaging Overview
Instant messaging generically refers to real-time text communications between two or more clients (although, it is important to note many new services such as video and voice are available through these clients). Generally, messages are passed from a client to a server and vice versa. Some IM clients are capable of transmitting files between one another without a central server (once a communications channel is established) and can allow for a remarkable degree of command execution. This is represented simply below:
Messaging Server
Presence data transferred to clients from servers.
Message/file transfer.
Compatible Clients
Shoot the Messenger: IM Worms 2
IM protocols range from relatively simple to quite complex and generally include some form of “presence” detection and notification (the ability to indicate whether a contact is online at any given time). Some examples of IM protocols:
• Bonjour (Apple) • IRC (Jarkko Oikarinen) • Jabber (Jeremie Miller) • Meetro (Meetroduction) • .NET/MSN (Microsoft) • OSCAR (AOL) • Yahoo MSG (Yahoo)
From the list above, 4 major IM applications exist today (in terms of use): MSN/.NET Messenger, Yahoo Messenger, AOL Instant Messenger (AIM), and ICQ. With the exception of IRC and Jabber, these are all proprietary protocols, using clients that do not interoperate. For malware researchers, this is an important point, as the bulk of viruses are written for “popular” platforms/applications. Effectively, that means that until an application is in widespread use, it is likely to be ignored by most malware authors.
Note: The term “Instant Messenger” itself belongs to Time Warner-AOL; as such only the AOL-branded software carries the name.1
Using IM applications as a propagation medium is a worthwhile endeavor for many worm creators since the respective client software works almost identically on various operating systems. In addition, the family of code is very much like mass mailers as this paper will explore in greater detail.
Moving Malcode
The mechanism a worm uses to mobilize itself often has great implications for the code: from how successful it is to how it is cataloged by antivirus researchers (not the specific name given to a virus/worm, but the generic class is it dropped into). Being an “IM worm” places malware into a large category, one that has exploded over the last 12 months. Inside this class of malicious software are many different means of jumping from client to client.
IM worms transport themselves among clients in one of three main ways: via direct file transfer, sending a link to a third party server, or by sending a link to a web server created on the recently infected device. As is evident, in either of the last two cases, the URL sent out points to the malicious code for a target to download. Although it would seem that the more efficient transaction is to simply send a URL, worms have found success employing all of the methods.
infectionvectors.com Shoot the Messenger: IM Worms 3
Method 1: Sending Copy of Worm to Contacts
Infected with IM worm
2. Target opens Internet attached file and 1. Infected machine infects machine. sends message with copy of worm.
Target
IM-worm propagation by file attachment
Much like mass mailers, IM worms often send the entire piece of malcode along with a message which hopes to entice the recipient into opening it.
Method 2: Sending Link to Third Party Server
Infected with IM worm
Server hosting worm code
3. Server returns worm code. 1. Infected machine Internet sends message with link to server with worm copy . 2. Recipient clicks link in Target message.
IM worm propagation via URL and manual download from 3rd party server
infectionvectors.com Shoot the Messenger: IM Worms 4
Method 3: Sending Link to Infected Machine
Infected with IM worm
2. Target clicks link, retrieving worm code from infected device.
Internet 1. Infected machine sends message with link to new web server on local device .
Target
IM worm transmission via URL and manual download from infected machine
Two of the most pervasive messaging worms (both released in 2005), Bropia and Kelvir, took different paths to meet the propagation requirement – Bropia sends a copy of itself with each message, Kelvir a link to a third party web site.
In practice, it seems that a request to download a file from the Internet is not especially suspicious to many IM users, which is not surprising when one considers the success of email-based worms. The requirement, in most cases, for a user to execute a file once saved, is not much of hurdle either. Mass mailers for years have survived on the theory that sending a file to enough users will invariably lead to a healthy percentage of infections. The same principles that work for the email-borne malware work in favor of IM worms: they come from a recognized source in many cases, users are willing to take a chance with file extensions they assume to be “safe,” and simple message bodies can entice even generally skeptical readers.
ahahhaa :p [URL]
its you [URL]
[URL] lol! see it! u’ll like it2
IM still enjoys a much greater sense of trust over email. Contact lists are thought to be fairly private, as are the communications channels. Given this, plus the length of mail worms’ life, it may be a great while before IM worms begin to slow down. Years of spam/phishing abuse and mail-based malware has hardened many users to distrust email, yet the spread of mass mailers like Mytob, Netsky, and Beagle continues at tremendous rates.
infectionvectors.com Shoot the Messenger: IM Worms 5
Email became an easy target for worm coders because of its ubiquity and speed with which they could blanket targets with messages.3 The same can be said of IM, which targets the most popular of the protocols/clients. Recently, MSN was reported to have hit 155 million registered users.4 AOL’s AIM and Yahoo’s Messenger enjoy high user rates as well. Together these three clients make up the most targeted software (excluding IRC itself, which is still used by multiple worms to propagate and as a communications channel).
Getting the Message
The following review of IM worm highlights intends to give the reader a good perspective on how the family has developed over the last four years. It is not a complete record of every IM worm released; however, it does give a good overview of the code that has been distributed thus far.
The first known worm to utilize the proprietary IM clients discovered in the wild is W32.Hello (also known as FunnyFiles).5 The April 25, 2001 release marked a new direction for malware, providing writers around the world with proof that the popular communications tool could effectively move a worm. The Hello worm did not carry any particularly destructive routines; it simply attempted to spread from client to client by sending a copy of itself to any new client or as a reply to any incoming message. The worm sent the following text with itself:
i have a file for u. its real funny
Hello garnered a good deal of media attention, as one would expect, although most was tempered with the appropriate level of reasoning6, explaining that it was not interested in destroying files and that the worm moved without the speed of applications like AnnaKournikova or LoveLetter.7
Even within the 3 major groupings for IM Worm propagation, there are interesting tactics to note. These range from the social engineering used to entice readers through the way the file transfer routines are coded. In the case of the second MSN Messenger worm released, Choke, this amounted to the seemingly “polite” request for the target to accept a file (disguised as a game).8 In reality, however, Choke will not stop asking until the contact allows the worm to spread. The worm will not, however, send a copy of itself twice to the same contact. Choke was discovered June 6, 2001.
Aptly named, Annoying was released in August of 2001 for the MSN client.9 This worm took a different approach to propagating, actually respecting (if that is possible for self- propagating code) a user’s refusal. When the worm infected a machine, it sends the following as a reply to any incoming message:
hey, want me to send my new pic? i took it yesterday
infectionvectors.com Shoot the Messenger: IM Worms 6
Anyone responding to that with a “keyword” gets a copy of the worm. Keywords are:
yes sure yea guess send there maybe ok cool
So, if two boxes were infected, the first to manually send a message would get another copy (“send” is keyword), of course, the machines would already be infected. Annoying registers itself as a process named “MsgSprd.”
On February 13, 2002 (4 days after proof of concept code was released for Microsoft security advisory MS02-00510), a JavaScript-coded worm named Menger appeared.11 It sends a link to the exploit/worm to all MSN contacts. This represents the first case of an IM worm exploiting vulnerabilities in a client application, rather than relying upon social engineering solely (although that remains a critical piece of its strategy). MS02-005 actually affected Microsoft’s Internet Explorer (IE). When a user opens the link sent via MSN Messenger, and has IE set as the default browser so that it will open the destination web page, the exploit is launched. If the browser is not patched, the worm is capable of executing itself on the client machine and sending out a message/link to everyone in the local contact list.
In April of 2002, one of the most well-known of the IM worms was released, Aphex.12 Aphex was better known for its mass mailing capabilities, which allowed it to spread further than previous IM-only malware. Aphex attempts to lure IRC users into clicking the link it sends with the promise of free pornography. AIM-delivered messages carry a link to a file served from the infected hosts (on a freshly created HTTP server on TCP 8180).
After a brief hiatus, the IM worm writers again turned out an application for MSN users known as Simic.13 This worm, released in July of 2003, launched itself in stages. Initially the “loader” application retrieved additional pieces of code (some viral, some non-viral) from the Internet (script.mine.nu), which in turn checked to see if the MSN client was running and initiated the propagation. This increased sophistication in IM worms indicated that coders were serious about the medium, improving propagation mechanisms, and making management of such code better (ease of update, ability to check number of infections, etc.).
Slideshow14, released in early December of 2003, propagated by sending itself to every contact in the user’s Buddy List. This worm continued the use of a central website to download the actual worm, albeit for AOL users in this case. The program wrote its own log and made a number of copies of itself on the local machine. In addition, Slideshow checked for a Kazaa share directory and, if found, placed a copy of itself there as well. As
infectionvectors.com Shoot the Messenger: IM Worms 7
may be guessed by the reader, the worm attempts to get the user to click the link and run the software by promising photos (a slideshow).
By the end of 2003 the two largest IM clients (MSN and AIM) were the targets of worms that used all of the propagation methods mentioned earlier in this report (worms that send complete copies of themselves directly were still very rare for AIM, this trend would turn around later). Malware authors proved their ability to use the messaging platforms for their efforts and displayed multiple means of mobilizing and managing their code. Beginning in 2004 IM worms began to carry more destructive routines, well away from the “intentions” declared in the Annoying worm nearly three years earlier (in the code of the program):
I come in piece. My name is Jerry. The purpose of me is to spread. I'm not annoying, nor dangerous.
In March of 2004 Heycheck hit the Internet.15 Using a web server it established on the infected machine, Heycheck responds to MSN messages with a link to its executable (as well as transmitting the file to anyone who happens to send any GET to the web server). Heycheck also attempts to stop the processes associated with the Zone Alarm firewall, the Symantec Live Update system, and the Symantec Anti Virus client. The proof-of- concept phase was over. Now well beyond nuisance or technical wonder, IM worms were now squarely planted in the malware arena, using the same tactics to ensure their survival that more established types of malicious code used.
Snone16, released in September of 2004, added the URL to the malicious code to each outgoing message. This was a slightly different tactic than previously released IM malware and showed improvement in the social engineering sphere of malware coding, an important step in worm writing. Once the technical pieces of the application (and application family) are established, the construction of more appealing outer wrappers for malcode is critical to infection rates for worms that are dependant on user interaction. Tinkering with the outer “shells” of the programs continued in concert with changes to the way the worms spread. The following month, Funner17 melded two of the IM propagation mechanisms when it sent a copy of the worm and also attempted to retrieve additional files from the Internet.
Overnight Fame
2005 has been a breakout year for IM worms. The technical and social improvements have taken the family of malware to new heights of success. It is important to note that the IM worm technology has been adopted by a number of pieces of malware, integrated into the propagation and control functions. A good example of this came in mid January 2005 when the well-known MyDoom18 family of code added an ICQ message blast (containing a link back to a copy of the malware) to its mass mailer and file sharing propagation. It is interesting to see such a successful worm adding the IM routine; in many ways it gives credibility to the entire family of malcode.
infectionvectors.com Shoot the Messenger: IM Worms 8
Coincidentally, the IM worm family was about to explode. Near the same time that MyDoom.AL was distributed, the most widely released and revised piece of code in the IM world, Bropia19 bounced around MSN clients across the globe.
Bropia grabbed headlines because of its payload, a copy of the IRC Trojan Spybot20. With this application running, an attacker could control a near-limitless number of functions on the infected machine. Bropia sends itself (and Spybot) to every contact in the MSN Messenger contact list. This accounts for the relatively large size of the worm (approximately 160 KB).
In the wake of Bropia’s release, Led21 and Unfunner22 also made their debut. Led spread by sending chat invitations to contacts, something not explicitly seen in the wild up to this point. Unfunner, in the grim tradition of vigilante worms like Welchia/Nachi, attempted to remove the changes made by Funner. Unfunner, when launched:
• Tries to delete the files left by Funner • Resets the HOSTS file to an empty configuration • Alters the security settings for MS Word (HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word)
And, of course, sends itself to all entries in the contact list. Although not in the scope of this report, there is nothing “good” about this malware. For example, resetting the HOSTS file has the potential to delete an entry that was necessary for proper network communication, the uncontrolled propagation is certainly not beneficial for LAN traffic, and altering application security settings without the user/owner’s consent is never appropriate. These tactics (as well as the security software terminating routines of previous worms) were adopted by Chod23, seen later in the spring of 2005. Chod attempted to steal passwords as well, a function which is examined in the next section of the paper in greater detail with regard to IM malware.
In February of 2005, the Bropia worm’s cousin, named Kelvir24, made its appearance. Kelvir took the basic strategy of Bropia (use IM to install the Spybot code) but switched the propagation mechanism from sending a complete copy of the worm to sending just a link to a third party server. The worm also carried routines to disable security software/update features in later variants. In June of 2005, Kelvir made the move to a different payload, dropping a different version of the Randex/Spybot IRC-bot code with its infection. In addition, numerous new versions appeared in rapid succession, each with different message text. For example, two that were used in mid-June:
guess what i found [URL] i guess i won the bet... :D oops, sorry im talking to wrong person :
its you in this cartoon!!$ [URL]
Although Bropia and Kelvir made MSN’s client the target of a numerous attacks, AIM also found itself in the crosshairs of malware authors with the release of many new
infectionvectors.com Shoot the Messenger: IM Worms 9
worms in the first quarter of 2005. Aimdes, first seen in early February 2005, not only spread via AOL’s IM product, but also attempted to disable the Windows Security Console notifications introduced with Microsoft’s Windows XP Service Pack 2. This echoes the attempts to weaken the overall security of the victim machine with an IM worm of Heycheck months earlier. In late May of 2005, Pinkton25 attempted to disabled the Windows firewall by resetting specific Registry entries. The worm also inserted the following key/value in the target’s Registry:
"411" = "This computer's infected with Project Pinkerton, but don't let the user find out."
Pinkton used a very simple message to spread, sending only “you gotta see this!” and a link to each target.
The success and power of the Bropia/Kelvir code was soon adopted by coders focusing on AIM as well. Aiminfo26 (released in April 2005) places a URL to a version of Spybot into the victim’s user information – resulting in the link being added to every outgoing message (changes info.htm file). Within days of Aiminfo, Gabloliz27 was released. Gabloliz carried an IRC backend control function and sent itself to everyone in the AIM buddy list. In addition, this worm attempted to email a link to itself (on the infected/source computer) in the same style as mass mailers. Also released at the same time was Allim28, which sent links to all AIM contacts to a copy of itself, a worm that carried a copy of Spybot.
A final refinement seen thusfar in the IM worms is the use of manual propagation techniques in Doyorg29, an AIM worm released in early May of 2005. This IRC- controlled agent allows the author to kick-off propagation and specify the URL sent with each message – meaning that the attacker can move files around during the spread of the worm. This would be helpful in cases where the distribution servers are shutdown.
With the consideration given to which IM client is the target of each worm, it is natural to wonder why so few worms have attempted to spread via multiple platforms. The most successful of the very few samples that exist is Velkbot30, which is capable of propagating through the AIM, MSN, and Yahoo clients. It appears much like the SdBot code (as became a famous component to the Mytob code) and uses IRC to receive commands from its controller.
The IM worms discussed so far are summarized with their release dates and approximate sizes in the following table:
infectionvectors.com Shoot the Messenger: IM Worms 10
IM Worm Survey April 2001 – May 2005
Name Messaging Client Date of Approx. Size Used Discovery (bytes) Hello/FunnyFiles MSN April 21, 2001 10,240 Choke MSN June 6, 2001 40,960 Annoying MSN August 28, 2001 49,152 Menger MSN February 13, 2002 N/A Aphex/Aplore AIM April 8, 2002 319,488 Elitor MSN August 28, 2002 53,248 Simic MSN July 30, 2003 28,000 Slideshow AIM December 4, 2003 139,264 Heycheck MSN March 5, 2004 44,000 Snone MSN September 21, 2004 N/A Funner MSN October 11, 2004 56,320 MyDoom.AL ICQ January 19, 2005 59,185 Bropia MSN January 19, 2005 159,744 Led MSN January 22, 2005 110,592 Unfunner MSN January 28, 2005 N/A Aimdes AIM February 11, 2005 36,864 Kelvir MSN February 25, 2005 49,011 Serflog MSN March 7, 2005 36,352 Chod MSN March 13, 2005 152,292 Aiminfo AIM April 21, 2005 17,920 Velkbot AIM, MSN, Yahoo April 23, 2005 33,739 Gobloliz AIM April 25, 2005 34,816 Allim AIM April 26, 2005 28,160 Doyorg AIM May 1, 2005 54,272 Imspread AIM May 10, 2005 17,920 Pinkton AIM May 31, 2005 70,144
Instant Value
Many pieces of malware have shown interest in IM clients, even if they don’t try to use the messaging platforms to spread. Applications that lift usernames, passwords, and contact lists have been in circulation for years. Although the value in email addresses and contact information is apparent for spammers, theft of a specific account and password is more difficult to quantify in terms of damage potential. A single password for an anonymous AIM user may be of limited use (used possibly to impersonate the user and get others to execute the malware), whereas the ICQ password for a corporate CEO may hold tremendous value to a competitor. This portion of the report briefly outlines the family of IM-utilizing malware. This is code that does not spread via IM communication but instead uses information specific to the client or its infrastructure as the launch pad for further nefarious activity.
infectionvectors.com Shoot the Messenger: IM Worms 11
In April of 2002, the Mylife31 mass mailer began pulling additional target information from the contact list maintained by the MSN Messenger client. Better known than Mylife was Yaha32, which similarly used the addresses available in the messaging clients as recipients for its mass-mailed attachment. Kickin33, although not the beneficiary of a great deal of attention, did manage to launch a routine that snatched email addresses from both the MSN and .NET clients as well as ICQ and Yahoo Messenger contact lists. Recently the target-rich IM clients have been culled by Blackmal34 (2004) and Picrate35 (2005) as part of their propagation schemes.
AIM and MSN were both targeted by Hethat36, released in late 2002. Hethat stole passwords associated with messaging accounts for these platforms and relayed them back to its controller. Similar actions were taken against the AIM client by Avid37 (2002), Monatar38 (a Trojan from 2003), and Sinkin39 (2003). The Yahoo client was the victim of choice for the Sagic Trojan40 (2003) a product of the Sagic family of “tools.”
Name Messaging Client Date of Approx. Size Used Discovery (bytes) Mylife MSN April 12, 2002 12,888 Yaha.F MSN June 17, 2002 29,948 Avid AIM September 17, 2002 524,732 Hethat AIM/MSN December 16, 2002 230,400 Monatar AIM April 17, 2003 102,400 Kickin ICQ, MSN, Yahoo May 5, 2003 108,544 Sinkin AIM October 14, 2003 52,146 Sagic Yahoo December 15, 2003 12,550 Blackmal MSN March 23, 2004 75,000 Picrate MSN/Yahoo April 14, 2005 286,594 Worms attempting to steal from IM clients
Two Trojans that imitate the actual IM applications are worth mentioning as well. In 2003, a program that looks very much like the real AIM client was released. Snitch41, as it came to be known, collected the username and password from a user and mailed to a mailbox configured in the application. Upon investigation of the “client” a user could open the configuration window and see the destination for the data. In the summer of 2004, Likmet42, the MSN equivalent, was released. As these applications had no means of self-propagating, their distribution was limited.
At the beginning of this section was the hint that spammers could find immediate value in additional email accounts. The IM account itself has also been the target of advertising, in the form of an AIM hook known as Buddylinks.43 Although the URL for this piece of “adware” is sent to everyone in the Buddy List, the application must be retrieved, saved, and executed manually, removing it from consideration as a worm.
Beyond simply stealing from the local client, Fizzer44, a mass mailer that also includes and IRC back-end, used AIM to create a covert communications channel between the
infectionvectors.com Shoot the Messenger: IM Worms 12
infected machine and the author. Fizzer sent itself with numerous possible message bodies, most very short and non-descript some with philosophical undertones. The most interesting for anyone reading a malware report is probably the oft-asserted joke:
Did you ever stop to think that viruses are good for the economy? Maybe the primary creators of the world’s worst viruses are the companies that make the Anti-Virus software.
No matter the intention of the Fizzer author, this worm did make an important statement about the use of all IM applications, not just IRC, as a means of passing commands and data in and out of a protected network. Fizzer added one more dimension to the nature and potential of IM malware.
Enterprise Ready?
Everyone researching IM technologies has likely heard at least one account of the trouble instant messaging can cause. One used as an example is that of an executive having all of his IM conversations sent to numerous contacts, including his bosses.45 The content of these conversations were not especially flattering to his managers, resulting in the executive’s termination from the company. This is not representative of a failure with the technology, but rather of the culture surrounding IM and related “chat” applications.
The technology itself is no more dangerous than many that are currently allowed on the majority of corporate networks. Enterprises that have deemed this tool as important to the way they do business have established private IM servers that can be hardened and outfitted with malware scanning capabilities. The use of third party and free services for passing sensitive business information is always a risky game, one that numerous companies are willing to play.
The case of eFront CEO Sam Jain’s ICQ logs being published to numerous web sites damaged the company tremendously, from bogging executives down with questions to hurting relationships with partners.46 Recently, the Kelvir worm forced Reuters to turn off their internal messaging services until a containment and cleanup effort could be established.47 These types of cases should spur reviews of the types of technologies employed by businesses, specifically, what security risks exist.
The issue of IM, however, is no different from any other messaging technology. Whether it is voice service, email, or chat functionality, if a technology carries vital business data and/or can be considered mission critical, its security is paramount to the organization. Malware authors have established that the high-volume services are a worthy target of their development hours. A similar review of these applications needs to occur if they are a service one’s company employs.
In terms of specific IM malware defense, the bulk of the security effort comes from allowing or blocking the use of such applications. That begins with top-down policy construction and enforcement. Any policy that allows IM clients should also address the use of such products for sensitive data, which will invariably end up in a conversation.
infectionvectors.com Shoot the Messenger: IM Worms 13
The technical piece of the puzzle is blocking/opening ports and/or servers associated with the tools. In either case, client security (meaning updated antivirus software) is critical. Gateway products that can identify IM conversations (often requiring that the data be extracted from an HTTP packet) can be immeasurably valuable to large organizations with the resources to keep them tuned and monitored.
Once the perimeter and policy aspects are considered, more creative options for detecting malware threats are available to security managers. The use of decoy accounts is one very effective early warning system for IM worms. An information assurance watch stander would be awfully suspicious of any file/invitation that ends up in the dummy account’s IM window. As IM worms may discriminate against certain accounts in the future (the same way many mass mailers dodge email accounts with strings like “secure” or “sopho” in the case of MyDoom), it may be prudent to simply create a phony, but legitimate sounding name for the decoy account.
Malware defense for IM follows the same strategies as any other technology: identify the value of the application, the value of the application’s data, the technical safeguards available, and the costs of each safeguard. Most important to the strategy is the policy, which in the case of IM, still seems to be lacking in many large organizations.
IM worms make a good study because they show how well malware authors learn from the development of prior families of code. In IM malware’s 4-year history it has borrowed a great deal from the mass mailers.48
Choke Unfunner Hello Annoying Aphex Heycheck Bropia Kelvir Menger Simic Led Slideshow Snone
2001 2002 2003 2004 2005
Incorporates Stop security Integrate IRC Various distribution “Staged” application software, control of tricks for sending functionality , vulnerabilities and improved compromised complete copies of downloading mass email social boxes. the worm. components routines to from the engineering . spread. Internet.
Defense efforts should work the same way as the worm-writing effort: leveraging strategies/policies even when tools don’t allow the exact same technical solutions.
Infectionvectors.com provides a number of reports that can help organizations of any size plan strategy and worm defense tactics. Please see http://www.infectionvectors.com for more information.
infectionvectors.com Shoot the Messenger: IM Worms 14
References
In most cases, the Symantec reference is provided where available as their nomenclature was again used to identify the various worms.
1. http://en.wikipedia.org/wiki/Instant_messenger
2. These examples come from Kelvir variants.
3. The built-in authentication of IM (requiring a proprietary server to sign into) is one very different facet of IM over email. However, this is only because coders appear to like the “personal” touch of having their worms only sent to targets in the infected machine’s contact list. In the future, IM worms may well come with or download a list of IM contacts and kick off mass-messaging routines via their own copies of IM clients.
4. “MSN Messenger reaches 155 million users” Converge! Network Digest. http://www.convergedigest.com/Bandwidth/newnetworksarticle.asp?ID=14365
5. FunnyFiles/W32.Hello http://securityresponse.symantec.com/avcenter/venc/data/w32.funnyfiles.worm.html
6. W32.Hello’s Media Coverage Tempered by Reality “Worm crawls into MSN Messenger” CNET News.com Rachel Konrad, 1 May 2001. http://news.com.com/2100-1023-256816.html?legacy=cnet
7. Interesting as a historical note, VBSWG.J (AnnaKournikova) and LoveLetter are two of the scurges mentioned in a report from 2001 entiteld, “Year of the Worm.” Robert Lemos, CNET News.com 15 March 2001. http://news.com.com/Year+of+the+Worm/2009-1001_3-254061.html?tag=st.rn
8. Choke http://securityresponse.symantec.com/avcenter/venc/data/w32.choke.worm.html
9. Annoying http://securityresponse.symantec.com/avcenter/venc/data/w32.annoying.worm.html
10. MS02-005 http://www.microsoft.com/technet/security/bulletin/MS02-005.mspx
11. Menger/Coolnow http://www.f-secure.com/v-descs/coolnow.shtml http://securityresponse.symantec.com/avcenter/venc/data/js.menger.worm.html http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_MENGER.GEN
12. Aphex/Aplore W32.Aphex – Viruslist.com http://www.viruslist.com/en/news?discuss=48681&return=1 Aplore – Symantec Security Response http://securityresponse.symantec.com/avcenter/venc/data/[email protected] McAfee - http://vil.nai.com/vil/content/v_99437.htm
13. Simic Symantec Security Response – http://securityresponse.symantec.com/avcenter/venc/data/w32.simic.worm.html
14. Slideshow http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.slideshow.html
infectionvectors.com Shoot the Messenger: IM Worms 15
15. Heycheck http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.heycheck.html
16. Snone http://securityresponse.symantec.com/avcenter/venc/data/w32.snone.a.html
17. Funner http://securityresponse.symantec.com/avcenter/venc/data/w32.funner.html
18. MyDoom.AL http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
19. Bropia http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BROPIA.F&VSect=P
20. Spybot http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=35771
21. Led http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
22. Unfunner http://securityresponse.symantec.com/avcenter/venc/data/w32.unfunner.a.html
23. Chod http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
24. Kelvir http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=42019
25. Pinkton http://securityresponse.symantec.com/avcenter/venc/data/w32.pinkton.a.html
26. Aiminfo http://securityresponse.symantec.com/avcenter/venc/data/trojan.aiminfo.html
27. Gabloliz http://securityresponse.symantec.com/avcenter/venc/data/w32.gabloliz.a.html
28. Allim http://securityresponse.symantec.com/avcenter/venc/data/w32.allim.a.html
29. Doyorg http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43062 http://vil.nai.com/vil/content/v_133393.htm
30. Velkbot http://securityresponse.symantec.com/avcenter/venc/data/w32.velkbot.a.html
31. Mylife http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
32. Yaha.F http://securityresponse.symantec.com/avcenter/venc/data/[email protected] http://www.sophos.com/virusinfo/analyses/w32yahae.html
infectionvectors.com Shoot the Messenger: IM Worms 16
33. Kickin http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
34. Blackmal http://www.f-secure.com/v-descs/nyxem.shtml http://secunia.com/virus_information/8417/blackmal/
35. Picrate http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
36. Hethat http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hethat.html
37. Avid http://securityresponse.symantec.com/avcenter/venc/data/trojan.avid.html
38. Monator http://securityresponse.symantec.com/avcenter/venc/data/backdoor.monator.html
39. Sinkin http://securityresponse.symantec.com/avcenter/venc/data/trojan.sinkin.html
40. Sagic http://www.sophos.com/virusinfo/analyses/trojsagica.html http://secunia.com/virus_information/15072/pwsteal.sagic.b/
41. Snitch http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.snatch.html
42. Likmet (July 5, 2004) http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39770
43. Buddlylinks (March 10, 2005) http://vil.nai.com/vil/content/v_101007.htm http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453082742
44. Fizzer http://www.f-secure.com/v-descs/fizzer.shtml http://www.sophos.com/virusinfo/analyses/w32fizzera.html
45. “Instant-messaging virus costs a man his job” Ingrid Marson, ZDNet UK, June 30, 2004. http://news.zdnet.co.uk/internet/security/0,39020375,39159096,00.htm
46. “ICQ logs spark corporate nightmare” Paul Festa, March 15, 2001, Paul Festa, CNET News.com. http://news.com.com/2100-1023-254173.html?legacy=cnet
47. “Kelvir closes Reuters IM Service” April 15, 2005. http://www.viruslist.com/en/news?id=162284289
48. Mass mailing worms (mass mailers) are discussed in a number of infectionvectors.com reports, including, Mail Call: Email Crime http://www.infectionvectors.com/vectors/mail_call_pt4.htm, The Mytob Infantry http://www.infectionvectors.com/vectors/mytob_infantry.htm, a series dedicated to the Beagle worm http://www.infectionvectors.com/vectorspaces.htm, and mass mailer worm threat modeling http://www.infectionvectors.com/hotzone/worm_modeling.htm.
infectionvectors.com Shoot the Messenger: IM Worms 17
Additional Information for the Curious
MyDoom.AL text
The following ten messages are the text that appears directly before the worm link in MyDoom ICQ messages: about Saddam Hussein [URL] fun game [URL]:/-)) funy game [URL] =) game [URL]:/-) happy x-mas [URL] lol [URL] merry-christmas [URL]!!! sex on mars [URL] LOL shit!!! [URL] view my postcard [URL]
Assiral “Saving” Us from Bropia
Maybe one way to know you are having an impact on the world is when someone hates you enough to try destroying what you create. In February of 2005 the Assiral mass mailer included routines that attempted to kill Bropia processes. It also opens an HTML document which includes the following text:
LARISSA ~ Anti-Br0pia – freeing the w0rld of br0pia !
One Thought on Sending a URL Pointing to a 3rd-Party Server
My first reaction to this when mass mailers did it was that the propagation would be more limited, as the server would be shutdown or blocked. That doesn’t happen nearly as much as the average person might think. In addition, the 3rd-party server link is an important concept, as in theory, if the IM server is involved in the transfer of files, the provider could prevent such files from being transferred (virus scanners, MD5 checks, filename, etc.). This possibility is removed when the URL points to an external server.
Stealing Miranda’s Password
Two pieces of malware from 2004 attempted to steal passwords associated with the Miranda IM project. One that scared a number of people in the summer named Webber attempted to lift Miranda passwords with one version. LDPinch also had a function to grab this information, along with ICQ account data, IE information, etc. http://www.f-secure.com/v-descs/damrai.shtml http://securityresponse.symantec.com/avcenter/venc/data/backdoor.berbew.r.html
For information on the Miranda IM project: http://www.miranda-im.org/
infectionvectors.com Shoot the Messenger: IM Worms 18
Honorable Mentions Additional IM Worms Worth Investigating
There are many, many other IM worms that are not mentioned in this report. Although they did not fit the framework of this paper, some of these additional worms are very interesting in their own right, for technical reasons or because of the content of their routines. A few are mentioned below:
Opanki http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPANKI. A
Opanki.B (Trend) attempted to download multiple software packages identified as spyware by Trend Micro, making it a worm worth watching: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPANKI. B
Elitor http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.elitor.html
Aimdes http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
Serflog (the original was called Bropia.U by CA) continues to pop up with its security- damaging payload. http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.b.html
Copyright © 2005 infectionvectors.com. All rights reserved.
infectionvectors.com