Shoot the Messenger: IM Worms infectionvectors.com June 2005 Overview Instant Messaging (IM) has rapidly gained popularity, making it an attractive medium for malware coders. However, without the universal interoperation of email, instant messaging worms have so far been much slower to propagate and gain widespread success compared to their SMTP-based cousins. As such, the amount of attention (and development) they have received from malware authors is significantly less than the mass mailer worms. Nonetheless, IM-based malware is a threat to all organizations and should be addressed by both policy and technical safeguards. IM-founded malware carries the same potential for compromising data as any other malcode (and has adopted the tactics of more successful varieties exceptionally quickly). This paper examines the development and importance of IM worms. Messaging Overview Instant messaging generically refers to real-time text communications between two or more clients (although, it is important to note many new services such as video and voice are available through these clients). Generally, messages are passed from a client to a server and vice versa. Some IM clients are capable of transmitting files between one another without a central server (once a communications channel is established) and can allow for a remarkable degree of command execution. This is represented simply below: Messaging Server Presence data transferred to clients from servers. Message/file transfer. Compatible Clients Shoot the Messenger: IM Worms 2 IM protocols range from relatively simple to quite complex and generally include some form of “presence” detection and notification (the ability to indicate whether a contact is online at any given time). Some examples of IM protocols: • Bonjour (Apple) • IRC (Jarkko Oikarinen) • Jabber (Jeremie Miller) • Meetro (Meetroduction) • .NET/MSN (Microsoft) • OSCAR (AOL) • Yahoo MSG (Yahoo) From the list above, 4 major IM applications exist today (in terms of use): MSN/.NET Messenger, Yahoo Messenger, AOL Instant Messenger (AIM), and ICQ. With the exception of IRC and Jabber, these are all proprietary protocols, using clients that do not interoperate. For malware researchers, this is an important point, as the bulk of viruses are written for “popular” platforms/applications. Effectively, that means that until an application is in widespread use, it is likely to be ignored by most malware authors. Note: The term “Instant Messenger” itself belongs to Time Warner-AOL; as such only the AOL-branded software carries the name.1 Using IM applications as a propagation medium is a worthwhile endeavor for many worm creators since the respective client software works almost identically on various operating systems. In addition, the family of code is very much like mass mailers as this paper will explore in greater detail. Moving Malcode The mechanism a worm uses to mobilize itself often has great implications for the code: from how successful it is to how it is cataloged by antivirus researchers (not the specific name given to a virus/worm, but the generic class is it dropped into). Being an “IM worm” places malware into a large category, one that has exploded over the last 12 months. Inside this class of malicious software are many different means of jumping from client to client. IM worms transport themselves among clients in one of three main ways: via direct file transfer, sending a link to a third party server, or by sending a link to a web server created on the recently infected device. As is evident, in either of the last two cases, the URL sent out points to the malicious code for a target to download. Although it would seem that the more efficient transaction is to simply send a URL, worms have found success employing all of the methods. infectionvectors.com Shoot the Messenger: IM Worms 3 Method 1: Sending Copy of Worm to Contacts Infected with IM worm 2. Target opens Internet attached file and 1. Infected machine infects machine. sends message with copy of worm. Target IM-worm propagation by file attachment Much like mass mailers, IM worms often send the entire piece of malcode along with a message which hopes to entice the recipient into opening it. Method 2: Sending Link to Third Party Server Infected with IM worm Server hosting worm code 3. Server returns worm code. 1. Infected machine Internet sends message with link to server with worm copy . 2. Recipient clicks link in Target message. IM worm propagation via URL and manual download from 3rd party server infectionvectors.com Shoot the Messenger: IM Worms 4 Method 3: Sending Link to Infected Machine Infected with IM worm 2. Target clicks link, retrieving worm code from infected device. Internet 1. Infected machine sends message with link to new web server on local device . Target IM worm transmission via URL and manual download from infected machine Two of the most pervasive messaging worms (both released in 2005), Bropia and Kelvir, took different paths to meet the propagation requirement – Bropia sends a copy of itself with each message, Kelvir a link to a third party web site. In practice, it seems that a request to download a file from the Internet is not especially suspicious to many IM users, which is not surprising when one considers the success of email-based worms. The requirement, in most cases, for a user to execute a file once saved, is not much of hurdle either. Mass mailers for years have survived on the theory that sending a file to enough users will invariably lead to a healthy percentage of infections. The same principles that work for the email-borne malware work in favor of IM worms: they come from a recognized source in many cases, users are willing to take a chance with file extensions they assume to be “safe,” and simple message bodies can entice even generally skeptical readers. ahahhaa :p [URL] its you [URL] [URL] lol! see it! u’ll like it2 IM still enjoys a much greater sense of trust over email. Contact lists are thought to be fairly private, as are the communications channels. Given this, plus the length of mail worms’ life, it may be a great while before IM worms begin to slow down. Years of spam/phishing abuse and mail-based malware has hardened many users to distrust email, yet the spread of mass mailers like Mytob, Netsky, and Beagle continues at tremendous rates. infectionvectors.com Shoot the Messenger: IM Worms 5 Email became an easy target for worm coders because of its ubiquity and speed with which they could blanket targets with messages.3 The same can be said of IM, which targets the most popular of the protocols/clients. Recently, MSN was reported to have hit 155 million registered users.4 AOL’s AIM and Yahoo’s Messenger enjoy high user rates as well. Together these three clients make up the most targeted software (excluding IRC itself, which is still used by multiple worms to propagate and as a communications channel). Getting the Message The following review of IM worm highlights intends to give the reader a good perspective on how the family has developed over the last four years. It is not a complete record of every IM worm released; however, it does give a good overview of the code that has been distributed thus far. The first known worm to utilize the proprietary IM clients discovered in the wild is W32.Hello (also known as FunnyFiles).5 The April 25, 2001 release marked a new direction for malware, providing writers around the world with proof that the popular communications tool could effectively move a worm. The Hello worm did not carry any particularly destructive routines; it simply attempted to spread from client to client by sending a copy of itself to any new client or as a reply to any incoming message. The worm sent the following text with itself: i have a file for u. its real funny Hello garnered a good deal of media attention, as one would expect, although most was tempered with the appropriate level of reasoning6, explaining that it was not interested in destroying files and that the worm moved without the speed of applications like AnnaKournikova or LoveLetter.7 Even within the 3 major groupings for IM Worm propagation, there are interesting tactics to note. These range from the social engineering used to entice readers through the way the file transfer routines are coded. In the case of the second MSN Messenger worm released, Choke, this amounted to the seemingly “polite” request for the target to accept a file (disguised as a game).8 In reality, however, Choke will not stop asking until the contact allows the worm to spread. The worm will not, however, send a copy of itself twice to the same contact. Choke was discovered June 6, 2001. Aptly named, Annoying was released in August of 2001 for the MSN client.9 This worm took a different approach to propagating, actually respecting (if that is possible for self- propagating code) a user’s refusal. When the worm infected a machine, it sends the following as a reply to any incoming message: hey, want me to send my new pic? i took it yesterday infectionvectors.com Shoot the Messenger: IM Worms 6 Anyone responding to that with a “keyword” gets a copy of the worm. Keywords are: yes sure yea guess send there maybe ok cool So, if two boxes were infected, the first to manually send a message would get another copy (“send” is keyword), of course, the machines would already be infected. Annoying registers itself as a process named “MsgSprd.” On February 13, 2002 (4 days after proof of concept code was released for Microsoft security advisory MS02-00510), a JavaScript-coded worm named Menger appeared.11 It sends a link to the exploit/worm to all MSN contacts.