Don Davidson Computer

Instant Messaging virus and security threats

New research has found that security threats borne by instant messaging (IM) services such as AOL Instant Messenger, MSN Messenger, Windows Messenger, and Yahoo Messenger have increased dramatically in volume since the start of 2005.

According to a report issued Tuesday by the IMlogic Threat Center--an industry consortium led by security software maker IMlogic--the quantity of instant messaging threats increased 250 percent in the first quarter of 2005, compared with the same period last year. The research, which tracks viruses, worms, spam and phishing attacks sent over public IM networks, also contends that reported incidents of newly discovered IM threats have grown by a whopping 271 percent this year. 

In addition, the study found that more than 50 percent of the incidents reported to the Threat Center during the first quarter of 2005 involved attacks at workplaces where freely available IM software such as AOL Instant Messenger, MSN Messenger, Windows Messenger, and Yahoo Messenger is used. Based on that data, the consortium advises that companies take a closer look at managing IM security issues. 

Among the other findings of the Threat Center report is that more than 75 new threats on public IM and peer-to-peer computing networks were discovered in the first three months of this year. The group said that 82 percent of the incidents reported to it involved IM virus or worm propagation, while 14 percent dealt with IM file transfer hijacking.

Only 11 percent of the incidents tracked by the Threat Center involved attacks on known vulnerabilities on IM applications. 

Of all the IM-borne threats followed by the Threat Center, the Bropia, Kelvir and Serflog worms were found to be the three most frequently detected IM infections at workplaces, the group said. Multiple incidents of IM phishing and identity theft were also reported on IM networks. 

At least one IT professional interviewed by the consortium said that the rise of IM attacks has changed the way that businesses are looking to secure their computing networks. 

"The steady rise in attacks has put companies like us on the defensive," Ben Palacio, an IT manager at Priority Computer Parts, said in a statement. 

How viruses via IM work
Like traditional e-mail viruses, IM-borne viruses appear as messages sent from someone you know, inviting you to click an attached file or a Web link for a self-proclaimed sexy photo or awesome information. And like e-mail viruses, IM-borne viruses steal your IM contact lists (to send themselves to other hapless IMers) and require you to open the file or visit an infected Web page in order to become infected. But unlike e-mail viruses, which can be stopped en masse at the corporate mail server, IM-borne viruses hit randomly and sometimes with blinding speed.

To some degree, virus writers have included IM as a possible vector for their malicious code for several years. A few recent computer viruses, however, have been written exclusively for MSN Messenger. And within a few days of their appearance, we witnessed multiple variations.

But there's more to it. Assiral is a recent e-mail virus that attempts to remove Bropia IM virus infections while infecting you with its own virus, and Crog (alias Summon or Serflog) is an IM-borne virus that attempts to prevent anyone from ever removing it. This scenario sounds a lot like last year's e-mail viruses Netsky, MyDoom, and Bagle. Summon and Assiral appear to be signs that traditional virus writers are getting comfortable with and even territorial over IM. And there's a reason why they might want to claim this territory early.

Prevention
Fortunately, many antivirus apps now block malicious downloads from infected Web pages and prevent malicious code from executing on your hard drive. But that assumes you have antivirus protection.

From: Matt Hines, CNET News.com
and Robert Vamosi, CNET Reviews


WORM_KELVIR.A is a non-destructive worm that propagates via MSN Messenger.
It sends a message to all contacts listed in the affected user's MSN Messenger
Contacts, with a link. When clicked, this link downloads a file. This worm
is currently spreading in-the-wild and infecting computers running Windows
95, 98, ME, NT, 2000, and XP.

Upon arrival, this worm drops, extracts, and executes the
following files:

UNCANNY.EXE - a copy of the worm
ADVBOT.EXE - Trend Micro detects this as WORM_SDBOT.BLL

This worm sends a message to all contacts in MSN Messenger with the following
details:


"Never give out your password or credit card number in an instant message
conversation. Its you!"
<link which downloads the file detected as WORM_SDBOT.BLL>

Once the recipient clicks the link, the file ADVBOT.EXE is downloaded, which
Trend Micro detects as WORM_SDBOT.BLL.
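
A defender's view of the propagation pattern described above, as an added example that is not from Trend Micro or the original articles: it flags any sender that pushes the same link to several distinct contacts within a short window. The log format, addresses, URLs and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IM gateway log (assumed format): timestamp sender recipient text
SAMPLE_LOG = """\
2005-04-14T09:00:02 alice@example.test bob@example.test menu http://cafe.example.test/m
2005-04-14T09:00:03 alice@example.test dave@example.test menu http://cafe.example.test/m
2005-04-14T09:01:10 carol@example.test bob@example.test Its you! http://host.example.test/p
2005-04-14T09:01:11 carol@example.test dave@example.test Its you! http://host.example.test/p
2005-04-14T09:01:12 carol@example.test erin@example.test Its you! http://host.example.test/p
garbled line
2005-04-14T09:05:00 gina@example.test bob@example.test notes http://wiki.example.test/a
2005-04-14T09:15:00 gina@example.test dave@example.test notes http://wiki.example.test/a
2005-04-14T09:25:00 gina@example.test erin@example.test notes http://wiki.example.test/a
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def parse(log):
    """Yield (time, sender, recipient, url) for every link; skip malformed lines."""
    for line in log.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        for url in URL_RE.findall(parts[3]):
            yield when, parts[1], parts[2], url.rstrip(".,)")

def find_link_bursts(log, min_recipients=3, window=timedelta(seconds=60)):
    """Map (sender, url) -> recipients for same-link bursts inside a sliding window."""
    events = defaultdict(list)
    for when, sender, rcpt, url in parse(log):
        events[(sender, url)].append((when, rcpt))
    hits = {}
    for key, sent in events.items():
        sent.sort()
        start = 0
        for end in range(len(sent)):
            # Shrink the window from the left until it spans at most `window`.
            while sent[end][0] - sent[start][0] > window:
                start += 1
            rcpts = {r for _, r in sent[start:end + 1]}
            if len(rcpts) >= min_recipients:
                hits[key] = sorted(rcpts)
                break
    return hits
```

Calling `find_link_bursts(SAMPLE_LOG)` flags only the sender who sent one link to three contacts in two seconds; the same link shared with three contacts over twenty minutes stays below the threshold.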

If you would like to scan your computer for WORM_KELVIR.N or thousands of
other worms, viruses, Trojans and malicious code, visit HouseCall, Trend
Micro's free, online virus scanner at:
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYAWQTVKhgplLtpxLHjlotpgsQgLlV2VU


Related Story:

4-14-05

Reuters has shut down its instant messaging system after suffering an onslaught from a new Kelvir worm, the company confirmed Thursday. 

The London-based international media company decided to take its Reuters Messaging system completely offline after noticing the attack on its network earlier on Thursday, a Reuters representative said. 

The new variant attempted to spread by sending fake instant messages to people in contact lists on infected systems, a technique used by earlier Kelvir strains. The messages, crafted to look exactly like legitimate IM correspondence, attempted to lure people to a Web site where their computers would be infected with Kelvir, the representative said. 

"In order to protect our customers and other users, and to prevent RM (Reuters Messaging) from being used to propagate this worm, Reuters has temporarily suspended the RM service and is working to resolve this matter," the company said in a statement. It has not reported any incidents of consumers being infected by the attack. 

Unlike the free IM software marketed by rivals America Online, Microsoft and Yahoo, Reuters Messaging was created as a corporate tool, closed off from public subscribers and for internal company use only. But in recent years, the company has moved to connect its consumers with those networks. In 2003, Reuters signed deals with both AOL and Microsoft's MSN unit to allow users of its IM software to link to those services. 

Technical workers at Reuters said they believe the new Kelvir attack could also target other IM systems. No other companies with messaging software had reported such a threat as of midday Thursday, however. 

In a recent report on the growing threat of IM-borne viruses, the IMlogic Threat Center--an industry consortium led by security software maker IMlogic--indicated that Kelvir was among the three most frequently detected IM infections at workplaces, along with the Bropia and Serflog worms. The group also said that it has recently seen multiple incidents of IM phishing and identity theft reported on IM networks.
