
Frankenstein rootkit hits AIM users

Instant-messaging worm a sign of things to come

A potentially destructive worm is targeting users of AOL’s AIM instant-messaging service.

Called W32/Sdbot-ADD by Facetime Security Labs, the vendor that first reported its existence in a less harmful version some weeks ago, this is a worm with a troubling and innovative twist - it installs a rootkit-like backdoor on any system it manages to infect.

An attack starts with an AOL IM user being asked to open a link, apparently at the request of an AOL "buddy" or contact. Clicking on this initiates the infection sequence, which starts with the dropping of a number of adware files and the rootkit software itself, lockx.exe.

Once on the PC, the malware attempts to shut down antivirus software, installs software that allows the PC to be remotely controlled over IRC, and opens a backdoor for future attacks. It also contains its own SMTP engine and collects email addresses from the infected machine.

The vendor has classified it as being the first IM rootkit because of the way it attempts to hide traces of its existence. The rootkit file’s use of IRC is also considered especially dangerous because it allows attackers to execute remote commands.
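The behaviours described above (a dropped executable named lockx.exe, a process holding an IRC control channel, and a built-in mail engine) are exactly the kind of host-side indicators an incident responder would look for. The following is an added example, not Facetime's analysis or code from the article: it parses a constructed, netstat-style process list and connection table and flags processes that match those three behaviours. The port numbers, the allow-list of legitimate IRC clients, the fan-out threshold and all sample data are assumptions; the only indicator taken from the article is the file name lockx.exe.

```python
"""Host-side triage for the behaviours the article attributes to W32/Sdbot-ADD.

Added example, not Facetime's or the article's code. Scans a process list and a
connection table (both constructed below) for three signs the article describes:
the dropped file lockx.exe, a non-IRC-client process with an outbound IRC
connection (the remote-control channel), and a single process fanning out SMTP
connections (the worm's own mail engine). Ports and sample data are assumptions.
"""

# Assumed: conventional IRC and SMTP ports. The article does not say which ports the worm uses.
IRC_PORTS = {6667, 6668, 6669, 6697}
SMTP_PORT = 25
# Assumed allow-list of legitimate IRC clients that may hold an IRC connection.
KNOWN_IRC_CLIENTS = {"mirc.exe", "xchat.exe"}
# Distinct mail servers contacted by one process before we call it a mail engine (assumed).
SMTP_FANOUT_THRESHOLD = 5

# Constructed sample: one line per process, "pid name image_path".
SAMPLE_PROCESSES = """\
412 winlogon.exe C:\\WINDOWS\\system32\\winlogon.exe
1337 lockx.exe C:\\WINDOWS\\system32\\lockx.exe
1500 mirc.exe C:\\Program Files\\mIRC\\mirc.exe
1602 outlook.exe C:\\Program Files\\Microsoft Office\\outlook.exe
"""

# Constructed sample: one line per TCP connection, "pid local remote state".
SAMPLE_CONNECTIONS = """\
1337 192.168.1.10:1045 203.0.113.5:6667 ESTABLISHED
1500 192.168.1.10:1046 198.51.100.7:6667 ESTABLISHED
1337 192.168.1.10:1050 203.0.113.20:25 SYN_SENT
1337 192.168.1.10:1051 203.0.113.21:25 SYN_SENT
1337 192.168.1.10:1052 203.0.113.22:25 SYN_SENT
1337 192.168.1.10:1053 203.0.113.23:25 SYN_SENT
1337 192.168.1.10:1054 203.0.113.24:25 SYN_SENT
1337 192.168.1.10:1055 203.0.113.25:25 SYN_SENT
1602 192.168.1.10:1060 192.168.1.2:25 ESTABLISHED
"""


def parse_processes(text):
    """Return {pid: (lowercased name, image path)} from the process listing."""
    procs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, name, path = line.split(" ", 2)  # path may contain spaces
        procs[int(pid)] = (name.lower(), path)
    return procs


def parse_connections(text):
    """Return a list of (pid, remote_host, remote_port) from the connection table."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, _local, remote, _state = line.split()
        host, port = remote.rsplit(":", 1)
        conns.append((int(pid), host, int(port)))
    return conns


def find_indicators(procs, conns):
    """Return sorted (pid, reason) pairs for processes matching the described behaviour."""
    findings = set()
    # 1. The dropped rootkit file named in the article.
    for pid, (name, _path) in procs.items():
        if name == "lockx.exe":
            findings.add((pid, "known dropper/rootkit image name"))
    # 2. Outbound IRC from anything that is not a recognised IRC client.
    for pid, _host, port in conns:
        name = procs.get(pid, ("<unknown>", ""))[0]
        if port in IRC_PORTS and name not in KNOWN_IRC_CLIENTS:
            findings.add((pid, "outbound IRC from non-IRC client %s" % name))
    # 3. One process opening SMTP sessions to many distinct hosts: a built-in mail engine.
    smtp_targets = {}
    for pid, host, port in conns:
        if port == SMTP_PORT:
            smtp_targets.setdefault(pid, set()).add(host)
    for pid, hosts in smtp_targets.items():
        if len(hosts) >= SMTP_FANOUT_THRESHOLD:
            findings.add((pid, "SMTP fan-out to %d hosts" % len(hosts)))
    return sorted(findings)


def triage(process_text=SAMPLE_PROCESSES, connection_text=SAMPLE_CONNECTIONS):
    """Run all three checks over the given (or sample) listings."""
    return find_indicators(parse_processes(process_text), parse_connections(connection_text))


if __name__ == "__main__":
    for pid, reason in triage():
        print("pid %d: %s" % (pid, reason))
```

On the constructed sample only pid 1337 is flagged, for all three reasons; the legitimate mIRC session and Outlook's single SMTP connection are left alone. On a real host the process and connection listings would come from tasklist and netstat -ano (or the equivalent API calls), and a rootkit that hides its process from those tools would also hide it from this script, which is why the article's advice to rebuild a known-infected machine still stands.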

According to Chris Boyd of Facetime, the researcher who first discovered the "Frankenstein-like" malware, it is the combination of parts that marks it out. Several of the adware components it installs had been seen before; what was innovative was the mixture of so many different components, the installation of such a potentially dangerous executable, and the fact that it attacks via the generally unprotected channel of instant messaging.

The infection route was also by way of a link leading to a blank page, in contrast to conventional 'drive-by' infections that dropped malware from real web pages.

Facetime's tests indicated that several antivirus programs were unable to detect the malware. This is not surprising, since most antivirus programs don't monitor the IM channel at all; once on a PC, the malware runs like any other unidentified executable.

“They (the malware writers) will push out many variants in order to confuse things,” said Boyd, describing the outbreak as probably a 'dry-run attempt' for something to come.

He described the new and dangerous W32/Sdbot-ADD malware bundle as being a low-to-medium risk, but one the company was publicising because of its dangerous effects. If it infected a PC, he would consider reformatting the system from scratch, he said.
