
Frankenstein rootkit hits AIM users

Instant-messaging worm a sign of things to come

A potentially destructive worm is targeting users of AOL’s AIM instant-messaging service.

Called W32/Sdbot-ADD by Facetime Security Labs, the vendor that first reported its existence in a less harmful version some weeks ago, this is a worm with a troubling and innovative twist - it installs a rootkit-like backdoor on any system it manages to infect.

An attack starts with an AOL IM user being asked to open a link, apparently at the request of an AOL “buddy” or contact. Clicking on this initiates the infection sequence, which starts with the dropping of a number of adware files and the rootkit software itself, lockx.exe.

Once on the PC, the malware attempts to shut down antivirus software, install software that allows the PC to be remotely controlled by IRC and open a backdoor for future attack. It also contains an SMTP engine with which to collect email addresses.

The vendor has classified it as being the first IM rootkit because of the way it attempts to hide traces of its existence. The rootkit file’s use of IRC is also considered especially dangerous because it allows attackers to execute remote commands.

According to Chris Boyd of Facetime, the researcher who first discovered the “Frankenstein-like” malware, it has strange properties that mark it out. Several of the adware components it installs have been seen before, for instance. What was innovative was the mixture of many different components, the installation of such a potentially dangerous executable, and the fact it attacks via the generally unprotected channel of instant messaging.

The infection route was also by way of a link leading to a blank page, in contrast to conventional 'drive-by' infections that dropped malware from real web pages.

Facetime's tests indicated that several antivirus programs were not able to detect the malware. Equally, most antivirus programs don't monitor the IM channel, so this is not surprising. Once on a PC, the malware runs like any other unidentified executable.

“They (the malware writers) will push out many variants in order to confuse things,” said Boyd, describing the outbreak as probably a 'dry-run attempt' for something to come.

He described the new and dangerous W32/Sdbot-ADD malware bundle as being a low-to-medium risk, but one the company was publicising because of its dangerous effects. If it infected a PC, he would consider reformatting the system from scratch, he said.

