A potentially destructive worm is targeting users of AOL’s AIM instant-messaging service.
Called W32/Sdbot-ADD by Facetime Security Labs, the vendor that first reported its existence in a less harmful version some weeks ago, this is a worm with a troubling and innovative twist - it installs a rootkit-like backdoor on any system it manages to infect.
An attack starts with an AOL IM user being asked to open a link, apparently at the request of an AOL “buddy” or contact. Clicking on this initiates the infection sequence, which starts with the dropping of a number of adware files and the rootkit software itself, lockx.exe.
Once on the PC, the malware attempts to shut down antivirus software, install software that allows the PC to be remotely controlled over IRC, and open a backdoor for future attack. It also contains an SMTP engine with which to collect email addresses.
The vendor has classified it as being the first IM rootkit because of the way it attempts to hide traces of its existence. The rootkit file’s use of IRC is also considered especially dangerous because it allows attackers to execute remote commands.
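The behaviour chain described above (an IM link, the dropped lockx.exe, antivirus tampering, an IRC control channel and SMTP activity) is exactly the kind of sequence a host-event correlation rule can catch even when the antivirus engine does not recognise the file itself. The following Python is an added illustration, not code from Facetime or from the article: it parses constructed sample host events, classifies each into one of the stages the article describes, and flags a host when an IM link click is followed within ten minutes by at least two of the later stages. The event format, field names, hostnames and the antivirus-service name pattern are assumptions made for the example; only the file name lockx.exe comes from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical hosts, users and addresses; the
# key=value format is an assumption, not any real sensor's output).
SAMPLE_EVENTS = [
    "2005-10-20T10:01:02 host=ws-17 type=im_link user=alice url=http://example.invalid/buddy/pic",
    "2005-10-20T10:01:09 host=ws-17 type=process_start image=C:\\WINDOWS\\lockx.exe parent=iexplore.exe",
    "2005-10-20T10:01:15 host=ws-17 type=service_stop name=avservice",
    "2005-10-20T10:01:20 host=ws-17 type=net_conn proto=tcp dport=6667 dst=203.0.113.5",
    "2005-10-20T10:01:30 host=ws-17 type=net_conn proto=tcp dport=25 dst=198.51.100.9",
    "2005-10-20T10:05:00 host=ws-22 type=im_link user=bob url=http://example.invalid/news",
    "2005-10-20T10:06:00 host=ws-22 type=net_conn proto=tcp dport=443 dst=198.51.100.20",
]

# lockx.exe is the rootkit file named in the article; the rest are assumptions.
DROPPED_FILE_NAMES = {"lockx.exe"}
AV_SERVICE_PATTERN = re.compile(r"(av|antivirus|defender|mcafee|norton|symantec)", re.I)
IRC_PORTS = set(range(6660, 6670)) | {7000}
SMTP_PORT = 25
WINDOW = timedelta(minutes=10)  # how long after the link click later stages still count


def parse_event(line):
    """Split '<iso-timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def classify(ev):
    """Map one event to a stage of the infection chain, or None if unrelated."""
    kind = ev["type"]
    if kind == "im_link":
        return "im_link"
    if kind == "process_start":
        # Compare only the file name so the drop directory does not matter.
        name = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in DROPPED_FILE_NAMES:
            return "dropper"
    if kind == "service_stop" and AV_SERVICE_PATTERN.search(ev["name"]):
        return "av_tamper"
    if kind == "net_conn":
        port = int(ev["dport"])
        if port in IRC_PORTS:
            return "irc_c2"
        if port == SMTP_PORT:
            return "smtp_engine"
    return None


def correlate(lines, window=WINDOW):
    """Return {host: sorted stages} for hosts where an IM link click is
    followed within `window` by at least two distinct later stages."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage))

    findings = {}
    for host, events in by_host.items():
        events.sort()
        for ts, stage in events:
            if stage != "im_link":
                continue
            follow = {s for t2, s in events if ts < t2 <= ts + window and s != "im_link"}
            if len(follow) >= 2:
                findings[host] = sorted(follow)
    return findings


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: IM link followed by {', '.join(stages)}")
```

Requiring two distinct follow-on stages rather than one keeps a single outbound mail connection or a single IRC session from raising an alert on its own; the combination of a clicked IM link, a known dropped file name, an antivirus service stopping and an IRC connection within minutes is what makes the sequence worth a response.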
According to Chris Boyd of Facetime, the researcher who first discovered the “Frankenstein-like” malware, it has strange properties that mark it out. Several of the adware components it installs have been seen before, for instance. What was innovative was the mixture of many different components, the installation of such a potentially dangerous executable, and the fact it attacks via the generally unprotected channel of instant messaging.
The infection route was also by way of a link leading to a blank page, in contrast to conventional 'drive-by' infections that dropped malware from real web pages.
Facetime's tests indicated that several antivirus programs were not able to detect the malware. This is not surprising, since most antivirus programs also don't monitor the IM channel: once on a PC, the malware runs like any other unidentified executable.
“They (the malware writers) will push out many variants in order to confuse things,” said Boyd, describing the outbreak as probably a 'dry-run attempt' for something to come.
He described the new and dangerous W32/Sdbot-ADD malware bundle as being a low-to-medium risk, but one the company was publicising because of its dangerous effects. If it infected a PC, he would consider reformatting the system from scratch, he said.