Worms that use instant messaging services to spread from computer to computer are not exactly new. At least one security firm, BitDefender, actually identified the new threat as being a variant of an older worm known as Palevo. Bkis detects it as W32.Ymfocard.fam.Botnet and Symantec names it W32.Yimfoca. These names all refer to the same malware, though, which has some rather typical but potentially devastating behavior.
First of all, the worm uses a very simple social engineering technique to reach new victims. It all starts when a user receives a specially crafted instant message from one of their friends on the Yahoo! Messenger application. The message looks like this:

foto :D http://www.example.com/image.php

Not suspecting that the message was sent by the worm running on the friend's infected computer rather than by the friend, the user clicks on the link, and the browser then prompts to download a file that looks like a JPG image, called IMxxxxx.JPG-www.myspace.com.exe (the digits that replace "xxxxx" vary). It is actually an executable file which, when run, installs the worm.
To make it look less suspicious, the first time the file is accessed the victim's browser is opened and redirected to http://browseusers.myspace.com/Browse/Browse.aspx, an actual MySpace Web page containing pictures. Unfortunately, at the same time the worm modifies the Windows registry: it adds itself to the firewall exceptions, disables the Windows Update service, and configures itself to run at Windows startup. It also drops the winbrd.jpg file and copies itself as infocard.exe, both in the %WinDir% folder.
And of course, the worm searches for the Yahoo! Messenger application and starts sending the same bogus picture message to all of the victim's contacts.
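The infection chain above gives a defender three things to look for: the lure message, the deceptive file name, and the host artifacts left behind. The following script is an added example (not from the article or from any vendor named in it) that turns those observations into checks. The regular expressions, the generalised double-extension rule (an image extension hiding a trailing executable extension), the service name "wuauserv" for Windows Update, and all sample inputs are assumptions constructed here; the file names infocard.exe and winbrd.jpg and the IMxxxxx.JPG-www.myspace.com.exe pattern come from the article.

```python
import re

# 1. The lure: a short "foto :D" text followed by a link to an image.php page.
LURE_RE = re.compile(r"^\s*foto\s*:D\s+(https?://\S+/image\.php)\s*$", re.IGNORECASE)

# 2. The dropped file name from the article: IM<digits>.JPG-www.myspace.com.exe.
#    The ".JPG-" and the trusted-looking domain are there to hide the real .exe.
DROPPED_NAME_RE = re.compile(r"^IM\d+\.JPG-www\.myspace\.com\.exe$", re.IGNORECASE)

# 3. The general trick (assumed generalisation): an image extension somewhere in the
#    name, followed by a separator, with an executable extension at the very end.
IMAGE_EXTS = ("jpg", "jpeg", "gif", "png", "bmp")
EXEC_EXTS = ("exe", "scr", "com", "pif", "bat", "cmd")
DOUBLE_EXT_RE = re.compile(
    r"\.(%s)(?=[.\-_]).*\.(%s)$" % ("|".join(IMAGE_EXTS), "|".join(EXEC_EXTS)),
    re.IGNORECASE,
)


def classify_message(text):
    """Return 'lure' if an IM text matches the worm's bogus picture message, else 'ok'."""
    return "lure" if LURE_RE.match(text) else "ok"


def classify_download_name(name):
    """Classify a downloaded file name by how deceptive its extension is."""
    if DROPPED_NAME_RE.match(name):
        return "known-dropper-name"
    if DOUBLE_EXT_RE.search(name):
        return "image-disguised-executable"
    if name.lower().rsplit(".", 1)[-1] in EXEC_EXTS:
        return "executable"
    return "benign"


def assess_host(windir_files, run_entries, services, firewall_exceptions):
    """Return a list of findings from a host snapshot.

    The arguments are snapshots handed in by the caller (file names in %WinDir%,
    autostart registry values, a service-name -> start-type map, firewall
    exception paths); this function does not query a live system.
    """
    findings = []
    lowered = {f.lower() for f in windir_files}
    if "infocard.exe" in lowered:
        findings.append("infocard.exe present in %WinDir%")
    if "winbrd.jpg" in lowered:
        findings.append("winbrd.jpg present in %WinDir%")
    for value in run_entries:
        if "infocard.exe" in value.lower():
            findings.append("autostart entry points at infocard.exe")
    # "wuauserv" is the Windows Update service name (assumed; not named in the article).
    if services.get("wuauserv", "").lower() == "disabled":
        findings.append("Windows Update service disabled")
    for path in firewall_exceptions:
        if path.lower().endswith("infocard.exe"):
            findings.append("firewall exception for infocard.exe")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not captured data.
    for msg in ("foto :D http://www.example.com/image.php", "lunch tomorrow?"):
        print(repr(msg), "->", classify_message(msg))
    for name in ("IM23451.JPG-www.myspace.com.exe", "holiday.jpg.exe", "holiday.jpg"):
        print(name, "->", classify_download_name(name))
    snapshot = assess_host(
        windir_files=["explorer.exe", "infocard.exe", "winbrd.jpg"],
        run_entries=['"C:\\Windows\\infocard.exe"'],
        services={"wuauserv": "Disabled"},
        firewall_exceptions=["C:\\Windows\\infocard.exe"],
    )
    for finding in snapshot:
        print("FINDING:", finding)
```

The double-extension rule is deliberately broader than the one file name in the article: a mail or IM gateway that only matched the exact IMxxxxx name would be blind to the next variant, whereas any "looks like an image, ends in .exe" name is worth holding for review regardless of the worm family.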
If the worm is indeed a variant of Palevo, as BitDefender claims, its payload may also include a backdoor, which "allows remote attackers to seize control over the compromised computer and do whatever they want with it – from installing additional malware and swiping files to launching spam campaigns and malware offensive on other systems." Palevo would even be able to harvest login credentials as they are entered in the Firefox or Internet Explorer browsers.
In addition, it could spread much like the devastating Conficker worm did, through networks and USB devices, using their Autorun feature. P2P sharing platforms such as BearShare, Kazaa and LimeWire are also possible transmission vectors, as the worm could inject its code into shared files. But however it propagates, the new worm does it fast. BitDefender has reported that in countries like Romania, Mongolia or Indonesia, "during the very beginning of the outbreak [they] have witnessed rates of infection which easily exceeded 500 percent per hour."
The general advice is, as usual, to keep up-to-date, trusted antivirus software active at all times. We are also used to distrusting suspicious links in emails from unknown senders, but this worm shows that even links that seem to come from friends may be malicious. Users of Yahoo! Messenger, and of other instant messaging services as well, are strongly advised to ask their contacts whether they really sent the link when an unexpected message arrives. A simple question could save a lot of headaches.
For now, it is still not clear what the purpose of the worm is. It could serve to build a botnet, for instance, for launching large-scale attacks or spam campaigns.