A new breed of malicious IM bot is duping users into activating and spreading IM worm payloads through interactive chat, according to IMLogic.
A malicious bot dubbed “IM.Myspace04.AIM” is being broadcast over the AOL Instant Messaging network. Once one computer is infected, the bot targets its next victim with messages that appear to come from a friendly source. That message attempts to persuade the recipient to download malicious content.
“If I am an infected AOL user and you are on my buddy list, it would appear that I was sending you a message encouraging you to click on a malicious link that would download payload,” Andrew Burton, Director of Product Management for IMLogic, told TechNewsWorld. “What’s different about this attack is that if you respond, the bot would talk back to you on my behalf without me knowing it.”
No Laughing Matter
When recipients of the malicious message reply to the infected user, the bot running on the infected machine sends follow-up messages that include “lol no its not its a virus.” But nothing could be further from the truth. If a victim clicks on the link, it downloads a Program Information File (PIF) onto their computer and sets off a number of malicious activities.
The victim’s local operating system interprets the PIF as a shortcut and then creates an executable in real time. That executable, said Burton, is able to wreak havoc on your system.
It begins by disabling your desktop security solution. It continues its scam by creating or deleting system files, which can cause the user's machine to become unstable. It could also cause the loss of critical data on the infected machine. But Burton said its third function is perhaps the most malicious.
“Once you have a hacker’s executable running on your machine, that executable has system access to do things like open up backdoors and try to steal data from you,” Burton said. “So it becomes a very malicious infection.”
Virus Strategy Shift
While IM.Myspace04.AIM leverages social engineering techniques similar to those of other IM worms, Burton said this new breed of malicious bot attacks represents a shift toward interactive communication with intended targets, more effectively simulating a live user and thereby increasing infection rates.
As consumer bots such as the recently released AOL MovieFone and ShoppingBuddy bots gain popularity, he said hackers have also recognized the potential for bot technology to assist in their attacks on unsuspecting users.
“Because it is an interactive bot the effectiveness of you clicking on this link increases,” Burton said. “We expect to see more sophisticated IM attacks like this occurring.”
Protecting Your Messaging
IMLogic recommends that organizations strengthen their security protection by ensuring that all desktop antivirus solutions are updated, that the latest security patches have been applied, and that all out-of-date IM clients have been blocked from accessing relevant IM networks.
“Unlike e-mail, where in many instances there is a delay of propagation and infection, the real-time nature of IM creates a unique threat,” Burton said. “The people on your buddy list are all online and publishing their presence. Everybody knows exactly who is online and what their status is. As an attacker that’s very appealing.”