Tuesday, August 19, 2008

MALWARE exploiting Messenger & social network

One of the most interesting developments in 2007 was the appearance of worms for instant messenger applications. Instant messenger applications have become very popular, but users rarely perceive them as potential infection vectors. Although IM-worms were detected prior to 2007, the start of the year brought a noticeable increase in this type of malware.
An analysis of the IM-worms detected so far this year provides some data on possible future trends.
As Table 1 shows, most new IM-worms target MSN Messenger, which is extremely popular in the United States, but almost never used in Russia. All the worms except for Atlex are written in Visual Basic.

These two facts taken together seem to indicate that IM-worms are at the initial stage of evolution. And the fact that the vast majority of the worms are written in Visual Basic demonstrates that most of the authors are fairly new to the virus writing scene and are relatively inexperienced programmers. VB is one of the easiest programming languages to master, but it's unsuitable for serious projects because it produces large files and, as a result, relatively slow code.

The obvious preference for MSN suggests that new worms were based on earlier samples. A detailed analysis of the worms' code by Kaspersky Lab virus analysts confirms this hypothesis. The source code for some early IM-worms was also published on a number of virus writers' sites, and most of the new worms are clearly based on this code. The evidence currently points to IM-worms being the domain of script-kiddies.

This situation is effectively a repeat of the evolution of P2P-worms between 2002 and 2004. When P2P worms first appeared, they were also mostly written in Visual Basic and also targeted one P2P client, Kazaa, the most popular client at the time. As P2P-worms were simple to create, and spread rapidly, several hundred families appeared, with numerous versions in each. The increase in this type of malware reached its peak in 2003, with more than 10 new versions being detected every week.

Kaspersky Lab monitored P2P networks closely during the upsurge in P2P-worms and analysis showed that almost every second file in the Kazaa file-sharing network was a P2P-worm. During that period most email-worms used file-sharing networks as a secondary channel for propagation. However, the rapid evolution of P2P-worms slowed dramatically in 2004 and they currently comprise an insignificant percentage of contemporary malware. It seems likely that IM-worms will have the same life cycle.

One of the most interesting aspects of IM-worms is the way in which the worm files are delivered to the victim machine. Despite the fact that instant messaging services allow file transfer, for some reason virus writers are not utilizing it as a method of infection, possibly because they find it overly complex. Instead, they all (with the exception of Aimes) use a technique pioneered by email-worms in 2004: a link to an infected website containing the body of the worm is sent to the recipient, instead of a message with an attached file containing the worm's body. The user believes that the link is from a trusted source, as the worms send their links to contacts harvested from the local contact list. This makes the user more likely to visit the site in question. The worm penetrates victim systems either by exploiting Internet Explorer vulnerabilities or simply by downloading and installing the malicious code.

Given the fact that IM-worms have demonstrated their ability to propagate and spread, it seems self-evident that system administrators and security managers should be focusing their attention on the potential threat which IM applications represent. One option would be to forbid the use of IM applications in enterprise settings until security improves. Monitoring incoming HTTP traffic for malicious code (which should be part of any responsible security policy) will block those worms which penetrate via browser vulnerabilities.
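The propagation pattern described above (one account pushing the same link to every harvested contact, with the link pointing straight at an executable) is something a defender can look for in IM gateway or proxy logs. The following is an added example, not code from the original post or from Kaspersky Lab; the log line format, the account names, the `example.invalid` URLs and the thresholds (`min_recipients`, `window`) are all constructed assumptions for illustration.

```python
"""Detect IM-worm-style link fan-out in constructed IM gateway logs.

Added example (not from the original post or Kaspersky Lab's analysis).
Heuristic taken from the post: a worm sends the same link to every contact
harvested from the local contact list, so one account emitting a single URL
to many distinct recipients inside a short window is worth an alert, and
a link that ends in an executable extension raises the severity.
The log format used here is a constructed, hypothetical one.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (hypothetical gateway format):
# <ISO timestamp> <sender> -> <recipient>: <message text>
SAMPLE_LOG = """\
2008-08-19T10:00:01 alice -> bob: hey are we still on for lunch?
2008-08-19T10:00:05 mallory -> bob: lol check this http://example.invalid/pics/photo.jpg.exe
2008-08-19T10:00:06 mallory -> carol: lol check this http://example.invalid/pics/photo.jpg.exe
2008-08-19T10:00:06 mallory -> dave: lol check this http://example.invalid/pics/photo.jpg.exe
2008-08-19T10:00:07 mallory -> erin: lol check this http://example.invalid/pics/photo.jpg.exe
2008-08-19T10:00:08 mallory -> frank: lol check this http://example.invalid/pics/photo.jpg.exe
2008-08-19T10:02:30 bob -> alice: sure, here's the menu http://example.invalid/menu.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+): (.*)$")
URL_RE = re.compile(r"https?://\S+")

# Extensions that mean the link delivers a program body rather than a page.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def parse_log(text):
    """Yield (timestamp, sender, recipient, url) for every line carrying a URL."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, sender, recipient, body = m.groups()
        for url in URL_RE.findall(body):
            yield datetime.fromisoformat(ts), sender, recipient, url


def find_fanout(text, min_recipients=4, window=timedelta(seconds=60)):
    """Return {(sender, url): sorted recipients} for each sender that pushed the
    same URL to at least min_recipients distinct contacts within one window."""
    events = defaultdict(list)  # (sender, url) -> [(timestamp, recipient), ...]
    for ts, sender, recipient, url in parse_log(text):
        events[(sender, url)].append((ts, recipient))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        # Slide a window over the sorted events and count distinct recipients.
        for i, (start, _) in enumerate(evs):
            seen = {r for t, r in evs[i:] if t - start <= window}
            if len(seen) >= min_recipients:
                hits[key] = sorted(seen)
                break
    return hits


def is_executable_link(url):
    """True when the URL path ends in an executable extension (case-insensitive)."""
    path = url.split("?", 1)[0].split("#", 1)[0].lower()
    return path.endswith(EXECUTABLE_SUFFIXES)


def report(text):
    """Combine the fan-out and executable-link signals into alert records."""
    alerts = []
    for (sender, url), recipients in find_fanout(text).items():
        alerts.append({
            "sender": sender,
            "url": url,
            "recipients": recipients,
            "executable_link": is_executable_link(url),
        })
    return alerts


if __name__ == "__main__":
    for alert in report(SAMPLE_LOG):
        print(alert)
```

On the constructed log the only alert is for `mallory`, who sent one `.exe` link to five contacts within three seconds; `bob` sharing a single `.html` link with one contact is not flagged. The thresholds are deliberately conservative defaults and would need tuning against a real gateway's normal link-sharing rate.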

The majority of IM-worms also install other malware on the victim machine. IM-worm.Bropia, the family with the most versions at the time of writing, installs Backdoor.Win32.Rbot on the infected machine, turning it into a zombie machine in a bot network.
