AIM Worm Mimics Talking IM Bots

A new malicious worm squirming through America Online's AIM network has the ability to carry on an interactive chat session with potential victims.

A new malicious worm squirming through America Online Inc.s AIM network has the ability to carry on an instant messaging conversation with potential victims.

Researchers at IMLogic Inc.s Threat Center spotted the new threat and warned that virus writers are continuing to push the social engineering envelope to trick computer users into downloading nasty malware programs.

The newest worm, identified as IM.Myspace04.AIM, is coded to chat and persuade the victim to click on a malicious URL embedded in the IM message.

If the first attempt at infection is unsuccessful and the victim replies to doubt the legitimacy of the link being sent, the worm replies with the following message: "lol no its not its a virus."

Like other IM worms spreading over AOLs instant messaging network, the bot uses an infected users buddy list to propagate itself, carrying on a conversation with new victims without the infected users knowledge.

"This sophisticated bot attack is programmed such that infected users cannot see the messages the worm is sending on their behalf. When recipients of the malicious message reply to the infected user, the bot running on the infected machine sends follow-up messages," IMlogic said in an advisory.

By ratcheting up the level of social engineering techniques, the company said the new breed of malicious bot attacks represents a shift toward interactive communication with intended targets, more effectively simulating a live user and thereby increasing infection rates.

The appearance of a talking worm comes on the heels of AOL and Microsoft Corp. releasing legitimate IM bots on the IM networks. Two consumer bots from AOL—MovieFone and ShoppingBuddy—were added to the buddy lists of AIM users last month as part of the companys use of IM Robots to deliver news and other content on behalf of advertising partners.

Interactive IM bots have been around for years, but this is the first sign that malware writers are latching onto the concept to use in social engineering attacks.

"As [consumer] bots gain popularity, hackers have also recognized the potential for bot technology to assist in their attacks," IMlogic said.

The talking worm is just one of two new threats targeting AIM users. Akonix Systems Inc. has issued an alert for a worm posing as a holiday greeting card to lure users into launching a harmful executable.

Akonix identified the worm as W32/Aimdes.E and warned that the worm is executed once the IM user clicks on a link purporting to be a greeting card.

/zimages/6/28571.gifPhishers slip through Web loopholes. Click here to read more.

Upon execution, this memory-resident worm propagates and sends the following message to other users listed on the infected users buddy list:

The user has sent you a Greeting Card, to open it visit: http://g{BLOCKED}

Once the link is clicked, the worm automatically installs itself on the affected system and opens random ports to receive instructions from a remote attacker. Aimdes.E also comes with a built-in IRC (Internet Relay Chat) client engine that connects the machine to an IRC channel to wait for several commands from a malicious user. This routine then compromises system security.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.