The sudden appearance of a rootkit file in a spyware-laden IM worm attack has set off new fears that malicious hackers are sophisticated enough to launch a fully automated worm attack against instant messaging networks.
In the most recent attack aimed at users of America Online Inc.s AIM network, the "lockx.exe" rootkit file was bundled with a new variant of the W32/Sdbot Trojan to create a nasty mix of hidden malware.
This is the first detection of SDBot squirming through IM chat windows, and the addition of a rootkit program is causing raised eyebrows among security researchers and worm watchers.
"The situation is ripe for a fully automated worm to cause some serious damage," said Jose Nazario, senior software engineer at Arbor Networks Inc., a network security firm based in Lexington, Mass.
Nazario, a worm researcher and author who tracks malicious activity on the Worm Blog, said the appearance of SDBot in an IM attack highlights a rapidly emerging trend for malware: Bootstrap onto the system, download a number of tools including a rootkit and spyware, use an IRC (Internet Relay Chat) network to control the botnet, and continue propagating.
"Im really surprised we havent seen a fully automated worm on these IM networks. To me, its begging to happen," Nazario said in an interview with Ziff Davis Internet News. "Pretty soon, someone will find a way to package one of these attacks with an unpatched vulnerability to cause some real problems."
Nazario said the IM worm writers have mastered the art of commandeering a users buddy list to spread the malware bundles via URLs that must be clicked.
"Once we start seeing AIM or MSN Messenger exploits packaged into these, well see a fully automated IM worm. But, so far that hasnt yet happened on a large scale, and I dont know why. I think its only a matter of time before some enterprising malware author decides to break down that barrier," Nazario added.
Chris Boyd, who broke the SDBot code and discovered the hidden rootkit for FaceTime Communications Inc., echoed Nazarios fears.
"Before long, someone will come up with something capable of doing massive damage. There are some pretty horrific rootkits out there at the moment that are completely undetectable. Were now seeing them all coming together and its not looking good," said Boyd, a well-known security researcher who uses the "paperghost" moniker.
"Ive noticed over the past six months or so, the malware writers are moving away from the standard Web page drive-bys and finding new avenues to deliver the nasties. Weve seen it with BitTorrent and were seeing it more and more with IM," Boyd added.
Boyd said he believes the inclusion of a rootkit file in the spyware bundle was a deliberate "sleight-of-hand tactic" to drop the backdoor Trojan on compromised machines.
"Its a very slick move. While were all complaining about the pop-ups and spyware, no one notices the nasty rootkit that puts your entire computer in the hands of someone on IRC," he added.