The sudden appearance of a rootkit file in a spyware-laden IM worm attack has set off new fears that malicious hackers are sophisticated enough to launch a fully automated worm attack against instant messaging networks.
In the most recent attack aimed at users of America Online Inc.s AIM network, the “lockx.exe” rootkit file was bundled with a new variant of the W32/Sdbot Trojan to create a nasty mix of hidden malware.
This is the first detection of SDBot squirming through IM chat windows, and the addition of a rootkit program is causing raised eyebrows among security researchers and worm watchers.
“The situation is ripe for a fully automated worm to cause some serious damage,” said Jose Nazario, senior software engineer at Arbor Networks Inc., a network security firm based in Lexington, Mass.
Nazario, a worm researcher and author who tracks malicious activity on the Worm Blog, said the appearance of SDBot in an IM attack highlights a rapidly emerging trend for malware: Bootstrap onto the system, download a number of tools including a rootkit and spyware, use an IRC (Internet Relay Chat) network to control the botnet, and continue propagating.
“Im really surprised we havent seen a fully automated worm on these IM networks. To me, its begging to happen,” Nazario said in an interview with Ziff Davis Internet News. “Pretty soon, someone will find a way to package one of these attacks with an unpatched vulnerability to cause some real problems.”
Nazario said the IM worm writers have mastered the art of commandeering a users buddy list to spread the malware bundles via URLs that must be clicked.
“Once we start seeing AIM or MSN Messenger exploits packaged into these, well see a fully automated IM worm. But, so far that hasnt yet happened on a large scale, and I dont know why. I think its only a matter of time before some enterprising malware author decides to break down that barrier,” Nazario added.
Chris Boyd, who broke the SDBot code and discovered the hidden rootkit for FaceTime Communications Inc., echoed Nazarios fears.
“Before long, someone will come up with something capable of doing massive damage. There are some pretty horrific rootkits out there at the moment that are completely undetectable. Were now seeing them all coming together and its not looking good,” said Boyd, a well-known security researcher who uses the “paperghost” moniker.
“Ive noticed over the past six months or so, the malware writers are moving away from the standard Web page drive-bys and finding new avenues to deliver the nasties. Weve seen it with BitTorrent and were seeing it more and more with IM,” Boyd added.
Boyd said he believes the inclusion of a rootkit file in the spyware bundle was a deliberate “sleight-of-hand tactic” to drop the backdoor Trojan on compromised machines.
“Its a very slick move. While were all complaining about the pop-ups and spyware, no one notices the nasty rootkit that puts your entire computer in the hands of someone on IRC,” he added.
Increased Multimedia Functions Mean
Boyd said the “lockx.exe” rootkit has been programmed to connect to an IRC server to listen for commands from a remote attacker.
The Windows kernel rootkit can also be used to hide log-ins, processes, files, and logs. It may include software to intercept data from terminals, network connections, and the keyboard.
Earlier this year, Microsoft Corp. became so worried that its MSN Messenger network could be used in an automated worm attack, it pushed out patched versions of the software as a mandatory update.
At the time, exploit code that could be used in widespread attack was circulating on underground Web sites just 24 hours after Microsoft released the software patch.
Tyler Wells, senior director of engineering for FaceTime Communications Inc., said buffer overflows in IM applications are a recipe for disaster.
“Weve already seen documentation for some serious code-execution vulnerabilities in IM applications. If you put it all together, youll see were not that far away from an automated IM attack where infections dont require the user to click on anything,” Wells said.
“The attackers will start looking for exploits within the IM itself. Now were seeing the IM clients become more than just a text chat tool. AIM now has the ability to load an image on top of the buddy list and play music without a click. All the messaging clients today are bundling a lot of different applications like VOIP, file transfer, image sharing, Internet radio. Those add-ins all have their own security concerns,” Wells said in an interview.
“When you bundle third-party functionality into the program, you expand the client footprint, but youre also in inheriting all the security problems,” he added.
Arbor Networks Nazario said there has been detailed research work done to show that an automated IM worm could spread over IM rapidly. “In the worst case scenario, research has shown that all vulnerable clients online at a time could get infected in a matter of seconds.”
“Whether we see that in practice is debate. But the results of simulations and analysis were striking. If someone is able to operationalize a worm that propagates without user intervention, we would be in for a very massive attack,” Nazario said.
“A fully automated, rampant IM worm can happen at any time. Im actually very surprised its not out there yet. Its a very attractive way to drop malware behind an enterprise security system quickly and efficiently,” he added.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.