AIM Worm Spreads

Security firm traces source to Middle East hackers.

The W32/Sdbot-ADD worm infecting some users of AOL Instant Messenger is more dangerous than previously thought, according to Facetime Security Labs, the researchers who discovered the worm in October.

The rootkit installed by the worm, lockx.exe, is allowing systems to be further compromised by a group of attackers based in the Middle East, according to Facetime researchers. The attackers are installing additional malicious code capable of stealing personal information, according to the group.

At least tens of thousands of systems appear to be infected, Facetime said. The company's president and chief executive, Kailash Ambwani, said that the network of infected machines could, like other large botnets, be used to carry out denial of service attacks against particular Web sites.

"We have delivered detailed research information to the U.S. federal authorities and are fully cooperating with their efforts," Ambwani said in a statement.

Facetime has published an online scanning tool that can detect and disable lockx.exe, the company said.


How Worm Works
The worm attacks via AIM, asking users to open a link, apparently at the request of one of the user's "buddies" or contacts. Clicking on this the initiates infection sequence, which starts with the dropping of a number of adware files, and the rootkit software itself, lockx.exe.

Once on the PC, the malware attempts to shut down antivirus software, install software that allows the PC to be remotely controlled by IRC, and open a backdoor for future attack. It also contains an SMTP engine with which to collect email addresses.

Facetime's newer research has found that lockx.exe is being actively used as a backdoor to install additional malware on systems. The additional malware can steal usernames, passwords ,and other information, and can be controlled via the IRC messaging system, Facetime said.

One of the files installed via lockx.exe, called ster.exe, specifically allows attackers to upload, download and monitor the infected PC, said Facetime. Other files allow theft of Outlook Express passwords, keystroke logging, and launching additional attacks on Web sites or networks.

A group in the Middle East appears to be behind the additional malware, according to Facetime. The group has compromised servers in various countries around the world to distribute the new malware.



Related Links:

• Go back to category System & Utilities to read more reviews and articles.
• Go back to Software Magazine's main page.