Research

AdWare or Worm?

Around the end of August we started to see the next logical step in the evolution of IM malware.

People were complaining about a new IM-Worm. The message which the user receives is actually a link, which when clicked takes the user to a site where a specific piece of IM related software can be downloaded.

There is a single executable which is responsible for spreading these promotional links for this software site across the AOL, MSN and Yahoo instant messaging networks. You guessed it, the first AdWare which spreads via IM.

But it gives rise to a very interesting question: are we dealing with AdWare or with an IM-Worm?

The EULA for the IM related software does explicitly state that this software will send messages to all contacts in the user’s IM client. Because of this, and the way in which the program spreads, it could be classified as AdWare. However, the executable file is designed purely to spread the site link, and it doesn’t warn the user of its behaviour.

We therefore decided to classify this file as an IM-Worm. We may see similar files in the future and these files might be classified differently because of the way in which they behave.

The company has now changed its policy, and is offering the IM related software without this feature. Why, we don’t know. But there is nothing to stop other vendors picking up on this approach and using it to promote their products.

AdWare or Worm?

Your email address will not be published. Required fields are marked *

 

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox