Research

IM malware diversifying

In the last week or so, new trends in using IM (instant messaging) applications to spread malicious code have been on the rise.

Firstly, we’ve been seeing IRCBots which have the ability to spread via AOL Instant Messenger.

Some of these bots get classified as IM-Worms. But in my opinion, these are standard IRCBots which we see every day. It’s just that they have added functionality and the remote malicious user has the ability to tell the bot to start the IM spreading routine.

The bot’s code contains a text sentence, which in turn contains an html link. The remote malicious user fills this link with the url of his/ her choice – what the AOL user receives is the sentence complete with link. There’s a wide variety of sentences used.

As AIM supports HTML, it’s not surprising that it’s being exploited for malicious purposes. And it’s yet another reason not to use HTML in normal messaging.

Secondly, we’ve spotted a new version of IM-Worm.Win32.Bropia, Bropia.ad, which utilizes yet another tactic.

Bropia.ad copies itself – using a range of different filenames – to the shared directories of popular P2P programs, which obviously means it has P2P-Worm capabilities.

As P2P is a popular way of spreading and not that difficult to implement, the addition of such a propagation routine was only a matter of time.

Now we’re on the lookout for the next new tactic which blackhats will think up. As IM malware continues to evolve, new approaches are a matter of sooner, rather than later.

IM malware diversifying

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox