IM malware diversifying

In the last week or so, new trends in using IM (instant messaging) applications to spread malicious code have been on the rise.

Firstly, we’ve been seeing IRCBots which have the ability to spread via AOL Instant Messenger.

Some of these bots get classified as IM-Worms. But in my opinion, these are standard IRCBots which we see every day. It’s just that they have added functionality and the remote malicious user has the ability to tell the bot to start the IM spreading routine.

The bot’s code contains a text sentence, which in turn contains an html link. The remote malicious user fills this link with the url of his/ her choice – what the AOL user receives is the sentence complete with link. There’s a wide variety of sentences used.

As AIM supports HTML, it’s not surprising that it’s being exploited for malicious purposes. And it’s yet another reason not to use HTML in normal messaging.

Secondly, we’ve spotted a new version of IM-Worm.Win32.Bropia, Bropia.ad, which utilizes yet another tactic.

Bropia.ad copies itself – using a range of different filenames – to the shared directories of popular P2P programs, which obviously means it has P2P-Worm capabilities.

As P2P is a popular way of spreading and not that difficult to implement, the addition of such a propagation routine was only a matter of time.

Now we’re on the lookout for the next new tactic which blackhats will think up. As IM malware continues to evolve, new approaches are a matter of sooner, rather than later.