AOL Instant messaging worm builds menacing 'botnet'
If you use AOL Instant Messenger, or another IM client that is capable of connecting to the AIM network and downloading files, you should read this security alert.
A computer worm that spreads via instant messaging is being used to build an extensive "botnet" of remote-controlled PCs, a US security firm has warned.
Security experts at US company FaceTime identified the worm as "W32.pipeline" and warned that it spreads via AOL's instant messenger program.
The worm disguises a malicious executable program as a jpeg image, which is attached to an instant message that appears to come from someone on the recipient's AOL "buddy list".
Typically, the picture is accompanied by the message, "hey would it be ok if I upload this picture of you to my blog?" although another similar message may also be used.
Ultimate goal
If the recipient tries to open the image, the executable installs a program on their PC. This forwards the executable on to other contacts on their buddy list and also enables connections to several remote computers. It then tries to download another program that allows an
outsider control the infected machine.
FaceTime's director of malware research Chris Boyd says the goal appears to be creating a huge network of remote-controlled machines, known as a "botnet". As of Thursday, Boyd estimates W32.pipeline had amassed botnet between 1000 and 2000 machines.
Botnets may be used to send out huge quantities of junk e-mail or attack business websites with an avalanche of data, in a so-called distributed "denial-of-service" attack, which may be linked to extortion.
Click fraud
Botnets can also be used to commit "click fraud", which involves ordering the zombie machines to repeatedly click internet advertisements, to generate money for a company's that is paid per click.
"The ultimate goal of the W32.pipeline is to create a sophisticated botnet that can be used for a range of malicious purposes," FaceTime said in a security alert issued on Tuesday.
Boyd and other researchers posted details of the worm, including screenshots and "attack scenarios" to the company's blog http://blog.spywareguide.com.
They note that the botnet created using the worm, which is controlled via Internet Relay Chat (IRC) servers, is particularly sophisticated and uses a complicated "install chain" to schedule file uploads to infected machines.
Spyware Doctor is a multi-award winning spyware removal utility that detects, removes and protects your PC from thousands of potential spyware, adware, Trojans, keyloggers, spybots and tracking threats.
Spyware Doctor is fully capable of detecting and removing hidden processes associated with complex threats and rootkits. Such threats are otherwise difficult to remove by conventional means since they may be hidden to the operating system.
A Startup Scanner removes references to malicious programs that run at startup in the registry and Windows startup files, as well as malicious files in Windows startup locations.
State-of-the-art scanning engines, including file scan, memory scan, registry scan, browser helper objects scan, cookie scan and much more.
