From: InfoSec News (alertsinfosecnews.org)
Date: Wed Jul 19 2006 - 00:19:45 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9001846

By Darren Pauli
Computerworld Australia
July 18, 2006

Paris Hilton being exploited? It's hard to believe. But virus writers are
becoming more sophisticated in their use of celebrities such as Hilton to
entice users to unknowingly install malware.

It may be hard to understand how any reasonable user could believe that
Paris Hilton is inviting him to chat on instant messaging or to receive a
copy of that video via e-mail, but they do -- or maybe they're just
hopeful.

The IRCbot and IM-Worm-based Kelvir families, made famous by the use of
videos and images of Hilton, are becoming more sophisticated, according to
antivirus vendor Kaspersky Labs.

To date, celebrities, security and law enforcement agencies and
politicians have been used to create fast, high-profile infections in
devices using IM programs, the company's senior research engineer Roel
Schouwenberg said.

But bot masters are now controlling malware distribution and execution by
separating the worm from the back door.

"The worm will only start spreading when the IRC operator (the bot master)
gives a specific command in the channel, or to one specific victim
machine," Schouwenberg said. "It should be noted that in such cases, the
worm spreads as a link to the backdoor, not to itself."

IM malware evolved from basic IRCBot installers such as Bropia and Kelvir,
to Prex which uses links to separate worm and bot, to social-engineered
"chatboxes", which incorporate messages to fool users into thinking Hilton
is offering her explicit personal imagery, or that the FBI will confiscate
your PC unless you visit a Web site.

These may lure more users into responses that lead to infection, but such
infections are inevitably terminated due to high media attention which
result in the quick release of fixes.

Schouwenberg says the use of .php dynamic content to steal e-mail
addresses led to a leap in IM hacking.

"The most common scenario in the case of IM worms is that the e-mail
address will be stored in a database for spamming purposes, then an
executable will be presented to the user for download," he said.

He said new IM malware, such as IRCBot.lo, controls botnet size unlike
earlier Kelvir variants that spread uncontrollably.

Story copyright 2006 Computerworld New Australia. All rights reserved.

_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]