New worm uses IM to lure victims

A new version of the worm that spread from infected Microsoft Internet Information Services (IIS) Web servers in June has been identified and is using instant messages (IMs) and infected Web sites in Russia, Uruguay and the U.S. to spread itself, according to one security company.

Researchers at PivX Solutions have intercepted new malicious code that closely resembles widespread attacks in June attributed to a malicious computer code named "Scob" or "Download.ject." The new attacks use mass-distributed instant messages to lure Internet users to Web sites that distribute malicious code similar to Download.ject, said Thor Larholm, senior security researcher at PivX.

First detected on June 24, the Scob attacks were attributed to a Russian hacking group known as the "hangUP team," which used a recently-patched buffer overflow vulnerability in Microsoft's implementation of SSL (secure sockets layer) to compromise vulnerable Windows 2000 systems running IIS Version 5 Web servers. Companies that used IIS Version 5 and failed to apply a recent security software patch, MS04-011, were vulnerable to compromise. (See: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.)

The June attacks also used two vulnerabilities in Windows and the Internet Explorer (IE) Web browser to silently run the malicious code distributed from the IIS servers on machines that visited the compromised sites, redirecting the customers to Web sites controlled by the hackers and downloading a Trojan horse program that captures keystrokes and personal data.

The new attacks begin with instant messages sent to customers using America Online Inc.'s AOL Instant Messenger (AIM) or ICQ instant message program. The messages invite recipients to click on a link to a Web page, with pitches such as "Check out my new home page!" The messages could be sent from strangers or from regular IM correspondents, or "buddies," Larholm said.

Once victims click on the link, they are taken to one of a handful of attack Web pages hosted on servers in Uruguay, Russia and the U.S., from which a Trojan horse program is downloaded.

In addition to opening a "back door" on the victim's computer through which more malicious programs can be downloaded, the new attacks change the victim's Web browser home page or Outlook e-mail search page to Web sites featuring adult content, Larholm said.

PivX is still analyzing the attacks to see if malicious code is placed on victims' machines, but many of the files used by the new worm and the way in which the attacks are being carried out point to the same group that launched the Scob attacks in June, Larholm said.

"The code is different enough to be something of its own, but unique enough to be related," he said. "And as with the Scob attacks, this is all about money -- in this case, driving ad revenue for specific people."

The attack Web sites take advantage of vulnerabilities in Internet Explorer and Outlook that Microsoft has patched, but that still allow the attackers to place and run malicious code on unpatched systems. Two patches from 2003, MS03-025 and MS03-040, address the flaws used by the new worm, Larholm said. (See: http://www.microsoft.com/technet/security/bulletin/MS03-025.mspx and http://www.microsoft.com/technet/security/bulletin/MS03-040.mspx.)

Antivirus companies were informed of the new malicious code but did not have virus signatures issued Thursday, Larholm said.

Paul Roberts

IDG News Service