Rootkit Worm Hitting AOL’s IM Network

FaceTime Security Labs today identified a new threat circulating through AOL’s Instant Messenger (AIM) network: a worm that leaves behind a nasty surprise for unsuspecting chatters.

Dubbed W32/Sdbot-ADD, the worm is being passed through instant messages within AOL chat rooms. FaceTime said it spreads when users click the link in a message reading “HILARIOUS!!!” or “See thing!!!”

When the user clicks that link, the malicious code drops an adware bundle and a rootkit file, lockx.exe, onto the machine before moving on to its next victim.

“This is a new trend we haven’t seen before,” Tyler Wells, senior director of engineering at FaceTime, said. “This type of attack bundled with a rootkit is a very scary thing to think about.”

The rootkit can be particularly hazardous to a system’s health because, once planted, it can hide logins, processes, files, and logs, according to Wells.

It may also include software to intercept data from terminals, network connections and the keyboard.
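The hiding behaviour described above is exactly what cross-view rootkit detection targets: a rootkit filters the views an administrator relies on (task lists, directory listings), but it has to lie consistently through every interface into the kernel, and usually does not. The following is an added example, not FaceTime's tooling and not code from the original article. It implements the check for a Linux host, where the administrator-facing view is the readdir() of /proc that ps and top use and the independent view is a kill(pid, 0) probe of every possible PID; the Linux platform, the function names and the sample /proc status text are assumptions of this example. The worm in the article targets Windows, where the same idea pairs the Toolhelp process snapshot against a second enumeration path.

```python
import os
import re
from typing import Dict, Iterable, Optional, Set

# Constructed sample of /proc/<pid>/status, used only to show the classifier.
SAMPLE_STATUS = (
    "Name:\tsshd\nUmask:\t0022\nState:\tS (sleeping)\n"
    "Tgid:\t4242\nNgid:\t0\nPid:\t4242\nPPid:\t1\n"
)


def cross_view_diff(high_level: Iterable[int], low_level: Iterable[int]) -> Set[int]:
    """PIDs the low-level enumeration found that the high-level view omits."""
    return set(low_level) - set(high_level)


def parse_tgid(status_text: str) -> int:
    """Thread-group id from /proc/<pid>/status text, or -1 if the field is missing."""
    m = re.search(r"^Tgid:\s*(\d+)", status_text, re.MULTILINE)
    return int(m.group(1)) if m else -1


def classify_candidate(pid: int, status_text: Optional[str]) -> str:
    """Decide what a PID that kill() sees but readdir(/proc) does not means.

    status_text is /proc/<pid>/status opened by direct path (a readdir-only
    hook does not block that), or None if that open failed as well.
    """
    if status_text is None:
        return "hidden"              # alive per kill(), yet no /proc entry at all
    if parse_tgid(status_text) != pid:
        return "thread"              # non-leader thread: never listed in /proc, benign
    return "hidden-from-readdir"     # a real process whose directory entry is filtered


def procfs_pids() -> Set[int]:
    """High-level view: the readdir() of /proc that ps and top rely on."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def probed_pids(pid_max: Optional[int] = None) -> Set[int]:
    """Low-level view: kill(pid, 0) for every candidate PID up to pid_max.

    ESRCH (ProcessLookupError) means no such task. EPERM means the task exists
    but belongs to another user, which still counts as alive. With the default
    pid_max of 4194304 this takes a few seconds; it is a manual check, not a probe
    to run in a tight loop.
    """
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    alive: Set[int] = set()
    for pid in range(1, pid_max):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def read_status(pid: int) -> Optional[str]:
    try:
        with open(f"/proc/{pid}/status") as f:
            return f.read()
    except OSError:
        return None


def scan() -> Dict[int, str]:
    """Run the cross-view check on this host and classify every discrepancy."""
    high = procfs_pids()
    low = probed_pids()
    findings: Dict[int, str] = {}
    for pid in sorted(cross_view_diff(high, low)):
        # Re-check both views to drop tasks that exited or started between the
        # two snapshots (a short-lived shell, for instance) before raising an alarm.
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if str(pid) in os.listdir("/proc"):
            continue
        kind = classify_candidate(pid, read_status(pid))
        if kind != "thread":
            findings[pid] = kind
    return findings


if __name__ == "__main__":
    print("sample classification:", classify_candidate(4242, SAMPLE_STATUS))
    for pid, kind in scan().items():
        print(f"pid {pid}: {kind}")
```

Run it as root so that kill(pid, 0) and the status reads are not refused for other users' processes. A clean host reports nothing; a process that kill() confirms but the /proc listing omits is worth pulling the memory image for, because at that point the host's own tools can no longer be trusted to describe it.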

FaceTime researchers said the executable gives an attacker the ability to upload files to, download files from, and monitor the infected host.

The worm also attempts to shut down anti-virus programs and leaves a backdoor on the host PC through which additional software can be installed.

“Once it has occurred, you’re pretty much in trouble,” Wells said. “If you don’t have a product protecting the perimeter level of the machine, you’ll have to get it cleaned up.”

Wells recommends products such as FaceTime’s Zero Day Worm Prevention to thwart the worm.
