[ISN] Bot masters fool with Paris Hilton

From: InfoSec News (alerts@private)
Date: Tue Jul 18 2006 - 22:19:45 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9001846

By Darren Pauli
Computerworld Australia
July 18, 2006

Paris Hilton being exploited? It's hard to believe. But virus writers are 
becoming more sophisticated in their use of celebrities such as Hilton to 
entice users to unknowingly install malware.

It may be hard to understand how any reasonable user could believe that 
Paris Hilton is inviting him to chat on instant messaging or to receive a 
copy of that video via e-mail, but they do -- or maybe they're just 
hopeful.

The IRCbot and IM-Worm-based Kelvir families, made famous by the use of 
videos and images of Hilton, are becoming more sophisticated, according to 
antivirus vendor Kaspersky Labs.

To date, celebrities, security and law enforcement agencies and 
politicians have been used to create fast, high-profile infections in 
devices using IM programs, the company's senior research engineer Roel 
Schouwenberg said.

But bot masters are now controlling malware distribution and execution by 
separating the worm from the back door.

"The worm will only start spreading when the IRC operator (the bot master) 
gives a specific command in the channel, or to one specific victim 
machine," Schouwenberg said. "It should be noted that in such cases, the 
worm spreads as a link to the backdoor, not to itself."

IM malware evolved from basic IRCBot installers such as Bropia and Kelvir, 
to Prex which uses links to separate worm and bot, to social-engineered 
"chatboxes", which incorporate messages to fool users into thinking Hilton 
is offering her explicit personal imagery, or that the FBI will confiscate 
your PC unless you visit a Web site.

These may lure more users into responses that lead to infection, but such 
infections are inevitably terminated because the high media attention 
results in the quick release of fixes.

Schouwenberg says the use of .php dynamic content to steal e-mail 
addresses led to a leap in IM hacking.

"The most common scenario in the case of IM worms is that the e-mail 
address will be stored in a database for spamming purposes, then an 
executable will be presented to the user for download," he said.
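The spread pattern described above (a message carrying a link to a dynamic page that hands the victim an executable, dressed up with a celebrity or law-enforcement lure) is something a defender can screen for on the IM gateway or in chat logs. The following is an added example written for this page, not code from Computerworld or Kaspersky; the message log, sender names, hostnames and lure-term list are constructed, and the heuristics are a starting point rather than a complete detector.

```python
import re
from dataclasses import dataclass

# Constructed sample IM traffic (sender, message text); example.test is a
# reserved, non-routable domain used only for illustration.
SAMPLE_MESSAGES = [
    ("friend_a", "lol check this out http://example.test/gallery.php?id=paris_hilton_video.exe"),
    ("friend_b", "meeting moved to 3pm, see you there"),
    ("friend_c", "FBI notice: your pc will be confiscated unless you visit http://example.test/verify.php"),
    ("friend_a", "here is the photo album http://example.test/photos/album.html"),
    ("friend_d", "grab it: http://example.test/files/hilton.scr"),
]

# Social-engineering phrases seen in the lures the article describes (assumed list).
LURE_TERMS = ("paris hilton", "fbi", "confiscat", "explicit", "video")
# File extensions that Windows will execute directly when opened.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)


@dataclass
class Finding:
    sender: str
    url: str
    reasons: list


def analyze_message(sender: str, text: str) -> list:
    """Return a Finding for each link in the message that looks like a malware lure.

    A link is flagged when it points straight at an executable, when a dynamic
    (.php) page is asked for an executable-looking file, or when any link is
    accompanied by a known lure phrase.
    """
    lowered = text.lower()
    lure_hits = [term for term in LURE_TERMS if term in lowered]
    findings = []
    for url in URL_RE.findall(text):
        reasons = []
        url_l = url.lower()
        path = url_l.split("?", 1)[0]
        if path.endswith(EXECUTABLE_EXTS):
            reasons.append("direct executable link")
        elif ".php" in path and any(ext in url_l for ext in EXECUTABLE_EXTS):
            reasons.append("dynamic page referencing executable")
        if lure_hits:
            reasons.append("lure terms: " + ", ".join(lure_hits))
        if reasons:
            findings.append(Finding(sender=sender, url=url, reasons=reasons))
    return findings


def scan(messages) -> list:
    """Run analyze_message over a (sender, text) log and collect all findings."""
    results = []
    for sender, text in messages:
        results.extend(analyze_message(sender, text))
    return results


if __name__ == "__main__":
    for finding in scan(SAMPLE_MESSAGES):
        print(f"{finding.sender}: {finding.url} -> {'; '.join(finding.reasons)}")
```

On the constructed log this flags three of the five messages: the .php link that names an .exe, the "FBI" message with a link, and the bare .scr download; the plain meeting note and the .html album link pass. In practice the flagged URLs would be fed to a sandbox or blocklist rather than acted on from the text alone.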

He said new IM malware, such as IRCBot.lo, controls botnet size, unlike 
earlier Kelvir variants that spread uncontrollably.

Story copyright 2006 Computerworld New Australia. All rights reserved.



This archive was generated by hypermail 2.1.3 : Tue Jul 18 2006 - 22:23:58 PDT