http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9001846 By Darren Pauli Computerworld Australia July 18, 2006 Paris Hilton being exploited? It's hard to believe. But virus writers are becoming more sophisticated in their use of celebrities such as Hilton to entice users to unknowingly install malware. It may be hard to understand how any reasonable user could believe that Paris Hilton is inviting him to chat on instant messaging or to receive a copy of that video via e-mail, but they do -- or maybe they're just hopeful. The IRCbot and IM-Worm-based Kelvir families, made famous by the use of videos and images of Hilton, are becoming more sophisticated, according to antivirus vendor Kaspersky Labs. To date, celebrities, security and law enforcement agencies and politicians have been used to create fast, high-profile infections in devices using IM programs, the company's senior research engineer Roel Schouwenberg said. But bot masters are now controlling malware distribution and execution by separating the worm from the back door. "The worm will only start spreading when the IRC operator (the bot master) gives a specific command in the channel, or to one specific victim machine," Schouwenberg said. "It should be noted that in such cases, the worm spreads as a link to the backdoor, not to itself." IM malware evolved from basic IRCBot installers such as Bropia and Kelvir, to Prex which uses links to separate worm and bot, to social-engineered "chatboxes", which incorporate messages to fool users into thinking Hilton is offering her explicit personal imagery, or that the FBI will confiscate your PC unless you visit a Web site. These may lure more users into responses that lead to infection, but such infections are inevitably terminated due to high media attention which result in the quick release of fixes. Schouwenberg says the use of .php dynamic content to steal e-mail addresses led to a leap in IM hacking. "The most common scenario in the case of IM worms is that the e-mail address will be stored in a database for spamming purposes, then an executable will be presented to the user for download," he said. He said new IM malware, such as IRCBot.lo, controls botnet size unlike earlier Kelvir variants that spread uncontrollably. Story copyright 2006 Computerworld New Australia. All rights reserved. _________________________________ Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3 2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches. www.blackhat.com
This archive was generated by hypermail 2.1.3 : Tue Jul 18 2006 - 22:23:58 PDT