When I had time to investigate further, I noticed something interesting.
Instead of relying on 'real' webservers, this malware simply turns the infected machine into a webserver.
The biggest advantage of this approach is that the infected host is fairly unlikely to be shut down quickly.
As you can see from the description, the worm connects to a specific server to determine the computer's (outside) IP address.
Most likely this is done to get around the problem of private, internally used IP addresses on computers, such as the 10.x.x.x and 192.168.x.x ranges.
This is an interesting new approach. But for it to be effective, machines within a LAN will have to have the necessary port forward in place, and I'm not sure that this is widespread. We'll keep you posted on any developments.
A user notified us about a suspicious link being spread via MSN. Normally we would assume that there's a new IM-Worm out there, since we've had quite a few of them this year.
However, the link itself attracted our attention:
Naturally, anyone who follows information security knows Virus Bulletin: one of the oldest and most respected publications in the AV industry. Getting a VB award is a must for any reputable antivirus.
No, their site has not been hacked. If you read the URL carefully, you'll notice that the word bulletin is misspelled - bulettin. Moreover, Virus Bulletin can be found online at a slightly different URL: www.virusbtn.com.
Most of us only scan URLs at best, and the malicious version is certainly close enough to the real thing to fool people. Virus writers are at it again: masquerading as a respected AV publication is a good way to get people to trust you.
Oh, before I forget... a new version of Backdoor.Win32.Landis is lurking at this link. If you receive this link, don't click on it. There's no IM-Worm involved, by the way - Landis sends the link out on command from its owner.
We've added detection for this new Trojan to our databases, so update just in case.
We saw an interesting attack a few days ago (12 June) when an ongoing attempt to infect AIM users took place.
The same piece of malware was uploaded to several sites in an effort to increase its effectiveness. The malware that was used is a variant of IM-Worm.Win32.Opanki.
This increased effectiveness in several ways. By uploading to several sites, the attackers still had one or more places left to turn to when measures were taken to take a site down.
Additionally, different messages were used to convince the recipient to click on the link. Among those messages was one with a link to a .wmv file on a popular humor site. The link, of course, was fake, and it led to the malware.
Faking the link is done through some basic HTML code, and, in my opinion, this is yet another reason for not having an HTML parser in your IM client.
As is the case with newer IM-worms which spread across the MSN network, this Opanki variant also has the ability to send variable messages defined by the remote attacker. This helps to maintain and expand the botnet.
So, we're clearly seeing increasing organization when it comes to the spread of IM malware. Furthermore, it's also clear that newer IM malware has the ability to send messages which can be completely changed by the remote attacker over IRC.
The advice remains the same - be very cautious when clicking links you receive.
We have a write-up on IM-Worm.Win32.Opanki.d.
Today we've been getting more and more reports of a particular Backdoor.Win32.SdBot variant spreading.
This SdBot is packed using UPX, Upolyx and Morphine; we detect it using our generic signature as Backdoor.Win32.SdBot.gen.
This is a true hybrid worm as it contains many functions: first the IRCBot, which can spread over the network, and in addition it has AIM and P2P spreading capabilities.
Embedded in the bot is an IM-Worm.Win32.Kelvir variant and a rootkit to stealth the presence on the system.
This worm was actively spreading over IRC yesterday, and today the target seemed to be the MSN network; in both cases it spread as a link to a website.
Luckily the offending website has been taken down now, but that hasn't prevented a major spread. I received quite a lot of reports from the Netherlands.
The danger is not over, as this complete package is difficult to get off the system. Kaspersky Anti-Virus users were proactively protected from installation onto the system.
In the last week or so, new trends in using IM (instant messaging) applications to spread malicious code have been on the rise.
Firstly, we've been seeing IRCBots which have the ability to spread via AOL Instant Messenger.
Some of these bots get classified as IM-Worms. But in my opinion, these are standard IRCBots which we see every day. It's just that they have added functionality and the remote malicious user has the ability to tell the bot to start the IM spreading routine.
The bot's code contains a text sentence, which in turn contains an HTML link. The remote malicious user fills this link with the URL of his/her choice - what the AOL user receives is the sentence complete with link. There's a wide variety of sentences used.
As AIM supports HTML, it's not surprising that it's being exploited for malicious purposes. And it's yet another reason not to use HTML in normal messaging.
Secondly, we've spotted a new version of IM-Worm.Win32.Bropia, Bropia.ad, which utilizes yet another tactic.
Bropia.ad copies itself - using a range of different filenames - to the shared directories of popular P2P programs, which obviously means it has P2P-Worm capabilities.
As P2P is a popular way of spreading and not that difficult to implement, the addition of such a propagation routine was only a matter of time.
Now we're on the lookout for the next new tactic which blackhats will think up. As IM malware continues to evolve, new approaches are a matter of sooner, rather than later.
Today we detected a new variant of IM-Worm.Win32.Kelvir - we detect it as Kelvir.k. As always, Kelvir is accompanied by an IRCBot, which we detect as Backdoor.Win32.Rbot.gen.
This new Kelvir variant uses a new social engineering tactic to spread. Instead of hyperlinking to, for instance, a .pif or .scr file, Kelvir.k links to a .php file. The thing about links to .php files is that you can append extra data (letters and numbers) to them. This additional data will be sent to the server when the link is clicked. And that's exactly what Kelvir.k does - it appends the IM user's MSN address to the link.
To make things a bit clearer, here's an example.
IM user #1 has the email address: firstname.lastname@example.org
IM user #2 has the email address: email@example.com
User #1 gets a link which looks like this: hxxp://www.[edited].us/[edited]/firstname.lastname@example.org
User #2 gets a link which looks like this: hxxp://www.[edited].us/[edited]/email@example.com.
When the link is clicked, the user is presented with a prompt to execute or save an MS-DOS application. By now, users will hopefully be suspicious and not run the application.
But as soon as the user clicks the link, their email address is harvested. So even if the user doesn't run the MS-DOS application, the brains behind Kelvir get another address to spam.
So is this new tactic being used because of MSNM 7's new 'anti-malware' features? I don't think so. While I was writing this, we detected a repacked version of Kelvir.e. And Kelvir.e uses a hyperlink to a .scr file to spread, something which isn't filtered by MSNM 7.
The use of new social engineering tactics leads me to believe that IM-users have learned to be more careful - 'traditional' IM-Worms don't seem to be as effective as they used to be, and attackers are looking for new ways to install their malware on a large number of machines.
MSN released version 7 of their Messenger yesterday.
In addition to some other new features, the new version also incorporates functions to prevent the spreading of malware.
The developers have taken some serious steps to prevent the sharing or spreading of .pif files. Any incoming or outgoing message with a ".pif" in it will be blocked completely.
Too bad that MSNM doesn't tell you that this is happening. Messages won't get delivered to the recipient, but neither the recipient nor sender will be notified that the message has been blocked. Not very user-friendly, IMHO.
In addition to filtering messages, MSN 7 also filters incoming file transfers. This filtering applies to files such as executables (with extensions such as .exe, .com, .scr etc.) and other potentially dangerous types of file such as .vbs and .reg.
We've already seen IM-worms which spread in the form of a link to .scr files, so the measures that MSN developers have taken won't be 100% effective. But I think the complete blocking of .pif files is the most important innovation, as it's IM-worms spreading as .pif files which have been the most 'successful' to date.
Although some users may not like this kind of filtering, I think in the long run we're better off. IM-worms are becoming more and more common. Sooner or later users will have to learn to live with security measures designed to combat their spread.
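Two of the posts above make the same point from different sides: Kelvir.k harvests addresses by appending the recipient's MSN address to a .php link, and MSNM 7's message filter only blocks ".pif", so a link to a .scr or to a .php that serves an executable gets through. As an added example (not code from the original posts or from MSN Messenger), here is a link inspector that checks both: whether an email-like token rides along in the URL path or query, and whether the link target carries one of the filtered executable extensions. Sample messages and hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# File types the post says MSN Messenger 7 filters in transfers; here they are
# also applied to hyperlinks, which the message filter only does for ".pif".
EXECUTABLE_EXTENSIONS = (".pif", ".scr", ".exe", ".com", ".vbs", ".reg")
URL_RE = re.compile(r"\b(?:hxxps?|https?)://\S+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def inspect_link(url, recipient_address=None):
    """Return findings for one hyperlink (empty list = nothing suspicious)."""
    findings = []
    parsed = urlparse(re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE))
    tail = parsed.path + ("?" + parsed.query if parsed.query else "")
    embedded = EMAIL_RE.search(tail)
    if embedded:
        # Kelvir.k style: the victim's own IM address rides along in the path,
        # so it is harvested the moment the link is clicked.
        if recipient_address and embedded.group(0).lower() == recipient_address.lower():
            findings.append("harvest_link_own_address")
        else:
            findings.append("harvest_link")
    if parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS):
        findings.append("executable_link")
    return findings


def inspect_message(text, recipient_address=None):
    """Map every URL found in an IM message to its findings."""
    results = {}
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,)")  # trailing sentence punctuation is not part of the link
        results[url] = inspect_link(url, recipient_address)
    return results


# Constructed sample messages (hosts are placeholders, not real indicators).
SAMPLE_MESSAGES = [
    "hey check this hxxp://www.example.test/go.php/firstname.lastname@example.org",
    "new pic of me http://pics.example.test/paris.pif",
    "funny video http://media.example.test/clip.wmv",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(inspect_message(msg, "firstname.lastname@example.org"))
```

Note that the Kelvir.k-style link has no executable extension at all, so an extension filter alone never sees it; the embedded-address check is what catches it.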
We have seen an increase in IM-Worms over the last couple of weeks.
Yesterday we saw two new Bropia variants.
We also saw a new version of IM-Worm.Win32.Kelvir.a, packed with a hacked version of UPX, which made it undetectable by most AVs.
And we just released an urgent update for IM-Worm.Win32.Sumom.a, which also included an update for IM-Worm.Win32.Kelvir.b.
The vast majority of IM-Worms currently make use of MSN and they normally 'arrive' as a (web)link to a picture, which of course isn't a picture but an executable.
Paris Hilton has been the subject of these IM-Worms quite a lot of times, along with other topics.
Attackers are using social engineering techniques once again.
Most IM-Worms have a .pif extension, and what I'm hearing a lot is that people are mistaking .pif for .gif or .tiff, which are picture formats.
Note that almost all current IM-Worms also install a Backdoor on the system which gives the master control over the infected systems.
We have seen cases where IM-Worms were used to install AdWare onto the infected system.
The bottom line? Next time someone sends you a link or file via IM, check it closely. A .pif file will certainly mean trouble.
Also ask the person if he is aware of sending that link or file. This will give you more insight into whether the file is possibly malware, and in the case of a worm, will also alert the sender that he's infected.
You have to update MSN Messenger to the latest version for the vulnerability to be fixed.
The reason that we bring this up is that WindowsUpdate doesn't update MSN Messenger as it isn't a standard part of Windows.
Although there is an automatic update notification system present in MSNM, it can take a long time for it to actually inform the user about a newer version.
Given the severity of the vulnerability we recommend everyone to update MSN Messenger manually. You can get the latest version here.