Viruses Learn How to IM

The dark side of instant messaging bots.
We've been writing frequently about the growing interest in IM bots, or interactive agents. In a corporate environment, an IM bot can interface with a backend database to provide information in response to a natural-language or text-based menu query -- perfect for memory-limited mobile devices or for simplifying routine tasks, like corporate directory lookups.

On the consumer side, IM bots are being explored as a way to promote goods and provide ad-supported content (as Dow Jones is doing with its recent WSJonline launch). Other companies, like ActiveBuddy, are looking to sell instant messaging-based information services to consumers.

But there's a more sinister sphere of innovation taking place within the realm of IM bots: malicious Internet viruses.

Witness the recent Fizzer worm, which is only now thought to be dying out after close to a week of rampant spreading.

Essentially, Fizzer works like a host of other worms, spreading as an e-mail attachment sent to random addresses, and addresses culled from Outlook Contacts and Windows Address Books on infected PCs. Once running, however, the worm acts as an IM bot to cause its mischief.

The bot attempts to connect to the AOL Instant Messenger network, as well as the venerable Internet Relay Chat network. On both networks, the worm seeks to make itself available to receive commands from its creator.

To connect to IRC, the worm works through a built-in list of IRC channels, pinging each one to check whether it is reachable. Once it finds an open channel, it connects under a random username. For AIM, the worm can register a new, random AOL Instant Messenger screen name on its own, log into the service on port 5190, and then join a specific chat room.

In both cases, the hacker, who would be monitoring the IRC channels and AIM chat rooms, can see that the worm has successfully infected a PC and is then free to send commands to the bot, including orders to transmit or delete files.

"Fizzer, which does a number of things -- it's a very creative little worm -- creates its own account, and that account attaches to a chat room on the Internet," said David Loomstein, group product manager at Symantec Security Response. "So [hackers] know anyone on that chat room is infected with the virus -- and they use that chat room as a backdoor to do hacking on the infected machine."

The worm also runs an HTTP server on port 81 that acts as a command console. An outside party can query it for system information, such as the versions of mIRC and AIM installed on the machine, and use it to issue AIM and IRC bot commands or to trigger more immediately damaging actions, such as a denial-of-service attack.
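The three behaviours described above (an outbound IRC session, an AIM login on port 5190, and an HTTP console accepting connections on port 81) are observable on the network without any knowledge of the worm's code. The following is an added example, not code from the article or from Symantec, that correlates those indicators over a constructed, simplified connection log. The log format, the IRC port (6667, the conventional port, which the article does not name) and the sample addresses are assumptions; port 5190 and port 81 come from the article.

```python
"""Correlate the Fizzer-style bot indicators over a connection log.

Added example, not code from the original article or from Symantec.
Input: a constructed, simplified connection log, one record per line:
    timestamp src_ip src_port dst_ip dst_port proto direction
Assumptions: IRC on TCP 6667 (the conventional port; the article names no
IRC port), AIM logins on TCP 5190 and the bot's HTTP console on TCP 81, as
the article states. A host is flagged only when it shows both halves of
the pattern: an outbound IRC or AIM session and an inbound connection
accepted on port 81.
"""
from collections import defaultdict

IRC_PORTS = {6667}   # assumption: conventional IRC port, not from the article
AIM_PORT = 5190      # AIM login port named in the article
CONSOLE_PORT = 81    # worm's HTTP command console port named in the article

# Constructed sample log: 10.0.0.5 shows the full pattern, 10.0.0.9 is an
# ordinary AIM user, 10.0.0.12 merely has something listening on port 81.
SAMPLE_LOG = """\
2003-05-12T10:01:02 10.0.0.5 1031 192.0.2.10 6667 tcp out
2003-05-12T10:01:05 10.0.0.5 1032 192.0.2.20 5190 tcp out
2003-05-12T10:02:11 198.51.100.7 40112 10.0.0.5 81 tcp in
2003-05-12T10:03:00 10.0.0.9 1040 192.0.2.30 80 tcp out
2003-05-12T10:03:30 10.0.0.9 1041 192.0.2.20 5190 tcp out
2003-05-12T10:04:00 198.51.100.8 40200 10.0.0.12 81 tcp in
2003-05-12T10:05:00 10.0.0.5 1033 192.0.2.40 53 udp out
"""


def parse_record(line):
    """Split one log line into a dict; ports become ints."""
    ts, src, sport, dst, dport, proto, direction = line.split()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "direction": direction}


def collect_indicators(log_text):
    """Map each internal host to the set of indicators seen for it.

    Outbound hits are attributed to the source address, inbound console
    hits to the destination address (the host accepting the connection).
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["proto"] != "tcp":
            continue
        if rec["direction"] == "out" and rec["dport"] in IRC_PORTS:
            seen[rec["src"]].add("irc_out")
        elif rec["direction"] == "out" and rec["dport"] == AIM_PORT:
            seen[rec["src"]].add("aim_out")
        elif rec["direction"] == "in" and rec["dport"] == CONSOLE_PORT:
            seen[rec["dst"]].add("console_in")
    return dict(seen)


def flag_hosts(log_text):
    """Hosts showing both an IM/IRC control channel and the port-81 console."""
    seen = collect_indicators(log_text)
    return sorted(host for host, ind in seen.items()
                  if "console_in" in ind and ind & {"irc_out", "aim_out"})


if __name__ == "__main__":
    for host, ind in sorted(collect_indicators(SAMPLE_LOG).items()):
        print(host, sorted(ind))
    print("flagged:", flag_hosts(SAMPLE_LOG))
```

The correlation matters because an AIM login on port 5190 alone is normal desktop traffic; it is the combination with a workstation that accepts inbound HTTP on an unusual port that separates an infected PC from an ordinary IM user. On a real network the inbound half would come from a firewall or IDS log rather than a hand-written file, and a host that matches only one half is worth a second look rather than an alert.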

The worm is reminiscent of the AIM-Canbot worm that appeared, briefly, in April. That worm also creates its own AIM screen name and logs into a chat session, announcing itself with the message "aimb0t reporting for duty..." to let malicious hackers know that an infected PC is available to be controlled.

AIM-Canbot, however, spreads manually rather than automatically.

Aphex/Aplore, an IRC-reliant virus that appeared in April, could surreptitiously install a freeware IRC client on a user's PC and then spam IRC channels with links to Web pages carrying viral code. It could also use AIM, waiting until the user connected to the service before using the IM client to send links to the infectious Web pages to the user's Buddies.

AIM and IRC aren't the only IM and chat networks susceptible to viruses. In February, the Menger/Coolnow worm used a security vulnerability in Microsoft Internet Explorer to gain control of a user's MSN Messenger IM client.

The worm sent IMs telling recipients to immediately visit one of several Web sites. Clicking the link opened a Web page that ran JavaScript code forcing MSN Messenger to send the same message to every contact in the user's buddy list. Microsoft responded by releasing patches for the browser vulnerability.

But Fizzer, AIM-Canbot and Aphex/Aplore are among the first examples of a virus creating its own instant messaging identity and trying to connect with its creator, rather than wresting control of a user's own IM username.

"There are several viruses that communicate using IRC or using the messenger programs, but I haven't found anything yet that does create a new [AIM] account," Loomstein said. "This is indeed an interesting wrinkle."

The major anti-virus firms have released detection updates for the viruses.

In the case of Fizzer, white hat hackers played a role in slowing the worm by undermining the mechanism it uses to update itself. Because the worm fetches code updates from a GeoCities user page, the hackers took control of that page and replaced the virus's content with benign content. The same property that made this possible, the worm's trust in whatever it finds at a fixed public URL, also means that anyone else who controlled that page could have pushed code of their own choosing to every infected machine.

While destructive, the trend toward viruses with an IM bot component could serve as additional ammunition for firms that market tools to secure public instant messaging, and for standalone enterprise IM vendors as well, as companies increasingly look to assert control over IM's often-surprising ubiquity in the workplace.

"IM is definitely a part of the equation now ... It's a new frontier that's being exploited" by hackers, Loomstein said.

Christopher Saunders is managing editor of
