Com-Central.net

New MSN Messenger Trojan Spreading Quickly
By Lisa Vaas
November 18, 2007

An MSN Messenger Trojan is growing a botnet by hundreds of infected PCs per hour.


A Trojan is introducing malware into thousands of computer systems worldwide, and the number is growing by the hour.

The malware is being introduced by MSN Messenger files posing as pictures, mostly seeming to come from known acquaintances.

The files are a new type of Trojan that has snared several thousand PCs for a bot network within hours of its launch earlier on Nov. 18 and is being used to discover virtual PCs as a means of increasing its growth vector.

The eSafe CSRT (Content Security Response Team) at Aladdin—a security company—detected the new threat propagating around noon EST on Nov. 18. At 18:00 UTC (Coordinated Universal Time), eSafe had detected 1 operator and more than 500 on-command bots in the network. Less than three hours later, or by 2:30 EST, when eWEEK spoke with Roei Lichtman, eSafe director of product management, the number had soared to several thousand PCs and was growing by several hundred systems per hour.

eSafe is monitoring the IRC channel used to control the botnet. The only inhabitants of the network besides the operator are in fact infected PCs.

The Trojan is an IRC bot that's spreading through MSN Messenger by sending itself in a .zip file with two names. One of the names includes the word "pics" as a double extension executable—a name generally used by scanners and digital cameras: for example, DSC00432.jpg.exe. The Trojan is also contained in a .zip file with the name "images" as a .pif executable—for example, IMG34814.pif.

The files are infiltrating new systems by using either known contacts from which the Trojan has harvested instant messaging names, as well as from the systems of unknown users.

The infection vector—an IM program—isn't new. But the Trojan is the first that eSafe has tracked that has tried to scan for VNC (Virtual Network Computing) instances, likely in order to multiply the botnet's number of connections.

Lichtman said that the Trojan shares common characteristics with other Trojans, looking like "a flexible Swiss Army knife" with multiple processes to steal passwords, to spread the infection and to deliver spam, for example.

The move of malware to VMs (virtual machines) won't surprise those who've been studying the security aspects of this new, red-hot technology. Some of the things that keep them up at night include the possibility of "VMware escape," which is where malware breaks out of a VM and onto the host operating system, which would enable an attacker to potentially install a rootkit, among other things.

David Lynch, vice president of marketing at Embotics, said a more immediate potential threat is virtual appliances: As software delivery mechanisms move to delivering VMs through virtual appliances, they're bringing in a black box of unknowns to the data center, Lynch told eWEEK at a presentation at Interop Oct. 23.

"Virtual appliances run who knows what kind of operating system, with heaven knows what level of hardening and with the potential to introduce backdoors," he said.

Lynch counseled administrators to question the processes for patching the relevant operating system and application set, as well as to learn who will do security maintenance work, as these appliances are put in place.

Given the familiar social engineering aspect of the attack, individuals are being urged to not open files sent unexpectedly from either friends or strangers.

eSafe hasn't determined what criminal activity the botnet is up to at this point.

Please watch out for this one everyone...

glad I dumped aLL MY IM's after CFS1...

thanks CC for hosting COMS so we dont have to use IM to see who is online...

That brings up an interesting point Slow...

We can put a chat feature on CC that would be like using an IM from within the site. We've never done it 'cause most use their own IM's. But, this would be one way to 'see' who's online or at least who's online at CC.

Intresting read and intresting idea.