New IM Worms Hit MSN Messenger

The new worms, tagged as Kelvir.a and Kelvir.b, appeared over the weekend and on Monday, respectively, anti-virus vendors said. Both use the same mechanism to attract users and infect Windows-based PCs: they include a link in the instant message. That link, in turn, downloads a malicious file -- the actual worm, a variant of the long-running Spybot -- which opens a backdoor to the compromised machine.

Kelvir spreads by sending itself to all the MSN/Windows Messenger contacts on the infected PC, and poses as cryptic messages such as "lol! see it! u'll like it!" and "omg this is funny!" The link opens a .pif-formatted file.

.pif files are also often a format-of-choice for mass-mailed worms.

Also on Monday, another worm -- dubbed Sumon.a by U.K.-based Sophos -- was discovered spreading via MSN/Windows Messenger. Sumon, which propagates over peer-to-peer file-sharing networks as well, is much more aggressive. It disables a long list of security software, tries to overwrite the HOSTS file so commonly-accessed security Web sites can't be reached, and picks from a large number of links, including "Fat Elvis! lol!" and "Crazy frog gets killed by train!" to entice downloads.

The boom in IM worms shouldn't come as a surprise: most security companies that made prognostications in late 2004 cited instant messaging as the next big attack avenue.

"The number of threats is increasing," said John Sakoda, the chief technology officer at IMLogic, an IM security and management vendor. "In January we had four high- or medium-risk IM threats, and in February, we had 11. So far in March, we've had four, which puts on a pace for well over 20."

IM, said Sakoda, is an unprotected channel in many enterprises, something hackers know and exploit. "For them, it's the path of least resistance."

Worse, IM exploits can spread extremely fast, faster than mass-mailed threats, and on par with the network-attacking exploits such as MSBlast of 2003 and Sasser of 2004. "Once [hackers] get it right, the speed with which the attack spreads is very quick."

Nor is it any surprise to Sakoda that MSN Messenger (and its Windows Messenger sibling) are the most frequent targets. "You have to remember where a lot of these worms originate," he said. "Overseas. And although AOL and Yahoo have much bigger market share here in the U.S., MSN is really the only one with a major global network."

But another reason -- one less well-known, said Sakoda -- is that Microsoft's IM clients, and its network, can be accessed through APIs. "They're embedded in the operating system, and allow experienced hackers a way to take over the MSN client." The experience hackers have in breaking down Windows also helps explain the high number of IM worms that exploit Microsoft's clients and network.

That's not what happened Monday. The Kelvir and Sumon worms are simple social-engineered worms; "low-hanging fruit," Sakoda called them. But earlier attacks, such as the Bropia worm, have used MSN Messenger's already-in-use processes to automatically execute worms. "That's very, very dangerous," said Sakoda.

Those are the kinds of threats that keep security experts like Sakoda up nights.

"It's as if the hackers got together and decided that this will be the year to try to add IM to their arsenal," he said.

IMLogic runs the IM Threat Center, a site that, in cooperation with anti-virus vendors including Symantec and Sophos, has been listing emerging IM and P2P exploits since December, 2004. The company also offers a free IM threat analyzer, called IM Detector Pro, for download from its site.