Worms Dupe Yahoo, AOL IM Users

Hackers took advantage of the recent wave of 'Star Wars: Episode III, Revenge of the Sith'' publicity to launch a phishing-style attack on Yahoo Messenger users, said IMlogic, a security firm that specializes in defending instant messaging (IM) networks.

The gambit starts when a user receives an IM from someone on their buddy list, and naively clicks on the embedded link referencing something called "StarGames."

"IM worms are getting very good at using social engineering techniques to get people to click on links," said Jon Sakoda, the co-founder and chief technical officer of IMlogic. "They're becoming very effective."

After users clicked on the link and entered his Yahoo username and password to access what he thought would be a game, a Trojan downloaded to the PC, where it proceeded to IM more copies of the bogus message to all on the system's buddy list. The Yahoo credentials collected from each machine were then e-mailed to the attacker.

"With these compromised IDs," said Sakoda, "the attack could then read the user's Yahoo Mail account, or do other nefarious things, such as use it to send out more malicious code."

The Web site used to host the Yahoo scam was offline as of this writing.

On the same day, a different attack developed against America Online's AIM client and network, said Sakoda. Funny.Movie.AOL, he said, was much more like earlier worms, Bropia and Kelvir, that have hit Microsoft's IM clients several times this year. Funny.Movie.AOL tried to get users to click on a link that downloads malicious code using the message text of "hehe i found this funny movie," where 'this' is linked to a malicious site. The Web site linked to the attack was still up and running mid-morning Wednesday, PDT.

Like its Bropia and Kelvir cousins, Funny.Movie.AOL spreads by harvesting every AIM (AOL Instant Messenger) contact on the infected system and sending new IMs to those who are online.

Both attacks were tagged as a "medium" threat by IMlogic's Threat Center, a clearinghouse supported by IMlogic as well as several prominent partners, including Microsoft, Symantec, AOL, Yahoo, IBM, and HP.

"That rating tracks back to how many customers are impacted," said Sakoda. "A significant portion of users of Yahoo and AIM received these messages that capitalized on current events."

What's remarkable about the newest IM attacks, Sakoda said, is their demonstration of the trend toward more sophisticated instant messaging threats. "There has been an increase in both the intensity and the sophistication of IM attacks," said Sakoda, "and a trend to mimicking what is quite commonplace in the e-mail attack world."

He was speaking specifically of the topicality of the attacks, a tactic e-mail scammers, including worm writers, have long used. "This weekend a lot of the IM conversations were about movies, what with the release of 'Revenge of the Sith'," said Sakoda. "What we're seeing now are just some of the early incidences of topical IM threats."

Although IMlogic won't compile Q2 IM attack statistics until July, the first quarter trend -- which saw a 275 percent increase in 2005's Q1 numbers over the same quarter in 2004 -- continued in April, Sakoda pointed out. "We're still seeing an exponential increase in the number of attacks." April 2005's numbers were up more than 300 percent over 2004's, he added.

The quantity of attacks, he said, are increasing rapidly because hackers have discovered two things about IM. "Number one, your defenses are down in IM. Unlike e-mail, you're not yet trained to be suspicious of IM. Two, and more powerful yet, is that IM uses a model where messages come from IDs that you trust. You might have just had am IM conversation with someone down the hall when you receive a worm from that same person.

"It's why IM worms spread so much faster than mass e-mailed worms," he said.