New Worm Propagating Via AOL’s Instant Messenger, Researchers Warn
FOSTER CITY, CA – Researchers from FaceTime Security Labs announced today their discovery and identification of a new worm called “W32.pipeline,” and reported that the worm is spreading via AOL’s Instant Messenger service.
According to a FaceTime press release, the worm “delivers an executable file disguised as a JPEG, which in turn calls out to various host computers that download a variety of infection files including rootkits and Trojans that may further propagate the worm through the user’s AIM Buddy List.”
FaceTime’s researchers speculate that the “ultimate goal of the W32.pipeline is to create a sophisticated botnet that can be used for a range of malicious purposes,” according to the release.
According to FaceTime, once a user’s machine has been infected, their computer “becomes part of a botnet and is under complete control of the hacker to use for a variety of purposes that could include relaying SPAM, performing distributed denial-of-service (DDoS) attacks on other computers or committing financial fraud against online advertisers.”
The researchers also believe there is significant risk for “loss of sensitive personal data stored on the user’s PC,” according to the release.
“The emphasis for this latest worm is not so much on the files that are delivered to the users’ computers, but rather on the way these files are deposited onto the system,” said Chris Boyd, director of malware research for FaceTime.
“Previous IM attacks have tended to focus on the damage done by the files, with little thought on the method of delivery, save for the quickest way to get those files onto a PC,” Boyd said. “Here, the motivation for the bad guys seems to be in lining up as many ‘install chains’ as possible to insure a consistent pipeline that can be controlled by their rogue botnet.”
According to FaceTime, “most commonly used anti-virus programs do not provide protection from W32.pipeline worm,” and the best defense against the worm is to avoid clicking on links or files sent by other IM users.
More information on W32.pipeline is available here: http://blog.spywareguide.com.