Archive for the ‘Instant Messaging’ Category

New AOL IM Worm delivers Rootkit

Monday, September 18th, 2006

A new worm is propagating across the AOL Instant Messaging network. The worm, called W32.pipeline, was found by security experts at Facetime Security Labs today. It arrives as what looks like a picture file but is actually an executable. When executed, the worm downloads a variety of other files, including a Rootkit to hide itself. The worm then tries to propagate via the infected user's Buddy List.

“Like many IM worms, W32.pipeline first appears as an instant message from a familiar contact, luring users into clicking on a link with a contextual phrase. The IM message “hey would it okay if i upload this picture of you to my blog?” downloads a command file called image18.com, which is disguised as a JPEG. Running the file results in csts.exe being created in the user’s system32 folder, part of the Windows operating system.”

Once installed, the worm's payload may send private information about the infected user back to the attacker, perform Distributed Denial of Service attacks on websites, or send out spam messages to millions of users worldwide.

Facetime says that the attack seems to be carried out by individuals who want to create a Botnet, a network of computers “owned” by the attacker. Once a computer is a member of the Botnet, it can carry out any operation that the attacker wants.

Keep Safe

regards
Steo
www.antirootkit.com

Trojan Exploits MS06-040 Windows Vulnerability, Drops Rootkit

Friday, September 15th, 2006

Another Instant Messaging worm is being used to spread malware that hides itself by dropping a Rootkit. Security experts at MicroWorld Technologies have said that a Trojan Bot is exploiting multiple Windows vulnerabilities to spread in networks, whilst using a Rootkit component to hide its files and processes. Backdoor.Rbot.ayg is spread via AOL Instant Messaging, and once it has installed itself on your PC it will go looking for other PCs to infect. This backdoor is hidden on the computer by a Rootkit known as Win32.Rootkit.l.
One of the vulnerabilities that the malware targets is the recent Server Service vulnerability (MS06-040), along with earlier flaws like MS03-049 in Microsoft Windows. PC users who do not have their computers updated with the latest patches can get the malware and rootkit.

From MicroWorld: “Backdoor.Rbot.ayg uses ‘Win32.Rootkit.l’ to hide its files and processes. It communicates to the remote attacker via IRC channels and accepts and executes commands. The Bot can shutdown and restart the computer, log on to websites and download malicious code, log off current user, send files to the intruder, capture network user information and search disks for files.”

So once again the lesson for us all is to keep your system updated with the latest patches and always remember to use your PC with a non-administrative account.
Keep Safe

regards
Steo
www.antirootkit.com

IM Worm On MSN, AOL, ICQ, & Yahoo Plants Rootkit

Monday, December 19th, 2005

A new worm that persuades Instant Messaging users to visit a Santa Claus site was found on many IM networks, such as MSN, AOL, ICQ and Yahoo. Users who visited the site were infected with a rootkit with a filename of gift.com. The infection then went on to record keystrokes and provide a backdoor to hackers while staying hidden from anti-virus software through its stealth technology. IMlogic reported it as a Medium risk. It specifically infects previously infected users by way of exploits already in place. It will also try to disable your anti-virus software. This is just another IM worm or trojan spotted recently. Recently a worldwide IM botnet was discovered which had links to a group from the Middle East.

Keep Safe

regards
Steo
www.antirootkit.com

‘Frankenstein’ rootkit hits AIM users

Monday, November 7th, 2005

A potentially destructive new worm is targeting users of AOL’s AIM instant messaging service. The new worm, called W32/Sdbot-ADD, installs a rootkit when it infects a user’s PC so that it can hide its payload. The payload consists of Spyware and a backdoor for hackers to gain remote access to the infected machine. Unsuspecting AOL IM users have been enticed to click on a file sent to them from a “buddy”. Once the file is clicked, the worm places a rootkit on the user’s system. The rootkit file is called lockx.exe and proceeds to hide the presence of any infection from the user.

Instant messaging users should beware of receiving files from users via the IM network unless they are absolutely sure that they are expecting one and that the sender is well known to them.

Keep Safe,

regards

Steo
www.antirootkit.com

Instant Messaging Worm Installs Rootkit

Thursday, November 3rd, 2005

A new worm has been found to be propagating on AOL’s Instant Messenger (AIM) network and installing a Rootkit on users’ PCs. People may become infected via their Buddy List or while chatting in chatrooms within the AIM network.

The worm, called W32/Sdbot-ADD, creates a file called lockx.exe. This file is a Rootkit that hides any other file the creator wants to be invisible to the PC user. The worm creates a backdoor for hackers to come into your PC, load spyware and other files, and carry out other malicious activities. If the hacker uploads Spyware on to your PC and hides it with the Rootkit, then when you do a scan via any popular Anti Spyware program it will not see it and so cannot report it.

Keep Safe,

regards

Steo
www.antirootkit.com