Instant Message Worms Gets Mean

For the longest time, worms circulating over instant messaging networks like AOL Instant Messenger (AIM), Yahoo!, MSN and ICQ were considered more childish than harmful, threats that for the most part simply spread themselves to everyone in a victim's buddy list.

As evidenced by a recent spate of particularly nasty IM worms, however, those days are fading fast. The latest IM worm to make the news -- dubbed IM.GiftCom.All by security firm IMLogic -- arrives in an instant message from someone who has you on their buddy list, urging you to click on a link to view a Santa Claus file. While the link appears to display an image of jolly ol' St. Nick, it quietly installs a rootkit on the victim's PC as the image is being displayed. The worm also tries to disable anti-virus and firewall software and drops a keylogger on infected machines.

The definition of a rookit varies depending on whom you ask. But generally speaking, rootkits are designed to help malware remain hidden on your machine, and decently-designed rootkits can successfully hide from anti-virus software. In most cases, when a rootkit takes hold of a system, security experts consider it "game over" -- that is, only a system reinstall can guarantee that attackers do not still have a foothold on the affected system.

I'm afraid that destructive and invasive IM worms such as this IM.GiftCom.All will become just as common as e-mail borne threats in the coming year. A great many companies now filter executable files and other viruses that arrive via e-mail, but relatively few do the same for IM traffic. According to IMLogic's latest quarterly report, some 300 million IM users send more than one billion messages per day, and the company projects that IM traffic will surpass e-mail traffic by the end of 2006. The company found that IM threats increased roughly 1500 percent in the 12-month period from Oct. 2004 to Oct. 2005.

Disturbingly, IMLogic said traditional anti-virus updates to detect IM threats were available for just six percent of reported threats at the time the worms were first spotted online. That means that unless users are super-vigilant about not clicking on links that arrive in IM (at least until they verify that the link was indeed sent by their buddy) most people who fall for these social engineering malware scams will not know their PC is infected. That is, of course, until an appropriately cautious someone on that victim's buddy asks the question, "Hey, did you mean to send this? What gives?"