Spotlightingnews


AOL AIM Hit By W32.pipeline Worm

AOL IM's 22 million users targeted by the latest worm, W32.pipeline.

The latest worm to hit AOL IM, W32.pipeline, shows up as a message from a known contact telling you to download a .jpeg picture, but the moment you click, the command file image18.com is downloaded and saved as a JPEG file.

When the file is run, csts.exe appears in the Windows system32 directory; from then on the computer is infected and can act as a zombie, part of a botnet.

The W32.pipeline worm propagates to the contacts in your buddy list, exposing them to the same danger. It should be avoided because it paves the way for rootkits and Trojan horses to reach the computer, FaceTime Security Labs announced. Once in control of a considerable number of infected computers (zombies), the botnet operator can launch DoS attacks or click-fraud operations.

Chris Boyd, FaceTime's malware research director:

"The emphasis for this latest worm is not so much on the files that are delivered to the users' computers, but rather on the way these files are deposited onto the system. It's a very sophisticated attack. Standard instant messaging attacks have mainly focused on tricking the end users into hosting a malicious file and past attacks have been quite crude. This particular attack has put more effort into the distribution of the files and the way they will interact with each other."

"Previous IM attacks have tended to focus on the damage done by the files, with little thought on the method of delivery, save for the quickest way to get those files onto a PC. Here, the motivation for the bad guys seems to be in lining up as many 'install chains' as possible to insure a consistent pipeline that can be controlled by their rogue botnet."

"With regards to IM, so much of it depends on the end user. With antivirus programs yet to catch up, IM worms can be quite tricky to defend against."

The IM message that targeted users receive is: "hey would it be okay if I upload this picture of you to my blog?"

The FaceTime announcement on their website also states that:

"The infection has the potential to call, via the Internet Relay Chat (IRC) channel, numerous other files that are constantly being updated. Depending on the files downloaded, the infection may create an unwanted service named RPCDB, open up SMTP port 25 (used for email) and attempt to connect to a file upload site. In addition, some files attempt to exploit ADS (alternate data streams). Users may also potentially end up with a rootkit installed on their PC as a result of this chain of infections."
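A host check for the indicators named in the article (csts.exe in system32, a service named RPCDB, activity on SMTP port 25, alternate data streams), as an added example that is not from FaceTime or the original article. The function name, its parameter, the output shape and the choice of system32 as the directory scanned for alternate data streams are assumptions.

```powershell
# Added example: triage a Windows host for the indicators the article names.
# Function name, parameter and output shape are assumptions for illustration.
# Get-NetTCPConnection requires Windows 8 / Server 2012 or later.
function Test-PipelineIndicators {
    param(
        # Directory scanned for alternate data streams (assumed default).
        [string]$AdsScanPath = (Join-Path $env:windir 'System32')
    )
    $findings = @()

    # 1. Executable the article reports appearing in system32.
    $dropped = Join-Path $env:windir 'System32\csts.exe'
    if (Test-Path -LiteralPath $dropped) {
        $created = (Get-Item -LiteralPath $dropped -Force).CreationTime
        $findings += [pscustomobject]@{ Check = 'File'; Detail = "$dropped created $created" }
    }

    # 2. Unwanted service named RPCDB.
    $svc = Get-Service -Name 'RPCDB' -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [pscustomobject]@{ Check = 'Service'; Detail = "RPCDB is $($svc.Status)" }
    }

    # 3. SMTP port 25: a local listener or an established outbound session.
    $smtp = Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object {
        ($_.State -eq 'Listen' -and $_.LocalPort -eq 25) -or
        ($_.State -eq 'Established' -and $_.RemotePort -eq 25)
    }
    foreach ($c in $smtp) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Check  = 'Port25'
            Detail = "$($c.State) $($c.LocalAddress):$($c.LocalPort) -> " +
                     "$($c.RemoteAddress):$($c.RemotePort) pid $($c.OwningProcess) $($proc.Name)"
        }
    }

    # 4. Alternate data streams. ':$DATA' is the normal file content and
    #    'Zone.Identifier' is the download marker, so both are skipped.
    $streams = Get-ChildItem -LiteralPath $AdsScanPath -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' }
    foreach ($s in $streams) {
        $findings += [pscustomobject]@{ Check = 'ADS'; Detail = "$($s.FileName):$($s.Stream) ($($s.Length) bytes)" }
    }
    $findings
}

Test-PipelineIndicators | Format-Table -AutoSize -Wrap
```

An empty result means none of these specific indicators were found; the article notes that the downloaded files are constantly being updated, so it does not show the host is clean.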

FaceTime Communications enables the safe and productive use of services like instant messaging, VoIP, web conferencing and P2P file sharing. FaceTime provides the IMPact Index, detailing risks posed by various viruses, worms and other malware, as well as other award-winning software delivered to a customer base of over 800 customers. FaceTime collaborates with AOL, Google, Microsoft, Yahoo!, IBM, Reuters, Bloomberg, and Jabber.

Posted at 04:20:56 MDT (GMT -0600), Wednesday September 20th, 2006