AIM users targeted again by IM worm, rootkit and adware

Hot off the press -- another IM worm is making the rounds, targeting AIM users and leaving a nasty payload of rootkits, trojans and adware including 180solutions and Zango.
Written by Suzi Turner, Contributor

Research experts at FaceTime Security Labs(TM), the threat research division of FaceTime Communications, identified and reported a new threat today affecting AOL Instant Messenger (AIM) applications. The new worm targets PC hosts infected with lockx.exe or palsp.exe and utilizes IRC enabled malware to connect the host to a server for further infection through a series of commands. One of the commands has the ability to control the AIM client on the infected host and send a message containing links to the AIM buddy list. When recipients click on the link they become infected with new variants of the IRC enabled malware along with an installation executable "creame.exe" which delivers multiple adware payloads including Zango and 180 solutions.

More at VitalSecurity. Paperghost, aka Chris Boyd, writes that the payload includes not only rootkits, but a rootkit detection application, Rootkit Revealer. Boyd gives the following rundown:

IM hackers distribute rootkit.
IM hackers then control a global botnet where their infections can be tested and payloads are pushed. Facetime traced these hackers to the Middle East.
The same IM hackers sent movies by way of IRC and their own version of BitTorrent, installing it without consent. Now the IM hackers are back with more, nastier malware, Rootkit Revealer and adware from 180solutions/Zango.

Users already infected with the files lockx.exe or palsp.exe are most at risk, but any user clicking on the wrong IM link can be infected. There's an executable called creame.exe that delivers the adware including 180solutions and Zango. Facetime has a free online scan that detects and disables files such as lockx.exe. If you're an AIM user and notice anything unusual, I'd say head for the free scan ASAP. The link for the free scan can be found here. Beware links in AIM, as the attacker can control the infected host machine and send IMs to anyone on the buddy list, meaning even though the link seems to be coming from a friend, don't click!
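As an added defender-side example (not code from this article, FaceTime or VitalSecurity), the following Python script applies the host indicators named above to constructed output in the style of Windows `tasklist` and `netstat -ano`: it flags any running process whose image name is one of lockx.exe, palsp.exe or creame.exe, and any established TCP connection to the IRC default port 6667. The port is an assumption, since the article does not say which port the bots connect on; the process names, PIDs and addresses in the samples are made up for the demonstration.

```python
"""Host triage for the AIM worm indicators in the FaceTime report (added example)."""
import re
from collections import namedtuple

# File names the FaceTime / VitalSecurity write-up associates with the worm.
KNOWN_BAD_IMAGES = {"lockx.exe", "palsp.exe", "creame.exe"}

# Assumption: the bots use the IRC default port. The article names no port.
IRC_PORTS = {6667}

Process = namedtuple("Process", "image pid")
Connection = namedtuple("Connection", "proto local remote state pid")

# Matches "image.exe  <pid> ..." lines; header and separator lines do not match.
_PROC_RE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s")
# Matches TCP lines with a state column; UDP lines (no state) are ignored.
_CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)

# Constructed sample output; nothing here comes from a real host.
SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
explorer.exe                  1204 Console                    0     21,332 K
aim.exe                       1460 Console                    0     18,904 K
lockx.exe                     1337 Console                    0      2,456 K
"""

SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      203.0.113.5:6667       ESTABLISHED     1337
  TCP    192.168.1.10:1046      198.51.100.7:80        ESTABLISHED     1204
  TCP    192.168.1.10:1047      198.51.100.9:5190      ESTABLISHED     1460
"""


def parse_tasklist(text):
    """Return Process records for single-word image names in tasklist output."""
    procs = []
    for line in text.splitlines():
        m = _PROC_RE.match(line)
        if m:
            procs.append(Process(m.group("image").lower(), int(m.group("pid"))))
    return procs


def parse_netstat(text):
    """Return Connection records for netstat -ano style lines with a state column."""
    conns = []
    for line in text.splitlines():
        m = _CONN_RE.match(line)
        if m:
            conns.append(Connection(m.group("proto"), m.group("local"),
                                    m.group("remote"), m.group("state"),
                                    int(m.group("pid"))))
    return conns


def remote_port(addr):
    """Extract the port from an 'ip:port' string."""
    return int(addr.rsplit(":", 1)[1])


def triage(procs, conns):
    """Return (reason, image, pid) tuples for processes matching the indicators."""
    findings = []
    image_by_pid = {p.pid: p.image for p in procs}
    for p in procs:
        if p.image in KNOWN_BAD_IMAGES:
            findings.append(("known_image", p.image, p.pid))
    for c in conns:
        if (c.proto == "TCP" and c.state == "ESTABLISHED"
                and remote_port(c.remote) in IRC_PORTS):
            findings.append(("irc_connection", image_by_pid.get(c.pid, "?"), c.pid))
    return findings


if __name__ == "__main__":
    for reason, image, pid in triage(parse_tasklist(SAMPLE_TASKLIST),
                                     parse_netstat(SAMPLE_NETSTAT)):
        print(f"{reason}: {image} (pid {pid})")
```

The IRC check is the more durable of the two: file names change between variants, but a desktop process holding an established connection to an IRC port is unusual on a typical workstation and is worth a look even when the image name is not on the list.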

Now the question is... what excuse is 180solutions going to come up with now? At last notice, 180 was reporting:

a year of major changes for 180solutions, including technology upgrades and even more aggressive enforcement efforts, but the biggest change of 2005 was the complete overhaul of our distribution model.

It seems like that overhaul wasn't so complete after all.
