Worms propagating via instant messaging (IM) applications are on the increase according to a new study.
The Malware Evolution: January – March 2005 report from anti-virus vendor Kaspersky Labs found that since the beginning of the year there has been a noticeable increase in this type of malware. 40 variants of IM worms have been spotted this year alone, with Bropia having the most variants. Most worms targeted Microsoft’s MSN Messenger and are written in Visual Basic.
“These two facts taken together seem to indicate that IM worms are at the initial stage of evolution,” said Alexander Gostev, senior virus analyst at Kaspersky Labs and author of the report.
He added that the fact that the vast majority of the worms are written in Visual Basic demonstrated that most of the authors are fairly new to the virus-writing scene and are relatively inexperienced programmers in general.
“The evidence currently points to IM worms being the domain of script-kiddies,” said Gostev.
The worms spread using web links that download the worm, even though IM applications allow file transfers. It appears virus authors find file transfer delivery too complex to write and so rely on the simpler web link method.
The author of the report said these worms are evolving along the same lines as worms that propagated through peer-to-peer (P2P) networks a few years ago. Most then targeted Kazaa and were written in Visual Basic. The peak of P2P worms came in 2003 when ten new variants were spotted almost every week.
But Gostev said that after that, P2P infections slowed down, and he expected IM worms to follow a similar pattern. He warned systems administrators to be aware of the threat and take action to prevent the spread of worms. One option he put forward would be to forbid the use of IM until security improves.
The worms also install other malware. Bropia installs Backdoor.Win32.Rbot on the infected machine, turning it into a zombie machine in a bot network. (As reported in SC Magazine here.)
Last week the Kelvir worm, which targets Microsoft’s MSN Messenger, forced Reuters to temporarily shut down its own messaging system on Thursday.