

  #1 (permalink)  
11-18-2005, 11:11 AM
Jeff
Administrator

Join Date: Mar 2001
Location: San Clemente, CA, USA
Posts: 9,077
IM RootKit Worm Controlled by Group in Middle East

Experts at FaceTime Security Labs™, the threat research division of FaceTime Communications, identified and reported a new threat today related to the AOL Instant Messenger (AIM) “RootKit” worm they first identified on October 28, 2005.

FaceTime security researchers confirmed that computers infected with the lockx.exe rootkit file are being further compromised by a group in the Middle East. The attackers have compromised multiple servers hosted by ISPs worldwide to distribute the malware payload. The additional malware includes a “ster.exe” file that contains six additional files to provide the attacker with the capability to upload, download, and monitor the infected host PC. It has also been found that the malware has the potential to steal Microsoft Outlook Express email passwords and log keystrokes. The infected computers can also be used as a platform for launching attacks on Web sites or networks.

Additional Information

  • The lockx.exe rootkit and its variants connect to an IRC server, where they are capable of receiving instructions through private, automated messages from an IRC operator. These messages can open a browser session or install an unwanted application
  • Over 17,000 users were found to be compromised on a single server, and multiple servers exist worldwide
  • Users may receive the instant message text consisting of:
    • “evilday.us/pic####.com”, or
    • “how do I look[ipaddress]/~q8army/pic0023.com” which links them to one of multiple worldwide servers to deliver additional malware
  • Additional malware includes self-extracting zip files including a “Ster.exe” file which utilizes the compromised machine to deliver multiple payloads that:
    • Can steal your browser auto-complete data which may leak confidential personal information
    • Gain access to Microsoft Outlook Express
    • Open browsers to launch a denial of service attack, and/or
    • Download additional malicious applications

“We have delivered detailed research information to the U.S. federal authorities and are fully cooperating with their efforts,” said Kailash Ambwani, president and CEO of FaceTime Communications. “This army of ‘bots could be used for any number of malicious purposes including a denial of service (DoS) attack against targeted Web sites.”


Last edited by Jeff; 11-18-2005 at 11:14 AM.
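Both lures quoted in the post above put a `.com` file name in the URL path, not in the host name. The following is an added detection example, not part of the original post or of FaceTime's research: it flags IM messages whose links end in a directly executable extension. The function and constant names are hypothetical, the sample messages are constructed, and "####" is assumed to stand for digits.

```python
import re

# File extensions Windows runs directly. ".com" is the one both lures in the post use.
EXEC_EXTS = (".com", ".exe", ".scr", ".pif", ".bat", ".cmd")

# A link as it appears in an IM: optional scheme, host (DNS name or IPv4), then a path.
LINK_RE = re.compile(
    r"(?:https?://)?"
    r"((?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})"
    r"(/[^\s\"'<>]*)",
    re.I,
)

# File-name shape shared by the two quoted lures: "pic" + digits + ".com".
# Assumption: "####" in the post stands for digits.
LURE_NAME_RE = re.compile(r"/pic\d+\.com$", re.I)


def scan_message(text):
    """Return (host, path, reason) for each suspicious link in one IM message."""
    hits = []
    for match in LINK_RE.finditer(text):
        host, path = match.group(1), match.group(2)
        # Drop query/fragment and sentence punctuation before checking the file name.
        path = re.split(r"[?#]", path, maxsplit=1)[0].rstrip(".,)!")
        if LURE_NAME_RE.search(path):
            hits.append((host, path, "lure-name"))
        elif path.lower().endswith(EXEC_EXTS):
            hits.append((host, path, "exec-ext"))
    return hits


# Constructed sample messages (192.0.2.10 is a documentation address).
SAMPLES = [
    "evilday.us/pic1234.com",
    "how do I look 192.0.2.10/~q8army/pic0023.com",
    "lol http://example.org/files/setup.scr",
    "my site is example.com, photo at http://example.com/photos/pic0023.jpg",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg, "->", scan_message(msg))
```

A host that merely ends in `.com` is not flagged, because the extension check is applied only to the path.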
 

 
  #2 (permalink)  
11-18-2005, 09:09 PM
DragonSlayerz
Senior Member

Join Date: Sep 2005
Location: Medieval Times
Posts: 335
Wow, that's scary. There are too many worms in the world wide web servers.
All times are GMT -5.