IM Security

Libraries are concerned with the security of their computers. This is a good thing. Every time I talk to librarians about IM in their libraries, they ask about the security risks involved. Because of this I’m always on the lookout for news related to malware being spread via IM clients.

I’ve read a decent amount of “doom and gloom on the horizon” type articles, but very little about actual events. But this morning “Trojan Targets AIM” was in my aggregator [via bigblueball].

A Trojan continued to spread Monday among America Online instant messaging clients, and installs its backdoor on the infected PC when trusting users click on a link within the line “Check out this” or “i thought youd wanna see this” from a buddy on their AIM contact list.

Dubbed “Oscarbot” by McAfee and “Doyorg” by Symantec, the Trojan doesn’t spread automatically when users download and run the file linked in the instant message. Instead, it opens a port and listens for instructions on IRC (Internet Relay Channel); the attacker must specifically order each infected machine to start spreading.

It propagates by sending the same message to every buddy in the system’s AOL Instant Messenger client’s address book.

The rest of the article explains that the purpose of this is to create zombie networks, and that the usual antivirus software should catch this thing.

Have you, or has anyone you know, been infected with this?

5 thoughts on “IM Security”

  1. Good thought. I was going to include a bit about Trillian, but I wanted to find out a bit more.

    I’m not sure if the trojan works with just AIM’s oscar protocol (in which case trillian would also be prey) or a combo of the protocol and the AIM software (in which case trillian would probably be safe).

    Either way, I bet that your Apple using Fire is safe.

  2. If it’s the one I’m thinking of, which it seems to be, you have to click on a link and run a file from a website. Depending on your browser settings this could easily happen. If you use other IM clients you could probably get it but I don’t think it would spread as easily. More info on it here:

    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.doyorg.html

    We had a huge outbreak on campus awhile back due to a variant that was putting links in people’s profiles such as “check out my spring break pics”, etc. People would click on the link and I believe that one used a vulnerability in IE to infect. This caused havoc with the library proxy and some online courses because it seemed to hijack IE security settings. Something to look out for.

  3. Some folks in town have apparently been infected, since a few of these “check this out” and “look at my pictures” IMs popped up at the ref desk this weekend. Can this spoof sender s/n’s, like what happens in email, or has the s/n owner definitely been hit?
