
According to Kaspersky, there will be a sharp rise in next-generation IM worms which can spread via multiple IM networks, triggering the demise of traditional IM worms, such as Bropia, Kelvia and Prex, which spread via single IM networks, such as MSN.
IM worms, such as IRCBot.lo, will represent the greatest IM threat, as they can spread to a large number of networks and can use variable messages and download links, the security firm warned.
“In most cases, an IM worm should not be viewed as a standalone piece of malware, but rather as a slave that is used to help the IRCBot spread,” said Roel Schouwenberg, senior research engineer, Kaspersky Lab.
“The appearance of IRCBot.lo, which represents the ultimate in IM worm functionality, demonstrates that IM is an infection vector that has not yet been exhausted.”
“The worrying thing about IM worms like IRCBot.lo is that the code that is used to write them can be easily copied, potentially resulting in a significant increase in IRCBots which can spread links across all major IM networks. It therefore seems likely that we may start to see reports of other IM networks being increasingly targeted in the future,” he added.
Schouwenberg believes sophisticated IM worms, such as IRCBot.lo, will signal the demise of the traditional IM worm: “Since IM worms first appeared, there have been significant changes in distribution methods, in the sophistication of the code used and in the IM networks targeted. Additionally, dynamic messages help increase the lifecycle of malware and of botnets, and the use of controlled spreading helps malware authors evade unwanted attention.”
It is not just PCs, however, that are vulnerable to IM worms; Macs are also at risk, according to Kaspersky. On February 13, 2006, the first worm for Mac OS X was discovered: an IM worm named OSX/Leap.A that spreads via Apple’s IM application, iChat. “Apple’s small share of the global PC market has, until now, protected Macs from the unwanted attention of malware authors. However, as Apple systems become more popular, this will change; once critical mass is reached, more malware will undoubtedly start to appear,” said Schouwenberg.
Even though malware like IM-Worm.OSX.Leap.a is ‘proof of concept’ code with no obvious malicious payload, it proves that Mac OS X does contain security flaws that can be used to compromise the operating system.
“Whether proof of concept code such as Leap will be used for financial gain in the near future remains to be seen. Although history shows that once vulnerabilities are identified, malware writers are never far behind.”