Kaspersky Lab, a leading developer of secure content management solutions, has published “‘Instant’ Threats” by Denis Maslennikov and Boris Yampolsky, two of the company’s virus analysts. The article analyses the spread of malware via instant messengers.
Instant messaging programs are very attractive to malicious users of all kinds, and because of this the problem of malware distribution via IM clients is a serious one. New versions of IM clients contain as yet unknown vulnerabilities, which can be identified first by hackers and only afterwards by program developers. Such situations can easily lead to mass epidemics. Some users are also extremely tired of getting unwanted messages (IM spam).
The article uses the example of ICQ – a popular IM client in many countries – to demonstrate the most widespread types of attack used by cybercriminals against instant messengers.
Password theft. All ICQ users have their own unified identification number, or UIN. Nine-digit numbers are currently the most widespread, but many users are keen to have a number with five, six or seven digits made up of only two different digits.
‘Attractive’ UINs are traded, usually fetching high prices. In most cases they have been acquired illegally. The multitude of Internet stores selling attractive UINs often engage in industrial-scale password searches and account theft. Another method is to steal the password for the ICQ user’s primary email (the email address that was entered into the contact information during registration). Access to the primary email makes it possible to change a user’s UIN password: by pretending to be a genuine account holder who has forgotten their password, the cybercriminal asks the ICQ support department for a new one.
The most popular method for stealing ICQ numbers is with the help of malicious programs, and Trojan-PSW.Win32.LdPinch in particular. This family of Trojans has posed a threat to users for the last few years. LdPinch not only steals passwords to ICQ and other IM clients but also to email accounts, various FTP programs, online games, etc. The popularity of LdPinch has been boosted by special constructor programs that make it easy to create the necessary malicious Trojan.
Spreading malicious programs. ICQ is used most commonly to spread the following malware: IM worms that use the client as a base for self-propagation; Trojan programs for stealing passwords, including those for ICQ numbers (in the vast majority of cases, it is Trojan-PSW.Win32.LdPinch); and malicious programs created to fraudulently obtain money from users (e.g., Hoax.Win32.*.*).
While IM worms usually spread with little or no help from the user, in the other cases cybercriminals use a variety of social engineering ploys to provoke a potential victim into clicking on a link and, if the link downloads a malicious program, into opening the file.
Malware is also spread via ICQ spam messages that contain direct links to malicious programs or to sites that contain Trojan-Downloader programs. These downloaders then install other malicious software on the victim computer, usually by exploiting vulnerabilities in browsers (in particular, Internet Explorer). The vulnerabilities that are used to carry out such attacks can also be present in the instant messaging applications themselves. In many cases the vulnerability can lead to buffer overflow and the execution of arbitrary code on a system, or provide remote access to a computer without the user's knowledge or consent.
Spam in ICQ. The number of unwanted messages received by a user in any given period of time depends on the ICQ number. Users with six-digit UINs receive an average of 15 to 20 unwanted messages every hour. Users with unremarkable nine-digit numbers receive an average of 10 to 14 such messages every day, while users with ‘attractive’ numbers get 2 to 2.5 times more spam.
In terms of message subjects, ICQ spam significantly differs from email spam. While about 90% of email spam advertises various goods and services, the proportion of such advertising in ICQ spam is less than 13% and most commonly Illegal Services (5.45%). Messages related to ICQ in some way accounted for 8.17% of ICQ spam, including promotion of ICQ 6.x, the buying and selling of UINs, and “ICQ chain letters”.
ICQ makes it possible to search for people based on their interests, allowing cybercriminals to target specific audiences. Spammers take the age of ICQ users into account, the vast majority being young people. Consequently, about 50% of all spam messages target young people, with Entertainment Sites (18.47%) and Adult Spam (17.19%) dominating. The categories of spam termed Computer Games, Voting, and Mobile Spam are also targeted at the younger generation.
Why cybercriminals attack IM clients:
- Selling stolen ICQ numbers (nine-digit numbers are sold wholesale and ‘attractive’ numbers are sold individually for significant amounts of money).
- Creating spam lists for sale to spammers or for mass distribution of malicious programs.
- Using the contact lists of victims as trusted sources to ‘borrow’ money.
- Downloading malicious programs using software vulnerabilities.
- Changing the web pages of legitimate sites (using FTP server passwords) to download malicious software to visitors’ computers.
- Creating botnets or extending existing zombie networks.
- Other malicious activity.
Currently, there are no methods or solutions designed specifically to protect IM clients. However, observing the simple rules of ‘computer hygiene’, and using a well-configured anti-spam bot combined with a healthy dose of common sense can help users enjoy worry-free chat via the Internet.
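The ‘well-configured anti-spam bot’ mentioned above is not described in detail here, so the following is an added example, not code from the Kaspersky article, showing what such a client-side filter can check given the threats listed on this page: URLs arriving from UINs outside the contact list, strangers exceeding a per-hour message rate, and links to executable downloads even from trusted contacts (a hijacked contact is how IM worms and LdPinch reach victims). The rule names, thresholds, UINs and message texts are all constructed for the example.

```python
"""Toy IM anti-spam filter (added example; thresholds and rules are assumptions)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Crude URL detector and a list of executable extensions; both are example
# choices, not taken from the article.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
EXE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")


@dataclass
class Message:
    ts: datetime
    sender: str   # UIN as a string
    text: str


@dataclass
class Verdict:
    spam: bool
    reasons: list


@dataclass
class ImSpamFilter:
    contacts: set                       # trusted UINs from the user's contact list
    max_unknown_per_hour: int = 3       # assumed threshold for strangers
    _history: dict = field(default_factory=lambda: defaultdict(deque))

    def check(self, msg: Message) -> Verdict:
        reasons = []
        urls = URL_RE.findall(msg.text)
        if msg.sender not in self.contacts:
            # Sliding one-hour window of messages per unknown sender.
            window = self._history[msg.sender]
            window.append(msg.ts)
            cutoff = msg.ts - timedelta(hours=1)
            while window and window[0] < cutoff:
                window.popleft()
            if len(window) > self.max_unknown_per_hour:
                reasons.append("rate")
            if urls:
                reasons.append("url-from-stranger")
        # Executable links are flagged regardless of sender: a trusted
        # contact whose account was stolen is a common infection vector.
        for u in urls:
            if u.rstrip(".,;!?").lower().endswith(EXE_EXT):
                reasons.append("executable-link")
                break
        return Verdict(bool(reasons), reasons)


def classify(messages, contacts):
    """Run the filter over a message stream in arrival order."""
    flt = ImSpamFilter(contacts=set(contacts))
    return [flt.check(m) for m in messages]


def spam_count(verdicts):
    return sum(1 for v in verdicts if v.spam)


# Constructed sample data: one trusted contact, two unknown UINs.
CONTACTS = {"123456789"}
_T = datetime(2008, 1, 1, 10, 0)
SAMPLE_MESSAGES = [
    Message(_T, "555000111", "hi, cheap UINs here www.example-promo.invalid/cheap"),
    Message(_T + timedelta(minutes=1), "123456789", "lunch at one?"),
    Message(_T + timedelta(minutes=2), "123456789",
            "look at my photos http://example.invalid/photos.exe"),
] + [
    Message(_T + timedelta(minutes=3 + i), "555000222", "hello") for i in range(5)
]

if __name__ == "__main__":
    for m, v in zip(SAMPLE_MESSAGES, classify(SAMPLE_MESSAGES, CONTACTS)):
        print(m.sender, "SPAM" if v.spam else "ok  ", v.reasons, m.text[:40])
```

The third message shows why sender trust alone is not enough: it comes from a contact-list UIN yet carries an executable link, which the filter still flags. The last two messages from the unknown UIN are flagged purely on rate, with no URL at all.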
The full version of the article “‘Instant’ threats” can be found at www.viruslist.com.