A new worm is targeting users of the ICQ instant messenger by tricking them into clicking on links delivered via IM, security experts said Tuesday.
About 50,000 machines have been infected with the Bizex worm, said Moscow-based Kaspersky Labs. The security firm called the outbreak the first global epidemic among ICQ users.
Invitations to a malicious site lead ICQ users to the jokeworld.biz Web site, where vulnerabilities in both Internet Explorer and Windows are used by the hacker to download the worm and launch it on the compromised machine. Bizex spreads by hijacking ICQ contacts from the infected machine, then sending IMs with the link to jokeworld to all those contacts.
Bizex includes a range of payloads, said Kaspersky, including one which harvests information it finds on the infected machine related to payment systems from Wells Fargo, American Express UK, Lloyds, Barclaycard, Credit Lyonnais, and E*TRADE. Any financial information Bizex uncovers is then transmitted to a remote, anonymous server.
Additionally, Bizex includes a keylogger component that intercepts data transmitted via HTTPS (the encrypted version of HTTP), typically used to move financial transactions, such as those between a user and his bank. This data is also sent to the remote server.
“This is a bare-faced attempt to make money,” said Eugene Kaspersky, who heads the anti-virus research at Kaspersky, in an e-mailed statement. “The new method of penetration, the fact that ICQ has not been used for such an attack before, and the wide range of spy functions means this combination is sure to reap huge profits for the author of Bizex.”
Although the jokeworld site was shut down just hours after the outbreak began, security experts warned users to be wary of links sent via IM, even by buddies on their instant messenger contact list.
“All ICQ and instant messaging users should be careful to avoid hyperlinks sent to them by others,” said Ken Dunham, director of malicious code research at iDefense. “It's very likely that similar attacks will be launched in 2004 through such mediums.”
Kaspersky recommended that ICQ users update Internet Explorer and Windows immediately using the available patches on the Windows Update Web site. TechWeb