This weekend, an unnamed worm forced Microsoft to temporarily suspend active links in Live Messenger 2009 in order to prevent the aggressive worm from spreading further. This is quite a surprising measure, because worms spreading through Instant Messaging (IM) clients such as Skype, Yahoo! Messenger and Microsoft Live Messenger are not new at all! For example, the AimVen worm was discovered in 2003 and targeted the America Online Instant Messenger platform.

The modus operandi for this type of attack is simple:

  1. the victim receives a message containing a hyperlink from one of their contacts;
  2. the victim clicks on the hyperlink;
  3. the victim gets infected.

The only purpose of the hyperlink is to get a malicious program installed onto the victim's computer. The hyperlink may lead directly to an executable file, to a page infected by a browser exploit kit such as the Eleonore kit (see this article by Brian Krebs), or to a page designed to lure the user into downloading and executing the malicious program through social engineering.

This spreading mechanism is a very effective way for malware to stay active and prosper. And as time goes by, the bad guys are refining their techniques to convince potential victims to actually visit the malicious hyperlinks. For example, the Butterfly worm waits until the victim is in a conversation with someone before sending the malicious messages, rather than sending them out of the blue. The worm can also use geolocation to write in the victim's language and even refer to news or events in the victim's country. These advanced techniques make the malicious messages look much less suspicious and may trick even the most cautious users.

One of the active worms that uses this technique is the worm behind the famous Mariposa botnet, called Butterfly and also known as Win32/Bflient, Win32/Peerfrag, Win32/Palevo, and Win32/Rimecud. Surprisingly, Butterfly is still a very prevalent threat despite the arrest of its alleged author, a Slovenian, earlier this year and the dismantling of the Mariposa botnet. In fact, ESET's October ThreatSense report shows that Win32/Bflient.K has entered the top 10 threats, in 8th place.

Here is a real-life example of Butterfly using Microsoft's MSN to spread itself. Last week, a compromised machine received an order from its botnet operator to activate the MSN spreading component with the following message:

mira a ana :DD http://bit.ly/XXXXX

As we can see, a URL shortener is used to obfuscate the real destination. When the victim opens the hyperlink, they see a fake video player and a pop-up prompting them to install a Flash Player update. Obviously, the file is anything but a Flash Player update: it is the latest version of the worm. In this case, the malicious file was hosted on a compromised, low-profile Canadian website.

[Screenshot: Fake Flash Player update prompt]

Was it an outbreak of the Butterfly worm that caused Microsoft to take action and block active links in Microsoft Live Messenger 2009? Who knows? But one thing is for sure: link blocking technologies need to be rapidly integrated into IM clients, because the bad guys will keep using this powerful infection vector and successfully infect new victims every day. So Microsoft scores a bonus point for integrating Link Safety in Live Messenger 2011.
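To make the two defensive points above concrete (a shortener hiding the real destination, and an IM client disabling links it cannot trust), here is an added example of a small link-safety filter for instant messages. It is illustrative code written for this post, not ESET's, Microsoft's or any IM client's implementation. The shortener list, the executable extensions, the redirect table and the hostnames in it are all constructed assumptions; a real resolver would issue HEAD requests from an isolated host and follow Location headers instead of reading a hard-coded table.

```python
"""Link-safety filter for IM messages (added example, not the post's own code)."""
import re
from urllib.parse import urlparse

# Constructed lists (assumption): common URL-shortener hosts and file
# extensions that Windows executes directly. Production filters use
# larger, maintained lists.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
MAX_HOPS = 10

# Constructed redirect table standing in for HTTP 301/302 Location headers,
# so the example runs offline. Hostnames are placeholders, not the
# compromised site from the article. The second chain is a deliberate loop.
REDIRECTS = {
    "http://bit.ly/XXXXX": "http://hacked-site.example/video/",
    "http://hacked-site.example/video/": "http://hacked-site.example/flash_update.exe",
    "http://bit.ly/loop1": "http://bit.ly/loop2",
    "http://bit.ly/loop2": "http://bit.ly/loop1",
}


def extract_urls(message):
    """Return the URLs in a message, with trailing punctuation stripped."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(message)]


def resolve(url, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Follow redirects and return (chain, status).

    status is 'ok', 'loop' (a URL repeated) or 'too_many_hops'.
    """
    chain = [url]
    seen = {url}
    while chain[-1] in redirects:
        if len(chain) > max_hops:
            return chain, "too_many_hops"
        nxt = redirects[chain[-1]]
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "ok"


def classify_url(url, redirects=REDIRECTS):
    """Grade one link as 'block', 'warn' or 'allow' and say why."""
    chain, status = resolve(url, redirects)
    final = chain[-1]
    is_short = (urlparse(url).hostname or "").lower() in SHORTENER_HOSTS
    is_exe = urlparse(final).path.lower().endswith(EXECUTABLE_SUFFIXES)
    unresolved = status != "ok"

    reasons = []
    if is_short:
        reasons.append("shortened URL hides the real destination")
    if is_exe:
        reasons.append("final destination is an executable file")
    if unresolved:
        reasons.append("redirect chain could not be resolved (%s)" % status)

    # Policy: a link we cannot resolve, or that ends in an executable, is
    # blocked; a shortener alone only earns a warning to the user.
    if is_exe or unresolved:
        verdict = "block"
    elif is_short:
        verdict = "warn"
    else:
        verdict = "allow"
    return {"url": url, "final": final, "hops": len(chain) - 1,
            "status": status, "verdict": verdict, "reasons": reasons}


def filter_message(message, redirects=REDIRECTS):
    """Return (rewritten message, verdicts).

    Blocked links are replaced by inert text, much like suspending active
    links in the client: the recipient still sees the message but cannot
    click through to the payload.
    """
    verdicts = [classify_url(u, redirects) for u in extract_urls(message)]
    out = message
    for v in verdicts:
        if v["verdict"] == "block":
            out = out.replace(v["url"], "[link blocked]")
    return out, verdicts


if __name__ == "__main__":
    # The lure from the article, run through the filter.
    text, results = filter_message("mira a ana :DD http://bit.ly/XXXXX")
    print(text)
    for r in results:
        print(r["verdict"], r["url"], "->", r["final"], r["reasons"])
```

The loop and hop-count checks matter in practice: a resolver that blindly follows Location headers can be tied up forever by a redirect loop, and an attacker who knows the client gives up after N hops can simply use N+1, so anything that does not resolve cleanly is treated as untrusted rather than allowed by default.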


Alexis Dorais-Joncas

Pierre-Marc Bureau