New Worm Aggressively Spreading via Facebook and IM Clients

Security researchers warn of a new worm spreading on instant messaging applications by luring users to malicious link via spam messages.

Rogue messages posted from compromised computers on Facebook, Yahoo! Messenger and Windows Live read: "Foto :D http://[censored]otoon.com/photo.php?=[random_number]"

According to security researchers from Trend Micro, this malware also functions as a botnet client by connecting to Internet Relay Chat (IRC) servers and awaiting commands.

The threat, which is detected by Trend products as WORM_IRCBOT.PHT, allows attackers to download and execute other files on the infected systems.

This behavior is consistent with a pay-per-install scheme, where other cyber criminals pay the worm's creators to distribute their malicious applications.

"Recent media reports have stated that IRC-based botnets such as the one formed by WORM_IRCBOT.PHT are 'dying off,' but as this incident shows the threat still exists," Jonathan Leopando, technical communications specialist at Trend, writes.

The reason why botnet runners are moving away from using IRC servers in their command and control infrastructure is because they can be easily taken down.

IM worms have historically been very successful. Palevo, which spreads through several instant messaging applications, was the most prevalent malware family during the first half of this year and was responsible for the huge Mariposa (Butterfly) botnet.

Over the weekend, Microsoft temporarily disabled active hyperlinks in Windows Live Messenger 2009, citing a worm that spreads via social networks and IM programs.

"You will still be able to copy a web address and paste it into a browser window if you know it to be safe, but by removing active hyperlinks from Messenger 2009, we’re taking a significant step towards stopping the unintentional spreading of this worm," John Scarrow, Microsoft's general manager of Safety Services, explained.

It's not certain if the worm that triggered this response from Microsoft is the same as the one reported by Trend Micro today, but the description certainly sounds similar.