Reuters IM Worm Attack Seen As 'Wake-Up Call' - InformationWeek

4/15/2005
03:13 PM

Reuters IM Worm Attack Seen As 'Wake-Up Call'

Reuters' instant messaging service, purposefully taken offline by the U.K.-based firm Thursday in a last-ditch effort to stymie a fast-spreading IM worm, was back in operation early Friday morning.

The service, which is built atop Microsoft's Messenger technology, but is a separate, closed service that caters to 60,000 workers in the financial sector, was up and running again at 7 a.m. London time (2 a.m., Friday, EDT; 11 p.m., Thursday, PDT).

At 10 a.m. Thursday, London time, Reuters shuttered the service because another variant of the persistent and pernicious Kelvir worm -- which targets Microsoft instant messaging clients -- was spreading. "This action was taken in order to prevent further propagation of the virus that is attempting to spread by using the messaging service," Reuters said in one of several alerts it posted throughout the day.

"The service will remain suspended until Reuters are confident the virus has been removed," it added in a follow-up alert.

Security firms reacted by issuing alerts and raising their overall threat warnings. FaceTime, for instance, which on Monday debuted a new IM threat center, raised its IMPact Index to "8" from "3" to mark the occasion.

"We know a bit more today about what happened," said Francis DeSouza, the chief executive of IMlogic, an instant messaging security and management company. "The Kelvir worm attacked only version 3.1 client of Reuters, not version 4.0. Large customers, who had mostly upgraded, were okay."

Even so, the worm spread so fast and infected so many users that Reuters shut down rather than let it propagate further.

"Because Reuters targets the financial industry, it holds itself to a higher bar," DeSouza said. "It's a mission-critical application for its users, while IM for, say, a consumer, really isn't."

The Kelvir worm that knocked out Reuters was tagged as Kelvir.re by IMlogic and its Threat Center. That version was only the most recent in a long line of Kelvir variants that have appeared in the last six weeks. By Symantec's count, for example, two dozen different Kelvir worms have popped up, all of which take aim at Microsoft's MSN Messenger and Windows Messenger.

This Kelvir, like all the others, spread by sending copies to everyone on the IM contact list of the infected client. The message, which read "Is it you?", was accompanied by a link to a Web site. Users who clicked on the link were then infected with the Spybot spyware software, which, among other chores, watches for passwords and usernames, then sends them to the controlling attacker via an IRC channel.

The Web site which hosted the malicious code was shut down Thursday, although not in time to save Reuters.

"There's nothing dramatically different about this version of Kelvir," said DeSouza. "In fact, it wasn't designed to attack Reuters specifically, but all Microsoft IM clients."

Was Reuters just unlucky? Security analysts are often unable to explain why one variant of a worm spreads like wildfire, while nearly identical versions languish in the worm version of Purgatory.

That may have been what happened here, said DeSouza. "Other Kelvirs were just as capable, but they didn't bring down any of the networks. In fact, that happens very infrequently.

"But this is certainly a wake-up call," said DeSouza. "IM is just like any other communication media. The media needs to go hand in hand with security."

DeSouza also called any link between Thursday's attack and other events this week -- including the disclosure of an MSN Messenger vulnerability by Microsoft and the announcement by America Online that it would make its network accessible to users of several other IM clients, including the open-source Jabber -- just coincidence.

"They had nothing to do with this," he said. "It was just another Kelvir."
