ISPs to blame for new worm affecting MSN users

A new worm which allows remote access to infected computers is spreading rapidly via MSN contact lists. Local experts say ISPs have the technology to stop this but are too slow to meet profit-driven cybercriminals.
Written by Liam Tung, Contributing Writer

ISPs could kill a new worm that is spreading rapidly via MSN Messenger, according to security experts.

The worm, called Backdoor.IRCBot.gen, spreads by sending file transfer requests to a victim's contact list. Once accepted, a malicious file is executed on the recipient's computer, which gives criminals control of the infected computer.

Experts say that in most cases, IM worms send files to all the user's contacts without their knowledge and the only way to verify the authenticity of the file is to check with the person who is supposed to have sent it.

James Turner, security consultant for Australian-based research firm IBRS, claims ISPs could stop the worm if they tried.

"It's pretty pathetic that we can see the code for this worm moving around the Internet. We've got the capability to block this attack at the network level ... what's lacking in the war against malware is any initiative from ISPs like Telstra in offering managed security services for home users. This kind of offering could knock malware on its back," said Turner.

MessageLabs' Australian marketing manager Andrew Antal said ISPs are caught between a rock and a hard place when it comes to protecting their customers.

"Telcos should be adding an extra layer of security as part of a broadband service -- much in the same way as we expect clean water from a utility provider. However what's prohibiting this is that broadband is a commodity item, driven on price, so often a minimal level of security is offered so that [telcos] can maximise the margin on overall broadband costs they face," said Antal.

Antal said that Telstra has started to offer MessageLabs services to SMB customers but is not yet offering this service to consumers.

IBRS's Turner believes the lack of action by ISPs may offer encouragement to worm writers.

"If the worm writers have success in one area, they will take their lessons of success and apply them to other areas. This could mean other IM packages, or it could be an application in Facebook. The attack vector is the relationship that the victims have with each other," he said.

Paul Ducklin, head of technology at security firm Sophos, said the worm is nothing new.

"The first piece of malware was developed for Apple II computers in 1982. By 1992 we had our thousandth virus. Now we're at 250,000 and 50,000 of these have come out in the last six months. We're not dealing with kids who write a virus as a challenge. Now, criminals are pursuing opportunities as any business would," he said.

Ducklin said that the profit motive has enriched the market for malware to the extent that cybercriminals can order a suite of features that come with the malware, for example how it should spread and the level of infection.

Backdoor.IRCBot.gen is a variant of a worm reported a month ago by US security specialists, PrevX. MSN users were asked to download a file called "Myalbum2007.zip" from a trusted contact, which then opened a backdoor to the infected computer.

MSN users should treat with suspicion files named: photo_album [number], photos2007_[number], images[number], photo[number], album [number].

It's not just IM transfers that should concern users, said Sophos's Ducklin.

"IM with file transfer facilities can be considered a similar problem as P2P file sharing. IM and P2P allow much more casual sharing of files across a network than an administrator would allow off a Web server," he said.

Ducklin suggested that administrators need tools to monitor and control accepted IM clients.
