Wednesday, October 17, 2007

Thousands of IM Screen Names in the Wild

In the past, malware looking to establish a one-to-one social engineering communication channel with potential victims would crawl the hard drive, and even the web address book, of the infected party looking for email addresses to which it could mail a copy of its own binary. With the rise of instant messaging, malware authors adapted the old email-harvesting techniques to IM by harvesting IM screen names, positioning the practice both as a product, in the form of segmented databases of millions of already harvested emails, and as a service, by aggregating publicly available profile data to deliver targeted messages, often in the form of phishing, URLs leading to malware, and spam. Hitlist-based malware is nothing new; it is malware authors borrowing the spammers' "direct marketing" communication model. And while you cannot change your email account name, unless of course you're using a disposable or temporary email service, you can easily, and in fact periodically, change your screen name.

IM networks, on the other hand, are slowly adopting a "save the world from the clicking crowd" security awareness model by blocking common malicious file extensions and domains, an initiative that is both laudable and futile at the same time, given the failure of URL filtering in today's dynamic, user-generated-content Web. For more, go through an informative article by ScanSafe's Dan Nadir, with comments on signature-based detection, heuristics, code analysis, code reputation, URL reputation, and traffic behavioral analysis.
