
Release: IM Rootkit, BotNet Linked to Hacker Group in Middle East

by SpywareGuide Staff

Date: 11.17.2005

FaceTime Communications Warns Customers and Federal Authorities of New Threat

Foster City, Calif. – November 17, 2005 – Experts at FaceTime Security Labs™, the threat research division of FaceTime Communications, identified and reported a new threat today related to the AOL Instant Messenger (AIM) “RootKit” worm they first identified on October 28, 2005. New research completed on the AOL rootkit worm confirms it acts as a back door for additional malware to be downloaded. The additional malware is capable of stealing usernames, passwords, and other personal information, and can be managed and controlled by a hacker through IRC communication sessions.

FaceTime security researchers confirmed that computers infected with the lockx.exe rootkit file are being further compromised by a group in the Middle East. The attackers have compromised multiple servers hosted by ISPs worldwide to distribute the malware payload. The additional malware includes a “ster.exe” file that contains six additional files to provide the attacker with the capability to upload, download, and monitor the infected host PC. It has also been found that the malware has the potential to steal Microsoft Outlook Express email passwords and log keystrokes. The infected computers can also be used as a platform for launching attacks on Web sites or networks.

Who is affected: All users who have been infected by the “lockx.exe” rootkit or its variants are most at risk. Users of other messaging applications may also be affected by the ster.exe payload, as it can be distributed by lockx.exe-infected PCs. All PC users can initiate a free online scan that can detect and disable the lockx.exe file by visiting: www.facetime.com.

Additional Information:

  • The lockx.exe rootkit and its variants connect to an IRC server, where it is capable of receiving instructions through private, automated messages from an IRC operator. These messages can open a browser session or install an unwanted application
  • Over 17,000 users were found to be compromised on a single server, and multiple servers exist worldwide
  • Users may receive the instant message text consisting of:
    • “evilday.us/pic####.com”, or
    • “how do I look[ipaddress]/~q8army/pic0023.com” which links them to one of multiple worldwide servers to deliver additional malware
  • Additional malware includes self-extracting zip files including a “Ster.exe” file which utilizes the compromised machine to deliver multiple payloads that:
    • Can steal your browser auto-complete data which may leak confidential personal information
    • Gain access to Microsoft Outlook Express
    • Open browsers to launch a denial of service attack, and/or
    • Download additional malicious applications

“We have delivered detailed research information to the U.S. federal authorities and are fully cooperating with their efforts,” said Kailash Ambwani, president and CEO of FaceTime Communications. “This army of bots could be used for any number of malicious purposes including a denial of service (DoS) attack against targeted Web sites.”

FaceTime Customers Can Prevent This Threat
FaceTime Enterprise Edition and IMAuditor customers can proactively block these malicious threats and prevent infections before they happen by blocking downloads of the specific executable files associated with the threat. FaceTime also recommends activating the Day Zero Defense System within IMAuditor 6.5. The system utilizes anomaly detection techniques to analyze multiple characteristics of IM-borne worms and other malicious code against normal behavior, and provides patent-pending protection against these threats without the need for traditional security signatures. FaceTime RTGuardian customers are automatically protected if they have auto update features enabled. FaceTime’s X-Cleaner customers (formerly XBlock) should download the latest update and scan their PC to detect and remove lockx.exe files.
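The two defensive signals this release describes are (a) the instant-message lure text that carries a link to a file such as “pic0023.com” on an attacker-controlled server, and (b) blocking downloads of the specific executable files named in the advisory (lockx.exe, ster.exe). The following Python scanner is an added example written for this page; it is not FaceTime code and not part of any FaceTime product. It runs over a constructed IM transcript and flags links whose final path segment is a known-bad filename or ends in a directly executable Windows extension. The assumptions are: the regular expression, the extension list, the sample messages and the documentation-range IP addresses are all constructed here; “.com” is treated as the DOS executable extension (as in the “/~q8army/pic0023.com” path quoted above), not as a top-level domain.

```python
import re
from typing import List, Optional, Tuple

# Filenames the advisory names as the rootkit and its downloaded payload.
KNOWN_BAD_FILENAMES = {"lockx.exe", "ster.exe"}

# Extensions of directly executable Windows files. Assumption for this
# example: an IM link whose final path segment ends in one of these is a
# download lure. ".com" is the DOS executable extension here, as in the
# "/~q8army/pic0023.com" path quoted in the advisory, not a TLD.
EXEC_EXTENSIONS = (".exe", ".com", ".pif", ".scr", ".bat", ".cmd")

# Optional scheme, then a host (dotted IPv4 or dotted name), then a path.
# Constructed for this example and deliberately loose so that scheme-less
# lures such as "evilday.us/pic0023.com" are still matched.
LINK_RE = re.compile(
    r"(?:https?://)?"
    r"(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)"
    r"(/[^\s\"'<>]*)",
    re.IGNORECASE,
)


def classify_link(path: str) -> Optional[str]:
    """Return a finding label for a link path, or None if it looks benign."""
    # Last path segment, query string stripped, case-folded.
    name = path.rsplit("/", 1)[-1].split("?", 1)[0].lower()
    if name in KNOWN_BAD_FILENAMES:
        return "known-bad-filename"
    if name.endswith(EXEC_EXTENSIONS):
        return "executable-link"
    return None


def scan_message(text: str) -> List[Tuple[str, str]]:
    """Extract links from one IM message; return (label, link) per suspicious link."""
    findings = []
    for m in LINK_RE.finditer(text):
        label = classify_link(m.group(1))
        if label:
            findings.append((label, m.group(0)))
    return findings


def scan_transcript(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan a list of IM lines; return (line_number, label, link) per finding."""
    out = []
    for line_no, line in enumerate(lines, start=1):
        for label, link in scan_message(line):
            out.append((line_no, label, link))
    return out


# Constructed sample transcript, not captured traffic. The IP addresses come
# from the documentation ranges and stand in for the "[ipaddress]" above.
SAMPLE_TRANSCRIPT = [
    "buddy1: hey check this out evilday.us/pic0047.com",
    "buddy2: how do I look 192.0.2.10/~q8army/pic0023.com",
    "buddy3: new photos at https://example.org/photos/pic0023.jpg",
    "buddy4: grab the tool http://198.51.100.7/files/ster.exe",
    "buddy5: see you at lunch",
]

if __name__ == "__main__":
    for line_no, label, link in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {line_no}: {label}: {link}")
```

Lines 1, 2 and 4 of the sample are flagged; line 3, a link to an image, and line 5, plain chat, are not. A filename list such as KNOWN_BAD_FILENAMES only catches the names known today, which is why the extension rule sits beside it: the lure URLs quoted in the advisory use a numbered “pic####.com” name that a fixed list would miss.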

About FaceTime Communications
Founded in 1998, FaceTime Communications is the leading provider of security solutions for the management and control of greynet applications such as adware/spyware, instant messaging, webmail, P2P file sharing, web conferencing and instant voice. FaceTime delivers the industry’s first IMPact Index, which assesses “point-in-time” risks posed by viruses, worms and other malware propagating through greynet applications. FaceTime's award-winning solutions are used by over 500 customers, among them seven of the eight largest U.S. financial institutions. FaceTime supports or has strategic partnerships with all leading public and private IM network providers, including AOL, Google, Microsoft, Yahoo!, IBM, Bloomberg, Jabber and Reuters. For more information, visit www.facetime.com.


FaceTime is headquartered in Foster City, California. For more information visit http://www.facetime.com or call 888-349-FACE.


PR Contact:
Bridgett Coates

Unless otherwise noted this article is Copyright © 2022 by FaceTime Communications, Inc. This article may not be resold, reprinted, or redistributed for compensation of any kind without prior written permission from FaceTime Communications, Inc. For reprint or media inquiries please contact us with the phrase "Spyware Guide Articles" in the subject line and we will be happy to assist you. Links to this article from other websites are appreciated and encouraged. Users are also encouraged to utilize our RSS system to provide unique content and extracts for their site.
