Reuters worm a "wake up" call

Reuters’ recent forced shutdown of its instant messaging system following a blitz of attacks from a new Kelvir worm should be seen as a “wake-up call” to other users, industry experts claim.

  • E-Mail
By  Jane Plunkett Published  April 20, 2005

Reuters’ recent forced shutdown of its instant messaging system following a blitz of attacks from a new Kelvir worm should be seen as a “wake-up call” to other users, industry experts claim. The media giant took the decision to close its Reuters Messaging IM system completely on April 14, following a series of attacks. The worm spread so fast and infected so many users that Reuters shut down rather than let it propagate further. The service was only restored the following day. Security firms have reacted by issuing alerts and raising overall threat warnings for the new worm. Customers were urged to take steps to secure their own networks. “This is certainly a wake-up call,” said Francis DeSouza, the chief executive of IMlogic, an instant messaging security and management company, talking to journalists after. “IM is just like any other communication media. The media needs to go hand in hand with security.” The new variant of the worm attempted to spread by sending fake IM messages to people in contact lists on infected systems, a technique famously used by earlier Kelvir strains. The messages, crafted to look exactly like legitimate IM correspondence, attempted to lure people to a web site, a Reuters spokesman said. Users who clicked on the link were then infected with the Spybot spyware software, which, among other things, watches for passwords and usernames, then sends them to the controller attacker via an IRC (internet relay chat) channel. “In order to protect our customers and other users, and to prevent RM from being used to propagate this worm, Reuters has temporarily suspended the RM service and is working to resolve this matter,” the company said in a statement after shutting off its IM service. “Because Reuters targets the financial industry, it holds itself to higher bar,” DeSouza said. “It’s a mission-critical application for its users, while IM for, say a consumer, really isn’t.” The worm that temporarily closed down Reuters was labeled as Kelvir.re by IMlogic and its Threat Centre. That version was just one of a long line of Kelvir variants that have appeared in the last six weeks. According to Symantec’s count, for example, two-dozen different Kelvir worms have popped up, all of which take aim at Microsoft’s MSN Messenger and Windows Messenger. According to reports, the worm only attacked version 3.1 of Reuters, not the later version 4.0. Those customers who had upgraded were protected. In a recent report on IM-borne viruses, the IMlogic Threat report indicated that Kelvir was among the most frequently detected IM infections at work places, along with the Bropia and Serflog worms.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code