Experts warn of AOL botnet threat

Win32.Pipeline creates a sophisticated botnet that can be used for a range of malicious purposes

Security analysts have identified a new worm known as Win32.Pipeline that is propagating over AOL Instant Messenger.

Researchers believe that the ultimate goal of the worm is to create a sophisticated botnet that can be used for a range of malicious purposes.

FaceTime Security Labs said that the worm delivers an executable file disguised as a JPEG image.

The file calls out to various host computers that download a variety of other files including rootkits and Trojans that may further propagate the worm through the user's AIM Buddy List.

Once the user's PC is infected, it becomes part of a botnet and is under complete control of the hacker to use for a variety of purposes.

These could include relaying spam, performing distributed denial-of-service attacks or committing financial fraud against online advertisers.

Like many IM worms, Win32.Pipeline first appears as an instant message from a familiar contact, luring users into clicking on a link with a contextual phrase.

The IM message, which reads 'Hey would it okay if I upload this picture of you to my blog?', downloads a command file called image18.com, which is disguised as a JPEG.

Running the file results in csts.exe being created in the user's system32 folder, which is part of the Windows operating system.

"The emphasis for this latest worm is not so much on the files that are delivered to the users' computers, but the way these files are deposited onto the system," said Chris Boyd, director of malware research at FaceTime Security Labs.

"Previous IM attacks have tended to focus on the damage done by the files, with little thought on the method of delivery, save for the quickest way to get those files onto a PC.

"Here, the motivation for the bad guys seems to be in lining up as many 'install chains' as possible to insure a consistent pipeline that can be controlled by their rogue botnet."