Reuters IM Worm Attack Seen As ’Wake-Up Call’

Reuters' instant messaging service, purposefully taken offline by the U.K.-based firm Thursday in a last-ditch effort to stymie a fast-spreading IM worm, was back in operation early Friday morning.

The service, which is built atop Microsoft's Messenger technology, but is a separate, closed service that caters to 60,000 workers in the financial sector, was up and running again at 7 a.m. London time (2 a.m., Friday, EDT; 11 p.m., Thursday, PDT).

At 10 a.m. Thursday, London time, Reuters shuttered the service because another variant of the persistent and pernicious Kelvir worm -- which targets Microsoft instant messaging clients -- was spreading. "This action was taken in order to prevent further propagation of the virus that is attempting to spread by using the messaging service," Reuters said in one of several alerts it posted throughout the day.

"The service will remain suspended until Reuters are confident the virus has been removed," it added in a follow-up alert.

Security firms reacted by issuing alerts and raising their overall threat warnings. FaceTime, for instance, which on Monday debuted a new IM threat center, raised its IMPact Index to "8" from "3" to mark the occasion.

"We know a bit more today about what happened," said Francis DeSouza, the chief executive of IMlogic, an instant messaging security and management company. "The Kelvir worm attacked only version 3.1 client of Reuters, not version 4.0. Large customers, who had mostly upgraded, were okay."

Even so, the worm spread so fast and infected so many of users that Reuters shut down rather than let it propagate further.

"Because Reuters targets the financial industry, it holds itself to higher bar," DeSouza said. "It's a mission-critical application for its users, while IM for, say a consumer, really isn't."

The Kelvir worm that knocked out Reuters was tagged as Kelvir.re by IMlogic and its Threat Center. That versions was only the most recent in a long line of Kelvir variants that have appeared in the last six weeks. By Symantec's count, for example, two dozen different Kelvir worms have popped up, all of which take aim at Microsoft's MSN Messenger and Windows Messenger.

This Kelvir, like all the others, spread by sending copies to everyone on the IM contact list of the infected client. The message, which read "Is it you?" was accompanied by a link to a Web site. Users who clicked on the link were then infected with the Spybot spyware software, which, among other chores, watches for passwords and usernames, then sends them to the controller attacker via an IRC channel.

The Web site which hosted the malicious code was shut down Thursday, although not in time to save Reuters.

"There's nothing dramatically different about this version of Kelvir," said DeSouza. "In fact, it wasn't designed to attack Reuters specifically, but all Microsoft IM clients."

Was Reuters just unlucky? Security analysts are often unable to explain why one variant of a worm spreads like wildfire, while nearly identical version languish in the worm version of Purgatory.

That may have been what happened here, said DeSouza. "Other Kelvirs were just as capable, but they didn't bring down any of the networks. In fact, that happens very infrequently.

"But this is certainly a wake-up call," said DeSouza. "IM is just like any other communication media. The media needs to go hand in hand with security."

DeSouza also called any link between Thursday's attack and other events this week -- including the disclosure of an MSN Messenger vulnerability by Microsoft and the announcement by America Online that it would make its network accessible to users of several other IM clients, including the open-source Jabber -- just coincidence.

"They had nothing to do with this," he said. "It was just another Kelvir."