Paris Hilton being exploited? It's hard to believe, but virus writers are becoming more sophisticated in their use of celebrities such as Paris Hilton to entice users to unknowingly install malware.
It may be hard to understand that any users would believe Paris Hilton is inviting them to chat on instant messaging or sending a copy of "that" video via email, but they do — or maybe they're just hopeful.
The IRCbot and IM-Worm-based Kelvir families, made famous by the use of videos and images of Hilton, are becoming more sophisticated, according to antivirus vendor Kaspersky Labs.
To date celebrities, security and law enforcement agencies and politicians have been used to create fast, high-profile infections in devices using IM programs, says the company's senior research engineer Roel Schouwenberg.
But bot masters are now controlling malware distribution and execution by separating the worm from the backdoor.
"The worm will only start spreading when the IRC operator (the bot master) gives a specific command in the channel, or to one specific victim machine," Schouwenberg says. "It should be noted that in such cases, the worm spreads as a link to the backdoor, not to itself."
IM malware evolved from basic IRCBot installers such as Bropia and Kelvir, to Prex which uses links to separate worm and bot, to social-engineered "chatboxes", which incorporate messages to fool users into thinking Paris is offering her explicit personal imagery, or that the FBI will confiscate your PC unless you visit a web site.
These may lure more users into responses that lead to infection, but such infections are inevitably terminated due to high media attention which result in the quick release of fixes.
Schouwenberg says the use of .php dynamic content to steal email addresses led to a leap in IM hacking.
"The most common scenario in the case of IM worms is that the email address will be stored in a database for spamming purposes, then an executable will be presented to the user for download," he says.
He says new IM malware, such as IRCBot.lo, controls botnet size unlike earlier Kelvir variants that spread uncontrollably.