Group Enlists Honey Pots to Catch IM Threats

Instant messaging "honey pots" will serve as the hub for a new Threat Center created by a consortium of IM and security vendors.

IMlogic Inc. on Tuesday announced plans to use so-called honey pots, or vulnerable machines, to track malicious virus activity on instant messaging and peer-to-peer networks.

In partnership with a slew of big-name IM and anti-virus vendors, the Waltham, Mass.-based IMlogic is heading up the establishment of a Threat Center to gather intelligence and provide early virus warnings.

The Threat Center initiative revolves around the controversial honey-potting technique used to monitor and track illegal intrusions on a host or network that has been deliberately exposed with known security vulnerabilities.

Honey pots have been used in the past—mostly in e-mail environments—to trap malicious hackers and to collect data on the way intruders operate. Information collected in honey pots is typically used to power early warning and prediction systems.

According to IMlogic chief executive Francis deSouza, the company will manage a system of honey pots running on IM networks powered by America Online Inc., Yahoo Inc., Microsoft Corp., IBM Corp. and Jabber.

"These are IM honey pots that are specially created. They shouldnt be receiving any IM traffic outside of spam or malware so when we detect any activity on those IMs, it sets off a warning," deSouza said in an interview with

He said IMlogics engineers will manage and monitor the honey pots on IM networks around the world. When virus activity is detected, deSouza said the honey pot will transmit the data to IMlogic for posting on the public Web repository. "We will then pass that information on to the affected IM network and to the anti-virus firms to stop the spread immediately," he added.

In addition to providing early detection to the IM providers and anti-virus vendors, deSouza said the work of the Threat Center will power updates to its enterprise-facing IM Manager product.

deSouza declined to say how many honey pots had been deployed or how the company planned to work around the legal ramifications of using the technique. In the past, the use of honey pots has raised questions about whether it constitutes entrapment.

"Weve obviously paid attention to the mistakes made by e-mail honey pots. There is a preferred way to deploy honey pots and we have the advantage of launching now and incorporating everything weve learned from the e-mail honey pots," deSouza said.

Among other things, the data from the Threat Centers honey pots will be used to create a knowledge base of IM/P2P viruses and worms and an alerts-and-notification mechanism (by e-mail and IM) of new and emerging threats for subscribers.

The plan calls for a rapid response mechanism to provide guidance and protection against IM and P2P threats for both enterprises and consumers, deSouza said.

It will also provide protection against "spim" (spam IM) and known hacker vulnerabilities in the IM clients, servers and networks.

/zimages/2/28571.gifClick here to read more about spim and other issues facing instant messaging.

The launch of a dedicated IM virus data repository comes amid a noticeable increase in malicious action on the public chat networks. Symantec Corp. estimates that IM viruses increased by 400 percent in 2003 and played a key role in 40 percent of the top computer viruses. Symantec has previously warned that an IM virus could infect as many as half a million users in as little as 30 to 40 seconds.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.