Instant Messaging: A New Front in the Malware War

Attacks targeting major IM networks have risen 400 percent, and anti-virus vendors report a sharp rise in high-profile threats.

The recent appearance of the Oscabot-F IM worm is the latest in a series of increasingly serious attacks affecting instant messaging networks, a trend that is forcing IT managers to choose between banning the popular chat technology and opening their networks to a host of IM-borne worms and viruses.

Attacks against major IM networks rose 400 percent last quarter, when there were 25 major IM attacks, compared with five in the same quarter last year, according to figures compiled by IM security vendor Akonix Systems Inc., in San Diego.

Anti-virus company Symantec Corp. has also seen a sharp rise in high-profile threats that spread over IM and peer-to-peer networks, said Vincent Weafer, senior director of Symantec Security Response, in Cupertino, Calif.

Oscabot-F is typical of new threats aimed at IM. That worm spreads through America Online Inc.'s AOL Instant Messenger client.

AIM users receive an instant message that reads "lol have you seen this?" and seems to come from an AIM contact.

Clicking on a link in the message downloads and installs the Oscabot-F worm onto the victim's computer and sends identical messages to all the victim's AIM buddies.
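The propagation pattern described above, one account sending the same link-bearing message to every contact within seconds, is visible in IM gateway audit logs. The following detection routine is an added example and not code from the article or any vendor named in it; the log line format (`ISO-timestamp sender -> recipient: text`), the threshold of three distinct recipients, the five-minute window and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches http(s) URLs and bare www. hosts; good enough for normalizing IM text.
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)


def parse_line(line):
    """Parse one audit log line of the assumed form
    'ISO-timestamp sender -> recipient: text'."""
    ts_str, rest = line.split(" ", 1)
    sender, rest = rest.split(" -> ", 1)
    recipient, text = rest.split(": ", 1)
    return datetime.fromisoformat(ts_str), sender, recipient, text


def find_fanout_senders(log_lines, min_recipients=3, window=timedelta(minutes=5)):
    """Return {sender: (normalized_text, recipient_count)} for senders that
    pushed the same URL-bearing message to min_recipients or more distinct
    contacts inside one time window. Messages without a URL are ignored,
    since the worm's payload is the link, not the chat text."""
    events = defaultdict(list)  # (sender, normalized text) -> [(ts, recipient)]
    for line in log_lines:
        ts, sender, recipient, text = parse_line(line)
        if not URL_RE.search(text):
            continue
        # Replace the URL with a token so minor link variations still group.
        key = (sender, URL_RE.sub("<url>", text).strip().lower())
        events[key].append((ts, recipient))

    flagged = {}
    for (sender, text), hits in events.items():
        hits.sort()
        # Sliding window: for each message, count distinct recipients of the
        # same text sent within `window` of it.
        for i, (start, _) in enumerate(hits):
            recipients = {r for t, r in hits[i:] if t - start <= window}
            if len(recipients) >= min_recipients:
                flagged[sender] = (text, len(recipients))
                break
    return flagged


# Constructed sample log: 'alice' shows worm-style fan-out; the others do not.
SAMPLE_LOG = [
    "2005-06-01T10:00:01 alice -> bob: lol have you seen this? http://example.invalid/pic",
    "2005-06-01T10:00:02 alice -> carol: lol have you seen this? http://example.invalid/pic",
    "2005-06-01T10:00:02 alice -> dave: lol have you seen this? http://example.invalid/pic",
    "2005-06-01T10:00:03 alice -> erin: lol have you seen this? http://example.invalid/pic",
    "2005-06-01T10:01:00 bob -> alice: what is that?",
    "2005-06-01T10:02:00 carol -> frank: check http://example.invalid/report",
]

if __name__ == "__main__":
    for sender, (text, count) in find_fanout_senders(SAMPLE_LOG).items():
        print(f"{sender}: sent '{text}' to {count} contacts")
```

The heuristic keys on fan-out of identical link text rather than on a specific worm string, so it keeps working when the lure text changes; tuning the threshold against normal link-sharing volume on your own gateway is the main operational step.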

IM worms behave like e-mail worms in many ways. However, unlike e-mail clients, IM clients such as AIM and MSN Messenger are designed to be flexible, or "port agile," when trying to communicate with their host networks.

IM users whose communications are blocked by a corporate firewall can configure some IM clients to communicate via port 80, which is used for HTTP traffic and commonly left open on firewalls. This can make it more difficult for administrators to block IM use on their networks.
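Because a port-agile client can put IM traffic on port 80, a filter that blocks only the IM networks' usual ports sees nothing. The classifier below is an added example, not code from the article or from any IM or security vendor it mentions; it looks at the first bytes of a connection's payload instead of the destination port. The framing it matches is assumed from the publicly documented protocols (AIM's OSCAR transport wraps every message in a FLAP frame starting with byte 0x2A; MSN Messenger's MSNP opens a session with text commands such as `VER`), and the flow records are constructed sample data.

```python
# Port-independent classification of a TCP flow's first payload bytes.
# Assumed protocol signatures (illustrative, from public protocol docs):
#   OSCAR/FLAP: 0x2A, channel (1-5), 16-bit sequence, 16-bit data length, data
#   MSNP:       ASCII command lines such as "VER 1 MSNP8 CVR0\r\n"
#   HTTP:       request line beginning with a method name

FLAP_MARKER = 0x2A
FLAP_CHANNELS = {1, 2, 3, 4, 5}
MSNP_COMMANDS = (b"VER ", b"CVR ", b"USR ", b"MSG ")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")


def classify_payload(payload: bytes) -> str:
    """Return 'aim-oscar', 'msn-msnp', 'http' or 'unknown' for the start of
    a TCP payload, ignoring which port it was seen on."""
    # FLAP header is 6 bytes; the declared data length must fit in what we
    # captured (the first packet may carry more than one frame, so <=).
    if len(payload) >= 6 and payload[0] == FLAP_MARKER and payload[1] in FLAP_CHANNELS:
        declared_len = int.from_bytes(payload[4:6], "big")
        if declared_len <= len(payload) - 6:
            return "aim-oscar"
    head = payload[:16]
    if head.startswith(MSNP_COMMANDS):
        return "msn-msnp"
    if head.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def flag_non_http_on_port_80(flows):
    """flows: iterable of (source_ip, dst_port, first_payload).
    Returns [(source_ip, label)] for port-80 flows that are not HTTP,
    i.e. likely IM clients tunnelling past a port-based firewall rule."""
    findings = []
    for src, dst_port, payload in flows:
        if dst_port != 80:
            continue
        label = classify_payload(payload)
        if label != "http":
            findings.append((src, label))
    return findings


# Constructed sample flows: one real web request, an AIM sign-on frame and an
# MSNP handshake both aimed at port 80, and AIM on its usual port 5190.
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("10.0.0.7", 80, b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),
    ("10.0.0.9", 80, b"VER 1 MSNP8 CVR0\r\n"),
    ("10.0.0.11", 5190, b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),
]

if __name__ == "__main__":
    for src, label in flag_non_http_on_port_80(SAMPLE_FLOWS):
        print(f"{src}: non-HTTP traffic on port 80 ({label})")
```

Matching on payload rather than port is the same principle a protocol-aware gateway applies; the caveat is that it only works on plaintext protocols and on the first bytes of a flow, so an encrypted or proxied session still needs a different control, such as restricting egress to an authenticated proxy.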


The growing adoption of IM in the enterprise and the growing number of IM threats may pressure messaging security vendors to support IM security as well, said John Pescatore, an analyst at Gartner Inc., of Stamford, Conn.

Secure messaging gateways that consolidate SMTP traffic, Web-based e-mail traffic and IM, as well as firewall and intrusion prevention features, are the right medicine for evolving threats such as IM worms and viruses, he said.

Adding to the problem is that IM clients have bulked up in recent years and now support a host of features, such as file transfer, that can pose a serious risk to security- and privacy-conscious organizations, said Rex Voorheis, senior manager of network infrastructure at Crowe Chizek and Co. LLC, an accounting firm in Grand Rapids, Mich.

Crowe Chizek last year debuted IM as an internal tool using IBM's Lotus Sametime. The company supports public IM clients such as MSN Messenger and AIM.

The company's clients requested IM to coordinate with their consultants. Crowe Chizek works with a number of large financial institutions, which typically have stringent security policies on IM use, and purchased IM security technology from FaceTime Communications Inc. so it could block IM file transfers and audit IM use, Voorheis said.

The firm hasn't been hit by any IM worms yet.

Experts say the number of IM threats is still comparatively small—Symantec counted 50 last quarter, a fraction of the more than 2,000 unique Windows threats in that quarter—but Voorheis sees them as an evolving problem.

Long a malicious code oddity, IM-based worms and viruses are becoming more common

* Oscabot-E (May 05) A worm that targets users of AOL Instant Messenger

* Kelvir (Feb 05) An IM worm spread through Microsoft's Windows Messenger and MSN Messenger

* Bropia (Jan 05) An IM worm that monitors MSN Messenger conversations and displays text and links to sites with malicious code

* MyDoom Some variants spread via ICQ IM network
