Does IM stand for insecure messaging?

Trojan horses are galloping toward instant messaging users, and the attackers are getting smarter.

When Jimmy Kuo gave his 13-year-old daughter permission to begin using America Online's AIM Express, he warned her that if she managed to download any viruses, the result would be no IM for a long, long time.

Of course, since Kuo is a research fellow at IT security specialist McAfee, he's significantly better informed about the risks of instant messaging than the average parent. Because teenagers as a group are among the most active regular users of IM, lax habits at the keyboard on their part could result in a serious problem, Kuo said.

At the heart of the matter is the growing number of IM-borne threats, most of which depend for their spread on users and IT administrators not knowing they exist.


What's new:
Rapid development in the sophistication and frequency of IM-borne attacks is almost guaranteed, security industry experts say.

Bottom line:
Experts agree that all IM users--whether on a home computer or a corporate network--need more education in how to protect themselves.


"I sat her down and made her read a story about attacks before I let her log onto IM," Kuo said. "Unfortunately, the average parent isn't going to be aware of this problem, and a person unaware of the IM threat is the biggest risk that exists for these viruses to have some success."

Rapid development in the sophistication and frequency of IM-borne attacks is almost guaranteed, security industry experts have said.

Nearly all agree that all IM users--whether adults or teenagers, whether on a home computer or a corporate network--need more education in how to protect themselves.

This month, two offshoots of the rapidly evolving Bropia IM worm emerged, called Kelvir and Serflog. In less than three months, 2005 has already established itself as a watershed year for attacks. Since January, antivirus researchers have identified more than a dozen of the threats, which typically are Trojan horses rather than flaw-exploiting viruses. That's more than three times the number of similar attacks seen on public IM networks in the same period last year, according to figures from IM security company Akonix Systems.

To Phillip Hallam-Baker, principal scientist at VeriSign, which sells network security software, the only thing that's surprising about the IM threats is that the malicious code has taken so long to materialize.

Back-stabbing buddies

Recent attacks have seen IM used to spread viruses and worms.

Date: March 8
Method: Worm sent via URL in message.
Affects: MSN Messenger

Serflog.A (Sumom)
Date: March 8
Method: Attachment carries worm. IM reads: "????omg click this!"
Affects: MSN Messenger

Date: February 3
Method: Worm in picture of a roast chicken with tan lines. Releases a second more dangerous worm, called Agabot.AJC.
Affects: MSN Messenger

Date: January 20
Method: Worm sent via URL in message. Installs bot software.
Affects: MSN Messenger

Date: September 30
Method: URLs to Web sites that host images with virus. Reads: "Check out my profile, click GET INFO!"
Affects: AOL Instant Messenger

"It's actually been interesting how few attacks there have been up to this point," Hallam-Baker said. "I think one of the things that's going on here is that as e-mail systems are being secured, there's a displacement effect and people are moving their efforts over to IM."

The vast majority of these attacks--in particular, the Bropia worm variants that use Microsoft's MSN Messenger to spread--come cloaked in messages that appear to have been sent by a known IM contact. They encourage the targeted individual to click on a Web link or to download an attachment enclosed in an IM message. In reality, these hide some form of malicious code.

Once sprung, the infectious message forwards itself to all of the names on the victim's IM buddy list, without ever giving the person who opened the threat any sign that they've launched malicious software. Some variants of Bropia also hide themselves on a PC, only to re-emerge at a later date.

One notable aspect of the recent Kelvir and Serflog offshoots of Bropia was that they bore signs that attackers have begun to use the malicious code to communicate with one another, in the same way street gangs use graffiti tags to mark their territory.

A text file deposited on infected machines by Serflog features a message to "Larissa," the name for the hacker thought to be responsible for a worm known as Assiral.A, which attempted to disable the Bropia worm.

A social, not software, glitch
Microsoft is quick to point out that Bropia and its offspring don't take advantage of any vulnerability in its IM client software. The software maker said that it is already working hard to combat the spread of the Trojan threats.

Stephen Toulouse, security program manager at Microsoft, compared today's IM-borne attacks to early e-mail viruses from the mid-1990s. When it comes to keeping IM infections from rivaling e-mail epidemics, he believes that educating customers could have a bigger impact than building better safeguards into IM applications.

"Most of the threats we've seen with IM aren't that new. They're the same sort of attacks we saw with e-mail, just delivered on a new
