Does IM stand for insecure messaging?

Trojan horses are galloping toward instant messaging users, and the attackers are getting smarter.

Matt Hines, Staff Writer, CNET News.com
When Jimmy Kuo gave his 13-year-old daughter permission to begin using America Online's AIM Express, he warned her that if she managed to download any viruses, the result would be no IM for a long, long time.

Of course, since Kuo is a research fellow at IT security specialist McAfee, he's significantly better informed about the risks of instant messaging than the average parent. Because teenagers as a group are among the most active regular users of IM, lax habits at the keyboard on their part could result in a serious problem, Kuo said.

At the heart of the matter is the growing number of IM-borne threats, most of which rely for their proliferation on ignorance of their existence among users and IT administrators.

What's new:
Rapid development in the sophistication and frequency of IM-borne attacks is almost guaranteed, security industry experts say.

Bottom line:
Experts agree that all IM users--whether on a home computer or a corporate network--need more education in how to protect themselves.

"I sat her down and made her read a story about attacks before I let her log onto IM," Kuo said. "Unfortunately, the average parent isn't going to be aware of this problem, and a person unaware of the IM threat is the biggest risk that exists for these viruses to have some success."

Rapid development in the sophistication and frequency of IM-borne attacks is almost guaranteed, security industry experts have said.

Nearly all agree that all IM users--whether adults or teenagers, whether on a home computer or a corporate network--need more education in how to protect themselves.

This month, two offshoots of the rapidly evolving Bropia IM worm emerged, called Kelvir and Serflog. In less than three months, 2005 has already established itself as a watershed year for attacks. Since January, antivirus researchers have identified more than a dozen of the threats, which typically are Trojan horses rather than flaw-exploiting viruses. That's more than three times the number of similar attacks seen on public IM networks in the same period last year, according to figures from IM security company Akonix Systems.

To Phillip Hallam-Baker, principal scientist at VeriSign, which sells network security software, the only thing that's surprising about the IM threats is that the malicious code has taken so long to materialize.

Back-stabbing buddies

Recent attacks have seen IM used to spread viruses and worms.

Date: March 8
Method: Worm sent via URL in message.
Affects: MSN Messenger

Serflog.A (Sumom)
Date: March 8
Method: Attachment carries worm. IM reads: "????omg click this!"
Affects: MSN Messenger

Date: February 3
Method: Worm in picture of a roast chicken with tan lines. Releases a second, more dangerous worm, called Agabot.AJC.
Affects: MSN Messenger

Date: January 20
Method: Worm sent via URL in message. Installs bot software.
Affects: MSN Messenger

Date: September 30
Method: URLs to Web sites that host images with virus. Reads: "Check out my profile, click GET INFO!"
Affects: AOL Instant Messenger

"It's actually been interesting how few attacks there have been up to this point," Hallam-Baker said. "I think one of the things that's going on here is that as e-mail systems are being secured, there's a displacement effect and people are moving their efforts over to IM."

The vast majority of these attacks--in particular, the Bropia worm variants that use Microsoft's MSN Messenger to spread--come cloaked in messages that appear to have been sent by a known IM contact. They encourage the targeted individual to click on a Web link or to download an attachment enclosed in an IM message. In reality, these hide some form of malicious code.

Once sprung, the infectious message forwards itself to all of the names on the victim's IM buddy list, without ever giving the person who opened the threat any sign that they've launched malicious software. Some variants of Bropia also hide themselves on a PC, only to re-emerge at a later date.

One notable aspect of the recent Kelvir and Serflog offshoots of Bropia was that they bore signs that attackers have begun to use the malicious code to communicate with one another, in the same way street gangs use graffiti tags to mark their territory.

A text file deposited on infected machines by Serflog features a message to "Larissa," the name for the hacker thought to be responsible for a worm known as Assiral.A, which attempted to disable the Bropia worm.

A social, not software, glitch
Microsoft is quick to point out that Bropia and its offspring don't take advantage of any vulnerability in its IM client software. The software maker said that it is already working hard to combat the spread of the Trojan threats.

Stephen Toulouse, security program manager at Microsoft, compared today's IM-borne attacks to early e-mail viruses from the mid-1990s. When it comes to keeping IM infections from rivaling e-mail epidemics, he believes that educating customers could have a bigger impact than building better safeguards into IM applications.

"Most of the threats we've seen with IM aren't that new. They're the same sort of attacks we saw with e-mail, just delivered on a new medium," Toulouse said. "We're already employing technological measures to help fight the problem in the next version of Messenger. But at the end of the day, it's really a matter of trying to help people to better protect themselves."

But the attackers don't have to look for new ways to formally hack IM applications while the current software remains open to Trojan-based infections, said Shimon Gruper, vice president of technology at antivirus specialist Aladdin Knowledge Systems.

How to protect yourself on IM

Take the same protective measures that you use in opening e-mail and build them into your IM habits.

Use a secure browser
Internet Explorer, Firefox, Mozilla, Safari and Opera all have the ability to encrypt Web communications and typically indicate that security is in use with a padlock icon.
Know your merchant
Check out smaller companies online by searching for complaints. If in doubt, just use sites that you know or that others have recommended.
Look before you click
Never open a link or attachment sent to you via IM until first making sure it is legitimate.
Double-check sender
Even if a message looks like it's from someone you know, make sure it's not a hoax before clicking on any links or attachments.
Protect your PC
Use firewall software to limit the kinds of data that can be sent to you over IM.
Don't talk to strangers
Do not accept IM invites or messages from contacts you don't already know.
Stay alert
Check with IM software providers to ensure that your applications are patched and up to date.

Source: CNET News.com

"There's no need for hackers to attack the IM software yet, because unlike in e-mail, where applications have been set to block the dangerous types of attachments, there's little to no security built into IM," Gruper said. "The IM protocol, especially for Messenger, is very open and easy to use, so people can exploit that without a lot of effort, and they won't stop until the methods they're using now become less effective."

America Online, another leading provider of IM software, said that it is working to add new protections to its applications. It also said that getting the word out to consumers about the threats could have the biggest effect in alleviating the problem.

"In some cases, there are technological fixes we can use to help protect members, such as putting some automated blocks in place to keep the bad links from going through," said Andrew Weinstein, an AOL spokesman. "But we feel the best solution for protecting people is installing a healthy dose of caution among users. Even if an IM looks like it's coming from someone they know, people should check with buddies to try to ensure everything is what it appears to be."

Yahoo, another major provider of instant messaging software, said it has already put preventative measures in place to help protect its IM users from attacks. These efforts include adding a mechanism to its application that limits the number of messages that can be sent out simultaneously from one of its individual customer accounts.
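The propagation pattern described earlier (one account pushing the same link to every name on its buddy list, with no sign to the user) and the per-account send cap Yahoo describes can both be expressed as server-side logic. The following is an added example, not code from CNET or from any of the IM providers named; it replays constructed log lines in a made-up "<epoch> <sender> <recipient> <text>" format, flags worm-like fan-out of a single link, and shows how a per-account cap holds back the burst before the detector even fires.

```python
import re
from collections import defaultdict, deque

# Constructed sample log (hypothetical format, not a real IM server's): one
# ordinary chat, one account spraying the same link to five buddies in seconds,
# then one more copy of that link a minute later.
SAMPLE_LOG = """\
1000 alice bob hey, lunch later?
1001 carol dave http://example.invalid/pic.php?x=1
1002 carol erin http://example.invalid/pic.php?x=1
1003 carol frank http://example.invalid/pic.php?x=1
1004 carol grace http://example.invalid/pic.php?x=1
1005 carol heidi http://example.invalid/pic.php?x=1
1006 bob alice sure, noon
1070 carol ivan http://example.invalid/pic.php?x=1
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
WINDOW = 60            # seconds of history kept per sender
FANOUT_THRESHOLD = 5   # same link to this many distinct buddies -> alert
RATE_LIMIT = 10        # Yahoo-style cap on messages per sender per window

def payload_key(text):
    """Return the (lower-cased) link a message carries, or None if it has none."""
    m = URL_RE.search(text)
    return m.group(0).lower() if m else None

def analyze(log_text, window=WINDOW, fanout=FANOUT_THRESHOLD, rate_limit=RATE_LIMIT):
    """Replay log lines in order. Returns (fanout_alerts, throttled):
    fanout_alerts: (ts, sender, link) once a sender has pushed the same link to
                   `fanout` distinct recipients inside `window` seconds;
    throttled:     (ts, sender) for messages a per-account cap would hold back."""
    sent = defaultdict(deque)   # sender -> deque of (ts, recipient, link) in window
    alerted = set()             # (sender, link) pairs already reported
    fanout_alerts, throttled = [], []
    for line in log_text.splitlines():
        ts, sender, recipient, text = line.split(" ", 3)
        ts = int(ts)
        q = sent[sender]
        while q and q[0][0] < ts - window:   # slide the window forward
            q.popleft()
        if len(q) >= rate_limit:              # cap reached: message is not delivered
            throttled.append((ts, sender))
            continue
        link = payload_key(text)
        q.append((ts, recipient, link))
        if link is None:
            continue
        buddies = {r for _, r, l in q if l == link}
        if len(buddies) >= fanout and (sender, link) not in alerted:
            alerted.add((sender, link))
            fanout_alerts.append((ts, sender, link))
    return fanout_alerts, throttled
```

With the default cap the detector fires on the fifth copy; lowering the cap to four (as the test does) stops the burst at the cap, so the alert never becomes necessary.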

Until now, all the IM threats reported have been Trojan attacks that sit on top of IM software code, rather than a worm that takes advantage of a flaw to penetrate the applications themselves. But some experts believe that it's only a matter of time before such worms are released.

"We haven't seen attacks on the IM code yet, but it won't surprise me if it does happen," said Ero Carrera, an antivirus researcher at security software maker F-Secure. "All it takes is for people to find one IM client that has some small code error for things to develop very quickly. Any application has some holes, and history has shown us that someone usually finds a way to hack those flaws."

Smart phone risk
There's another potential IM time bomb. The communications software is becoming popular for exchanging messages between smart phones and computers, which means it could help viruses spread from PCs to mobile devices.

Vincent Weafer, senior director of Symantec's Security Response organization, said that once IM threats begin to spread rapidly, it will be hard to keep them off wireless gadgets.

"A huge amount of IM is now translated onto smart phones, especially in Europe and Asia," Weafer said. "So when you start looking at the problem, there's the reality that some of these threats could merge with the mobile threats."

Weafer contended that even when IM software makers address new viruses, it will be very hard to get people to update their devices, especially mobile phones.

"It's a social engineering issue," he said. "It's not so difficult to correct software flaws, but it's a monumental task in order to get people to download patches, or even to be aware that they need to get the necessary changes."

On the other hand, viruses that spread through PC-based IM clients might not be able to infect phone-based IM software, Weafer pointed out. In addition, most handset makers download automatic software updates to their models, which means they could protect devices without telling consumers they were doing so.

Neither AOL nor Microsoft has made plans to launch marketing campaigns to alert people to IM threats, representatives for the companies said.

The increasing popularity of public IM applications in workplaces has opened corporate networks up to the threat of attacks too. But businesses tend to be less vulnerable targets than consumers, experts said, because most companies have already installed firewalls and other protective technology. In addition, many companies won't allow employees to download certain files, such as attachments, over public IM networks.

Despite all this, some experts have predicted that a sharp increase in instant messaging virus attacks could cause many businesses that do not use corporate IM systems, or customized software meant just for in-house use, to reconsider whether to let workers install the applications.

According to these industry watchers, the best way to help people protect themselves is to instill the same distrust regarding Web links or attachments sent via IM that they have been taught to apply to e-mail.

"People will need to relearn what they've been told in the past about e-mail, but there are some new things, and it will take time to get the message across," said Shane Coursen, senior technology consultant for antivirus researcher Kaspersky Labs. "Software companies can only do so much to inform their customers. You have to convince them to look at every link or attachment with suspicion."