Will IM be the next security culprit?

Q1 Labs CTO Sandy Bird cautions that the number of instant messaging attacks is likely to worsen over time.

Sandy Bird
William "Sandy" Bird co-founded Q1 Labs, where he currently serves as chief technology officer.
Might instant messaging become the next preferred propagation method for computer worms and viruses? It's not such a remote prospect. The past year has witnessed the rise of several high-impact worms and viruses that shared three common transmission media: e-mail, network scanning and file sharing. While good patch policies and strong security postures minimized massive infections, a few attacks invariably slipped through the cracks and caused network havoc.

These days, IM has become nearly ubiquitous.


Every current Windows installation has at least one IM client installed by default, and IM software has also been implemented on personal digital assistants and cell phones.

IM-based attacks present particular danger because they would not cause the changes to machines or networks that make an attack visible. In fact, compared to past attacks, they would need very few connections for full infection.

Today's worms take time to spread because they must find hosts to infect through scanning, e-mail distribution and file sharing--in the process creating a lot of unproductive traffic. For example, MSBlast, which ranks as one of the fastest-spreading worms, created so much traffic that it disabled Internet service providers and impacted high-priority services such as 911.

In contrast, an IM-based attack eliminates nuisance traffic almost completely. Once it has infected a machine, the code gains direct access to your buddy list and learns who is currently online.

The code needs only to send a few small requests to the online users. As uninfected buddies sign on, the code sends the exploit to the new hosts one at a time. Each newly infected computer then only has to send a few requests. Once that is done, the worm removes the buddy from its list of attempts. For even greater efficiency, the worm keeps a distributed list of infected host-user combinations so that it doesn't keep trying to infect already-exploited hosts.

This would not raise alarms because the Internet would not be clogged with useless attempts at infection or propagation. Also, the infected computers would not suffer poor performance or change their behavior in any way.
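The propagation pattern just described is quiet on the wire, but on an internal IM server it still leaves a behavioural trace: one account delivering the same small payload to many distinct buddies, each time moments after that buddy signs on. The following detector is an added example, not code from the article or from Q1 Labs; it runs over constructed sample log lines in an assumed ONLINE/SEND format and flags that fan-out pattern without any payload signature.

```python
# Behavioural detector for the buddy-list propagation pattern described above.
# Log format is constructed/assumed: "<ISO ts> ONLINE user=<n>" and
# "<ISO ts> SEND from=<n> to=<n> payload=<file-or-url>".
from collections import defaultdict
from datetime import datetime, timedelta

FANOUT_THRESHOLD = 4                     # distinct buddies receiving one identical payload
PRESENCE_WINDOW = timedelta(seconds=90)  # "sends as soon as the buddy signs on"

def parse_line(line):
    ts_str, event, *fields = line.split()
    return datetime.fromisoformat(ts_str), event, dict(f.split("=", 1) for f in fields)

def detect_propagation(lines, fanout=FANOUT_THRESHOLD, window=PRESENCE_WINDOW):
    """Return {sender: {payload: [recipients]}} where one identical payload reached
    >= fanout distinct buddies and most deliveries followed the buddy's sign-on."""
    last_online = {}                                # user -> latest ONLINE time
    sends = defaultdict(lambda: defaultdict(list))  # sender -> payload -> [(to, soon)]
    for line in lines:
        ts, event, kv = parse_line(line)
        if event == "ONLINE":
            last_online[kv["user"]] = ts
        elif event == "SEND":
            seen = last_online.get(kv["to"])
            soon = seen is not None and timedelta(0) <= ts - seen <= window
            sends[kv["from"]][kv["payload"]].append((kv["to"], soon))
    alerts = {}
    for sender, by_payload in sends.items():
        for payload, deliveries in by_payload.items():
            recipients = sorted({to for to, _ in deliveries})
            presence_triggered = sum(soon for _, soon in deliveries)
            if len(recipients) >= fanout and 2 * presence_triggered >= len(deliveries):
                alerts.setdefault(sender, {})[payload] = recipients
    return alerts

# Constructed sample log: alice pushes the same file to each buddy moments after
# sign-on; frank sending one document to one colleague is normal traffic.
SAMPLE_LOG = """\
2004-03-01T09:00:00 ONLINE user=alice
2004-03-01T09:01:10 ONLINE user=bob
2004-03-01T09:01:15 SEND from=alice to=bob payload=file:party.zip
2004-03-01T09:03:40 ONLINE user=carol
2004-03-01T09:03:44 SEND from=alice to=carol payload=file:party.zip
2004-03-01T09:05:02 SEND from=frank to=alice payload=http://intranet/doc.pdf
2004-03-01T09:10:21 ONLINE user=dave
2004-03-01T09:10:30 SEND from=alice to=dave payload=file:party.zip
2004-03-01T09:12:00 SEND from=alice to=carol payload=file:party.zip
2004-03-01T09:15:55 ONLINE user=erin
2004-03-01T09:16:01 SEND from=alice to=erin payload=file:party.zip
"""

def run_sample():
    return detect_propagation(SAMPLE_LOG.splitlines())
```

The thresholds are starting points to tune against a site's own baseline; the signal is the combination of identical payload, many distinct recipients and sign-on timing, not any one of them alone.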

Social engineering
The social-engineering aspect of the attacks presents a couple of interesting possibilities.

Assume that the user on the other end of the IM client needs to perform an action to be infected. Most IM services give the client access to other users' profiles, which may contain everything from classifications such as co-worker or friend to more subjective information, like gender, age or employment type. This offers the attack code a number of possibilities. It could send co-workers a message asking them to look at a document and send friends a photo of last week's party. With message logging turned on, the attack code could increase the likelihood of infection by scanning the stored conversations for commonly used phrases and repeating them, so that its messages read like the victim's own.

Worse, the user might not have to do anything at all for the system to be infected. Once that happens, however, the possibilities are endless.

To make matters even worse, many organizations have blocked IM-based traffic from their networks. People who are unhappy about losing IM access may tunnel it through common applications such as the Hypertext Transfer Protocol (HTTP).

Typical network monitoring tools will classify this as normal traffic, since it may be tunneled on top of common high-usage applications, and there will be no invalid connection attempts to give it away.

Encryption also adds to the detection problem. Fear of data loss or theft has encouraged us to encrypt IM communications, making it impossible to detect an IM worm with network-based signature models.

The first attacks may have had minimal impact so far, but it's clear that the number of IM attacks will worsen over time. Due to the benefits of using instant messaging as an attack tool, as well as the increase in the number of devices adopting IM clients, this technology may emerge as the preferred method of propagation for the next generation of attacks.

Companies can always choose to install internal IM systems, but that does not always limit the personal use of other messaging clients. Network and security administrators' safest bet is to enforce strong policies around IM usage--and make sure that employees comply. Only then will they know what patches to apply when new vulnerabilities are discovered or viruses strike.