March 23, 2005 11:51 AM PST

Does IM stand for insecure messaging?

When Jimmy Kuo gave his 13-year-old daughter permission to begin using America Online's AIM Express, he warned her that if she managed to download any viruses, the result would be no IM for a long, long time.

Of course, since Kuo is a research fellow at IT security specialist McAfee, he's significantly better informed about the risks of instant messaging than the average parent. Because teenagers as a group are among the most active regular users of IM, lax habits at the keyboard on their part could result in a serious problem, Kuo said.

At the heart of the matter is the growing number of IM-borne threats, most of which depend for their spread on users and IT administrators being unaware that they exist.


What's new:
Rapid development in the sophistication and frequency of IM-borne attacks is almost guaranteed, security industry experts say.

Bottom line:
Experts agree that all IM users--whether on a home computer or a corporate network--need more education in how to protect themselves.


"I sat her down and made her read a story about attacks before I let her log onto IM," Kuo said. "Unfortunately, the average parent isn't going to be aware of this problem, and a person unaware of the IM threat is the biggest risk that exists for these viruses to have some success."

Rapid development in the sophistication and frequency of IM-borne attacks is almost guaranteed, security industry experts have said.

Nearly all agree that all IM users--whether adults or teenagers, whether on a home computer or a corporate network--need more education in how to protect themselves.

This month, two offshoots of the rapidly evolving Bropia IM worm emerged, called Kelvir and Serflog. In less than three months, 2005 has already established itself as a watershed year for attacks. Since January, antivirus researchers have identified more than a dozen of the threats, which typically are Trojan horses rather than flaw-exploiting viruses. That's more than three times the number of similar attacks seen on public IM networks in the same period last year, according to figures from IM security company Akonix Systems.

To Phillip Hallam-Baker, principal scientist at VeriSign, which sells network security software, the only thing that's surprising about the IM threats is that the malicious code has taken so long to materialize.

Back-stabbing buddies

Recent attacks have seen IM used to spread viruses and worms.

Date: March 8
Method: Worm sent via URL in message.
Affects: MSN Messenger

Serflog.A (Sumom)
Date: March 8
Method: Attachment carries worm. IM reads: "????omg click this!"
Affects: MSN Messenger

Date: February 3
Method: Worm in picture of a roast chicken with tan lines. Releases a second more dangerous worm, called Agabot.AJC.
Affects: MSN Messenger

Date: January 20
Method: Worm sent via URL in message. Installs bot software.
Affects: MSN Messenger

Date: September 30
Method: URLs to Web sites that host images with virus. Reads: "Check out my profile, click GET INFO!"
Affects: AOL Instant Messenger

"It's actually been interesting how few attacks there have been up to this point," Hallam-Baker said. "I think one of the things that's going on here is that as e-mail systems are being secured, there's a displacement effect and people are moving their efforts over to IM."

The vast majority of these attacks--in particular, the Bropia worm variants that use Microsoft's MSN Messenger to spread--come cloaked in messages that appear to have been sent by a known IM contact. They encourage the targeted individual to click on a Web link or to download an attachment enclosed in an IM message. In reality, these hide some form of malicious code.

Once sprung, the infectious message forwards itself to all of the names on the victim's IM buddy list, without ever giving the person who opened the threat any sign that they've launched malicious software. Some variants of Bropia also hide themselves on a PC, only to re-emerge at a later date.

One notable aspect of the recent Kelvir and Serflog offshoots of Bropia was that they bore signs that attackers have begun to use the malicious code to communicate with one another, in the same way street gangs use graffiti tags to mark their territory.

A text file deposited on infected machines by Serflog features a message to "Larissa," the name for the hacker thought to be responsible for a worm known as Assiral.A, which attempted to disable the Bropia worm.

A social, not software, glitch
Microsoft is quick to point out that Bropia and its offspring don't take advantage of any vulnerability in its IM client software. The software maker said that it is already working hard to combat the spread of the Trojan threats.

Stephen Toulouse, security program manager at Microsoft, compared today's IM-borne attacks to early e-mail viruses from the mid-1990s. When it comes to keeping IM infections from rivaling e-mail epidemics, he believes that educating customers could have a bigger impact than building better safeguards into IM applications.

"Most of the threats we've seen with IM aren't that new. They're the same sort of attacks we saw with e-mail, just delivered on a new

BlowSearch Offers Secure IM
4,096 bit encryption too. It's called BSM and we use it exclusively for our corporate network for over 50+ employees in our office. We've put it through testing and it's a good product. It also interfaces with AOL, MSN, and Yahoo's messenger products.

In my opinion this article really isn't necessary with products like BlowSearch's BSM Messenger around. Instead of complaining about the issue - offer a solution.
Posted by (1 comment )
Is IM the real problem ?
Q. Does anyone really NEED IM ? I know that, at work, the last thing I wanted was someone messaging me, when I was in the middle of coding - it could cost me hours of work. If people wanted me, they could email & I would read the email, when appropriate.

Perhaps there may be one or two groups of people who NEED IM. But for the remaining 99.9% - it's unnecessary & a security risk. Why take risks with security ?

Hell - most of today's population don't even NEED cell phones, if they could just ORGANISE themselves ;-)
Posted by (409 comments )
well, i say that anyone using msn deserves everything they get. sorry i couldn't resist snide jabs at m$
Posted by Scott W (419 comments )
Well you should target yahoo, aim, ICQ, Trillian and others as well. :)
Posted by Sboston (498 comments )
One of the biggest problems here... the idea of putting 13 year old children on the internet. The internet is no place for children. There is a reason why ISPs do not sell to 13 year olds. There are too many things out on the net that only represent trouble for children this age. Whether it be viri or pedophiles, extreme porn to getting sued by the RIAA. I do agree that parents need to teach their children about computers. But, just cutting them loose to be exposed to the world like this is nothing short of irresponsible.
Posted by Prndll (382 comments )