February 24, 2004 4:00 AM PST
Perspective: Will IM be the next security culprit?
These days, instant messaging (IM) has become nearly ubiquitous.
IM-based attacks present a particular danger because they would not cause the changes to machines or networks that normally make an attack visible. Compared with past attacks, they would need very few connections to achieve full infection.
Today's worms take time to spread because they must find hosts to infect through scanning, e-mail distribution and file sharing--in the process creating a lot of unproductive traffic. For example, MSBlast, which ranks as one of the fastest-spreading worms, created so much traffic that it disabled Internet service providers and impacted high-priority services such as 911.
In contrast, an IM-based attack eliminates nuisance traffic almost completely. Once it has infected a machine, the code gains direct access to your buddy list and learns who is currently online.
This would not raise alarms, because the Internet would not be clogged with useless infection or propagation attempts. Nor would the infected computers suffer poor performance or change their behavior in any way.
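To put numbers on the contrast between scanning and buddy-list propagation, here is an added simulation (not from the original column) in which the hosts, the address space and the buddy lists are all constructed in memory. It counts how many connection attempts each strategy needs before every host is reached, which is the figure a defender would compare against scan-rate or failed-connection alerting thresholds.

```python
# Propagation-cost model: random scanning versus buddy-list spreading.
# Added illustration, not code from the original column. Hosts, address space
# and buddy lists are all constructed in memory; nothing touches a network.
import random

def scanning_worm_attempts(n_hosts, address_space, seed=0):
    """Probes needed for random scanning to reach every live host.
    Only n_hosts of address_space addresses are live, so most probes miss;
    each miss is the unproductive traffic a scanning worm leaves behind."""
    rng = random.Random(seed)
    live = set(rng.sample(range(address_space), n_hosts))
    infected, attempts = {min(live)}, 0
    while len(infected) < n_hosts:
        for _ in range(len(infected)):  # one probe per infected host per round
            attempts += 1
            target = rng.randrange(address_space)
            if target in live:
                infected.add(target)
    return attempts, len(infected)

def contact_worm_attempts(contacts):
    """Messages needed when each infected host contacts its buddies once.
    contacts maps host -> list of buddies. Every message goes to a known
    peer, so attempts never exceed the total number of buddy-list entries."""
    start = next(iter(contacts))
    infected, queue, attempts = {start}, [start], 0
    while queue:
        host = queue.pop(0)
        for buddy in contacts[host]:
            attempts += 1
            if buddy not in infected:
                infected.add(buddy)
                queue.append(buddy)
    return attempts, len(infected)

def build_contacts(n_hosts, degree):
    """Constructed buddy lists: host i knows the next `degree` hosts (a ring)."""
    return {i: [(i + k) % n_hosts for k in range(1, degree + 1)]
            for i in range(n_hosts)}

def compare(n_hosts=200, address_space=65536, degree=4):
    """Return (attempts, infected) for both strategies on the same host count."""
    scan = scanning_worm_attempts(n_hosts, address_space)
    buddy = contact_worm_attempts(build_contacts(n_hosts, degree))
    return {"scanning": scan, "contacts": buddy}

if __name__ == "__main__":
    print(compare())
```

With the default parameters the buddy-list run needs exactly one message per contact entry, while the scanning run burns hundreds of thousands of probes on empty addresses, which is why failed-connection counters catch one and not the other.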
The social-engineering aspect of the attacks presents a couple of interesting possibilities.
Assume that the user on the other end of the IM client needs to perform an action to be infected. Most IM services give the client access to other users' profiles, which may contain everything from classifications such as co-worker or friend to more subjective information, like gender, age or employment type. This offers the attack code a number of possibilities. It could send your co-workers a message asking them to look at a document and send your friends a photo of last week's party. With message logging turned on, the attack code could increase the likelihood of infection by scanning past conversations for commonly used phrases and repeating them.
Worse, the user might not have to do anything at all for the system to be infected. Once that is the case, the possibilities are endless.
To make matters even worse, many organizations have blocked IM traffic from their networks. People who are unhappy about losing IM access may tunnel it through common protocols such as Hypertext Transfer Protocol (HTTP).
Typical network monitoring tools will classify this as normal traffic, since it is carried on top of common high-usage protocols, and there will be no invalid connection attempts to give it away.
The first attacks may have had minimal impact so far, but it's clear that IM attacks will grow in number and severity over time. Given the benefits of using instant messaging as an attack tool, as well as the increase in the number of devices adopting IM clients, this technology may emerge as the preferred method of propagation for the next generation of attacks.
Companies can always choose to install internal IM systems, but that does not always limit the personal use of other messaging clients. Network and security administrators' safest bet is to enforce strong policies around IM usage--and make sure that employees comply. Only then will they know what patches to apply when new vulnerabilities are discovered or viruses strike.
William "Sandy" Bird co-founded Q1 Labs, where he currently serves as chief technology officer.