Report: IM Viruses on the Rise

Instant messaging might be one of the hottest new channels of communications to hit the enterprise, but it’s also widely known to bring with it a myriad of security holes, if the IM used is of the public, consumer-grade variety.

Now enterprise security technology vendor Symantec has some figures to back up that suspicion — and they’re not pretty.

In its latest Internet Security Threat Report, the firm found that of the top 50 virus threats during the first six months of the year, IM and peer-to-peer technology played a role in 19 — a 400 percent increase from the previous year.

“It’s still a very small percentage of the overall virus or worm attacks out there,” said Vincent Weafer, senior director at Symantec Security Response. “However, it’s growing, and there are a number of reasons for that. There is the increasing popularity of instant messaging programs in general — we’re getting more people online and more people using them — and more functionality, with published APIs, and the ability to connect with additional clients.”

The concern is that IM and P2P applications provide users — and viruses — ways of circumventing traditional security measures. For instance, most public instant messaging clients attempt to connect to their networks’ central servers or other users through a variety of ports, some of which may not be blocked by corporate firewalls. As a result, file-sharing can be taking place without IT’s safeguards — potentially opening the door for hacker or worm attacks.

“As both legitimate and unapproved use of instant messaging (IM) clients and peer-to-peer (P2P) networking increases, new worms and viruses use these mechanisms to spread,” the firm said in the report. “Unlike other avenues of propagation such as e-mail, IM and P2P often have little to no security in place.”

The findings drew on data collected from Symantec’s Managed Security Services customers, and the company’s 20,000 DeepSight Threat Management early-warning sensor partners.

Complicating the issue, IM viruses attack using a variety of mechanisms.

“MSN and ICQ are two good examples of protocols that publish their APIs, and an example of a worm that uses published APIs is W32.Choke.worm,” Weafer said. “Using MSN Messenger, it simply sends itself as a reply to any incoming messages. Also … within Windows, you can actually use the ability … to enumerate some of the processes there to gain control. The ‘Goner’ worm does this — it enumerates Windows to try to get control and to spread itself.”

Weafer also singled out viruses like the “Aplore” worm, which spreads itself using AOL Instant Messenger by “sending a link that points to a worm residing on a remote server … and getting the user to click it using social engineering.”

In a growing number of cases, viruses have started using instant messaging as a supplement to other channels of infection, like e-mail. That was the case with so-called “blended attacks” used by the Fizzer worm and others. These viruses might enter via e-mail, but they’re equally capable of spreading via IM, since instant messaging clients typically maintain a list of contacts that could be infected by a worm.

“It’s not that IM itself is becoming a target,” Weafer said. “We’re seeing a trend of blended threats, where the attackers are using any available protocol and any available vector to get their ‘malcode,’ malicious code, out there.”

IM software also can open the door to remote-control by hackers, in connection with chat rooms. In examples like Fizzer and AIM-Canbot, once a virus has control of a target’s PC, its IM client can join a chat room (for instance, on AIM or Internet Relay Chat) and then advertise itself as being available to receive new commands from a hacker monitoring those chat rooms.

Viruses and the threat of hacker intrusion aren’t the only persistent concerns with unregulated instant messaging. Pundits have warned for years about the fact that most public IM relies on a centralized server — meaning that IMs are at least as secure as using a public e-mail service. Furthermore, IMs that rely on a central server — or using a P2P connection with at least one participant outside of the corporate firewall — typically cross the Internet unencrypted. Thus, they’re prone to being read or manipulated by malicious interlopers.

“Many IM products transmit unencrypted data outside of the firewall, making it easy to intercept this traffic on a network,” the report said. “The minimal security associated with P2P and IM invites malicious code propagation.”

Worse still, the problems seem unlikely to abate anytime soon.

“Instant messaging is becoming more ubiquitous and more featureish, and the instant messaging clients are becoming interoperable, which will give more of an opportunity for malcode in there,” Weafer said. “All of that means we will absolutely see more and more attacks using IM vectors than we have in the past.”

Recent examples

The report comes following a slew of virus activity within just the past month. Last week, Asian Internet security firms reported an outbreak of a virus that spreads using MSN Messenger. Korea-based Global Hauri and AhnLab both said the virus, “Smbmsn,” hijacks users’ MSN Messenger accounts and distributes copies of itself to everyone in a user’s contact list.

An MSN spokesperson said the company was aware of the virus, and that users’ best means of protection was to have a desktop anti-virus solution already installed and being used in connection with MSN Messenger 6’s automatic virus-scan feature. MSN also said it was allowing anti-virus solution vendors to do most of the handling of the issue, but that it is in active contact with the anti-virus community.

Last week, security experts also reported that a lingering hole in Microsoft Internet Explorer has been exploited to give a hacker access to a PC user’s AOL Instant Messenger account. Microsoft released a patch for the vulnerability in August, but acknowledged shortly thereafter that the patch might not fix all instances of the problem.

The vulnerability is said to enable a hacker to infect a computer through e-mail or a Web page, after which the user’s PC e-mails links to the infected site to users in the victim’s Buddy List. Earlier this week, AOL said it was looking into the reports, but has been hampered by the fact that the infected site evidently has been taken down.

To the rescue: enterprise-grade IM solutions

If anything, the increase in IM- and P2P-related security vulnerabilities should indicate a need for businesses to consider investments in enterprise IM security and management solutions — and to ensure that their anti-virus software is up-to-date.

“Typically, what you’re seeing more of is people getting corporate versions of these same [IM] protocols,” Weafer said. “There, we have a server inside the company that keeps messages within the company. It’s secure, we have the ability to do all logging of content and communications and forensics, and if [communications] are going out of the company, we proxy that through our server so we can keep a log.”

“Also, anti-virus programs have been expanded to also look at instant messaging as another method of delivery, much like SMTP and POP3,” he added. “We’re starting to look at these when we scan protocols.”
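Two of the detection checks that follow from the article's points (public IM clients slipping out through ports the firewall leaves open, bots sitting in an IRC channel waiting for commands, and the enterprise fix of forcing all IM through a logged proxy) can be written against ordinary firewall logs. The following Python is an added example, not code from Symantec or the article; the log format, the 10.0.0.0/8 corporate range, the proxy address 10.0.0.5 and the external addresses are all constructed, while the port numbers are the well-known defaults for MSN Messenger, AIM/ICQ and IRC.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Default ports of the public IM/IRC services the article names.
IM_PORTS = {1863: "MSN Messenger", 5190: "AIM/ICQ", 6667: "IRC"}
INTERNAL = ip_network("10.0.0.0/8")    # assumed corporate address space
IM_PROXY = ip_address("10.0.0.5")      # assumed sanctioned, logging IM proxy

# Constructed log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <action>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$")

def parse(line):
    """Parse one firewall log line into a dict; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def find_im_bypass(lines):
    """Internal hosts other than the proxy that were allowed to reach public
    IM/IRC ports directly, i.e. IM traffic escaping the corporate controls."""
    findings = set()
    for line in lines:
        rec = parse(line)
        if rec is None or rec["action"] != "allow":
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if src in INTERNAL and dst not in INTERNAL and src != IM_PROXY \
                and rec["dport"] in IM_PORTS:
            findings.add((rec["src"], rec["dst"], IM_PORTS[rec["dport"]]))
    return sorted(findings)

def find_irc_beacons(lines, min_connections=3):
    """Internal hosts repeatedly reconnecting to one external IRC server: the
    'join a chat room and wait for commands' behaviour the article describes.
    Denied attempts count too, since they are still evidence of a bot."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None or rec["dport"] != 6667:
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            counts[(rec["src"], rec["dst"])] += 1
    return sorted(k for k, n in counts.items() if n >= min_connections)

SAMPLE_LOG = """\
2003-10-01T09:00:01 10.0.0.5:40001 -> 192.0.2.10:1863 tcp allow
2003-10-01T09:00:05 10.0.1.20:3456 -> 192.0.2.10:1863 tcp allow
2003-10-01T09:00:09 10.0.1.21:3457 -> 203.0.113.4:5190 tcp deny
2003-10-01T09:01:00 10.0.1.30:3500 -> 198.51.100.7:6667 tcp allow
2003-10-01T09:06:00 10.0.1.30:3501 -> 198.51.100.7:6667 tcp allow
2003-10-01T09:11:00 10.0.1.30:3502 -> 198.51.100.7:6667 tcp allow
2003-10-01T09:12:00 10.0.1.40:3600 -> 10.0.0.5:1863 tcp allow
""".splitlines()  # constructed sample; the proxy and an internal-only chat are benign
```

Port-based matching only catches clients on their default ports; a client that falls back to port 80, as the article notes they can, needs proxy-side inspection of the traffic itself.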

Christopher Saunders is managing editor of

How can enterprises safely leverage the benefits of instant messaging? Join us at the Instant Messaging Planet Fall Conference and Expo, Oct. 15 and 16 in San Jose, Calif. Sessions include: “Public vs. Enterprise IM” and “Special Workshop: How to Pick and Buy an Enterprise IM Solution.”
