22 Mar 2005 15:19
When Jimmy Kuo gave his 13-year-old daughter permission to begin using America Online's AIM Express, he warned her that if she managed to download any viruses, the result would be no IM for a long, long time.
Of course, since Kuo is a research fellow at IT security specialist McAfee, he's significantly better informed about the risks of instant messaging than the average parent. As teenagers are widely recognised as one of the largest categories of regular IM users, this whole scenario could result in a serious problem, Kuo says.
At the heart of the matter is the growing number of IM-borne threats, most of which rely on ignorance of their existence among users and IT administrators to spread.
"I sat her down and made her read a story about attacks before I let her log onto IM," Kuo says. "Unfortunately, the average parent isn't going to be aware of this problem, and a person unaware of the IM threat is the biggest risk that exists for these viruses to have some success."
Rapid development in the sophistication and frequency of IM-borne attacks is almost guaranteed, security industry experts have said.
Nearly all agree that all IM users — whether adults or teenagers, whether on a home computer or a corporate network — need more education in how to protect themselves.
This month, two offshoots of the rapidly emerging Bropia IM worm emerged, called Kelvir and Serflog. In less than three months, 2005 has already established itself as a watershed year for attacks. Since January, antivirus researchers have identified more than a dozen of the threats, which typically are Trojan horses rather than flaw-exploiting viruses. That's more than three times the number of similar attacks seen on public IM networks in the same period last year, according to figures from IM security company Akonix Systems.
To Phillip Hallam-Baker, principal scientist at VeriSign, which sells network security software, the only thing that's surprising about the IM threats is that the malicious code has taken so long to materialise.
"It's actually been interesting how few attacks there have been up to this point," Hallam-Baker says. "I think one of the things that's going on here is that as email systems are being secured, there's a displacement effect and people are moving their efforts over to IM."
The vast majority of these attacks — in particular, the Bropia worm variants that use Microsoft's MSN Messenger to spread — come cloaked in messages that appear to have been sent by a known IM contact. They encourage the targeted individual to click on a Web link or to download an attachment enclosed in an IM message. In reality, these hide some form of malicious code.
Once sprung, the infectious message forwards itself to all of the names on the victim's IM buddy list, without ever giving the person who opened the threat any sign that they've launched malicious software. Some variants of Bropia also hide themselves on a PC, only to re-emerge at a later date.
One notable aspect of the recent Kelvir and Serflog offshoots of Bropia was that they bore signs that attackers have begun to use the malicious code to communicate with one another, in the same way street gangs use graffiti tags to mark their territory.
A text file deposited on infected machines by Serflog features a message to "Larissa," the name for the hacker thought to be responsible for a worm known as Assiral.A, which attempted to disable the Bropia worm.
A social, not software, glitch
Microsoft is quick to point out that Bropia and its offspring don't take advantage of any vulnerability in its IM client software. The software maker says that it is already working hard to combat the spread of the Trojan threats.
Stephen Toulouse, security program manager at Microsoft, compared today's IM-borne attacks to early email viruses from the mid-1990s. When it comes to keeping IM infections from rivalling email epidemics, he believes that educating customers could have a bigger impact than building better safeguards into IM applications.
"Most of the threats we've seen with IM aren't that new. They're the same sort of attacks we saw with email, just delivered on a new medium," Toulouse says. "We're already employing technological measures to help fight the problem in the next version of Messenger. But at the end of the day, it's really a matter of trying to help people to better protect themselves."
But the attackers don't have to look for new ways to formally hack IM applications while the current software remains open to Trojan-based infections, says Shimon Gruper, vice-president of technology at antivirus specialist Aladdin Knowledge Systems.
"There's no need for hackers to attack the IM software yet, because unlike in email, where applications have been set to block the dangerous types of attachments, there's little to no security built into IM," Gruper says. "The IM protocol, especially for Messenger, is very open and easy to use, so people can exploit that without a lot of effort, and they won't stop until the methods they're using now become less effective."
America Online, another leading provider of IM software, says that it is working to add new protections to its applications. However, it also says that getting the word out to consumers about the threats could have the biggest effect in alleviating the problem.
"In some cases, there are technological fixes we can use to help protect members, such as putting some automated blocks in place to keep the bad links from going through," says Andrew Weinstein, an AOL spokesman. "But we feel the best solution for protecting people is installing a healthy dose of caution among users. Even if an IM looks like it's coming from someone they know, people should check with buddies to try to ensure everything is what it appears to be."
Yahoo, another major provider of instant messaging software, did not return calls seeking comment for this story.
Until now, all the IM threats reported have been Trojan attacks that sit on top of IM software code, rather than a worm that takes advantage of a flaw to penetrate the applications themselves. But some experts believe that it's only a matter of time before such worms are released.
"We haven't seen attacks on the IM code yet, but it won't surprise me if it does happen," says Ero Carrera, an antivirus researcher at security software maker F-Secure. "All it takes is for people to find one IM client that has some small code error for things to develop very quickly. Any application has some holes, and history has shown us that someone usually finds a way to hack those flaws."
Smartphone risk
There's another potential IM time bomb. The communications software is becoming popular for exchanging messages between smartphones and computers, which means it could help viruses spread from PCs to mobile devices.
Vincent Weafer, senior director of Symantec's Security Response organisation, says that once IM threats begin to spread rapidly, it will be hard to keep them off of wireless gadgets.
"A huge amount of IM is now translated onto smartphones, especially in Europe and Asia," Weafer says. "So when you start looking at the problem, there's the reality that some of these threats could merge with the mobile threats."
Weafer contended that even when IM software makers address new viruses, it will be very hard to get people to update their devices, especially mobile phones.
"It's a social engineering issue," he says. "It's not so difficult to correct software flaws, but it's a monumental task in order to get people to download patches, or even to be aware that they need to get the necessary changes."
On the other hand, viruses that spread through PC-based IM clients might not be able to infect phone-based IM software, Weafer pointed out. In addition, most handset makers download automatic software updates to their models, which means they could protect devices without telling consumers they were doing so.
Neither AOL nor Microsoft has made plans to launch marketing campaigns to alert people to IM threats, representatives for the companies say.
The increasing popularity of public IM applications in workplaces has opened corporate networks up to the threat of attacks too. But businesses tend to be less vulnerable targets than consumers, experts say, because most companies have already installed firewalls and other protective technology. In addition, many companies won't allow employees to download certain files, such as attachments, over public IM networks.
Despite all this, some experts have predicted that a sharp increase in instant messaging virus attacks could cause many businesses that do not use corporate IM systems, or customised software meant just for in-house use, to reconsider whether to let workers install the applications.
According to these industry watchers, the best way to help people protect themselves is to instil the same distrust regarding Web links or attachments sent via IM that they have been taught to apply to email.
"People will need to relearn what they've been told in the past about email, but there are some new things, and it will take time to get the message across," says Shane Coursen, senior technology consultant for antivirus researcher Kaspersky Labs. "Software companies can only do so much to inform their customers. You have to convince them to look at every link or attachment with suspicion."
Story URL: http://news.zdnet.co.uk/security/0,1000000189,39192271,00.htm