When Jimmy Kuo gave his 13-year-old daughter permission to begin using America Online's AIM Express, he warned her that if she managed to download any viruses, the result would be no IM for a long, long time.
Of course, since Kuo is a research fellow at IT security specialist McAfee, he's significantly better informed about the risks of instant messaging than the average parent. As teenagers are widely recognised as one of the largest categories of regular IM users, this whole scenario could result in a serious problem, Kuo says.
At the heart of the matter is the growing number of IM-borne threats, most of which rely on ignorance of their existence among users and IT administrators to spread.
"I sat her down and made her read a story about attacks before I let her log onto IM," Kuo says. "Unfortunately, the average parent isn't going to be aware of this problem, and a person unaware of the IM threat is the biggest risk that exists for these viruses to have some success."
Rapid development in the sophistication and frequency of IM-borne attacks is almost guaranteed, security industry experts have says.
Nearly all agree that all IM users — whether adults or teenagers, whether on a home computer or a corporate network — need more education in how to protect themselves.
This month, two offshoots of the rapidly emerging Bropia IM worm emerged, called Kelvir and Serflog. In less than three months, 2005 has already established itself as a watershed year for attacks. Since January, antivirus researchers have identified more a dozen of the threats, which typically are Trojan horses rather than flaw-exploiting viruses. That's more than three times the number of similar attacks seen on public IM networks in the same period last year, according to figures from IM security company Akonix Systems.
To Phillip Hallam-Baker, principal scientist at VeriSign, which sells network security software, the only thing that's surprising about the IM threats is that the malicious code has taken so long to materialise.
"It's actually been interesting how few attacks there have been up to this point," Hallam-Baker says. "I think one of the things that's going on here is that as email systems are being secured, there's a displacement effect and people are moving their efforts over to IM."
The vast majority of these attacks — in particular, the Bropia worm variants that use Microsoft's MSN Messenger to spread — come cloaked in messages that appear to have been sent by a known IM contact. They encourage the targeted individual to click on a Web link or to download an attachment enclosed in an IM message. In reality, these hide some form of malicious code.
Once sprung, the infectious message forwards itself to all of the names on the victim's IM buddy list, without ever giving the person who opened the threat any sign that they've launched malicious software. Some variants of Bropia also hide themselves on a PC, only to re-emerge at a later date.
One notable aspect of the recent Kelvir and Serflog offshoots of Bropia was that they bore signs that attackers have begun to use the malicious code to communicate with one another, in the same way street gangs use graffiti tags to mark their territory.
A text file deposited on infected machines by Serflog features a message to "Larissa," the name for the hacker thought to be responsible for a worm known as Assiral.A, which attempted to disable the Bropia worm.
