A social, not software, glitch
Microsoft is quick to point out that Bropia and its offspring don't take advantage of any vulnerability in its IM client software. The software maker says that it is already working hard to combat the spread of the Trojan threats.
Stephen Toulouse, security program manager at Microsoft, compared today's IM-borne attacks to early email viruses from the mid-1990s. When it comes to keeping IM infections from rivalling email epidemics, he believes that educating customers could have a bigger impact than building better safeguards into IM applications.
"Most of the threats we've seen with IM aren't that new. They're the same sort of attacks we saw with email, just delivered on a new medium," Toulouse says. "We're already employing technological measures to help fight the problem in the next version of Messenger. But at the end of the day, it's really a matter of trying to help people to better protect themselves."
But the attackers don't have to look for new ways to formally hack IM applications while the current software remains open to Trojan-based infections, says Shimon Gruper, vice-president of technology at antivirus specialist Aladdin Knowledge Systems.
"There's no need for hackers to attack the IM software yet, because unlike in email, where applications have been set to block the dangerous types of attachments, there's little to no security built into IM," Gruper says. "The IM protocol, especially for Messenger, is very open and easy to use, so people can exploit that without a lot of effort, and they won't stop until the methods they're using now become less effective."
America Online, another leading provider of IM software, says that it is working to add new protections to its applications. However, it also says that getting the word out to consumers about the threats could have the biggest effect in alleviating the problem.
"In some cases, there are technological fixes we can use to help protect members, such as putting some automated blocks in place to keep the bad links from going through," says Andrew Weinstein, an AOL spokesman. "But we feel the best solution for protecting people is installing a healthy dose of caution among users. Even if an IM looks like it's coming from someone they know, people should check with buddies to try to ensure everything is what it appears to be."
Yahoo, another major provider of instant messaging software, did not return calls seeking comment for this story.
Until now, all the IM threats reported have been Trojan attacks that sit on top of IM software code, rather than worms that take advantage of a flaw to penetrate the applications themselves. But some experts believe that it's only a matter of time before such worms are released.
"We haven't seen attacks on the IM code yet, but it won't surprise me if it does happen," says Ero Carrera, an antivirus researcher at security software maker F-Secure. "All it takes is for people to find one IM client that has some small code error for things to develop very quickly. Any application has some holes, and history has shown us that someone usually finds a way to hack those flaws."





