Worms wiggle into IM

Von Cathleen Moore

Like airborne viruses, instant messaging worms are fledglings, but very much on the rise. These new worms are also proving that once inside a corporate network they can be just as destructive, if not more so, than traditional e-mail attacks.

E-mail remains the most widely used and destructive vehicle for spreading viruses and worms over the Internet, but the first three months of 2005 saw a rise in the number of worms using IM to propagate.

Anti-virus company Trend Micro recently released its first quarter 2005 virus roundup, in which half of the reported outbreaks were IM worms. Since emerging as a proof of concept in 2001, IM worms have taken a back seat to e-mail worms. But the sharp increase in IM-based outbreaks this year signals a revival of the IM vehicle, according to Trend Micro officials.

IM worms are on the rise primarily because of the publishing of the source code for existing attacks, said David Perry, global education director at Trend Micro.

"There have been a couple successful [IM worms] and the source code was made available," Perry said. "Most viruses are minor variations on existing viruses."

IM management and security vendor Akonix Systems noted an alarming 400 percent rise in IM attacks in its Q1 IM and peer-to-peer threat summary.

Akonix"s numbers showed more than double the total number of targeted attacks on IM and p-to-p networks in the first quarter of 2005 than in all of 2004, according to Francis Costello, chief marketing officer at Akonix.

"We"ve seen published threat methods, which lets other virus writers jump in," Costello said.

Just this week virus alerts were issued for the latest variants of the Kelvir worm -- W32.Kelvir.U, W32.Kelvir.T, and W32.Kelvir.N  -- which targets Microsoft"s MSN Messenger and Windows Messenger. The Kelvir worm sends a URL via IM; once a user clicks on the URL, a worm is downloaded that sends itself to the now-infected user"s contact list.

Although most IM worms target consumer systems such as MSN Messenger, Yahoo Messenger, and AOL"s AIM, corporations still should be concerned.

According to IM security tool vendor IMlogic, nearly 85 percent of enterprises use public IM systems, and most do not have any additional security in place.

In fact, most enterprises are severely unprepared for IM-based malware attacks, according to Michael Osterman, president of Osterman Research.

The various types of IM attacks are not a critical problem yet for enterprises, but are rapidly becoming one, Osterman said.

"Within a matter of months this could become a huge problem that could do a lot of damage," Osterman said. "It would take very little to get totally out of control."

IM by its nature is a little more secure than e-mail, Osterman said. IM requires a user to grant permission to incoming contacts and is not as widely used as e-mail for file transport, through which many malicious payloads are sent.

Once inside a company, however, IM worms can wreak havoc because they bypass existing security defenses in place for e-mail, Osterman said.

Firstly, organizations without enterprise-grade IM in place should find out exactly how much public IM is now running on their network, he said.

"A lot of organizations really underestimate the amount of IM they have deployed," Osterman said. "Sometimes IT managers say they have none but if you put a sniffer on you can see thousands of IM [chats] on the network."

Corporations can deploy enterprise IM systems, such as Microsoft"s Live Communications Server or IBM"s Lotus Instant Messaging, or they can secure public systems by adding overlay management tools from vendors such as Akonix, FaceTime, IMlogic, and others.

"If you secure the public system and provide security against viruses plus namespace control and auditing and logging, then you have an enterprise grade system," Osterman said.

In addition to a growing number of worms, the types of IM threats are expanding to include SPIM (spam over IM) and phishing attacks. In fact, the first phishing attack using IM hit the Yahoo Messenger application last month. The scam sent a link to an official-looking but fake Yahoo Web site that asked users to provide account and password information. MSN IM users, too, were the targets of a then-new IM worm in March. 

As for the SPIM threat, The Radicati Group estimates that SPIM will grow to 17.9 billion messages in 2008, fueled by the growing IM adoption and a sharp increase in published IM names in corporate and public directories.

Akonix currently offers protection from SPIM through dynamically updated SPIM policies, and is paying close attention to the SPIM problem in its development efforts, said Costello.

"SPIM is potentially the next big thing. There is SPIM on IM networks but it is not nearly as bad as e-mail spam," he said. "It is harder to do unsolicited messaging in IM, [but] as more and more people use IM it will become more targeted."