Instant messaging falls prey to worms


A COMPUTER worm called Sober hit the headlines last week, reigniting people's fears about viruses. But while many may fret about infected emails, hackers are increasingly turning to stealthier ways to spread malicious software. Their latest target is instant messaging (IM), a wildly popular alternative to email that allows groups of friends or colleagues to chat online in real time.

"Hackers look at IM and they see fertile new ground," says Jonathan Christensen of FaceTime Communications, an IM security firm based in Foster City, California. "Although email continues to be a target, malicious code writers have become more creative." Even Microsoft, which supplies a proprietary instant messaging service, agrees. "Instant messaging has become a popular target for malicious hackers," says a spokesperson.

IM viruses and worms are not new. In 2001 two IM viruses called Choke and Hello struck, albeit with limited impact. But back then just 141 million people were using IM to talk online. Today 863 million people chat this way, and in March 2004 the volume of IM spam, known as spim, began to skyrocket (New Scientist, 3 April 2004, p 22). But because instant messages from your account can only be sent to your approved contact lists of friends, security experts hoped that IM worms would never take off like email-based malware.

Now, despite these protections, IM worms are beginning to cause similar damage to their email counterparts. "The sweet spot for IM worms is right now," says Jon Sakoda of IM security company IMlogic in Waltham, Massachusetts.

On April 14, the UK-based news agency Reuters had to remove 60,000 clients from its Microsoft messaging service for 20 hours after it detected an attempted invasion by a worm called Kelvir. IMlogic reports a threefold increase in the number of new IM worms released in the first three months of this year compared with 2004. And during this month and last a new IM worm variant has appeared almost every day, according to FaceTime.

Kelvir and another widespread worm called Bropia were detected on 6 March and 19 January respectively. They both use a piece of publicly available code called an application programming interface (API) to infect Microsoft IM networks, and spread via messages that appear to come from a trusted friend, but actually contain malicious web links. Click on one and it automatically downloads a virus that gives a hacker remote control of your PC. The links are embedded within casual, friendly or salacious comments depending on the worm variant.

Hackers have even programmed some Kelvir worms to chat with the victim before sending the link, to persuade the recipient they are talking to a friend. The worm's stock responses are sent blindly, regardless of how the victim replies, so these "conversations" can seem fragmented and illogical. But this is not uncommon even in genuine IM chat, due to the short time delay between sending and receiving messages. "It always shocks me how well these social engineering attacks end up working," says Nicholas Weaver, a security expert at the International Computer Science Institute in Berkeley, California.

Other worms such as Gabby, which surfaced on 26 April, target AOL's Instant Messenger, gaining access to contact list addresses through a flaw in the software rather than using an API. And in March, a spat broke out between IM virus writers (similar to turf wars between email virus writers) when the IM worm Fatso (otherwise known as Sumom or Serflog) contained expletives aimed at the writer of the worm Assiral, which in turn was designed to disable Bropia.

Graham Cluley, a security consultant at UK-based anti-virus firm Sophos, says that email still poses a bigger threat. "While IM viruses may be on the rise, I think there will always be more people with access to email," he says. He points out that the Sober worm that struck last week, which also gives hackers remote control access to infected computers, accounted for 4 per cent of all email sent on 4 May.

But the danger is that while practically every company today has anti-virus protection for email, Sakoda estimates that 80 per cent of the US's 1000 wealthiest companies are using IM networks, yet just 10 per cent also have IM security protection. "Email worms are clearly alive and well, but the vulnerability of organisations to IM threats is much, much greater than to email," he says.

Source: Eurekalert & others

Last reviewed: By John M. Grohol, Psy.D. on 21 Feb 2009