Your Next IM Could Be Your Network's Last

The rising tide of instant messaging threats will eventually lead to an automated worm that will strike hundreds of thousands of machines in seconds, IM security firms warn

November 2, 2005



According to data collected by IM security vendor IMlogic, the number of instant messaging-oriented attacks in October climbed 30 percent over September's. The increase is even more dramatic when compared to last year, said Art Gilliland, the vice president of product management for the Waltham, Mass.-based firm. October 2005 counted 1300 percent more threats than the same month in 2004.

"The continuing trend is the increase in the growth rate of attacks," said Gilliland. "That trend has been consistent through the year."

What's different in the last four to six weeks, he added, is a big boost in the maliciousness of the IM exploits.

"In the past couple of months, threats have gone from simple keylogging and adware to actually disabling security software, rebooting systems, and adding more dangerous spyware to capture specific passwords," Gilliland said.

Rival IM security firm Akonix, which also released attack data on Tuesday, said that the increase from September to October was only 19 percent, but confirmed that several new threat trends were developing, including the tweaking of the long-running Sdbot Trojan to attack IM networks.

That Sdbot variant, in fact, was the focus last week of a warning issued by FaceTime, yet another IM security software provider. FaceTime alerted users that Sdbot.add posed a special danger because it included a rootkit that tried to disguise the presence of the malicious code from anti-virus software.

"That's not really new," claimed IMlogic's Gilliland. "Since early October we've been seeing IM threats armed with rootkits. In general, rootkits are the way that aggressive spyware is spreading itself via IM."

What with the rising numbers of IM attacks and the notoriously rapid spread of instant messaging worms, some experts think it's only a matter of time before an automated exploit knocks out hundreds of thousands of computers.

Current IM exploits all require some sort of user interaction -- generally clicking on a link embedded in a bogus message supposedly sent by a trusted "buddy" -- but it's possible to automate the attack, much as network worms such as Slammer and Sasser needed no human interaction to wreak their havoc.

"It's not something I've seen, but I think it will," said Gilliland. "For one thing, the clients themselves are automatable. MSN and AOL's have keystroke macros to automate themselves, so I can see the possibility of viruses that take over the client and run it."

Akonix's Don Montgomery, the San Diego-based company's vice president of marketing, agreed in a statement issued Tuesday. "It's just a matter of time before we see an IM or P2P attack that will bring down entire networks," Montgomery said.

"The scary part is that the IM worms are becoming very smart on how they use buddy lists," said Gilliland. "You could see infection happening relatively instantaneously."

In 2004, Symantec ran simulations that showed an IM worm could spread to as many as 500,000 machines in under 30 seconds.

"An automated, network-style IM worm would be orders of magnitude faster than that," claimed Gilliland.

One answer, put forward by several IM-oriented security vendors, including IMlogic and FaceTime, is to use behavioral-based defenses to quickly detect an ongoing IM attack, then quarantine infected systems before the exploit can spread.

IMlogic, for instance, uses something it calls RTTPS (for Real-Time Threat Protection System) to shut down an attack, even a nearly-instantaneous one. "RTTPS looks at client behavior in the client protocol or the system itself, then when it detects odd behavior, blocks any transmission from that client to others on the network," said Gilliland. "Typically, we can stop an attack within five messages sent by an infected client."
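The behavior-based idea Gilliland describes, as an added illustration that is not IMlogic's or FaceTime's code: a monitor that tracks how many distinct buddies each client pushes the same link to inside a short window, and quarantines the client once that fan-out crosses a threshold, so the constructed worm-like client below is cut off on its fifth message. The screen names, hostnames, threshold and window are all constructed for the example.

```python
import re
from collections import Counter, defaultdict, deque

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

class ImBehaviorMonitor:
    """Illustrative behavioral IM worm detector (not RTTPS itself).

    A client is quarantined when it sends the same URL to at least
    `max_fanout` distinct recipients within `window` seconds. Once
    quarantined, every further message from that client is blocked,
    so buddies downstream never receive the link.
    """

    def __init__(self, max_fanout=5, window=10.0):
        self.max_fanout = max_fanout
        self.window = window
        # sender -> url -> deque of (timestamp, recipient), oldest first
        self.history = defaultdict(lambda: defaultdict(deque))
        self.sent = Counter()      # messages seen per sender
        self.quarantined = {}      # sender -> message number that triggered the cut-off

    def inspect(self, ts, sender, recipient, text):
        """Return 'deliver' or 'block' for one outbound message."""
        self.sent[sender] += 1
        if sender in self.quarantined:
            return "block"
        for url in URL_RE.findall(text):
            recent = self.history[sender][url.lower()]
            recent.append((ts, recipient))
            while recent and ts - recent[0][0] > self.window:
                recent.popleft()   # forget sends older than the window
            if len({r for _, r in recent}) >= self.max_fanout:
                self.quarantined[sender] = self.sent[sender]
                return "block"
        return "deliver"

def run(events, **kw):
    """Feed a list of (ts, sender, recipient, text) through one monitor."""
    mon = ImBehaviorMonitor(**kw)
    return [mon.inspect(*e) for e in events], dict(mon.quarantined)

SAMPLE_EVENTS = [  # constructed traffic: alice chats normally, bob behaves like a worm
    (0.0, "alice", "bob", "lunch? http://example.test/menu"),
    (0.5, "alice", "carol", "lunch? http://example.test/menu"),
    (1.0, "bob", "alice", "lol look http://worm.example/pic.exe"),
    (1.2, "bob", "carol", "lol look http://worm.example/pic.exe"),
    (1.4, "bob", "dave", "lol look http://worm.example/pic.exe"),
    (1.6, "bob", "erin", "lol look http://worm.example/pic.exe"),
    (1.8, "bob", "frank", "lol look http://worm.example/pic.exe"),
    (2.0, "bob", "grace", "lol look http://worm.example/pic.exe"),
    (9.0, "bob", "alice", "hey did you get that?"),
    (30.0, "alice", "bob", "running late"),
]
```

Lowering `max_fanout` catches the worm sooner but, as the second run in the test shows, also quarantines alice for sharing one lunch link with two friends, which is the false-positive trade-off any threshold-based defense has to tune.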

FaceTime, a Foster City, Calif.-based IM security firm, is so sure that its behavioral-based defense will stop attacks that it issued a "Worm Free Guarantee" on Tuesday as it launched IMAuditor 6.5, saying that it would compensate customers "upon a single instance of an IM worm propagating in the customer's environment."

"Even a short 'window of vulnerability' for IM based attacks is unacceptable," said Kailash Ambwani, FaceTime's chief executive, in a statement announcing the guarantee. "Enterprise organizations require a solution that prevents new infections before they start."
