Symantec Warns That IM Worms Could Devastate Business - InformationWeek


With use of public IM services growing among businesses, the vendor says, the threat of infections and blended attacks is increasing.

Companies whose workers use one of the free public instant-messaging networks, such as AOL, Microsoft, or Yahoo, risk malicious attacks that could make the quick-spreading Sasser worm look like a snail, a security analyst said Friday.

"In instant messaging, we have a lot of the same security issues as in E-mail and networks," said Eric Chien, a senior researcher with Symantec's security response team. "Attacks can come in as attachments. There have already been some IM-related worms that send themselves to people on your buddy list, and IM lacks encryption."

Public IM services such as those hosted by AOL, Yahoo, and Microsoft are extremely popular in the workplace. According to a recent study by the Radicati Group, by the end of 2008, 88% of business IM users will rely on a public network.

"No one wants to pay for something that they are already using for free," Radicati analyst Genelle Hung said in an interview Monday.

Using public IM networks poses some special problems for businesses.

"IM the guy down the hall, and the message doesn't stay within the perimeter, as does E-mail," Symantec's Chien said. "It goes from the desktop onto the broader Internet to, say, Yahoo's servers, then from their servers back to the guy down the hall."

That means it's difficult for a company to secure the clear-text IM traffic sent over public networks, and it makes it much easier for hackers to exploit any IM client vulnerabilities.

Among the most dangerous security problems that may face IM in the enterprise, said Chien, are what he dubbed "blended threats." Like network-attacking worms such as Code Red, Blaster, and Sasser, an IM blended threat could exploit a vulnerability in the instant-messaging client or service and infect systems without any human interaction.

"A blended threat could happen today or tomorrow," Chien said.

Such an attack could be devastating because of how much faster IM-targeting worms would propagate.

"Propagation speed [for worms] is limited only by their ability to find new hosts," said Chien. "Code Red, for instance, took about 14 hours to ping every IP address in the world looking for vulnerable systems. Slammer took 20 minutes. If we have a similar threat targeting IM, the time to infect every vulnerable machine could be as low as only seconds, and certainly under three minutes."

That's because an IM blended threat wouldn't have to use time-consuming brute force to locate vulnerable systems. Instead, an IM worm along the lines of Blaster or Slammer could simply hijack the contact lists of vulnerable clients, then use that list to send itself to others.

"That limits the amount of time needed to infect," said Chien, "since the worm would already have a list of vulnerable machines [in the buddy list]."

Symantec has done some simulations, said Chien, of possible IM client infection speeds, and has found that a half-million systems could be infected in as little as 30 to 40 seconds.

"It only takes one vulnerability," Chien said, for something like this to happen.

There are mitigating factors, however, that make it unlikely that an IM worm could spread to every vulnerable computer. "The likelihood of that happening is low. If millions of messages were sent out in a short span of time, the IM servers would probably go down before the threat spread completely," Chien said.

Also, public IM networks have a built-in defense mechanism that, if the providers' reaction time were swift, could stymie a blended threat attack.

Once a threat was discovered, IM service providers could block it by filtering at their servers, or by updating the client and banning access from clients that were vulnerable.

"If they patched the vulnerability or filtered at the server, the threat would be gone," said Chien. "And if they forced the client to upgrade, the threat could be cleaned up very quickly."
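The propagation argument above (a scanning worm must probe a large address space to find victims, while a contact-list worm already holds a list of known-live targets) and the two mitigating factors (server capacity or rate limiting, and filtering at the server once the threat is recognized) can be made concrete with a small discrete-time model. The following is an added example written for this page; it is not Symantec's simulation and all of its parameters (host count, address-space size, probes per step, contacts per host, message budget, filtering step) are constructed, not taken from the article.

```python
"""Toy epidemic model: address-scanning worm vs. contact-list worm (added example).

Every quantity here is a constructed assumption chosen to illustrate the article's
reasoning; nothing is measured from a real IM network or taken from Symantec.
"""
import random
from collections import deque


def simulate_scanning_worm(n_vulnerable, address_space, probes_per_step, max_steps=100_000):
    """Deterministic logistic model of a random-scanning worm (Code Red/Slammer style).

    Each infected host sends `probes_per_step` probes per time step at uniformly random
    addresses; only `n_vulnerable` of `address_space` addresses are vulnerable, so most
    probes are wasted. Returns the number of steps until (practically) all vulnerable
    hosts are infected, or max_steps if it never saturates.
    """
    infected = 1.0  # patient zero
    for step in range(1, max_steps + 1):
        hit_rate = (n_vulnerable - infected) / address_space   # P(probe finds a fresh victim)
        infected = min(n_vulnerable, infected + infected * probes_per_step * hit_rate)
        if n_vulnerable - infected < 0.5:
            return step
    return max_steps


def build_contact_graph(n_hosts, contacts_per_host, seed=7):
    """Constructed undirected 'buddy list' graph: each host picks contacts at random."""
    rng = random.Random(seed)
    graph = {h: set() for h in range(n_hosts)}
    for h in range(n_hosts):
        while len(graph[h]) < contacts_per_host:
            other = rng.randrange(n_hosts)
            if other != h:
                graph[h].add(other)
                graph[other].add(h)
    return graph


def simulate_contact_worm(graph, msgs_per_step=None, filter_at_step=None, max_steps=10_000):
    """Contact-list worm: every newly infected host messages all of its buddies.

    msgs_per_step  - server capacity / rate limit: how many messages the IM servers
                     deliver per step (None = unlimited), modelling the "servers would
                     go down" limit the article mentions.
    filter_at_step - step at which the provider starts filtering the worm at the server,
                     after which nothing more is delivered (None = never).
    Returns (steps_elapsed, hosts_infected).
    """
    infected = {0}
    pending = deque(sorted(graph[0]))  # messages already sent, not yet delivered
    step = 0
    while pending and len(infected) < len(graph) and step < max_steps:
        step += 1
        if filter_at_step is not None and step >= filter_at_step:
            break  # provider filters at the server: deliveries stop
        # Budget is fixed before delivering, so messages queued during this step
        # are only delivered in the next one (a BFS layer per step).
        budget = len(pending) if msgs_per_step is None else min(msgs_per_step, len(pending))
        for _ in range(budget):
            dst = pending.popleft()
            if dst in infected:
                continue  # duplicate message to an already-infected buddy: wasted
            infected.add(dst)
            pending.extend(c for c in sorted(graph[dst]) if c not in infected)
    return step, len(infected)


if __name__ == "__main__":
    # Constructed scenario: 2,000 vulnerable hosts hidden in a ~1M-address space.
    scan_steps = simulate_scanning_worm(2_000, 2**20, probes_per_step=100)
    graph = build_contact_graph(2_000, contacts_per_host=10)
    contact_steps, _ = simulate_contact_worm(graph)
    capped_steps, _ = simulate_contact_worm(graph, msgs_per_step=50)
    filtered_steps, reached = simulate_contact_worm(graph, filter_at_step=3)
    print(f"scanning worm saturates in {scan_steps} steps")
    print(f"contact-list worm saturates in {contact_steps} steps")
    print(f"with a 50-message/step server limit: {capped_steps} steps")
    print(f"server-side filter at step 3 stops it at {reached} of {len(graph)} hosts "
          f"after {filtered_steps} steps")
```

The unlimited contact-list run saturates in a handful of steps (the depth of the buddy graph), whereas the scanning worm spends most of its time on probes that hit non-vulnerable addresses. The two mitigation parameters show the article's point from the defender's side: a delivery cap at the servers stretches the infection out by at least the number of victims divided by the budget, and a server-side filter applied after a few steps caps the damage at whatever the first few hops reached, so provider reaction time is the variable that matters most.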

Still, he recommended that businesses steer clear of public IM networks if possible and instead use an enterprise-level IM client that sits inside the firewall for intracompany communication. "Bring IM under the IT umbrella," he argued.

At the least, Chien said, companies should implement an IM usage policy that lays out what public IM clients are permitted and how they can be used. Blocking public IM clients, for instance, can be done at the gateway.

"There's no silver bullet here," said Chien. "What's needed more than anything is just an awareness of the potential danger of public IM."
