Monday, January 09, 2006

Your IM Buddy, Or A Hacker? It's Getting Harder To Tell

Just before New Year's, some Europeans received a link from the buddy list in their MSN Instant Messenger software to a purported funny Christmas picture. The joke was on them. Clicking on the link let in a worm that exploited the recent Windows Meta File vulnerability, giving hackers access to their PCs.

That's just one example--out of a few thousand--of how hackers used IM to attack computers in the past year. Instant-messaging security vendors FaceTime Communications Inc. and IMlogic Inc. reported last week that malware delivered over instant-message clients has skyrocketed in recent months.

FaceTime cites a more than 20-fold increase in the number of reported IM worm and virus variants since 2004. And in a sign that larger security companies are taking IM threats seriously, Symantec Corp. said last week that it will acquire IMlogic for an undisclosed sum.

In addition to FaceTime and IMlogic, vendors such as Akonix Systems Inc. and MessageLabs Ltd. offer software and hardware to manage enterprise instant messaging and protect networks from attack. According to the Radicati Group, 85% of businesses of all sizes say instant messaging is taking place on their networks.

And, as Gartner analyst Andrew Jacquith puts it, "There's always going to be some dope who clicks on a message, no matter how robotic or obviously fake it looks."

IM client software is pervasive within businesses and can serve as a powerful business tool, so companies should have a plan for dealing with it. Education is key, but so is proper management.

Energy brokerage firm Amerex Energy tracks about 150 IM users in its Houston corporate offices. It bought IMlogic's IM Manager to archive chats when brokers started closing deals via instant messages, but CIO Brian Trudeau says it also offers security. "It gives us the capability to control IMs a little bit more," he says. Using IM Manager, Amerex blocks all file uploads to IM clients and can specify who uses instant messaging and when.

Just Like E-Mail Attacks

IM attacks usually look and feel like E-mail attacks: They try to get targeted users to either download an infected file or click on a link that sends them to a Web site where they'll be infected with a virus. "A lot of the things that you thought about in the last decade about managing your E-mail can be applied to instant messaging," IMlogic CEO Francis DeSouza says.

Like the broader security-software community, vendors specializing in IM offer antivirus capabilities and software that lets companies block downloads, blacklist certain Web sites, and log and archive all chats.

But IM attacks are getting more devious. Just last week, FaceTime found one on AOL Instant Messenger. The company quickly contacted AOL, as well as Microsoft and Yahoo, since many attacks are cross-platform.

Tens of thousands of AOL client machines were unknowingly infected with BitTorrent, a peer-to-peer downloading program often used to download copyrighted material. With this installed, hackers could upload a movie to a victim's hard drive and use the PC as a vehicle for sharing the content with others.

Virus attacks are getting more complex, too, moving away from the simple social engineering that might spur someone to send money to a Nigerian "prince" or click the link for a picture of Osama bin Laden.

Late last month, security vendors started seeing malicious code that went beyond a link or file and created automated responses to a victim's queries. So a victim might ask his IM "buddy" if the file was safe, and the malicious bot would respond that it was.

IMlogic discovered a bot that responded six different ways, depending on the question a victim asked.

No attack has hit millions of users--yet. But since people often read and respond to IMs more quickly than E-mail, a virus could broadside a company in a matter of minutes.