IM And P2P Malware Threats Nearly Triple

The IMlogic Threat Center, a database of past and emerging IM and P2P worms, viruses, and other exploits, is a joint effort among public IM providers America Online, Microsoft, and Yahoo, along with security firms such as Symantec, McAfee, and IMlogic.

Its first IM Security Threat Report, released Tuesday at the InfoSec security conference in Orlando, Fla. noted a 271 percent increase in threats in the first quarter of 2005 over the same quarter in 2004.

"Most of that increase occurred just this quarter," said Jon Sakoda, chief technology officer at IMlogic, "but with a huge spike in March. The number of threats had essentially doubled by the end of February over the first quarter of 2004, but March was the real kick."

March's total of 48 identified threats, in fact, was over 50 percent more than January and February's combined (30), Sakoda said. Most of these attacks, in March, and before, were worms directed at IM clients, and took a bewildering array of forms, from those that tried to turn the target computer into a spim (spam on IM) spewing zombie to, in a new twist, phishing scams based on IM rather than e-mail. "Their sophistication is increasing," said Sakoda about IM and P2P malware writers. "Whether they're using IM to deposit adware and spyware on systems or using it for phishing attacks, like last month's on Yahoo, they're getting more professional."

Eighty-two percent of the attacks in the last year were IM worms, said the report. Like mass-mailed worms, IM worms live as much to spread as inflict damage or distress. Another 14 percent were meant to hijack IM clients' file-transfer capabilities, while 11 percent exploited known IM vulnerabilities. (The total exceeds 100 percent because some threats had multiple purposes.)

Three out of every four attacks are directed at clients for Microsoft's public IM network -- a number slightly up from numbers released earlier this year by the center -- while Yahoo accounts for only 14 percent and AOL just 11 percent.

"MSN has a global presence, so it's likely to be used internationally, which is where most of these worms originate," said Sakoda. "On top of that, the API for the service is embedded in the operating system, and easy to figure out and use."

More proof in MSN's special vulnerability to current threats is in the center's top 10 most reported IM worms: nine of the ten target MSN and Windows Messenger, Microsoft's IM clients.

In both the short and long run, said Sakoda, users and businesses should expect a further surge in IM threats.

With 85 percent of businesses harboring users of public IM networks, but with fewer than 10 percent deploying any IM-specific defenses, the continued use of IM poses a problem.

"The macro trend is that IM is everywhere, and it's hard to see any change in that," said Sakoda. "Businesses love IM, even if it's out of control, security-wise, at the moment."

On the hacker side, Sakoda sees those malcontents and criminals moving quickly from today's predominant motivation of notoriety to one of profit, following in the footsteps of mass-mailed worms over the last 24 months.

"Notoriety is a driver for most IM worms now, but as the phishing attacks on the Yahoo prove, there's an increasing pressure to generate profit," said Sakoda.

Contrary to some claims that stopping IM threats should be relatively easy, since all traffic passes through a set of central servers at the provider, Sakoda said that stymieing worms will remain difficult as long as users click on embedded links.

"IM is a double-edged sword," he said. "Once you're able to figure out what the attack is and create a signature, you're able to rapidly respond to it, but because of the real-time nature of IM, threats spread very quickly. You don't have days to react as you might with, say, e-mail worms, but just hours.

"Because many of these attacks are coming from rolling bogus [IM] accounts, or worse, from hijacked existing accounts, it's hard to detect the attack patterns at the network level," said Sakoda.

"IM security is going to be a very big problem in 2005," he promised. "Everyone, from businesses and users to security companies, is going to have to focus on it."