Instant messaging vulnerabilities and exploits

Wednesday, 07 January 2009

This section describes significant vulnerabilities that are present in common instant messaging
systems and the types of attacks that can exploit them. A discussion on safeguarding corporations
from these threats immediately follows in the next section entitled “Securing instant messaging in
your corporation.”
EAVESDROPPING
Given that most IM systems do not encrypt network traffic, a determined third party can eavesdrop
on conversations between two IM users with a packet sniffer or similar tool from any point on the
path the messages travel. As discussed previously, this holds true for both client-server and
peer-to-peer messaging models.
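The following added example (not code from the original paper) shows what "eavesdropping with a packet sniffer" amounts to in practice: walking the Ethernet, IPv4 and TCP headers of a captured frame and pulling out the application payload. The capture is constructed here, the chat protocol ("MSG <from> <to> <text>") is a toy stand-in for a real IM wire format, and the addresses and ports are arbitrary; none of it reproduces any vendor's protocol.

```python
import struct
from typing import Dict, List

# Added example, not part of the original paper. The "capture" below is
# constructed: Ethernet II / IPv4 / TCP frames carrying a one-line chat
# message in a toy plaintext protocol. Real IM wire formats differ, but the
# dissection steps are exactly what any sniffer performs.

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal frame (constructed data). Checksums are left at
    zero: a passive sniffer does not need them to read the payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + 20 + len(payload), 0x1234, 0x4000, 64,
                         IPPROTO_TCP, 0, _ip(src_ip), _ip(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


def sniff_chat(frame: bytes) -> Dict[str, str]:
    """Walk the headers the way a packet sniffer does and return the
    plaintext message together with its endpoints."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IP header length, options included
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < total_len or ip[9] != IPPROTO_TCP:
        raise ValueError("not a complete IPv4/TCP packet")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                # TCP header length, options included
    payload = tcp[data_off:]
    return {"src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
            "text": payload.decode("utf-8", errors="replace")}


def captured_frames() -> List[bytes]:
    """Constructed capture: the client-to-server leg of a message and the
    server's relay of it to the recipient. Both legs are readable on the wire."""
    line = b"MSG alice bob Q3 numbers attached, please do not forward\n"
    return [
        build_frame("10.0.0.5", "192.0.2.10", 5190, 5190, line),   # alice -> IM server
        build_frame("192.0.2.10", "10.0.0.9", 5190, 5190, line),   # IM server -> bob
    ]


def eavesdrop(frames: List[bytes]) -> List[Dict[str, str]]:
    return [sniff_chat(f) for f in frames]


if __name__ == "__main__":
    for m in eavesdrop(captured_frames()):
        print(f'{m["src"]} -> {m["dst"]}: {m["text"].rstrip()}')
```

The two header-length fields (IHL and the TCP data offset) are the only arithmetic a sniffer needs; everything after them is the conversation. In the client-server model the provider's relay leg is just as exposed as the user's access link, which is the point the server-vulnerabilities discussion below returns to.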
ACCOUNT HIJACKING
Many instant messaging systems are vulnerable to account hijacking or spoofing: an attacker takes
over another user's instant messaging account, or simply impersonates that user, in conversations with
others. A number of Web sites provide do-it-yourself tools or describe techniques for launching such
an attack.
Password protection is very limited in most instant messaging systems. Some IM systems store
user passwords in data files on the client's PC. In some cases these passwords are encrypted; in
other cases they are stored in the clear. Where the encryption uses a key that ships inside the client
itself, it is obfuscation rather than protection, since every copy of the client carries the key needed
to reverse it. There currently exists at least one Web site that gives detailed instructions on how to
crack the password encryption scheme for one popular IM system.
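As an added illustration (not from the original paper) of why a stored-password "encryption" scheme of this kind is crackable, the following uses a constructed stand-in: passwords XORed with a fixed client-wide key and hex-encoded into a settings file. The key value, the file format and the account names are all assumptions; no real product's scheme is reproduced. The attack shown needs no disassembly of the client at all: one entry whose password the attacker already knows (an account they created on the same machine) yields the key, and the key yields every other stored password.

```python
import binascii
from typing import Dict

# Added example, not from the original paper. The "encryption" is a
# constructed stand-in for a reversible client-side scheme: XOR with a fixed
# key baked into the client, hex-encoded into a settings file.

KEY_LEN = 8
CLIENT_KEY = bytes.fromhex("5a13c788214e9d02")   # assumed: shipped inside every copy of the client


def obfuscate(password: str, key: bytes = CLIENT_KEY) -> str:
    """What the (toy) client writes to disk."""
    pt = password.encode()
    return binascii.hexlify(bytes(b ^ key[i % len(key)] for i, b in enumerate(pt))).decode()


def deobfuscate(blob_hex: str, key: bytes) -> str:
    """XOR is its own inverse, so recovery is the same loop."""
    ct = binascii.unhexlify(blob_hex)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(ct)).decode(errors="replace")


def parse_settings(text: str) -> Dict[str, str]:
    """Parse 'screenname=hexblob' lines (constructed file format)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, blob = line.split("=", 1)
        entries[name.strip()] = blob.strip()
    return entries


def recover_key(blob_hex: str, known_password: str, key_len: int = KEY_LEN) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext gives the key byte by
    byte. One known password at least key_len bytes long recovers the whole
    repeating key."""
    ct = binascii.unhexlify(blob_hex)
    pt = known_password.encode()
    if len(pt) < key_len:
        raise ValueError(f"need at least {key_len} bytes of known plaintext")
    return bytes(ct[i] ^ pt[i] for i in range(key_len))


def crack_all(settings_text: str, known_name: str, known_password: str) -> Dict[str, str]:
    """Recover every stored password from the one the attacker already knows."""
    entries = parse_settings(settings_text)
    key = recover_key(entries[known_name], known_password)
    return {name: deobfuscate(blob, key) for name, blob in entries.items()}


# Constructed settings file, as the toy client would have written it.
SETTINGS_FILE = "\n".join([
    "# saved logins",
    "mallory=" + obfuscate("letmein123"),        # attacker's own throwaway account
    "alice=" + obfuscate("Tr0ub4dor&3"),         # victim's saved login
    "finance_bot=" + obfuscate("Q3-reports-2002"),
])


if __name__ == "__main__":
    for name, pw in crack_all(SETTINGS_FILE, "mallory", "letmein123").items():
        print(f"{name}: {pw}")
```

Swapping XOR for a real block cipher changes nothing here as long as the key lives in the client binary: the attacker extracts it once and reuses it everywhere. The defence is not a stronger algorithm but not storing a reversible credential at all, or storing it under protection the operating system ties to the logged-in user's own secret.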
DATA ACCESS AND MODIFICATION
Like all Internet-enabled software, IM programs can have bugs that attackers exploit over the network.
Using attacks such as buffer overflows or malformed data packets, an attacker could gain access to a
PC on which a vulnerable IM client is installed. Given the large number of ancillary features present in
many IM products, each of which parses input arriving from the network, there are numerous potential
areas for attack.
As an example, in May 2002, a hacking group known as w00w00 identified a vulnerability in a
popular instant messaging program. This vulnerability could have been exploited by an attacker to
gain full access to targeted systems. From there, the attacker could have installed computer viruses,
stolen or deleted data, and even grabbed passwords. Fortunately, the IM vendor moved quickly in this
situation and issued a fix for the vulnerability to protect their customers.
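The root of a "malformed data packet" bug is almost always a parser that trusts a length field the peer supplied. The following added example (not code from the original paper or from any IM vendor) shows that mistake beside the checked version, and a small mutation-based fuzzer of the kind a practitioner would point at a client's message handler. The packet layout is a constructed toy; in a C client the naive parser's copy would be the buffer overflow the text describes, while Python cannot corrupt memory, so the same mistake surfaces as unhandled exceptions and silently misparsed packets, which is what the fuzzer counts.

```python
import random
import struct
from typing import Callable, Optional, Tuple

# Added example, not from the original paper. Constructed packet layout,
# not any real IM protocol:
#   "IM" | type(1) | nick_len(1) | nick | msg_len(2, big-endian) | msg
MAGIC = b"IM"
MSG_TYPE_CHAT = 1
MAX_NICK = 32
MAX_MSG = 4096


def build_packet(nick: str, msg: str) -> bytes:
    n, m = nick.encode(), msg.encode()
    return MAGIC + struct.pack("!BB", MSG_TYPE_CHAT, len(n)) + n + struct.pack("!H", len(m)) + m


def parse_naive(pkt: bytes) -> Tuple[str, str]:
    """Trusts every length field the peer sent. In a C client the nick copy
    is the line where a fixed-size buffer overflows."""
    nick_len = pkt[3]
    nick = pkt[4:4 + nick_len]
    msg_len = struct.unpack("!H", pkt[4 + nick_len:6 + nick_len])[0]
    msg = pkt[6 + nick_len:6 + nick_len + msg_len]
    return nick.decode(), msg.decode()


def parse_hardened(pkt: bytes) -> Optional[Tuple[str, str]]:
    """Each declared length is checked against the protocol maximum and
    against the bytes actually present before it is used; anything
    inconsistent is rejected rather than guessed at."""
    if len(pkt) < 6 or pkt[:2] != MAGIC or pkt[2] != MSG_TYPE_CHAT:
        return None
    nick_len = pkt[3]
    if nick_len == 0 or nick_len > MAX_NICK or len(pkt) < 6 + nick_len:
        return None
    pos = 4 + nick_len
    msg_len = struct.unpack("!H", pkt[pos:pos + 2])[0]
    pos += 2
    if msg_len > MAX_MSG or len(pkt) != pos + msg_len:
        return None
    try:
        return pkt[4:4 + nick_len].decode("utf-8"), pkt[pos:].decode("utf-8")
    except UnicodeDecodeError:
        return None


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One malformed variant of a valid packet: oversized length field,
    truncation, random byte flips, or trailing junk."""
    b = bytearray(seed)
    kind = rng.randrange(4)
    if kind == 0:
        b[3] = 0xFF                                   # nick_len far beyond the data
    elif kind == 1:
        del b[rng.randrange(1, len(b)):]              # cut the packet short
    elif kind == 2:
        for _ in range(rng.randrange(1, 4)):
            b[rng.randrange(len(b))] ^= rng.randrange(1, 256)
    else:
        b += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))
    return bytes(b)


def fuzz(parser: Callable[[bytes], object], seed: bytes,
         iterations: int = 500, rng_seed: int = 1) -> int:
    """Return how many mutants made the parser raise (the stand-in for a crash)."""
    rng = random.Random(rng_seed)
    crashes = 0
    for _ in range(iterations):
        try:
            parser(mutate(seed, rng))
        except Exception:
            crashes += 1
    return crashes


SEED = build_packet("alice", "hi")

if __name__ == "__main__":
    print("naive parser crashes:   ", fuzz(parse_naive, SEED))
    print("hardened parser crashes:", fuzz(parse_hardened, SEED))
```

Note the two distinct checks in the hardened parser: the declared length against a protocol maximum (what a fixed buffer can hold) and against the bytes actually received (what is safe to read). Either one alone leaves a hole.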
WORMS AND BLENDED THREATS
Like email systems, instant messaging platforms provide the enabling technologies that are needed
for spreading worms and blended threats (such as CodeRed).
First, the instant messaging software provides a robust communications channel between system
users. Second, virtually all IM software products maintain a list of buddies with whom the user
frequently interacts. Like email address books, buddy lists can be leveraged as hit lists to spread
a worm rapidly through the IM user base. Lastly, some of the instant messaging systems are
scriptable or programmable, providing malicious programs targeted at these systems with a
mechanism by which to spread.
Given the ubiquity of popular instant messaging systems, a blended threat targeted at such a system
could potentially spread to tens of millions of personal and business computers in just a few hours. Once
in each system, a worm could delete data, install back doors, and possibly export critical data.
Symantec™ experts predict that such an attack will more than likely happen within the next decade, if not
sooner. The fast growth of broadband Internet connections will only exacerbate these security problems.
Blended threats and computer worms can spread through instant messaging systems in two ways:
by leveraging IM scripting and by exploiting a buffer overflow or other vulnerability in an instant
messaging system.
Scripting instant messaging threats
As described earlier, some IM systems provide scripting capabilities that let other programs or script
files (e.g., Visual Basic or JavaScript) control the client IM software via simple programming commands.
By taking advantage of such commands, malicious code can use the IM system as a communications
platform to send itself to other members of the system, change program settings, steal confidential
information, and perform other potentially malicious actions. Similar functionality in traditional email
clients has been exploited in the past by malicious worms such as LoveLetter and SirCam.
There are dozens of real-world worms that propagate using IRC as a communications platform.
These worms are written in the scripting language provided by popular IRC client software and typically
work as follows: a user whose computer has been infected by the worm joins a channel and begins
chatting. As subsequent (and as yet uninfected) users join the same channel, the worm detects the
new users and sends each of them a copy of itself in the form of a script file. In some instances, the
receiving user is prompted to open the file; in others, the user receives no notification at all.
Once the worm infects the new computer, the cycle begins anew.
In addition to IRC worms there now exist a number of Windows®-based worms targeted at certain
IM systems. These worms use scripting techniques similar to those used by the Nimda, LoveLetter
and SirCam threats to send themselves from user to user via instant messaging software.
Fortunately, none of these worms has been widespread so far, but they clearly demonstrate that
instant messaging platforms are susceptible to such attacks.
INSTANT MESSAGING THREATS THAT EXPLOIT VULNERABILITIES
As we have seen with CodeRed and Nimda, it is possible to construct a blended threat that spreads
without user interaction by exploiting vulnerabilities in an Internet-enabled software platform such as
a Web server. In the future, we could see similar worms or blended threats that exploit bugs or other
vulnerabilities in client-side IM software. Such a threat could, for instance, use a buffer overflow
attack on an IM client program to gain access to a new system. Once in the system, it could access
the user’s buddy list to gain a new set of targets.
This is an area of great concern, given the speed at which such a threat could possibly spread
and the large number of machines the threat could affect. While CodeRed was able to attack
several hundred thousand Internet servers in hours, a well-crafted IM-based worm would have the
potential to hit millions or even tens of millions of home computers or wireless devices in the same
amount of time.
Denial-of-Service
Like other communications systems, instant messaging platforms are susceptible to denial-of-service
attacks. For example, an attacker could send large numbers of specially crafted TCP/IP packets to IM
servers residing in the IM provider’s infrastructure to prevent legitimate messages from flowing
through the system. This would be similar to the denial-of-service attacks launched on major Internet
properties in the last few years. Alternatively, an attacker could send large numbers of packets to a
specific user or set of users to flood them with chat or file transfer requests.
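Both the worm propagation pattern described in the preceding sections (one infected client walking its buddy list with the same file) and the targeted flood described just above leave a signature in whatever relay or gateway logs an organisation keeps. The following added example (not code from the original paper) runs two windowed detectors over constructed log records; the "key=value" log format, the names, the filename and the thresholds are all assumptions and reproduce no vendor's logging.

```python
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Tuple

# Added example, not from the original paper. Constructed log format: one
# "key=value" record per relayed message or file-transfer request, as an IM
# relay or gateway might emit. No vendor's log format is reproduced.

LOG_LINES = [
    "2002-05-14T10:00:00 sender=alice recipient=bob type=msg",
    "2002-05-14T10:00:05 sender=alice recipient=dave type=file name=report.doc size=40960",
    "2002-05-14T10:00:09 sender=alice recipient=erin type=file name=report.doc size=40960",
    # bob's infected client walks his buddy list with the same payload
    "2002-05-14T10:01:00 sender=bob recipient=alice type=file name=funpic.exe size=28672",
    "2002-05-14T10:01:02 sender=bob recipient=carol type=file name=funpic.exe size=28672",
    "2002-05-14T10:01:03 sender=bob recipient=dave type=file name=funpic.exe size=28672",
    "2002-05-14T10:01:05 sender=bob recipient=erin type=file name=funpic.exe size=28672",
    "2002-05-14T10:01:06 sender=bob recipient=frank type=file name=funpic.exe size=28672",
    "2002-05-14T10:01:08 sender=bob recipient=grace type=file name=funpic.exe size=28672",
] + [
    # eve floods carol with 25 requests inside five seconds
    f"2002-05-14T10:05:{i // 5:02d} sender=eve recipient=carol type=msg" for i in range(25)
]

Event = Dict[str, object]
Alert = Tuple[str, str, int]


def parse_line(line: str) -> Event:
    ts, *fields = line.split()
    ev: Event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        ev[key] = value
    return ev


def detect_fanout(events: List[Event], window_s: int = 60, min_recipients: int = 5) -> List[Alert]:
    """Worm signature: one sender pushing the same file to many distinct
    buddies inside a short window (the buddy list used as a hit list).
    Returns (sender, filename, distinct recipients), once per pair."""
    recent = defaultdict(deque)          # (sender, filename) -> deque of (ts, recipient)
    fired, alerts = set(), []
    for ev in events:
        if ev.get("type") != "file":
            continue
        key = (ev["sender"], ev["name"])
        q = recent[key]
        q.append((ev["ts"], ev["recipient"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= min_recipients and key not in fired:
            fired.add(key)
            alerts.append((key[0], key[1], len(distinct)))
    return alerts


def detect_flood(events: List[Event], window_s: int = 10, max_requests: int = 20) -> List[Alert]:
    """Targeted denial of service: one sender hammering one recipient with
    chat or file-transfer requests faster than a person plausibly could.
    Returns (sender, recipient, requests in window), once per pair."""
    recent = defaultdict(deque)          # (sender, recipient) -> deque of ts
    fired, alerts = set(), []
    for ev in events:
        key = (ev["sender"], ev["recipient"])
        q = recent[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_requests and key not in fired:
            fired.add(key)
            alerts.append((key[0], key[1], len(q)))
    return alerts


def analyse(lines: List[str]) -> Tuple[List[Alert], List[Alert]]:
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    return detect_fanout(events), detect_flood(events)


if __name__ == "__main__":
    fanout, flood = analyse(LOG_LINES)
    for sender, name, n in fanout:
        print(f"WORM? {sender} sent {name} to {n} buddies within a minute")
    for sender, recipient, n in flood:
        print(f"FLOOD? {sender} -> {recipient}: {n} requests within 10 s")
```

Alice sending one document to two colleagues stays below the fan-out threshold, which is the sort of legitimate behaviour the window and count have to be tuned against; the thresholds here are illustrative, not recommended values. The fan-out detector keys on sender plus filename rather than sender alone so that a busy but legitimate user does not trip it.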
Instant messaging server vulnerabilities
While many security experts have focused on the vulnerabilities of IM clients, it is also important to
consider potential IM server vulnerabilities. If attackers gained access to these servers, they could also
eavesdrop on all conversations, impersonate any user, launch denial-of-service attacks, or spread
malicious threats with little effort. Recall that little, if any, IM traffic is encrypted, meaning that an
attacker in control of an IM server can gain access to the contents of every transmission.
