The Anatomy of IM Threats

Transcription

1 The Anatomy of IM Threats INTRODUCTION: INSTANT MESSAGING THREATS AT RECORD LEVELS While instant messaging (IM) has grown steadily in popularity over the past few years, the threats associated with IM communications are showing a massive surge in According to the IMlogic threat center, the volume of IM threats is more than 3,000 percent higher in the third quarter of 2005 compared to a year ago. The Threat Center, launched with the support of Internet security leaders such as Symantec, Sybari, and McAfee, and global instant messaging leaders America Online, Microsoft and Yahoo!, is one of the most comprehensive knowledge bases for known and newly discovered IM and P2P vulnerabilities. Most attacks occur against public IM networks such as those provided by Microsoft MSN Messenger, Yahoo! Messenger, and AOL s AIM client. With analyst research firms such as Radicati Group, META Group, Gartner and Osterman Research showing IM usage in the workplace exceeding 70 percent or more and growing at an accelerated pace IT operations and security managers need to educate themselves as to the risks involved in IM for their particular organization. THE UNUSUAL SUSPECTS According to a recent report from IMlogic, IM worms now represent the most threats to enterprise systems. MSN Messenger was the most frequently attacked public network, accounting for 62 percent of reported incidents, while AOL was hit 31 percent of the time, and the remaining seven percent aimed at Yahoo Messenger users. See Figure 1. TYPES OF IM THREATES CLIENT VULNERABLITIES 2% VIRUSES & TROJANS 12% WORMS 86% Figure 1: IM worms represent by far the greatest threats to enterprise networks according to the IMlogic threat center. 1

2 Some of the most reported IM worms and viruses in 2005 include: Kelvir: Worm sent via URL in message (MSN & Windows Messenger): hey its you! gallery/pictures.php? = Clicking on the hyperlink in the IM may result in the worm file being downloaded and subsequently executed by the user. Note: The actual address has been blocked here to prevent infection. Serflog: Attachment carries worm. (MSN Messenger) IM based file transfers are particularly dangerous as they do not typically go through the corporate A/V filters. would have to open the attachment in order to infect their computer. The IM chat window appears to be from a trusted sender making it seem safe to open. Bropia: Worm in picture (MSN & Windows Messenger) If targeted recipient clicks on the picture, spyware software is copied to the hard-drive, additional.pif files are copied to the hard drive and ed to other recipients on the user s contact list. SIMILAR TO PEER-TO-PEER COMMUNICATION Most communications in IM systems are clientserver based, where each user shares a typically weak password with the IM server. Technically, IM operates in a fashion similar to peer-to-peer exchanges, utilizing non-standard protocols that mount on top of HTTP or HTTPS protocols. IM conversations occur in real-time once the user has authenticated to the IM servers belonging to the public IM network such as AOL. Communications can traverse various paths including client-to-server, server-to-client, client-to-client and intra-server within the same network. Once logged in the user is basically open to receiving any message from any other IM client. See Figure 2. One of the more disturbing aspects of IM communications is the relative ease with which the IM client can be installed on any enterprise NORMAL IM CONVERSATIONS Company A Company B AIM Network Figure 2: This example represents AOL IM users using the AIM protocol. This allows communications directly between clients through the AOL/AIM network via company-to-company, intra-company or with others outside of either company. 2

3 computer without the knowledge or supervision of IT staff. In addition, public IM clients utilize multiple access methods and ports to communicate with the IM network servers, without standard protocols, allowing IM to bypass typical enterprise anti-virus and other defenses. See Figure 3. Once installed, IM connections are capable of transferring not only active technologies such as scripts and macros, but also data attachments such as Word files, zip archives, and others, including viruses and worms. HOW AN IM ATTACK WORKS The vast majority of IM threats occur in the form of worms, and in many cases rely on social engineering, not necessarily a flaw in the client software, to exploit the medium s users. These worms are hidden in messages that appear to be sent by a known IM contact. The targeted person is encouraged to click on a web link or open an attachment or image file enclosed in the IM. Once opened or downloaded the infected message forwards itself instantly to all names on the victim s IM buddy list. In nearly all cases, the victim is not even aware that he or she has propagated the malicious code. Because of the instant connection nature of IM, worms and viruses propagated through IM networks spread very rapidly. In one example using Time to infect 500,000 hosts as a comparison, IMlogic maintains that Code Red, a virus targeting IIS Servers discovered in 2001, required 14 hours to infect the 500,000 hosts; Slammer, a SQL Server Exploit attack discovered in 2003, took 20 minutes; and IM worms can spread to 500,000 hosts in a matter of seconds. KELVIR THE MUTATING MONSTER IM WORM The IM worm known as Kelvir provides a perfect IM GENERAL DEPLOYED THROUGH GRASS-ROOTS ADOPTION Easy to install / Difficult to Block Designed for easy install by nontechnical users Finds IM networks in a variety of network configurations Instant Messaging Clients AOL Corporate Uses multiple access methods & ports Most clients can also communicate via port 80 (http) No standard protocols (protocols change frequently) MSN Yahoo! IM Network Default Ports Used: and 80 Figure 3: IM clients can be easily installed and operated by any user in an enterprise environment even those companies that may have their own Enterprise IM network. 3

4 example of how these mutating monsters can infect enterprise networks and quickly spread havoc. The first variation of Kelvir was reported in December 2004, utilizing the MSN Messenger public IM network. MSN users received an IM similar to that shown in Figure 4 from what appeared to be a legitimate sender. Once the victim clicked on the URL, the worm deployed a variant of a backdoor Trojan called SpyBot that allowed hackers to disable a computer s security software Figure 4: The IM infected with the Kelvir worm was displayed to the unsuspecting user as a suggested URL link from a buddy list. and take over an infected machine. Initially, one user gets infected from the seemingly innocuous message. Through hyperlinks to his buddy list, the worm self-propagates to other trusted connections within the enterprise. These other users, in turn, also become a launching pad to infect the connections in their buddy lists as the infection quickly cascades throughout and beyond the enterprise. As the process continues, messages bounce back to the original senders since they are also on subsequent buddy lists and the process starts all over again. Once the initial host is infected, the real-time instantaneous nature of IM virtually assures the rapid proliferation of malicious messages across multiple user communities and IM networks. Because the cascading cycle of propagation occurs so quickly, it s nearly impossible to detect in time to quarantine or stop the infection by conventional IT security methods that rely on anti-virus software. See Figure 5. Over time, the IM worm actually mutates as it IM WORM Company A Company B Process Starts Over! Figure 5: Postini Perimeter Manager for IM sits between you and the public IM carriers to protect your network and users from IM threats such as IM worms, as well as enabling you to block attachments and prohibit file transfers. 4

5 distributes itself through hundreds of thousands of users. More than 20 mutations of the Kelvir worm were reported over a three-month period as the worm spread through countless buddy lists. Variations of Kelvir are still being reported and it ranks among the top five most reported threats of IM worms are capable of propagating via more than one IM protocol and since many of them have roots to borne worms, they are also capable of crossing into the corporate network. See Figure 6. In April of 2005, an outbreak of the Kelvir worm caused the Reuters Group to shut down its IM system. The London news and information provider detected the external worm on its network coming though a customer Internet portal. The variant that hit Reuters, W32/Kelvir-Re, was not unique to their Reuter s proprietary IM system, which has more than 60,000 users and is interoperable with MSN Messenger and AOL public IM networks. Corporations that have Microsoft Live Communications Server, IBM s Sametime or another proprietary IM application also need to perform a risk assessment. Kelvir is an ideal illustration of the malicious potential in the IM communications medium. It uses a simple social engineering technique that takes full advantage of the trusted nature of buddy links and the personalization in the message, displaying the user s name. IM THREATS POSE SIGNIFICANT CHALLENGES FOR ENTERPRISES At the time of this writing, entering the fourth quarter of 2005, the risks associated with IM continue to show hyper growth as the attacks become more sophisticated by the week. As IM usage by business also continues to increase, IT managers must recognize that the challenge of IM threats must be managed more effectively to protect their enterprise information assets in light of current trends: IM worms are growing exponentially every quarter, at a pace that is not likely to subside anytime soon. IM WORM Worm Mutates Company A Company B MSN Network Yahoo! Network AIM Network Figure 6: An infected IM is not locked into a single IM protocol. that have more than one IM client installed could be unknowingly propagating an IM worm across more than one IM network. 5

6 IM worms mutate frequently and are increasing in sophistication such that the infected message is injected into a current conversation between the infected user and a target on their contact list. IM worms spread rapidly and in many cases can compromise and enterprise network in less than 20 minutes. IM worms capitalize on social engineering techniques to turn even technology savvy end users into victims. POSTINI PROVIDES A MANAGED SERVICE SOLUTION TO COMBAT IM THREATS As the first enterprise class IM managed service, Postini enables enterprises to manage the challenge of IM threats by outsourcing IM security and management using the same type of managed service that Postini customers rely on to secure their systems and ensure that usage is consistent with corporate guidelines. Postini Perimeter Manager for IM acts to stop the threats such as IM worms before they can ever enter the enterprise network via the major public IM networks. The service blocks infected or spoofed IM messages so targeted users never see them so can not unknowingly activate a worm by clicking on a malicious URL. It also provides the tools to control and manage content policies to block any attachments to IM s, block any unacceptable topics from being discussed and prevent the loss of valued files and intellectual property. Postini Perimeter Manager for IM gives you the confidence to enable IM as a business productivity tool for your organization by giving you the ability to manage and control: Threat Prevention Postini ensures that IM worms and other threats are effectively blocked from the recipient. Content Management Enterprises gain the capability to block file transfers, as well as inappropriate content, from being transmitted via IM in order to mitigate the loss of intellectual property and legal liabilities. POSTINI PERIMETER MANAGER FOR IM Public IM Networks (Yahoo, AOL, MSN, Google) Perimeter Manager for IM Inbound Customer IM User (Protected) Outbound Block Archive/Log Local DNS Figure 7: Postini Perimeter Manager for IM sits between the enterprise DNS server and public IM carriers to protect the network and users from IM threats such as IM worms. 6

7 User Management Through Postini s exclusive Active Policy Management IT managers can apply IM policies to the entire organization, sub-organizations and individual users. Anonymous screen names are linked to the corporate mail profiles to provide identity management services. Compliance Enterprise IT managers can configure policies for archiving IM transactions according to organization, group or individual users for better record keeping and to demonstrate compliance with corporate and industry regulations. References: (1) IM Threats Adding Up, Tim Gray, October 5, (2) Does IM Stand for Insecure Messaging?, Matt Hines, March 23, (3) Reuters Shuts Down System to Fight Kelvir IM Worm, Laura Rohe, IDG News Service, April 15, 2005 (4) IMlogic Threat Center Q Security Threat Report, To find out more about how you can benefit from Postini Perimeter Manager for IM and other Integrated Message Management services, visit our website at call toll-free , or sales@postini.com. ABOUT POSTINI As the leader in Integrated Message Management, Postini managed services protect businesses from a wide range of IM and threats, provide message archiving and encryption, and enable the management and enforcement of enterprise policies to meet regulatory compliance requirements. Corporate Headquarters San Carlos, CA USA Toll-free: info@postini.com EMEA Headquarters London, UK Tel: +44 (0) info_emea@postini.com Asia Pacific Headquarters Tokyo, Japan Tel: info_apac@postini.com Copyright 2006 Postini, Inc. All rights reserved. WP Postini, the Postini logo and Postini Perimeter Manager are registered trademarks or service marks of Postini, Inc. PREEMPT is a trademark of Postini, Inc. All other trademarks listed in this document are the property of their respective owners. 7