[ISN] Viruses wiggle into IM chats

From: InfoSec News (isnat_private)
Date: Wed Aug 15 2001 - 00:49:43 PDT

    By Jim Hu
    Staff Writer, CNET News.com
    August 14, 2001, 12:45 p.m. PT

    Corey Bates was chatting on his MSN Messenger recently when his high
    school buddy Trey sent him a winking-face icon. Then Trey sent him
    another icon. Then another.

    Bates, an 18-year-old who will start his freshman year at Oklahoma
    University this month, knew it was uncharacteristic of Trey to flood
    him with winking faces--a popular "emoticon" used to color text-based
    IM conversations. His suspicions grew when the alias
    "george.w.bushat_private" suddenly flashed on his screen along
    with an invitation to accept an attached file called "choke.exe."

    Unlike his friend, who obviously had been bitten by a virus, Bates
    knew better than to accept it.

    "I was like, 'What the heck? Something is wrong,'" Bates said in an IM
    exchange with CNET News.com on Monday.

    Having long targeted e-mail with sometimes devastating effects, virus
    and worm creators are setting their sights on IM services. Infected
    files, for example, have been burrowing their way slowly through
    Microsoft's MSN Messenger network over the past few months.

    Discovered by virus hunters in late June, the so-called Choke worm
    marked the second attack aimed at MSN Messenger in as many months. In
    May, the service was struck by the W32/Hello worm. Security experts
    said they are as yet unaware of any virus attacks that might have
    targeted AOL Time Warner's AOL Instant Messenger (AIM) and ICQ or
    Yahoo's Yahoo Messenger.

    Virus writers in search of the biggest bang for their bugs have
    targeted various types of networks, including peer-to-peer file
    exchanges and wireless Web systems. None have proven as effective as
    e-mail, however, where some viruses have rapidly gained the force of
    an avalanche through large corporate e-mail systems. Once a virus is
    activated, it can shoot itself out to everybody in a victim's address
    book, leading to an exponential growth rate.

    IM viruses discovered so far have been relatively innocuous compared
    with virulent e-mail-borne infections such as the Love Bug, Anna
    Kournikova and Melissa.

    "E-mail is still the most effective way to get viruses around," said
    Richard Smith, chief technology officer of the Privacy Foundation.

    Nevertheless, some computer security experts say it is only a matter
    of time before similar outbreaks plague IM services.

    Already, millions of people on the Internet communicate through
    instant messengers, which let people exchange text messages in real
    time and have become some of the most popular features on the

    Corporate acceptance?

    Instant messaging has yet to gain an official foothold in many
    corporations, but that is likely to change. For example, Microsoft's
    upcoming Windows XP operating system will add new features to its
    instant messenger that may be attractive to corporations, such as
    document sharing and video conferencing.

    "As more people migrate to XP, there is an increased risk because it
    becomes an attractive element for a virus writer," said Vincent
    Gullotto, the senior director of McAfee's Avert group.

    In addition, computer security experts said they are particularly
    concerned because few defenses have been developed to protect IM
    networks from viruses.

    "One of the interesting aspects of instant messaging viruses is most
    antivirus products don't necessarily stop them," said Elias Levy,
    chief technical officer of SecurityFocus.com. "There are antivirus
    products that attempt to detect e-mail messages, but I don't know of
    any that will support instant messaging protocols."

    Microsoft urges defense

    In response to the Choke worm and other potential viruses sent through
    its IM systems, Microsoft believes the user is the first line of

    Like other viruses propagated through e-mail, Choke is contained in an
    attachment. Once opened, Choke can send itself out to people on one's
    MSN Messenger buddy list, increasing the chances that someone else
    will open an infected file and repeat the cycle.

    That means people can prevent its spread with a little common
    sense--for example, by treating attachments sent by strangers with

    "An MSN Messenger user needs to go through a few steps, which include
    warning messages, in order to receive and download the file," said
    Sarah Lefko, an MSN product manager. "Then, the user would have to
    actually double click and execute the file itself in order to
    propagate the virus."

    Lefko said Microsoft has issued an alert on its MSN Messenger site.

    MSN's service competes with the two largest IM services, AIM and ICQ,
    which are owned by AOL Time Warner. That company's America Online
    service, which runs the instant messengers, has been the target of
    hackers and scammers trying to steal passwords and credit card

    A spokesman from the company's AOL division said security measures are
    used for the IM services but would not go into detail for fear of
    tipping off virus writers. Since e-mail and instant messaging run on
    separate systems, AOL must develop separate security measures.

    "Both systems have security measures built into them," said Andrew
    Weinstein, an AOL spokesman. "But the systems are obviously designed
    for the needs of each product."

    For now, security experts appear to be hedging their bets, warning of
    the danger without predicting the imminent arrival of an IM Love Bug.

    "If history tells us anything, technologies used by many people can be
    used by other people on the fringes," said Steve Trilling, director of
    research at Symantec's antivirus research center. "From a security
    perspective, it's of immediate concern. But at this point it's
    difficult to say what sort of problem this will become down the road."