Prodigy

Threat Increases From IM-Based Attacks

A study released today by instant messaging security vendor IMlogic reported that hackers and virus writers are recognizing and exploiting the opportunities presented by IM-based attacks, the numbers of which have risen sharply over the last two quarters.

The number of IM attacks such as viruses, worms, and phishing scams has increased from 20 for all of 2004 to 571 in the second quarter of 2005 alone, representing an increased threat to both enterprise users and the average consumer, the study said.

The study--performed by the IMlogic Threat Center with the support of IT security companies Symantec, McAfee, and Sybari, as well as IM leaders America Online, Yahoo, and Microsoft--reported that 70 percent of IM-based attacks target public IM networks and 30 percent target enterprises.

"IM usage has reached critical mass, and virus writers have now recognized it as a mostly undefended medium," said IMlogic Chief Executive Officer and cofounder Francis deSouza. "These [viruses and worms] are mutating, high-velocity, and invisible to most companies until they hit. All these factors combine to create a serious risk."

IMlogic sells products that protect against IM-based attacks, as do Akonix Systems and Trend Micro.

How Attacks Happen

IM attacks act much like e-mail worms and viruses, stealing information from the user's computer or turning that computer into a so-called zombie by tricking users into clicking on phony links or into opening malicious attachments. IM-based attacks can be even more threatening because people receive false instant messages from a name on their buddy list rather than a strange e-mail address, DeSouza said.

"Having an army of zombies is the economic equivalent of having an oil well," said analyst Alan Paller of SANS Institute. "The two most important things [for a user] to do are block all attachments on IM and to filter IM traffic so you only get it from trusted sites."

The Kelvir, Opanki, and Gabby worms were the most common in corporate environments, the study said.

Most IM Services Vulnerable

Some attacks are tailored to a specific user and appear to be, for instance, a highly personalized message. The study said that these attacks made up less than one percent of the recorded IM attacks. For the most part IM attackers aren't sophisticated enough to single out any one user, Paller said. However rare "targeted" attacks may be, Paller emphasized that they are the most dangerous.

The vast majority--86 percent--of reported attacks involved viruses or worms that capitalize on real-time protocols. The study showed that all of the most successful IM services--AOL Instant Messenger, MSN Messenger, Windows Messenger, and Yahoo Messenger--were vulnerable to and affected by IM attacks.

__________________

Prodigy

Zombie PCs: Silent, Growing Threat

Spam, worms spread malware to build a spam-bot army of unwitting recruits.

The seemingly endless spate of worm infestations over the last year has left something even more troubling in its wake: armies of zombie PCs that can be used to send spam, attack Web sites, and generally wreak havoc over the Internet.

Worms such as Sobig, MyDoom, and Bagle have been identified as containing malicious code (malware) that allows remote attackers to take over infected machines--while their victims are blithely oblivious.

Spreading Nasties

UK security firm Sophos estimates that 40 percent of spam is now sent by zombie machines. Sandvine, a network security firm, puts the figure at 80 percent. Distributed computing company Akamai blames zombie PCs for a denial of service attack that briefly blacked out sites like Google, Microsoft, and Yahoo in June. Reuters reports that British teen hackers are hiring out their zombie networks for around $100 an hour.

Besides relaying spam and launching DOS attacks, a zombie machine can be used to send phisher scams, spread viruses, download pornography, and steal personal information, says Carole Theriault, a Sophos security consultant.

"Basically, it is a complete invasion of privacy that can leave you penniless, can have your computer send out all kinds of nasties to innocent computers, and as part of the collective--sorry for Star Trek terminology--contribute to the cyberhavoc going around," Theriault says.

Are You a Zombie?

Sophos estimates half a million zombie PCs are operating worldwide; other sources put the figure as high as two million. A recent Earthlink study hinted of widespread malware installations. Those numbers are likely to climb even further, says Steve Gibson, president of Gibson Research Corporation and well-known PC security guru.

"There's a tremendous incentive for hackers to infect other people's PCs," Gibson says. "They don't care about your financial records, letters to your mother, or pictures of your family album. All that machine represents is bandwidth they can use for targeting other people."

Determining whether your PC is a zombie isn't always easy, says Fred Felman, vice president of marketing for Zone Labs, a San Francisco security software maker. Symptoms can include a suddenly sluggish broadband connection, excessive hard drive activity, an unresponsive mouse or keyboard, or bounce notifications in your inbox from people you never tried to contact. Yet you could show all of these symptoms and still not be infected.

Experts agree that you can reduce your risk by installing a personal firewall and antivirus software, and keeping your Windows Updates up to date. Yet most home users remain woefully unprotected. A study conducted in May 2003 by the National Cyber Security Alliance found that two-thirds of home users did not have a properly configured firewall.

Last summer Microsoft released XP Service Pack 2, which features a beefed-up firewall and other security enhancements designed to reduce remote access to PCs. But Gibson fears widespread adoption of SP2 will cause new problems by creating a single point of attack for malware to defeat.

Good Fences, Good Neighbors

Even security-savvy users are at risk. Zone Labs' Felman says his own notebook was infected by the Sasser worm while he was attempting to uninstall one firewall and install another. He says users need to take a neighborhood-watch approach to fighting malware.

"We're all responsible for looking out for weird behavior in airports and our neighborhoods; we should also be looking out for weird behavior on the network," he says. "And we need to start by looking at our own machines."

__________________