Volume 1, Issue 1
April 18, 2006
Risk # 3: Bypassing Anti-Virus Gateways
Most organizations implement anti-virus (AV) gateways as a preventive measure against virus infections; however, unlike e-mail, IM applications bypass these gateways because they communicate directly with the desktop, so infected files riding on IM can slip past the gateway's AV scanners. Unless the desktops have active scanning and updated signatures, IM can easily introduce viruses, worms and Trojans to the network. In addition, if remote workstations do not run the firm's supported operating systems, it is unlikely that adequate AV is in place or that the vendor is contracted to provide regular updates. Desktop anti-virus is therefore the last line of defense against such malicious code.
Examples of Attacks:
⇒ W32.Choke Worm - This worm uses the MSN Messenger Service program to replicate; it is the second worm known to do so. The worm itself does nothing more than replicate, and if it is executed on a computer that does not have MSN Messenger installed, it simply remains resident in memory without replicating.
⇒ W95.SoFunny.Worm@m - A password-stealing Trojan horse that has worm capabilities; it targets AOL Instant Messenger users and is distributed as Sofunny.exe or Love.exe.
⇒ W32.Goner.A@mm Worm - A mass-mailing worm that is written in Visual Basic and spreads using the ICQ IM.
⇒ W32.Led - A mass-mailing worm that propagates itself through Microsoft Messenger.
⇒ W32.HLLP.VB.14336.C - A worm that spreads using MSN Messenger under the file name Black Hat.exe. The worm appears to originate from Sweden, and the only thing it does is attempt to spread using MSN Messenger.
⇒ W32.Kelvir.BA - A worm that attempts to spread W32.Spybot.OFN to all MSN Messenger contacts on the compromised computer through MSN Messenger. This network-aware worm has distributed denial of service and back door capabilities.
⇒ Backdoor.Doyorg - A back door Trojan that allows unauthorized remote access. The Trojan may arrive via an instant message received in AOL Instant Messenger (AIM).
Risk # 4: Unencrypted Communications
Most instant messaging applications do not encrypt messages as they travel from client to server and on to other clients. Security controls that require authentication credentials and log session data are critical to mitigating those risks. While some non-standard IM applications protect the authentication credentials, few protect the session. As a result, eavesdroppers can read the transmitted information, which can have serious consequences if proprietary or other confidential data is transmitted.
Another concern with unencrypted sessions is identity theft. Because IM sessions can be started while impersonating other 'buddies', there is no assurance that an IM sender is who he purports to be, and there is a very real risk that recipients of such messages might be duped into unknowingly revealing personal or private information.
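To make the eavesdropping point concrete, here is an added example that is not part of the newsletter: a short Python parser that pulls message bodies out of a captured plaintext IM stream and flags the ones carrying credentials or card numbers, which is exactly what an eavesdropper on the wire (or a data-loss filter on the gateway) can do when the session is not encrypted. The frame layout is modelled on the MSN Messenger switchboard "MSG" command (sender, nickname, payload length, then MIME headers and body) but is a simplified assumption for this example, and the stream, the accounts and the card number are all constructed.

```python
import re
from typing import List, Tuple

# --- constructed sample capture -------------------------------------------
# Framing is modelled on the MSN Messenger switchboard "MSG" command
# (sender, nickname, payload length, then MIME headers, blank line, body).
# It is a simplified assumption for this example, not a protocol
# implementation; every account and message in the stream is made up.
def _frame(sender: str, nick: str, payload: bytes) -> bytes:
    return f"MSG {sender} {nick} {len(payload)}\r\n".encode("ascii") + payload

_TEXT = b"MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n"
_TYPING = (b"MIME-Version: 1.0\r\nContent-Type: text/x-msmsgscontrol\r\n"
           b"TypingUser: alice@example.com\r\n\r\n\r\n")

SAMPLE_STREAM = (
    b"JOI alice@example.com Alice\r\n"
    + _frame("alice@example.com", "Alice", _TYPING)
    + _frame("alice@example.com", "Alice", _TEXT + b"The VPN password is Summer2006")
    + b"JOI bob@example.com Bob\r\n"
    + _frame("bob@example.com", "Bob",
             _TEXT + b"Card on file: 4111 1111 1111 1111, exp 09/08")  # well-known test number
    + b"BYE alice@example.com\r\n"
)

def parse_messages(stream: bytes) -> List[Tuple[str, str]]:
    """Return (sender, body) for every text/plain MSG frame in a plaintext stream.

    Nothing here decrypts anything: whoever sees the packets can read the
    conversation, which is the whole point of the example.
    """
    messages: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(stream):
        eol = stream.find(b"\r\n", pos)
        if eol == -1:
            break
        line = stream[pos:eol].decode("utf-8", "replace")
        pos = eol + 2
        parts = line.split(" ")
        if parts[0] != "MSG" or len(parts) < 4:
            continue  # other commands carry no payload in this simplified framing
        sender, length = parts[1], int(parts[3])
        payload = stream[pos:pos + length]
        pos += length
        headers, _, body = payload.partition(b"\r\n\r\n")
        content_type = ""
        for header in headers.split(b"\r\n"):
            name, _, value = header.partition(b":")
            if name.strip().lower() == b"content-type":
                content_type = value.strip().decode("ascii", "replace").lower()
        if content_type.startswith("text/plain"):  # skip typing notifications etc.
            messages.append((sender, body.decode("utf-8", "replace")))
    return messages

# Patterns an eavesdropper (or a DLP filter) would look for in the clear text.
SENSITIVE = {
    "credential": re.compile(r"\bpassword\b", re.IGNORECASE),
    "card_number": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),  # 13-16 digits, optional separators
}

def flag_sensitive(messages: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (sender, [kinds]) for each message that contains sensitive data."""
    findings = []
    for sender, body in messages:
        kinds = sorted(kind for kind, rx in SENSITIVE.items() if rx.search(body))
        if kinds:
            findings.append((sender, kinds))
    return findings

if __name__ == "__main__":
    found = parse_messages(SAMPLE_STREAM)
    for sender, body in found:
        print(f"{sender}: {body}")
    for sender, kinds in flag_sensitive(found):
        print(f"sensitive ({', '.join(kinds)}) from {sender}")
```

Run it and both conversations print verbatim, with the VPN password and the card number flagged; the same parser pointed at a real capture of a session that protects only the login would produce the same kind of output, which is why protecting the credentials but not the session buys little.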
Risk # 5: Hyperlink Security Lapses and Phishing
Instant messages may contain hyperlinks for free offers, phishing attacks and other downloads that, when clicked, provide a way for viruses to enter the corporate network. Instant message attachments cannot be easily scanned with common anti-virus software prior to execution. In addition, a virus can be disguised as another file type (e.g. music or pictures) that, once downloaded, can wreak havoc on your network. Finally, IM text, including potentially confidential information, can be readily viewed over the Internet.
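The extension-versus-content and hyperlink checks a desktop-side IM filter would run, as an added example covering both the disguised-file point above and the files-slipping-past-gateway-scanners point in Risk #3; this is illustrative code written for this page, not from the newsletter or any vendor product. The magic numbers are the standard ones for each format; the file names, bytes and URLs are constructed, and the set of extensions treated as executable is a judgement call, not a complete list.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Magic numbers for the "harmless" types an IM attachment commonly claims to be.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    "pdf": (b"%PDF-",),
}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")  # Windows PE / Unix ELF headers
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}  # judgement call

def check_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons an IM file transfer should be blocked (empty list = allow)."""
    reasons = []
    exts = filename.lower().split(".")[1:]
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXT:
        reasons.append(f"executable extension .{final}")
    if len(exts) >= 2 and exts[-2] in MAGIC:  # "photo.jpg.exe" style disguise
        reasons.append(f"double extension .{exts[-2]}.{final} disguises the file as .{exts[-2]}")
    if data.startswith(EXECUTABLE_MAGIC):  # trust the bytes, not the name
        reasons.append("content starts with an executable header (MZ/ELF)")
    if final in MAGIC and not data.startswith(MAGIC[final]):
        reasons.append(f"content does not match the claimed .{final} type")
    return reasons

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def check_links(text: str) -> List[Tuple[str, List[str]]]:
    """Extract hyperlinks from message text; return (url, reasons) for the suspicious ones."""
    suspicious = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        host = parts.hostname or ""
        reasons = []
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            reasons.append("host is a raw IP address")
        if parts.username is not None:  # http://trusted.name@real.host/ phishing trick
            reasons.append(f"userinfo '{parts.username}' hides the real host {host}")
        tail = parts.path.rsplit(".", 1)[-1].lower() if "." in parts.path else ""
        if tail in EXECUTABLE_EXT:
            reasons.append(f"link downloads an executable (.{tail})")
        if reasons:
            suspicious.append((url, reasons))
    return suspicious

# Constructed samples: a PE stub, a PNG header and three made-up IM messages.
EXE_BYTES = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
SAMPLE_ATTACHMENTS = [("holiday.jpg.exe", EXE_BYTES), ("song.mp3", EXE_BYTES), ("logo.png", PNG_BYTES)]
SAMPLE_MESSAGES = [
    "lol check this out http://203.0.113.5/pics/photo.jpg.exe",
    "Your account will be closed, verify now: http://www.bank.example.com@phish.example/login",
    "meeting notes are at https://intranet.example.com/notes.pdf",
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        verdict = check_attachment(name, data)
        print(f"{name}: {'BLOCK ' + '; '.join(verdict) if verdict else 'allow'}")
    for msg in SAMPLE_MESSAGES:
        for url, why in check_links(msg):
            print(f"suspicious link {url}: {'; '.join(why)}")
```

The attachment check deliberately does not rely on the gateway: it runs where the file actually lands, and it blocks "song.mp3" on its MZ header even though the name looks harmless. The link check catches the two tricks the paragraph describes (a download dressed up as a picture and a "verify your account" URL whose visible bank name is only the userinfo part) without any signature database.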
Risk # 6: Social Engineering
Instant messaging services are also a prime conduit for social engineering attacks. These attacks, whose objective is to trick people into divulging information that can be used to circumvent normal security procedures, can take the form of persuading victims to download and execute malicious software that allows entry into the network, turns the machine into a zombie attack platform for launching denial-of-service attacks, or establishes back-door network tunnels that bypass firewalls and other filtering devices. Once an unsuspecting user executes the malicious software, their system is co-opted by the perpetrator for use as an agent resident on the trusted side of the network.
To be continued ……………………….