MVP-HELP for Windows

...where you can have fun AND be secure


Windows Security Checklist - Part 8: IM Insecure

Posted on July 8, 2011 at 4:02 PM

by Larry Stevenson, aka Prince_Serendip, (former) CastleCops Staff Writer

Revised and republished: June 8, 2011

-

This article was first published on January 16, 2005. It's been six years, and not that much has changed in the instant messaging game. It's still insecure, and many of the tips and techniques provided then are just as useful now.

-

IM Insecure

-

Instant messaging allows you to know when your friends are online and send them messages in real-time. It's a great way to keep in touch with friends, family and business associates. It is one of the fastest-growing and largest segments on the Internet. Instant messaging, or just IM, makes it easy and fun to keep in touch. As with any other activity on the Internet, pitfalls and dangers await the unwary. How can you use Instant Messages while still maintaining your privacy and security?

-

IM Threatened

-

Instant messenger server networks provide the ability to transfer text, voice, video messages and files. Thus, instant messages can transfer worms, viruses, trojans and spyware, otherwise known collectively as malware. IMs can also provide an access point for backdoor trojan horses. Cyber-criminals can use IMs to gain backdoor access to computers without opening a listening port, effectively bypassing the firewall. Finding victims does not require scanning unknown IP addresses; the attacker simply selects them from an up-to-date directory of Buddy Lists. In addition to file transfers, all the major instant messenger networks support peer-to-peer (P2P) file sharing, where one can share a directory or an entire drive. This means that all the files on a computer can be shared using the IM application, thus leading to the spread of files that are infected with malware. This also makes information being shared by IMs available for unauthorized viewing.

-

IM Wormy

-

Worms not only travel by email but also through instant messages. These threats can be dealt with by effective gateway (firewall) monitoring and by installing desktop antivirus protection. Be sure that the antivirus is set to maximum protection, and use the heuristics if you use Instant Messengers.

-

The way in which these worms replicate varies. Some of the worms spread by both email and instant messaging. Others spread only via IM. As more IM users become aware of the threats and how to prevent them, the success of these worms can be significantly reduced.

-

IM Backdoor Trojans

-

One can share every file on another computer using an instant messenger. All the popular instant messengers have file sharing capabilities, or can add them by applying patches or plug-ins. As the instant messaging applications allow peer-to-peer file sharing, a trojan horse can configure the instant messaging application to share all files on the system with full access to everyone, and in this way gain backdoor access to the computer. The benefit for a cyber-criminal using an instant messenger to access files on a remote computer, instead of installing a backdoor trojan horse, is that even if the computer is using a dynamic IP address, the login name will probably never change. The cyber-criminal will also get a notification each time the victim computer is on-line. Keeping track of and accessing infected computers is very easy for the cyber-criminals. They do not need to open new suspicious ports for communication, but can use already open instant messaging ports.

-

Trojan horse programs exist that target instant messaging. Some modify configuration settings so file sharing is enabled for the entire hard drive. These types of trojans pose a large threat, as they allow anyone full file access to the computer. Trojans need you to install them, by clicking on a link, or downloading and installing something right away. Viruses and worms don't need you to infect your machine.

-

Classic backdoor trojan horses can use instant messengers to send messages to the author of the trojan, giving the cyber-criminal information about the infected computer. The cyber-criminal can harvest system information, cached passwords, and the IP address of the infected computer. In addition, the cyber-criminal can send messages to the infected computer via IM instructing it to perform some unauthorized action.

-

Backdoor trojan horses that allow access to the computer by using instant messenger applications may be harder to prevent than classic backdoor trojans. Classic backdoor trojans open a new listening port on the computer, forming a connection with a remote machine. This can be blocked by a desktop firewall. If the trojan operates via the instant messaging application, it does not open a new port. The users have already created an "allow rule" in their desktop firewall products for instant messaging traffic to be outbound from their machines, thereby allowing backdoor trojan horses using the same channels to go unblocked. The number of backdoor trojan horses using instant messengers is increasing steadily.

-

IM Hijackings and Impersonations

-

Cyber-criminals can impersonate other users in many different ways. The most frequently used attack is simply stealing the account information of an unsuspecting user.

-

To get the account information of a user, the cyber-criminal can use a password-stealing trojan horse. If the password for the instant messaging application is saved on the computer, the attacker could send a trojan to an unsuspecting user. When executed, the trojan would find the password for the IM account used by the victim and send it back to the cyber-criminal. The means for sending back the information varies. They include using the instant messenger itself, IRC, and email.

-

Since most of the major instant messaging protocols don't encrypt their network traffic, attackers can hijack connections via middleman attacks. By inserting messages into an ongoing chat-session, a cyber-criminal can impersonate one of the chatting parties.

-

Though more difficult, one can also hijack the entire connection by using a middleman attack. For example, a disconnect message, which appears to come from the server, can be sent to the victim from the cyber-criminal. This will cause the application to disconnect. The cyber-criminal can also use a simple denial of service exploit to keep the application disconnected.

-

Since the server keeps the connection open and does not know that the application has been disconnected, the cyber-criminal can then impersonate the victim.
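The hijack described above works because neither party can tell a forged or injected message from a genuine one. The following is an added example written for this article, not code from the original post or from any real IM protocol: it shows how a client can reject forged control messages (such as a fake disconnect) and replayed messages when the server authenticates every frame with an HMAC under a per-session key. The key, the frame format, the message types and the sequence-number rule are all constructed for the illustration.

```python
import hashlib
import hmac
import json

# Constructed per-session key; a real client would derive it during login.
SESSION_KEY = b"constructed-session-key-for-illustration"
# A key an outsider might use; it is not the session key, so its tags never verify.
OTHER_KEY = b"constructed-key-that-is-not-the-session-key"


def sign_frame(msg, key):
    """Serialise a control message canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(msg, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def verify_frame(frame, key):
    """Return the parsed message if the tag is valid for this session, else None."""
    expected = hmac.new(key, frame["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, frame.get("mac", "")):
        return None
    return json.loads(frame["body"])


class Client:
    """Minimal IM client that only honours authenticated, in-sequence frames."""

    def __init__(self, key):
        self.key = key
        self.connected = True
        self.next_seq = 1          # strictly increasing sequence numbers stop replays
        self.log = []

    def handle(self, frame):
        msg = verify_frame(frame, self.key)
        if msg is None:
            return "rejected: bad mac"
        if msg.get("seq") != self.next_seq:
            return "rejected: out of sequence"
        self.next_seq += 1
        if msg["type"] == "disconnect":
            self.connected = False
            return "disconnected by server"
        self.log.append(msg.get("text", ""))
        return "ok"


def scenario():
    """Run four constructed frames through the client and report what happened."""
    client = Client(SESSION_KEY)
    results = []
    # 1. A genuine chat message from the server, in sequence.
    results.append(client.handle(sign_frame({"seq": 1, "type": "chat", "text": "hello"}, SESSION_KEY)))
    # 2. A disconnect frame tagged with the wrong key: the tag does not verify.
    results.append(client.handle(sign_frame({"seq": 2, "type": "disconnect"}, OTHER_KEY)))
    # 3. A replayed copy of the genuine first message: valid tag, stale sequence number.
    results.append(client.handle(sign_frame({"seq": 1, "type": "chat", "text": "hello"}, SESSION_KEY)))
    # 4. The real server's next message is still accepted.
    results.append(client.handle(sign_frame({"seq": 2, "type": "chat", "text": "still here"}, SESSION_KEY)))
    return results, client.connected, client.log


if __name__ == "__main__":
    print(scenario())
```

The check that matters is the MAC comparison: without the session key, a frame with the right shape is still rejected, so a disconnect notice only counts if it really came from the server. The exact-sequence rule is deliberately strict; a production protocol would also need to handle lost frames and renegotiate the key.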

-

IM Encrypted

-

Stolen account information for any instant messenger can obviously be very damaging. Because the cyber-criminals can use this information to disguise themselves as trusted users, the people on the victim's Buddy Lists will trust the cyber-criminals and may share confidential information or execute malicious files. Losing a password for an instant messenger account can be dangerous for more people than just the user who lost it.

-

To mitigate these kinds of problems you can share encrypted instant messages using products such as Trillian, IMsecure by ZoneLabs, Meebo, and Pidgin. All are free or have freeware versions.

-

IM In-Denial

-

Instant messaging can make a computer vulnerable to denial of service (DoS) attacks. These attacks may have different end results: some DoS attacks make the instant messenger application crash, others will make it hang, and consume a large amount of CPU resources, causing the entire computer to become unstable.

-

Cyber-criminals have many ways to cause a denial of service on an instant messenger program. One common type of attack is flooding a particular user with a large number of messages. The popular instant messaging applications contain protection against flood-attacks by allowing the victim to ignore certain users. However, there are many tools that allow the cyber-criminal to use many accounts simultaneously, or to automatically create a large number of accounts to accomplish the flood-attack. Adding to this is the fact that once the flood-attack has started, and the victim realizes what has happened, the computer may become unresponsive. Putting the attacking user accounts on the ignore list of the IM program may be very difficult.
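The flood problem just described can be turned into a concrete client-side check. The following is an added example written for this article, not code from the original post or from any IM client; the message streams, account names and limits are constructed. It shows why a per-sender ignore list alone is not enough once the flood is spread across many accounts, and how a second, global inbound limit keeps the client responsive until the user can react.

```python
from collections import defaultdict, deque

# Constructed sample streams: (timestamp in seconds, sender, text). Not real traffic.
QUIET_START = [(0.0, "alice", "hi"), (0.5, "bob", "hello")]
# One account sends 100 messages in a second.
SINGLE_ACCOUNT_FLOOD = QUIET_START + [
    (1.0 + i * 0.01, "spammer", "x" * 500) for i in range(100)
]
# 25 throwaway accounts send 20 messages each, staying under the per-sender limit.
MULTI_ACCOUNT_FLOOD = QUIET_START + [
    (1.0 + i * 0.01, f"flood{i % 25}", "x" * 500) for i in range(500)
]


class FloodGuard:
    """Two-level flood protection: a per-sender limit (the classic 'ignore' list)
    plus a global inbound limit that catches floods spread across many accounts."""

    def __init__(self, per_sender_limit=20, global_limit=100, window=10.0):
        self.per_sender_limit = per_sender_limit
        self.global_limit = global_limit
        self.window = window                 # sliding window, in seconds
        self.per_sender = defaultdict(deque)  # sender -> recent timestamps
        self.all = deque()                    # all recent inbound timestamps
        self.ignored = set()                  # senders auto-added to the ignore list

    def _trim(self, dq, now):
        """Drop timestamps that have fallen out of the sliding window."""
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def accept(self, ts, sender):
        """Return True if the message should be shown, False if it is dropped."""
        if sender in self.ignored:
            return False
        dq = self.per_sender[sender]
        self._trim(dq, ts)
        self._trim(self.all, ts)
        dq.append(ts)
        self.all.append(ts)
        if len(dq) > self.per_sender_limit:
            self.ignored.add(sender)          # classic per-user ignore
            return False
        if len(self.all) > self.global_limit:
            return False                      # too much inbound traffic overall
        return True


def run(messages, **limits):
    """Feed a message stream through a FloodGuard; return (delivered, dropped, ignored)."""
    guard = FloodGuard(**limits)
    delivered = dropped = 0
    for ts, sender, _text in messages:
        if guard.accept(ts, sender):
            delivered += 1
        else:
            dropped += 1
    return delivered, dropped, sorted(guard.ignored)


if __name__ == "__main__":
    print("single account:", run(SINGLE_ACCOUNT_FLOOD))
    print("many accounts: ", run(MULTI_ACCOUNT_FLOOD))
```

With the single-account flood the per-sender rule fires after 20 messages and the account lands on the ignore list. With the multi-account flood no individual account ever trips that rule, which is exactly the weakness the article points out; only the global cap keeps the client from drowning in the remaining 400 messages.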

-

Even though denial of service attacks are more of an annoyance than they are dangerous, they can be used in combination with other attacks, such as the hijacking of a connection.

-

IM Not Keeping Secrets

-

Information disclosure could occur without the use of a trojan horse. When the data that is being transmitted over the instant messaging network is not encrypted, a network sniffer, which can sniff data on most types of networks, can be used to capture the instant messaging traffic. By using a sniffer, a cyber-criminal could sniff the packets from an entire IM chat session. This can be very dangerous, as they may gain access to privileged information. This is particularly perilous in the corporate environment, in which proprietary or other confidential information may be transmitted along the IM network.

-

IM Keeping Secrets

-

Most instant messaging applications allow all communications to be saved in log-files. Even though this is a feature that is often requested and required by businesses, it can be very dangerous to keep logs, as the logs may include sensitive data. This was made evident in a case where a cyber-criminal stole logs from an IM application belonging to the CEO for a company. The cyber-criminal posted the logs to several places on the Web, creating one of the worst possible corporate nightmares. The logs included sensitive company data regarding business partners, employees and affiliate websites. After the posting of the logs, several members of their senior staff resigned.

-

This case shows how dangerous it can be if a cyber-criminal is able to monitor IM sessions. Even though the log-files were stolen in this case, sniffing the data-packets could have caused the same damage. Encrypted IM chat and log files would have helped prevent this catastrophe. Storing sensitive files and chat logs in an application such as My Lockbox is a step towards worry-free computing. It comes in both free and paid versions.

-

Blocking IM: Forget it

-

The most effective way of preventing instant messaging is to deny it access to the network in the first place. In practice, though, preventing the use of instant messaging is difficult. Simple port-blocking firewalls will not be effective because IM applications can use common destination ports such as HTTP port 80 and FTP port 21. Most of the IM applications will auto-configure themselves to use other ports if the default port is blocked.

-

Firewalls with protocol analysis may prevent instant messaging applications from communicating via common destination ports, such as port 80, because instant messaging traffic is different from HTTP traffic. However, the latest versions of all the various IM applications embed the traffic data within an HTTP request, bypassing protocol analysis.
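The three filtering stages described in the two paragraphs above (port blocking, protocol analysis, and IM tunneled inside HTTP) can be shown side by side on a few sample flows. The following is an added example written for this article, not code from the original post or from any firewall product. The IM service, its default port 5190 and its "IMHELLO" handshake, the sample flows and the gateway hostname are all constructed. The example goes one step beyond the article by adding a third, host-aware policy, since checking the HTTP Host header is the usual way to catch the tunneled case the article says defeats plain protocol analysis.

```python
import re

# Constructed values: an imaginary IM service with default port 5190 whose
# handshake begins with "IMHELLO", and one known IM gateway hostname.
IM_PORTS = {5190}
IM_GATEWAY_HOSTS = {"chat.example.net"}

HTTP_REQUEST_LINE = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

# Constructed sample flows: name -> (destination port, first bytes sent by the client)
SAMPLE_FLOWS = {
    "web_browsing": (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "im_default_port": (5190, b"IMHELLO user=alice\r\n"),
    "im_moved_to_port_80": (80, b"IMHELLO user=alice\r\n"),
    "im_tunneled_in_http": (80, b"POST /im/bind HTTP/1.1\r\nHost: chat.example.net\r\n"
                                b"Content-Type: application/octet-stream\r\n\r\n"
                                b"IMHELLO user=alice\r\n"),
}


def looks_like_http(payload):
    """True if the payload starts with a well-formed HTTP request line."""
    return HTTP_REQUEST_LINE.match(payload) is not None


def http_host(payload):
    """Extract the Host header value (lower-cased) from an HTTP request, or None."""
    m = re.search(rb"\r\nHost:[ \t]*([^\r\n]+)\r\n", payload)
    return m.group(1).decode("ascii", "replace").strip().lower() if m else None


def policy_port_block(port, payload):
    """Stage 1: a simple port-blocking firewall."""
    return "block" if port in IM_PORTS else "allow"


def policy_protocol_analysis(port, payload):
    """Stage 2: port blocking plus a check that port-80 traffic really is HTTP."""
    if port in IM_PORTS:
        return "block"
    if port == 80 and not looks_like_http(payload):
        return "block"
    return "allow"


def policy_host_aware(port, payload):
    """Stage 3: protocol analysis plus a Host-header check against known IM gateways."""
    if policy_protocol_analysis(port, payload) == "block":
        return "block"
    if port == 80 and http_host(payload) in IM_GATEWAY_HOSTS:
        return "block"
    return "allow"


def evaluate(policy, flows=SAMPLE_FLOWS):
    """Apply one policy to every sample flow; returns name -> 'allow' | 'block'."""
    return {name: policy(port, payload) for name, (port, payload) in flows.items()}


if __name__ == "__main__":
    for policy in (policy_port_block, policy_protocol_analysis, policy_host_aware):
        print(policy.__name__, evaluate(policy))
```

Port blocking stops only the flow on the IM default port. Protocol analysis also stops the raw IM handshake that was moved to port 80, but waves through the copy wrapped in a valid HTTP POST. The host-aware policy catches that one too, with the obvious limits: it depends on the gateway list being current, and it needs the Host header in the clear, so it does not help once the client tunnels over HTTPS.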

-

IM Security

-

Securing instant messaging is not a difficult task. One of the best ways to secure the information being transmitted along an IM network is to encrypt it. There are currently many companies that offer encrypted instant messaging communication. IM encryption applications are available, four of which are noted above. If P2P file transfer via the instant messaging network is not required, then disable it. A comparison and list of all IM applications can be seen in Wikipedia's Comparison of IM Clients.

-

Cyber-criminals generally target specific computer systems, so they are not the biggest threat for any IM network as a whole. However, worms are non-discriminating and target all the computer systems of a particular network. They appear to pose the biggest threat for the future. We have seen worms that use security exploits, becoming widespread in a very short period of time.

-

The number of worms for instant messaging is increasing each year, and looking at the success of some of these worms, clearly instant messaging is a primary platform for malicious threats. Many exploits are available for the various IM applications. Computer professionals and users alike need to be aware of the security issues involved with instant messaging. The best way to ensure the security of IM services is to educate users to the risks involved and the means of mitigating those risks.

-

Basic good security for instant messaging can be obtained, even for free.

-

Use a reputable antivirus such as Avira AntiVir Personal Edition (when you install it you will be asked to install the Ask Toolbar and/or WebGuard; it's up to you, but you may not need them. See the Beefs and Bouquets heading of this site for more info). Most antivirus applications can handle the more popular trojans and worms.

-

MBAM: Detect and remove spyware and trojans using Malwarebytes Anti-Malware. The free version works only as an on-demand malware scanner and remover. The Pro version comes with realtime scanning and removal, which can be important to users of IM.

-

MSMVP HOSTS: Please refer to the previous article (part 7) for more info. The HOSTS file can block any address, with or without a browser. It can protect you from clicking on links to malware sites in IM.
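To see why a HOSTS file protects any application on the machine, not just the browser, it helps to walk through what happens when a link from an IM window is resolved. The following is an added example written for this article, not code from the original post and not the MVPS HOSTS list itself; it reads a small constructed HOSTS file, then reports whether a given URL would be sent to a blackhole address before any connection is made. The sample entries and hostnames are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed HOSTS file content, in the format Windows reads from
# %SystemRoot%\System32\drivers\etc\hosts. Not the real MVPS list.
SAMPLE_HOSTS = """\
# Comments and blank lines are ignored.
0.0.0.0     ads.tracker-example.test
0.0.0.0     dl.badstuff.test        # trailing comments are allowed
0.0.0.0     www.badstuff.test
"""

# Address the sample list points blocked names at. Older lists use 127.0.0.1
# instead; if you adopt one, add it here but keep 'localhost' out of the check.
BLACKHOLE_ADDRESSES = {"0.0.0.0"}


def parse_hosts(text):
    """Return {hostname: address} for every entry in a HOSTS-format file."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:                    # one line may list several names
            table[name.lower()] = address
    return table


def is_blocked(url, hosts_table):
    """True if the URL's hostname is pinned to a blackhole address by the HOSTS file."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return False          # a raw IP address never touches name resolution
    except ValueError:
        pass
    return hosts_table.get(host.lower()) in BLACKHOLE_ADDRESSES


def check_links(urls, hosts_text=SAMPLE_HOSTS):
    """Map each URL to whether the HOSTS file would blackhole it."""
    table = parse_hosts(hosts_text)
    return {url: is_blocked(url, table) for url in urls}


if __name__ == "__main__":
    for url, blocked in check_links([
        "http://dl.badstuff.test/setup.exe",
        "https://WWW.BADSTUFF.test/login",
        "http://badstuff.test/",
        "http://192.0.2.10/setup.exe",
    ]).items():
        print("blocked" if blocked else "allowed", url)
```

Two of the results show the limits a practitioner should keep in mind: HOSTS matching is by exact hostname, so `badstuff.test` is not covered by an entry for `www.badstuff.test`, and a link that points straight at an IP address bypasses the HOSTS file entirely because no name is ever resolved.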

-

Windows Firewall or better

-

IMsecure by Zonelabs

-

Trillian

-

More about Meebo and Pidgin can be discovered at How to Encrypt Your Instant Messaging Chats by Tim Watson.

-

If you need further help with anything here, then come see us at SpywareHammer.

-

-

Best regards and always take care of your security.

Categories: Security Articles


4 Comments

Ken
8:23 AM on July 20, 2011
Great informative article(s)! My congratulations on a well thought out and informative site!

Lyle Frink
5:43 PM on July 21, 2011
Hello Larry. I have a question about your Rootkits for Dummies book. Are you going to do a refresh? I'm with AVAST Software in the Czech Republic and was curious.

mvp-help
12:04 AM on July 22, 2011
Thank you Ken! As to Lyle's question, to the best of my knowledge Wiley Publishing Ltd. has no plans to provide an updated edition of Rootkits For Dummies.

mvp-help
2:46 AM on July 22, 2011
I should add here that the two co-authors of Rootkits For Dummies, and many of the researchers who helped develop it, are at SpywareHammer.