Windows Security Checklist - Part 8: IM Insecure
by Larry Stevenson, aka Prince_Serendip, CastleCops Staff Writer, January 16, 2005
No single application or technique can protect you 100%, but
you can get pretty close. When Windows users follow these
guidelines, their chances of being infected by malware drop almost
to zero. Now we begin our next installment of the
Windows Security Checklist - Part 8: IM Insecure.
It is not as complicated as it may first appear, although there is
a lot of information to absorb. The Security Experts, 1st Responders,
Special Response Team members and Host Consultants at CastleCops can
help you, if you have questions about any of these techniques or
featured applications.
IM Insecure
Instant messaging lets you know when your friends are online
and send them short messages in real time. It is a great way to keep in
touch with friends, family and business associates, and one of the
fastest-growing and largest segments of the Internet. Instant
messaging, or just IM, makes it easy and fun to keep in touch. As with
any other activity on the Internet, pitfalls and dangers await the
unwary. How can you use instant messengers while still maintaining
your privacy and security?
IM Threatened
Instant messenger server networks can transfer text, voice and
video messages, and files. Anything that transfers files can transfer
worms, viruses, trojans and spyware, and IMs can also provide an
access point for backdoor trojan horses. Cyber-criminals can use IMs to
gain backdoor access to computers without opening a listening port,
effectively bypassing the firewall. Finding victims does not require
scanning unknown IP addresses; the attacker simply picks from an
always-current directory, the Buddy List. In addition to file
transfers, all the major instant messaging networks support
peer-to-peer file sharing, in which one can share a directory or an
entire drive. This means that every file on a computer can be shared
through the IM application, spreading files infected with viruses or
other malware, and exposing whatever is shared to unauthorized
viewing.
IM Worms
Worms travel not only by email but also through instant messages.
These threats can be dealt with by effective gateway monitoring and by
installing desktop AV protection. If you use instant messengers, make
sure the AV is set to maximum protection, with heuristics enabled.
The way in which these worms replicate varies: some spread by both
email and instant messaging, others only via IM. As more IM users
become aware of the threats and how to prevent them, the success of
these worms can be significantly reduced.
IM Backdoor Trojan Horses
Every file on a computer can be shared with another computer
through an instant messenger. All the popular instant messengers have
file sharing built in, or can add it through patches or plug-ins.
Because the applications allow peer-to-peer file sharing, a trojan
horse can reconfigure the instant messaging application to share all
files on the system with full access to everyone, and in this way gain
backdoor access to the computer. For a cyber-criminal, using the
instant messenger to reach files on a remote computer has advantages
over installing a conventional backdoor trojan horse: even if the
victim's computer is on a dynamic IP address, the IM login name will
probably never change, and the criminal receives a presence
notification each time the victim comes online. Keeping track of and
accessing infected computers is therefore very easy. No new,
suspicious ports need to be opened for communication; the instant
messaging ports already in use serve instead.
There are currently trojan horse programs that target instant
messaging. Some modify configuration settings so that file sharing is
enabled for the entire hard drive. These trojans pose a large threat,
as they give anyone full file access to the computer.
There are also classic backdoor trojan horses that use instant
messengers to report back to the trojan's author, sending the
cyber-criminal information about the infected computer such as system
details, cached passwords and its IP address. The cyber-criminal can
in turn send messages to the infected computer via IM, instructing it
to perform some unauthorized action.
Backdoor trojan horses that reach the computer through instant
messenger applications may be harder to prevent than classic backdoor
trojans. A classic backdoor trojan opens a listening port on the
computer and waits for the remote machine to connect to it, or makes an
outbound connection of its own to a new destination; either way, a
desktop firewall can block it, because the traffic matches no rule the
user has approved. A trojan that operates through the instant
messaging application opens no new port. The user has already created
an "allow" rule in the desktop firewall for outbound instant messaging
traffic, so a backdoor trojan horse riding the same channel goes
unblocked. The number of backdoor trojan horses using instant
messengers is increasing steadily.
An anti-trojan program such as TrojanHunter, TDS-3 or Ewido
Security Suite can help protect you from this menace. All of these, and
more, are available from CastleCops Downloads under Anti-Trojan Tools.
To clear your cache and temp folders of typed passwords, get Crap
Cleaner (CCleaner), available from CastleCops Downloads under Disk & Track Cleaners or from http://www.ccleaner.com/
IM Hijackings and Impersonations
Cyber-criminals can impersonate other users in many different ways.
The most frequently used attack is simply stealing the account
information of an unsuspecting user.
To get it, the cyber-criminal can use a password-stealing trojan
horse. If the password for the instant messaging application is saved
on the computer, the attacker sends a trojan to the user; when
executed, it finds the saved password for the victim's IM account and
sends it back to the cyber-criminal. The means of sending it back
varies: the instant messenger itself, IRC, or email.
Since none of the four major instant messaging protocols encrypt
their network traffic, attackers can hijack connections with
man-in-the-middle attacks. By inserting messages into an ongoing chat
session, a cyber-criminal can impersonate one of the chatting parties.
Though more difficult, one can also hijack the entire connection the
same way. For example, the cyber-criminal sends the victim a disconnect
message that appears to come from the server, causing the application
to disconnect, and can then use a simple denial-of-service exploit, or
other unrelated exploits, to keep it disconnected. Since the server
keeps the connection open and does not know that the application has
dropped off, the cyber-criminal can impersonate the victim for the
rest of the session.
Stolen account information for any instant messenger can obviously
be very damaging. Because the cyber-criminal can use it to pose as a
trusted user, the people on the victim's Buddy List will trust the
cyber-criminal and may share confidential information or execute
malicious files. Losing a password for an instant messenger account
endangers more people than just the user who lost it.
To mitigate these problems you can exchange encrypted instant messages using products such as Trillian or IMsecure
by ZoneLabs. Both have freeware (for personal use) versions. Of course,
encryption only works if everyone you talk to uses the same scheme.
To keep passwords from being lost or stolen, get the little freeware
(for personal use) tool Any Password.
IM In Denial
Instant messaging can make a computer vulnerable to denial of
service (DoS) attacks. These attacks have different end results:
some make the instant messenger application crash, others make it
hang and consume a large amount of CPU, leaving the entire computer
unstable.
Cyber-criminals have many ways to cause a denial of service against
an instant messenger program. One common attack is flooding a
particular user with a large number of messages. The popular instant
messaging applications defend against flood attacks by letting the
victim ignore particular users. However, many tools let the
cyber-criminal use many accounts simultaneously, or automatically
create a large number of accounts, to carry out the flood. Adding to
this, once the flood has started and the victim realizes what is
happening, the computer may already be unresponsive, and putting the
attacking accounts on the IM program's ignore list may be very
difficult.
Even though denial of service attacks are more of an annoyance than
they are dangerous, they can be used in combination with other attacks,
such as the hijacking of a connection.
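The ignore list fails precisely because it is keyed on the attacking account. As an added example, not part of the original article, here is a small Python flood guard a client could apply before rendering inbound messages: a per-sender limit (what the ignore list approximates) plus a global budget for accounts that are not on the Buddy List, which is what stops a flood spread across many throwaway accounts. The scenario, account names and limits are constructed for the demonstration.

```python
from collections import deque


class FloodGuard:
    """Decide whether an inbound IM should be rendered or quietly dropped.

    Two sliding-window limits work together:
      * per_sender:   messages any one account may deliver per `window` seconds
      * global_limit: messages from non-buddies the client will render per
                      window, so a flood spread over many throwaway accounts
                      cannot exhaust the UI either.
    Senders on the buddy list skip the global budget but are still rate
    limited individually, so a hijacked buddy account cannot flood you.
    """

    def __init__(self, per_sender=5, global_limit=20, window=10.0, buddies=()):
        self.per_sender = per_sender
        self.global_limit = global_limit
        self.window = window
        self.buddies = set(buddies)
        self._by_sender = {}      # sender -> deque of accept timestamps
        self._global = deque()    # accept timestamps from non-buddies
        self.dropped = 0

    def _trim(self, q, now):
        # Discard timestamps that have aged out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def accept(self, sender, now):
        """Return 'deliver', 'drop:sender' or 'drop:global'.

        `now` is the caller's clock in seconds, passed in explicitly so the
        policy is deterministic and testable.
        """
        q = self._by_sender.setdefault(sender, deque())
        self._trim(q, now)
        if len(q) >= self.per_sender:
            self.dropped += 1
            return "drop:sender"
        if sender not in self.buddies:
            self._trim(self._global, now)
            if len(self._global) >= self.global_limit:
                self.dropped += 1
                return "drop:global"
            self._global.append(now)
        q.append(now)
        return "deliver"


def simulate_flood():
    """Constructed scenario (not real traffic): one flooder, thirty throwaway
    accounts, and a buddy writing during the attack."""
    guard = FloodGuard(per_sender=5, global_limit=20, window=10.0, buddies={"bob"})
    results = {}
    # 1. One account sends 50 messages within a second: only 5 get through.
    verdicts = [guard.accept("flooder1", now=0.0 + i * 0.02) for i in range(50)]
    results["single_flooder_delivered"] = verdicts.count("deliver")
    # 2. Thirty fresh accounts each send one message. The per-sender cap alone
    #    would let all thirty through; the global budget (5 already used) stops
    #    them after 15 more.
    verdicts = [guard.accept(f"throwaway{i}", now=1.0 + i * 0.01) for i in range(30)]
    results["throwaway_delivered"] = verdicts.count("deliver")
    results["throwaway_global_drops"] = verdicts.count("drop:global")
    # 3. A buddy's message still arrives while the global budget is exhausted.
    results["buddy_during_flood"] = guard.accept("bob", now=2.0)
    # 4. Once the window has passed, the flooder's account gets its small
    #    budget back rather than being banned outright.
    results["flooder_after_window"] = guard.accept("flooder1", now=15.0)
    return results


if __name__ == "__main__":
    for key, value in simulate_flood().items():
        print(f"{key}: {value}")
```

Dropped messages are counted rather than rendered, so the client stays responsive during the flood and the user can still reach the ignore list; in a real client the drop counter would feed a single "N messages suppressed" notice instead of N pop-ups.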
IM Not Keeping Secrets
Information disclosure can occur without any trojan horse. Since the
data transmitted over the instant messaging network is not encrypted,
a network sniffer, which can capture data on most types of networks,
can be used to capture the instant messaging traffic. With a sniffer,
a cyber-criminal can record the packets of an entire IM chat session.
This can be very dangerous, as they may gain access to privileged
information, and it is particularly perilous in the corporate
environment, where proprietary or other confidential information may
be sent over the IM network.
IM Keeping Secrets
Some instant messaging applications allow all communications to be
saved in log files. Even though this is a feature that businesses often
request and require, keeping logs can be very dangerous, as they may
contain sensitive data. This was made evident in a case where a
cyber-criminal stole the IM logs of a company's CEO and posted them in
several places on the Web, creating one of the worst possible
corporate nightmares. The logs included sensitive company data
regarding business partners, employees and affiliate websites. After
the posting of the logs, several members of the senior staff resigned.
This case shows how dangerous it is when a cyber-criminal can read IM
sessions. Even though the log files were stolen in this case, sniffing
the data packets could have caused the same damage. Encrypted IM chat
and log files would have helped prevent this catastrophe.
Blocking IM: Forget it
The most effective way of preventing instant messaging is to deny
it access to the network in the first place, but that is difficult.
Simple port-blocking firewalls will not be effective because IM
applications can use common destination ports such as HTTP port 80 and
FTP port 21, and most will auto-configure themselves to use another
port if the default is blocked.
Firewalls with protocol analysis may stop instant messaging
applications from communicating on common destination ports such as
port 80, because native instant messaging traffic does not look like
HTTP. However, the latest versions of all the various IM applications
can embed their data inside an HTTP request, bypassing protocol
analysis.
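To make the three layers concrete, here is an added Python example (not from the original article) that runs three constructed port-80 flows through a port-only filter, a protocol-analysis filter and a hostname policy. The IM message format and the gateway hostnames are invented for the demonstration; a real gateway would substitute the products and hosts it actually sees.

```python
import re

# A well-formed HTTP/1.x request line: the minimum a protocol-aware firewall checks.
REQUEST_LINE = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.MULTILINE | re.IGNORECASE)

# Hypothetical IM gateway hostnames, used only for this demonstration.
IM_GATEWAY_HOSTS = {b"imgateway.example.net", b"http.im-relay.example.org"}


def port_filter(dst_port: int) -> str:
    """Stage 1: a plain port-blocking firewall. Anything to 80 or 443 passes."""
    return "allow" if dst_port in (80, 443) else "block"


def protocol_filter(payload: bytes) -> str:
    """Stage 2: protocol analysis. Bytes on port 80 that do not start with an
    HTTP request line are blocked, which stops a client that merely retargets
    its native protocol at port 80."""
    return "allow" if REQUEST_LINE.match(payload) else "block: not HTTP"


def host_policy_filter(payload: bytes) -> str:
    """Stage 3: the request is valid HTTP, so the only handle left is where it
    is going. Block known IM gateway hosts (a list that must be maintained)."""
    m = HOST_HEADER.search(payload)
    host = m.group(1).strip().lower() if m else b""
    if not host:
        return "block: missing Host header"
    if host in IM_GATEWAY_HOSTS:
        return "block: IM gateway host"
    return "allow"


def classify(dst_port: int, payload: bytes) -> dict:
    """Run one flow through all three stages and report each verdict."""
    is_http = bool(REQUEST_LINE.match(payload))
    return {
        "port": port_filter(dst_port),
        "protocol": protocol_filter(payload),
        "host": host_policy_filter(payload) if is_http else "block: not HTTP",
    }


# Constructed sample flows, all destined to TCP port 80.
SAMPLE_FLOWS = {
    # An ordinary web request.
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # An IM client that switched its native protocol to port 80 (format invented).
    "im_native_on_80": b"IMLOGIN alice 1.0\r\n",
    # The same IM traffic wrapped in an HTTP POST to a gateway host.
    "im_over_http": (b"POST /gateway HTTP/1.1\r\nHost: imgateway.example.net\r\n"
                     b"Content-Type: application/octet-stream\r\nContent-Length: 17\r\n\r\n"
                     b"IMLOGIN alice 1.0"),
}


def demo():
    return {name: classify(80, payload) for name, payload in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The port stage allows all three flows, the protocol stage catches only the native IM protocol, and the hostname stage is the only one that catches the HTTP-wrapped flow. That last stage works only while the gateway list is current and the traffic is plain HTTP; once a client moves to HTTPS on port 443 the firewall sees no Host header without TLS inspection.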
IM Security
Securing instant messaging is not an easy task. One of the best
ways to secure the information transmitted over an IM network is
to encrypt it. Many companies now offer encrypted instant messaging,
and IM encryption applications are available, two of which are noted
above. If file transfer over the instant messaging network is not
required, disable it.
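What "encrypted IM" has to deliver against the attacks described above (message insertion into a session under IM Hijackings and Impersonations, and sniffing under IM Not Keeping Secrets) is more than secrecy: each message must also be authenticated and bound to its position in the conversation. The following Python example is added here and is not code from the article or from any product it names. It uses only the standard library, so HMAC-SHA256 stands in as a PRF-based stream cipher and as the MAC; a real client would use a vetted cipher such as AES-GCM. It assumes both parties already share a secret (how they agree on it is out of scope); the names and messages are constructed.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32
HEADER_LEN = 8 + 12        # 64-bit sequence number + 96-bit random nonce


def derive_keys(shared_secret: bytes, direction: bytes):
    """Separate encryption and MAC keys per direction, so a message Bob sent
    to Alice can never be replayed back to Bob as if Alice had sent it."""
    enc_key = hmac.new(shared_secret, b"enc:" + direction, hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"mac:" + direction, hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode (stdlib-only stand-in for a cipher)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


class Channel:
    """One party's view of a two-way encrypted and authenticated IM session."""

    def __init__(self, shared_secret: bytes, me: str, peer: str):
        self.send_keys = derive_keys(shared_secret, f"{me}->{peer}".encode())
        self.recv_keys = derive_keys(shared_secret, f"{peer}->{me}".encode())
        self.send_seq = 0
        self.recv_seq = 0

    def seal(self, plaintext: bytes) -> bytes:
        """Encrypt-then-MAC: header || ciphertext || tag. The tag covers the
        sequence number and nonce, so neither can be altered in transit."""
        enc_key, mac_key = self.send_keys
        nonce = os.urandom(12)
        header = struct.pack(">Q", self.send_seq) + nonce
        ks = _keystream(enc_key, nonce, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
        self.send_seq += 1
        return header + ciphertext + tag

    def open(self, blob: bytes) -> bytes:
        """Verify the tag first, then the sequence number, then decrypt."""
        enc_key, mac_key = self.recv_keys
        if len(blob) < HEADER_LEN + TAG_LEN:
            raise ValueError("truncated message")
        header, ciphertext, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed: injected or modified message")
        seq = struct.unpack(">Q", header[:8])[0]
        if seq != self.recv_seq:
            raise ValueError(f"replay or reordering: expected seq {self.recv_seq}, got {seq}")
        self.recv_seq += 1
        ks = _keystream(enc_key, header[8:], len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo():
    """Constructed session: Alice and Bob share a key; Mallory sits on the wire."""
    secret = os.urandom(32)
    alice, bob = Channel(secret, "alice", "bob"), Channel(secret, "bob", "alice")
    results = {}
    wire = alice.seal(b"merger closes Friday, keep quiet")
    results["sniffer_sees_plaintext"] = b"merger" in wire      # what a sniffer gets
    results["bob_reads"] = bob.open(wire)
    # Mallory inserts her own message into the session, as in a hijack attempt.
    forged = wire[:HEADER_LEN] + b"send the files to mallory" + bytes(TAG_LEN)
    try:
        bob.open(forged)
        results["forgery"] = "accepted"
    except ValueError as e:
        results["forgery"] = str(e)
    # Mallory replays Alice's genuine first message.
    try:
        bob.open(wire)
        results["replay"] = "accepted"
    except ValueError:
        results["replay"] = "rejected"
    # Mallory flips one ciphertext bit of a later message.
    tampered = bytearray(alice.seal(b"ok"))
    tampered[HEADER_LEN] ^= 0x01
    try:
        bob.open(bytes(tampered))
        results["tamper"] = "accepted"
    except ValueError:
        results["tamper"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The sequence number is what defeats the insertion and replay tricks, not the encryption by itself: an attacker who cannot produce a valid tag cannot splice anything into the conversation, and a captured genuine message cannot be played back because its sequence number has already been consumed. The per-direction keys close the remaining gap, reflecting one party's own message back at them. Log files are the one thing this does not cover; they are written after decryption and need their own protection at rest.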
Cyber-criminals generally target specific computer systems, so they
are not the biggest threat to any IM network as a whole. Worms, by
contrast, are indiscriminate and target every computer on a given
network, and they appear to pose the biggest threat for the future. We
have already seen worms that use security exploits become widespread
in a very short time.
The number of worms for instant messaging is increasing each month,
and judging by the success of some of them, instant messaging is
clearly a primary platform for malicious threats. Many exploits are
available for the various IM applications. Computer professionals and
users alike need to be aware of the security issues involved with
instant messaging. The best way to ensure the security of IM services
is to educate users about the risks involved and the means of
mitigating them.
Best regards and always take care of your security.