IM security: The worst is yet to come

The number of instant-messaging (IM) worms is on the rise — but users should expect only a short-lived surge before tech administrators act against IM in their companies, a security expert has claimed.

There have been around 40 different worms or variants spreading via IM applications so far this year, the majority of which have targeted Microsoft's MSN Messenger service. Alexander Gostev, senior virus analyst at Kaspersky Labs, said most of these worms were written in Visual Basic and contain similar source code — a sure sign that script kiddies were most likely responsible.

"VB is one of the easiest programming languages to master, but it's unsuitable for serious projects… The source code for some early IM worms was published on a number of virus writers' sites, and most of the new worms are clearly based on this code," said Gostev. "The evidence currently points to IM worms being the domain of script kiddies."

According to Gostev, IM worms are at a similar state of evolution to worms that spread using peer-to-peer (P2P) applications three years ago, which means in the short term a significant increase in the amount of malware targeting IM applications should be expected.

"Between 2002 and 2004, when P2P worms first appeared, they were also mostly written in VB and targeted one P2P client, Kazaa, the most popular client at the time… As P2P-worms were simple to create, and spread rapidly, several hundred families appeared, with numerous versions in each. The increase in this type of malware reached its peak in 2003, with more than 10 new versions being detected every week," said Gostev.

Gostev said that the rate at which P2P worms were evolving slowed rapidly in 2004, which is how he also expects the IM worm 'lifecycle' to unfold.

"The rapid evolution of P2P worms slowed dramatically in 2004 and they currently comprise an insignificant percentage of contemporary malware. It seems likely that IM worms will have the same life cycle," said Gostev.

As administrators realised the dangers of P2P applications and restricted or denied access to those services, they became less of a problem, which is what will have to happen if IM attacks are to be contained.

"System administrators and security managers should be focusing their attention on the potential threat which IM applications represent. One option would be to forbid the use of IM applications in enterprise settings until security improves," said Gostev.