Instant Messaging Attacks - Best Security Tips
SANS Top-20 Internet Security Attack Targets: Instant Messaging Attacks  
Author: Max : 2006/11/22
Instant Messaging Attacks 
C4.1 Description

The widespread use of instant messaging (IM) continues to increase the security risks for both organizations and individual users. While instant messaging can be a very useful communication tool, it is also subject to many security concerns. Recent attacks include new variations in the establishment and spread of botnets, and the use of compromised instant messaging accounts to lure users into revealing sensitive information. Variants of e-mail worms (such as the Mytob family) have also been spread through the use of instant messaging. The general risk areas related to instant messaging are:


  • Malware -- Worms, viruses, and Trojans transferred through the use of instant messaging. Many bots are controlled via IRC channels.

  • Information confidentiality -- Information transferred via instant messaging can be subject to disclosure along any part of the process.

  • Network -- Denial of service attacks; excessive network capacity utilization, even through legitimate use.

  • Application vulnerabilities -- Instant messaging applications contain vulnerabilities that can be exploited to compromise affected systems.



Popular instant message applications include: AOL Instant Messenger (AIM), Gaim, ICQ, Jabber Messenger, Lotus Sametime, Skype, QQ, Windows Live Messenger (WLM), Google Talk, Trillian and Yahoo! Messenger. Instant messaging protocols include: IRC, MSNP, OSCAR, SIMPLE, XMPP and YMSG.

C4.2 Affected Operating Systems

Instant messaging applications are available for all popular operating systems.

C4.3 CVE Entries

CVE-2006-0992, CVE-2006-4662, CVE-2006-5084


C4.4 How to Protect against IM Vulnerabilities and Unauthorized IM Usage

  • Establish policies for acceptable use of instant messaging and ensure that all users are aware of those policies and clearly understand the potential risks.

  • Standard users should not be permitted to install software. Restrict Administrative and Power User level privileges to support personnel acting in their support capacity. If a user must have Administrative or Power User privileges, create a separate account to be used for his/her daily office functions, internet surfing and on-line communication.

  • Ensure that vendor patches are promptly applied to instant messaging software, interrelated applications, and the underlying operating system.

  • Employ antivirus and antispyware products.

  • Do not rely on external IM servers for internal use of instant messaging; provide a commercial-grade IM proxy or internal IM server.

  • Create secure communications paths when using instant messaging with trusted business partners.

  • Appropriately configure intrusion detection/prevention systems. Understand that many instant messaging applications are capable of enabling associated communications to masquerade as otherwise legitimate traffic (e.g. HTTP).

  • Consider deploying products specifically designed for instant messaging security.

  • Filter all HTTP traffic through an authenticating proxy server to provide additional capabilities of filtering/monitoring instant messaging traffic.

  • Block access to known public instant messaging servers that have not been explicitly authorized. (Note: Offers only partial protection due to the number of potential external servers.)

  • Block popular instant messaging ports. (Note: Offers only partial protection, due to the number of potential protocols and associated ports, and the ability of applications to bypass port restrictions.)

  • Monitor using an Intrusion Detection/Prevention system for users creating tunnels for IM or bypassing proxies.
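
An added example (not part of the SANS text) showing why port blocking offers only partial protection and what IDS-style monitoring for IM on unexpected ports can look like: it matches the first bytes of each flow against client-handshake signatures for the protocols named in C4.1. The default ports, the signatures, the function names and the sample flows are assumptions supplied here; the flows are constructed, not captured.

```python
import re

# Well-known default client ports (assumed here; the page lists none).
DEFAULT_PORTS = {"IRC": {6667}, "MSNP": {1863}, "OSCAR": {5190},
                 "XMPP": {5222, 5223}, "YMSG": {5050}}

# Signatures for the first bytes a client sends on each protocol.
SIGNATURES = [
    ("IRC", re.compile(rb"^(?:PASS|NICK|USER|CAP) [^\r\n]+\r?\n")),
    ("MSNP", re.compile(rb"^VER \d+ MSNP\d+")),
    ("YMSG", re.compile(rb"^YMSG")),
    ("XMPP", re.compile(rb"^(?:<\?xml[^>]*\?>\s*)?<stream:stream\b")),
    # OSCAR FLAP sign-on frame: 0x2A, channel 1, seq+len, version 1.
    ("OSCAR", re.compile(rb"^\x2a\x01.{4}\x00\x00\x00\x01", re.S)),
]

def classify(dst_port, payload):
    """Return (protocol, finding) for one flow, or None if not IM."""
    for proto, sig in SIGNATURES:
        if sig.search(payload):
            on_default = dst_port in DEFAULT_PORTS[proto]
            return proto, "default-port" if on_default else "port-evasion"
    for proto, ports in DEFAULT_PORTS.items():
        if dst_port in ports:  # e.g. TLS-wrapped, payload unreadable
            return proto, "port-only"
    return None

def scan(flows):
    """flows: iterable of (src_ip, dst_port, first_payload_bytes)."""
    hits = []
    for src, port, payload in flows:
        verdict = classify(port, payload)
        if verdict:
            hits.append((src, port) + verdict)
    return hits

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    ("10.0.0.5", 6667, b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),
    ("10.0.0.6", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.7", 80, b"YMSG\x00\x10\x00\x00\x00\x00\x00\x4c"),
    ("10.0.0.8", 443, b"VER 1 MSNP13 CVR0\r\n"),
    ("10.0.0.9", 8080, b"<?xml version='1.0'?><stream:stream to='example.com'>"),
    ("10.0.0.10", 443, b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),
    ("10.0.0.11", 5223, b"\x16\x03\x01\x00\x2e"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print(hit)
```

Flows reported as `port-evasion` are the ones a port block alone would miss. Traffic wrapped in TLS on a port such as 443 matches no signature here, which is the case the authenticating proxy and IM-specific security products in the list above are meant to cover.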


