NetTrends: Instant Messaging - Hackers Like It, Too
By Peter Henderson

SAN FRANCISCO (Reuters) - A hacker named Methodic spotted a hole in America Online's (NYSE: AOL) instant messaging system, so he penned a program to crash the chat program of any AOL ``buddy'' he targeted.

Luckily, Methodic wasn't a malicious hacker, and he settled for just proving a point: instant messaging systems used by millions around the world are vulnerable to the same types of lightning attacks that spread by e-mail and have caused billions of dollars in damage.

Methodic, also known as Tony Lambiris, says AOL patched up its system a week later, and the hole was gone, forever.

AOL said it spends heavily on security and fixed the problem. ``It could have potentially been annoying but the user's password and account remained secure and we quickly resolved the issue when it was discovered,'' Andrew Weinstein, a spokesman for AOL, said.

That's not the point, according to Lambiris.

Instant messaging, a faster and more direct form of e-mail that allows written conversations and file transfers, is growing faster than the Internet, according to researchers. The speed and immediacy that make the programs perfect for a quick chat also make them attractive as a way to launch a quick attack, security analysts say.

Lambiris' program proved capable of shutting down the AOL client by sending it more data than it was built to hold, a so-called buffer overflow attack, the same class of flaw exploited by the Code Red worm against Web servers, which caused an estimated $2.6 billion in damage.

``To have an e-mail attack be successful, you need to send it, have the party download it, save the attachment, and run it. With a messaging system, all you need to know is the person's user name,'' Lambiris wrote in an e-mail message.
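The pattern behind such a crash, as an added example that is neither the AOL client's code nor Lambiris' program: a handler that copies an incoming message into a fixed-size stack buffer, trusting a length field the remote party controls, beside a hardened version that checks the length against both the buffer and the bytes actually received. The two-byte length-prefixed frame format, the 64-byte buffer, the frame cap and all function names are assumptions made for this example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 64      /* assumed size of the client's per-message display buffer */
#define FRAME_MAX 512   /* assumed upper bound on one inbound frame */

/* Constructed wire format for this example: two-byte big-endian length, then
 * the text. The sender fills in the length, so a hostile peer can declare any
 * value it likes; text_len may differ from declared_len to mimic that. */
size_t build_frame(unsigned char *out, size_t out_sz, uint16_t declared_len,
                   const char *text, size_t text_len)
{
    if (out_sz < 2 + text_len) return 0;
    out[0] = (unsigned char)(declared_len >> 8);
    out[1] = (unsigned char)(declared_len & 0xff);
    memcpy(out + 2, text, text_len);
    return 2 + text_len;
}

/* VULNERABLE: trusts the declared length. A peer that declares more than
 * MSG_MAX bytes overruns buf on the stack; the result is undefined (in the
 * field: a crash, or code execution with a crafted payload). Shown for the
 * pattern only and never called with an oversized frame in this example. */
int display_message_vulnerable(const unsigned char *frame, size_t frame_len)
{
    char buf[MSG_MAX];
    uint16_t len;

    if (frame_len < 2) return -1;
    len = (uint16_t)((frame[0] << 8) | frame[1]);
    memcpy(buf, frame + 2, len);   /* BUG: len checked against neither MSG_MAX nor frame_len */
    buf[len] = '\0';               /* BUG: writes past buf once len >= MSG_MAX */
    printf("[vulnerable] %s\n", buf);
    return (int)len;
}

/* HARDENED: the declared length must fit the destination (with room for the
 * terminator) and must not exceed the bytes actually received. An oversized
 * message is rejected outright rather than silently truncated. */
int display_message_safe(const unsigned char *frame, size_t frame_len,
                         char *out, size_t out_sz)
{
    uint16_t len;

    if (frame_len < 2) return -1;
    len = (uint16_t)((frame[0] << 8) | frame[1]);
    if ((size_t)len >= out_sz) return -1;        /* would overflow out */
    if ((size_t)len > frame_len - 2) return -1;  /* declares bytes that never arrived */
    memcpy(out, frame + 2, len);
    out[len] = '\0';
    return (int)len;
}

/* Helper for the checks: send a frame of text_len 'A's that declares
 * declared_len through the hardened handler into a MSG_MAX-byte buffer. */
int try_safe(uint16_t declared_len, size_t text_len)
{
    unsigned char frame[FRAME_MAX];
    char text[FRAME_MAX];
    char out[MSG_MAX];
    size_t n;

    if (text_len > FRAME_MAX - 2) return -1;
    memset(text, 'A', text_len);
    n = build_frame(frame, sizeof frame, declared_len, text, text_len);
    return display_message_safe(frame, n, out, sizeof out);
}

int main(void)
{
    unsigned char frame[FRAME_MAX];
    char out[MSG_MAX];
    size_t n = build_frame(frame, sizeof frame, 5, "hello", 5);

    display_message_vulnerable(frame, n);   /* harmless on a well-formed frame */
    printf("[safe] %d bytes -> %s\n",
           display_message_safe(frame, n, out, sizeof out), out);
    printf("[safe] 300-byte message: %d\n", try_safe(300, 300));   /* rejected */
    printf("[safe] declares 40, sends 2: %d\n", try_safe(40, 2));  /* rejected */
    return 0;
}
```

Because the display handler runs for any inbound frame addressed to the user, no attachment has to be opened: knowing the screen name is enough, which is the asymmetry Lambiris describes. The hardened version also rejects a frame that declares more bytes than it carries, the other common way a length-prefixed parser reads or writes beyond its input.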

There were some 90 million active home and business instant messaging users in September, according to Jupiter Media Metrix.

The most popular providers are America Online, which has a stand-alone program that works outside the AOL network, Microsoft Corp.'s (Nasdaq: MSFT) MSN Messenger, and Yahoo! Inc.'s (Nasdaq: YHOO) messenger service.

And as the popularity of instant messaging grows, so does its attraction to malicious hackers, says MSN, for one.

``Computer viruses can be passed around in a variety of ways: via e-mail messages, on floppy disks, and increasingly, through messaging applications like MSN Messenger,'' it warned on its Web site.

A spokeswoman said MSN was working with the anti-virus software community.

Instant messaging clients have also become very good at tunneling through corporate security systems, says Carey Nachenberg, chief architect at anti-virus firm Symantec Corp.'s (Nasdaq: SYMC) security response team.

``Imagine a day when all these people are on with broadband connections -- they are always connected, their computers are always on, and a computer worm targeting a popular messaging system starts spreading. That would potentially ravage hundreds of millions of machines,'' he said, cautioning that such a worm had not reared its head and desktop anti-virus software was very effective now.

The ``buddy lists'' popularized by AOL are address books of best friends, but for a hacker they are also a road map for where to send a virus, said Nick Weaver, a graduate student at the University of California, Berkeley, who has studied what kind of hacks could most quickly paralyze the Internet.

``You use the list of known machines as your source for what machines you try to infect,'' he said. Under the right circumstances, such an attack could easily spread around the Net in a matter of minutes, while it takes the Internet community a good hour to begin responding to trouble, he estimated.

There is a bright side. Instant messaging clients are updated automatically, which means their makers can push a patch to all users immediately. ``You have to find a security hole that you can use autonomously without user intervention that hasn't been discovered yet,'' Weaver said.

Furthermore, corporations can make the systems more secure by requiring users to route messages through a server computer, called a proxy, that can scan and strip out threats.

And Symantec and others say anti-virus software should protect desktops while the companies work on corporate network tools. However, instant messaging will evolve, and that could be dangerous. ``Adding features increases risk,'' said Matt Blaze, a network security scientist at AT&T Labs (NYSE: T).

Gartner Inc. technology researcher Martin Reynolds argued that the self-updating program could update itself with new holes. ``There is no certainty that there is going to be an instant messaging virus but if there were the risk is enormous,'' he said.

Hacker Lambiris says the providers are only looking in the rear view mirror. ``The big guys (AOL, MSN, etc.) only seem to address an issue at a time, instead of fixing the problem from the ground up,'' he lamented.
