Instant Messaging Street Smarts

I know I just recently wrote about the dangers of instant-message-borne viruses and worms, but a co-worker's brush with what was in all likelihood an IM worm yesterday served as yet another reminder of how insidious these things can be. So, I thought a more thorough primer on IM threats was probably in order.

My co-worker, who we'll just call Amanda, hurried over to the cubicle pod for the tech section to say she'd just received an AOL Instant Message from a friend that prompted her to click on a link. If I recall from viewing the thing on her screen, it said something like "lol! check out this: [deleted hyperlink here]."

Amanda said she didn't think twice about clicking because it came from a friend she chats with all the time. The link opened her Web browser and took her to a site that was not the same as the one listed in the IM invitation, but the page failed to render anything except a cryptic error message.

"So then I cut and pasted the link into a different browser, like an idiot, but the same thing happened," Amanda recalled in an IM conversation after the incident.

Growing more suspicious by the second that she might have just been duped into doing something very bad to her computer, Amanda sent a reply message back to her friend, who of course said she hadn't sent anything recently.

The operations people here got involved, and a virus scan was run on Amanda's machine, but it gave her PC a clean bill of health. I told Amanda she'd probably just had a close call; based on past experience with these things -- and a bit of detective work I did on the link -- it appears she had received an invitation to infect her computer with spyware or a virus.

I still haven't determined if this particular nastygram has earned a name from the spyware or anti-virus companies yet, but I was able to tell that the link she received attempts to redirect the recipient's Web browser through a series of at least three different Internet addresses (including a Web "anonymizer" service), which is almost universally a bad sign because it usually means the sender is trying to hide something.
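The two signs described above (a landing site that differs from the one shown in the message, and a hop through several unrelated hosts) can be checked from recorded response headers without rendering any page. This is an added example, not part of the original post; the hop data, the `.example` host names, the function names and the three-host threshold are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: requested URL -> (HTTP status, Location header).
# Hosts use the reserved .example TLD; none of this comes from the incident.
CONSTRUCTED_HOPS = {
    "http://photos.example/lol": (302, "http://anonymizer.example/go?u=http://cdn.example/x"),
    "http://anonymizer.example/go?u=http://cdn.example/x": (301, "http://cdn.example/x"),
    "http://cdn.example/x": (302, "/err.html"),
    "http://cdn.example/err.html": (200, None),
}
REDIRECT_CODES = (301, 302, 303, 307, 308)

def host_of(url):
    """Lower-cased host name of a URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()

def trace_redirects(start_url, responses, max_hops=10):
    """Follow Location headers through recorded responses; return the URL chain."""
    chain, url = [start_url], start_url
    for _ in range(max_hops):
        status, location = responses.get(url, (None, None))
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)  # a Location header may be relative
        if url in chain:              # redirect loop: stop rather than spin
            break
        chain.append(url)
    return chain

def assess_link(displayed_url, responses, host_limit=3):
    """Report distinct hosts crossed and whether the landing host matches the link."""
    chain = trace_redirects(displayed_url, responses)
    hosts = []
    for hop in chain:
        if host_of(hop) not in hosts:
            hosts.append(host_of(hop))
    landing_differs = host_of(chain[-1]) != host_of(chain[0])
    # host_limit is an assumed threshold, taken from the "at least three" above
    suspicious = landing_differs or len(hosts) >= host_limit
    return {"chain": chain, "hosts": hosts,
            "landing_differs": landing_differs, "suspicious": suspicious}

if __name__ == "__main__":
    report = assess_link("http://photos.example/lol", CONSTRUCTED_HOPS)
    print(" -> ".join(report["hosts"]), "| suspicious:", report["suspicious"])
```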

Even after the "all clear" from the anti-virus test, Amanda says several things aren't working as they did before the whole incident. She's all jittery and not entirely convinced that her PC isn't sick with something.

Even more dangerous than e-mail viruses, IM attacks exploit the very essence of the medium -- speedy and casual communication with trusted sources. While most companies nowadays use anti-virus tools to scrub employees' incoming e-mail, few set any restrictions on their IM usage, which can cause a single infection to spread quite quickly among co-workers accustomed to messaging each other over the cubicle walls and sharing links to amusing Web sites.

IM viruses and worms have grown 50 percent each month so far this year, according to the IM Logic Threat Center, a joint project coordinated by several anti-virus companies including McAfee, Symantec and Sybari Software.

Like e-mail viruses, IM worms spread by sending themselves to people listed in the victim's contacts list, while pretending to have been sent by one of those contacts. Consequently, IM viruses will often appear to come from screen names that you recognize, and may even come from people in your own contacts list.

The lesson here is that you should be just as cautious about opening links or attachments that arrive via IM as you (hopefully) are about clicking on those that show up in your e-mail inbox.

Never open, accept or download a file in an instant message from someone you don't know -- and even if you do know them, don't open it unless you know what the file is and were expecting it. If it comes from someone you know and you weren't expecting it, contact the sender by phone or e-mail, or reply to the message, and ask what they're asking you to look at. In Amanda's case, had she asked first before clicking on the link, she wouldn't be so paranoid right now.

Have a personal experience to relate about an instant-message virus? Post a comment below. Alternatively, feel free to drop me an e-mail, but if you do, please also let me know if you don't want your e-mail comments published.

By Brian Krebs  |  June 2, 2005; 2:15 PM ET
Categories:  From the Bunker  


The number of malicious e-mail and instant messages is increasing every day. It is very easy to be taken off guard. I know one person who was expecting a message at a certain time from a certain person and sure enough, an infected message came in "from that person" at the expected time leading the operator to trust it and infect the computer.

All it takes is one mistake. Risk can be decreased using the following actions:

1. It goes without saying that Windows updates must be religiously applied. Many web sites led to by malicious links will take advantage of unpatched browser defects to install software without operator approval. It goes without saying if the browser warns of a potentially risky operation the default answer should be No or Cancel, or closing the window entirely. And don't forget to update software that isn't updated by Microsoft's site. Especially instant messaging software and media players. Security defects, and the need for regular updates, affect almost all products:

2. Much of today's malicious software requires high privileges to install itself completely. Most people don't need those high privileges on a day to day basis. So doing day to day browsing and messaging using a Windows limited account decreases the potential damage in the case of an inadvertent slip of the mouse button. One day, when everyone is running that way, malicious software will change to accommodate it but for now, it's an effective risk reduction technique.

3. Most browser defects require scripting to be enabled to be exploited. While scripting is necessary on some sites, and required to get the full effect of many sites, a person desiring to decrease risk, for example on a computer used for electronic banking, can browse quite well without it. If using Internet Explorer, as sites are found that require scripting AND THAT ARE TRUSTED, they can be added to Internet Explorer's trusted machine zone to allow scripting to work only with them.

The last two suggestions require some upfront setup costs and some ongoing inconvenience. Each individual will have to decide if the decrease in risk is worth the cost. As incidents increase in frequency and sophistication, and as the consequences of losing control of a computer increase, the equation may change. Many, if not most "viruses" today contain functionality that turns the infected computer over to criminals for whatever purpose they desire.

Many folks suggest changing browsers and even operating systems. There is certainly value in switching from a product that has become a popular target. But if the computer is used for serious business, it must also be remembered that a serious criminal can find defects and vulnerabilities in any browser or platform and that simple fraud doesn't care what type of computer is visiting a criminal web site. Compare the situation to driving a car that is the most often stolen versus driving a car that is less popular with thieves. You still want to lock the doors, keep up with inspections, and drive safely.

P.S. I ran across the Security Fix column just a couple weeks ago and I'm really impressed with it.

Posted by: Gary Flynn | June 2, 2005 8:17 PM

Last year the public agency where I work suffered an attack that shut down our internal network for 2 days. The post-incident investigation determined that this attack entered the network via IM/chat. The solution was to block all external IM/chat traffic at the firewall.

Posted by: Bryant Payne | June 3, 2005 11:41 AM

When my 13-year-old came back from summer camp last year, she changed the settings on her AOL IM to accept mail from people not in her buddy list, so she could initiate contact with her new camp friends. She received an IM inviting her to click a link. Like your friend, the page didn't seem to open correctly, so she cut and pasted it into IE. Our Windows ME box was wrecked. The download included multiple adware applications, trojan installers and a nice keylogger (courtesy of syncroAd, Bargain Buddy, BetterInternet, n-CASE, Golden, bonzibuddy, NicTech and coolwebsearch.) The silent installation took place through a security hole in the OS, which hadn't been patched for ten days. As a lay computer user, it took an enormous amount of effort to clean my computer. I remain angry that companies who advertise on the internet pay creepy "affiliates," like the one who attacked my child, to place advertising tools on home PCs by attacking kids with trojans and keyloggers. I am disappointed that the FTC has done no enforcement against companies in the US who advertise this way. I am disappointed that Microsoft no longer releases "critical" patches for Windows ME, an OS less than 4 years old, with the result that these PCs can't be safely connected to the internet, and consumers like me own $1500 paper weights.

Posted by: L | June 6, 2005 8:21 PM

IMO, Amanda's machine should be, if it has not been, inspected with anti-spyware and adware applications, beginning with ad-aware and spybot S&D, in addition to whatever "anti virus" package was used in the checkup mentioned in the article.

If Amanda still reports novel post incident behavior by her machine, then reasonable caution would also suggest additional tests by JavaCool's Spyware Blaster.

If any non removable or repeating problems are disclosed by these tools, then a full "HiJack This" analysis should be done under the supervision of an HJT qualified technician.

Posted by: Jim Pivonka | June 7, 2005 1:59 AM

I have AOL and received instant messages from weird screen names when I am online. I have a feeling these may be viruses / spyware. This happens a few times every time I am online. It is as if someone is waiting for me to be online and then hits me with 2 or 3 IMs. The IMs are captured by the IM catcher. A friend of mine in California told me he had sent a keylogger to his ex girlfriend via e-mail and even if she Xed it out, it would activate and send him reports of her computer activities. I don't know what to do in this case. The IM catcher automatically captures the IMs which means I don't have to do a single thing if this thing is activated via anything like an IM catcher. The screen names usually are weird, don't make any sense and have breaks in between them such as sani cdsdsd (with the space between sani and cdsdsd). Can anyone help?

Posted by: TONY | July 23, 2006 9:26 PM


© 2010 The Washington Post Company