IM threats on the rise
Takeaway: Another quiet week on the security front has produced plenty of news but few immediate threats. At the top of the list are an increase in IM/P2P threats, the first potential risk for Windows Vista, and more fallout from the Cisco vulnerability controversy. John McCormick brings you up to speed in this edition of the IT Locksmith.
It's been another quiet week on the security front. There's been plenty of news, but very few immediate threats. At the top of the list, IM threats are on the rise, the first potential risk for Windows Vista has surfaced, and the dramatic fallout from the Cisco vulnerability controversy at Black Hat rages on. So it's a good time for the company picnic—Cisco users just need to change their passwords before passing the potato salad!
Details
There's been no scarcity of security news in the last week. However, fortunately for all of us in the security industry, no really major threats have emerged that we need to address right this minute.
Security vendor Akonix has published its latest report on instant messaging threats in 2005. The report shows a four-fold increase in instant messaging and peer-to-peer threats for the second quarter of 2005. So, if your company is one that has turned a blind eye toward this sort of activity, the time has come to crack down hard. Even if your organization has a solid, unhackable IM program, remember that most users don't know how to properly define which files are acceptable for someone to upload and which ones must remain private.
Given that IM and P2P code is almost laughably vulnerable, I recommend prohibiting any of your users from downloading or installing any IM or P2P client software without your prior approval. Remember: People often use these apps to illegally download copyrighted material, and your company can be liable for having such files on its networks. IM can certainly be useful in a business context, but it's important to keep it under strict control.
According to Akonix's report, the top five IM and P2P security threats target AIM (Oscarbot), MSN (Kelvir, Bropia, and Microsoft Security Bulletin MS05-022), and Yahoo (a phishing attack). But that doesn't mean you can get complacent if you don't use one of these IM applications. Akonix reported more than 20 new IM/P2P threats since August 1, and all but one target IRC. While Akonix has rated all but one as low-risk, new threats are coming fast and furious—easily matching the occurrence of new virus and Trojan attacks that target e-mail.
Looking ahead, one of our biggest worries will likely be next year's scheduled release of the next generation of Microsoft Windows, recently christened Windows Vista. Antivirus company F-Secure has reported that the first known proof-of-concept malware code for the forthcoming Microsoft OS (formerly code-named Longhorn) has surfaced, even though the OS likely won't see a release until the end of 2006.
It turns out that Microsoft intended Vista to include a brand-spanking-new command-line shell code-named Monad (MSH). Monad will reportedly replace the old CMD interface in current Windows versions, which always seemed purposely designed to make it difficult for non-experts to use. (And that's not a complaint—I don't want users I have to support fooling around with the command-line tools any more than I want them trying to edit the registry on their own.)
But there's no cause for worry just yet. Although Monad is available for testing, it's not even shipping with the beta versions of Vista or Windows Server 2003 R2, an update to Windows Server due later this year. Few systems actually have it installed, and any that do are under the care of testers and developers, all of whom should be smart enough not to connect such systems to the Internet or an internal network.
For more information, check out the original report in the August 4 edition of F-Secure's blog. Researchers have dubbed the actual malware code Danom.A through Danom.E.
If Monad actually ships with Windows Vista in late 2006—which insider rumors say is becoming increasingly doubtful—it should prove a bonanza for script kiddies everywhere. The first few pieces of malware code are remarkably simple and easy to construct. However, it should be easy enough to simply delete the new command if versions do include it, which neatly eliminates the problem. (Editor's note: Microsoft announced late last week that it no longer plans to include Monad in Windows Vista.)
As a follow-up to last week's news about Michael Lynn's now-infamous presentation of vulnerabilities in Cisco's IOS, hackers are racing to find a way to exploit the router flaws. Cisco alerted customers about a breach of its Web site last week. The company has denied that the breach was made possible by any vulnerability in Cisco software.
So far, no reports have surfaced of any successful attacks on Cisco routers using the methods described in Lynn's presentation. However, underground rumors abound that there are quite a few people in the hacker community who aren't happy with Cisco. The patch for the vulnerability is available, so anyone who uses Cisco routers connected to the Web—and that's millions of users—should take steps to get the appropriate update ASAP. (For an insider's view of the Cisco controversy, check out the blog of Jennifer Granick, Michael Lynn's attorney.)
Final word
I can confirm the rise of IM threats from my own experience. The only malware I've consistently cleaned from my systems lately has been trying to contact IM sites.
I wasn't exactly thrilled to learn that Microsoft plans to make the command line "friendlier" to use. That will only tempt more users to tinker with it. Learning that the first known exploited hole in Vista came in the new command-line tool doesn't surprise me much.
As for Microsoft's scripting tools, I've never been able to get Word macros or other scripts to do exactly what I wanted them to do, so I never use them. But at least they offer new security holes to keep all of us busy. While I've previously written about obscure command-line tools that I do use, I'm always leery of giving out too much information because most users don't have the skills to safely work with these tools anyway.
Even as a staunch defender of the First Amendment, I have a lot of sympathy for Cisco. What would you do if you had millions of vulnerable systems out there and learned that someone was about to tell the world's top hackers about a big hole in the code? Even free speech has its limitations, although I'm not certain I want Cisco in charge of making the determination. And, despite loud cries of foul from the hacker community, I'm not even sure how the First Amendment would apply to a private company attempting to keep intellectual property secret.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.