Learn the basics of Instant Messaging to stave off attacks

The seemingly overnight appearance of Instant Messaging (IM) software in the corporate environment took most IT departments by surprise. Before IT could put formalized policies and security procedures in place, IM clients were popping up everywhere. To make the best use of IM, you need to know which types of IM networks are the most popular, how they work, what their vulnerabilities are, and how to minimize the risk to your end users and network. As you'll learn, the world of IM is full of malicious activity, automated bots, channel wars, and Denial of Service (DoS) attacks.

What Is IM?
Unlike traditional email, which has a store-and-forward model, IM sends messages immediately. Different types of computers can communicate with one another, as long as they have a version of the appropriate IM client. Macintosh users can talk with Windows users, who can talk with IBM AS/400 users. To receive a message, a user must be running an IM client and participating in the same IM network as the sender when the sender sends the message. A user can send a message to another user or to a group of participants. An IM session discussing a common subject, such as sports or a favorite rock star, is called a channel.

Public channels let anyone participate. A private channel is one in which users must be specifically invited to participate. Users can password-protect and encrypt private channels to prevent outside interference. They can place participants in a private channel on their contact list, or buddy list. Either type of channel can have a controlling operator (also known as a moderator or sysop) who determines the rules and decides who can and can't participate. Early IM clients sent text only, but today's clients also send graphics, sounds, voice, video, online gaming, workgroup collaboration, and files. This additional functionality presents new hacking opportunities.

IM Network Models
Each type of IM uses a particular network structure and protocol. In a peer-to-peer model, an IM client on one computer uses a network address to connect directly to another computer running the same type of client. These types of IM networks don't grow very large because of their peer-to-peer structure. Peer-to-peer IM sessions are high risk because participating computers must give away telltale identification details that expose them to direct attacks.

Most of the larger, popular IM networks are of the peer-to-server variety that Figure 1 shows. Participating servers use a common protocol to share synchronized channels. When an IM client sends a message on a particular channel, all participating servers receive and distribute it to all channel participants. Users with IM client software connect to a participating server and join different chat channels. AOL's, Microsoft's, and Yahoo!'s IM networks are all examples of the peer-to-server model.

The peer-to-server IM network model can handle millions of users, but such a large network requires coordinated effort. The servers must stay synchronized with one another and manage their connected clients. Any breakdown in server-to-server communications results in messaging problems and potential vulnerabilities. The larger the IM network, the more likely it is to have moderators, participation rules, and mechanisms to do the grunt work of managing channels. Many peer-to-server IM networks allow peer-to-peer connections for private chats and file exchanges. Intruders often exploit this additional functionality.

Each IM user must have a unique chat name (also called a screen name, nickname, or handle). Intruders often steal handles (called name hijacking) to pose as another user. An intruder who has hijacked a moderator's name can decide who can and can't join the channel and what can happen on it—or delete it altogether.

IM Networks
Four major IM networks have most of the market: AOL Instant Messenger (AIM), ICQ ("I Seek You"), Internet Relay Chat (IRC), and MSN Messenger. In addition, many other chat services exist.

AIM. AOL claims that more than 100 million people have used AIM (which Figure 2 shows), giving it the majority of the IM market. Users can download AIM for free at http://www.aol.com. AIM's emphasis is on private chats. Intruders attempt to crash or disrupt private chat channels and send malicious files. Because of these attacks, when you receive a file through AIM, the client warns you about malicious programs and viruses. Hackers and others discover a few major AIM vulnerabilities every year, and AOL usually responds quickly with a fix.

ICQ. Israel-based Mirabilis started ICQ (http://web.icq.com) in 1997, and it immediately became very popular. AOL acquired ICQ in 1998 to capture its user base, but ICQ and AIM continue to thrive separately. ICQ users register for an account ID called a universal Internet number, instead of an AOL screen name.

ICQ suffers malicious attacks, but not as often as its popular AOL cousin. Like some other IM networks, ICQ lets users automatically accept file transfers from trusted chat partners. Because of the nature of IM worms and viruses, you should always disable this feature.

IRC. In 1988, a Finn named Jarkko Oikarinen created IRC—the original Internet chat medium. I cover IRC in more detail than the other IM networks because it's more complex than the others, more frequently attacked, and more often used as an attack tool.

Whereas AIM and ICQ are inherently private, IRC thrives on public channels. The IRC network is divided into subnets such as DALnet, Undernet, EFnet, and ChristiaNet, and each subnet has multiple synchronized servers with multiple chat channels. The subnets are separate—the servers and channels on one subnet aren't synchronized with those on the other subnets. When users select and connect to a server, they see a list of as many as 10,000 channels to choose from. Figure 3 shows mIRC, a shareware IRC client popular with beginners, displaying a portion of a channel list. Some IRC subnets, particularly EFnet, are havens for mischievous users and are under constant assault. Other IRC subnets such as Undernet and DALnet are less susceptible to cracking because of automated control mechanisms.

All IRC channel names begin with a pound sign (#). Almost anyone can create a channel, but after everyone has left the channel, it deletes itself. After you join a channel, you begin to see the public messages and nicknames of participating users. Channel operators or their managing programs (called bots) have an at symbol (@) at the beginning of their nicknames.

Most IRC commands have the format /Command. Some commands have arguments. The /List command displays a list of all the available public chat channels on a subnet and server. The /Join command lets you join or create a channel, /Msg lets you send another user a private message, and /Part lets you leave a channel. Sysops use /Kick to remove offending users from a channel.

When you install an IRC client, it installs a configuration file and script files that direct the software's behavior. Script.ini was once a popular configuration filename, but the file can have any name today. You can modify the configuration file and create additional script files that contain macros to automate commands. These scripts are the bots I mentioned earlier (bots can also be written in external languages such as Perl and C). IRC moderators use bots to protect the channel and kick or ban hostile users. However, malicious code writers can put viruses, worms, and Trojan horse programs in bots and use IRC's file-sharing mechanism to send the files to unsuspecting users. If a user installs such a file, an intruder can take complete control of the user's PC and even use it to launch further attacks. Good bots and bad bots often fight channel wars. Whoever wins can take complete control of the channel. Legitimate users always lose—at the very least because of the overhead this activity creates.

IRC has two mechanisms for peer-to-peer communications: Direct Client-to-Client (DCC) and Client-to-Client Protocol (CTCP). IRC users often use DCC to send or receive files. By default, DCC prompts IRC users to accept or deny received files. IRC users can use CTCP to expand an IRC client's functionality or to allow remote control of a particular client. Unfortunately, malicious script files often contain DCC and CTCP commands that turn over control of the exploited PC to the script's creator.
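The DCC and CTCP traffic described above is easy to spot once you know its shape on the wire: the client-side /Join, /Msg, and /Part commands become JOIN, PRIVMSG, and PART protocol lines, and a DCC offer or CTCP request travels inside a PRIVMSG whose text is wrapped in 0x01 bytes. The following parser is an added example written for this article, not code from any IRC client or from the author; it parses raw IRC lines and flags DCC SEND offers (with executable and script extensions called out) and other CTCP requests. The sample lines, nicknames, hosts, and filenames are constructed, and the extension list is an illustrative assumption rather than a complete one.

```python
"""Parse raw IRC protocol lines and flag DCC file offers and CTCP requests.

Added example for illustration; not part of the original article or any IRC
client. Sample lines below are constructed (nicks, hosts, filenames invented).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Extensions a gateway filter or client might refuse by default.
# Assumption: illustrative list, not exhaustive.
RISKY_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".pif", ".vbs", ".ini", ".mrc"}


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str] = field(default_factory=list)

    @property
    def nick(self) -> Optional[str]:
        """Sender nickname taken from a 'nick!user@host' prefix."""
        return None if self.prefix is None else self.prefix.split("!", 1)[0]


def parse_irc_line(line: str) -> IrcMessage:
    """Split one RFC 1459-style line into prefix, command, and parameters."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    # A trailing parameter starts with ' :' and may contain spaces.
    head, sep, trailing = line.partition(" :")
    params = head.split()
    command = params.pop(0).upper() if params else ""
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, command, params)


def classify(msg: IrcMessage) -> Optional[str]:
    """Label a PRIVMSG/NOTICE that carries a CTCP request or a DCC offer."""
    if msg.command not in ("PRIVMSG", "NOTICE") or len(msg.params) < 2:
        return None
    text = msg.params[1]
    if not (text.startswith("\x01") and text.endswith("\x01")):
        return None  # ordinary chat text
    ctcp = text.strip("\x01").split()
    if not ctcp:
        return "ctcp-empty"
    if ctcp[0].upper() == "DCC":
        # DCC SEND <filename> <ip-as-decimal> <port> [<size>]
        if len(ctcp) >= 5 and ctcp[1].upper() == "SEND":
            filename = ctcp[2]
            ext = filename[filename.rfind("."):].lower() if "." in filename else ""
            risk = "risky" if ext in RISKY_EXTENSIONS else "file"
            return f"dcc-send:{risk}:{filename}"
        return f"dcc-{ctcp[1].lower()}" if len(ctcp) > 1 else "dcc"
    return f"ctcp-{ctcp[0].lower()}"


# Constructed sample traffic as a client would receive it from the server.
SAMPLE_LINES = [
    ":alice!alice@example.invalid PRIVMSG #chan :hello everyone",
    ":bob!bob@example.invalid PRIVMSG carol :\x01DCC SEND hot_pics.jpg.exe 3232235777 1234 20480\x01",
    ":dave!dave@example.invalid PRIVMSG carol :\x01VERSION\x01",
    ":erin!erin@example.invalid PRIVMSG carol :\x01DCC CHAT chat 3232235778 4000\x01",
    ":frank!frank@example.invalid PRIVMSG #chan :\x01DCC SEND notes.txt 3232235779 5000 100\x01",
    ":irc.example.invalid 372 carol :- welcome",
]


def scan(lines: List[str]) -> List[Tuple[Optional[str], str]]:
    """Return (sender nick, finding label) for every line that carries CTCP/DCC."""
    findings = []
    for line in lines:
        msg = parse_irc_line(line)
        label = classify(msg)
        if label:
            findings.append((msg.nick, label))
    return findings


if __name__ == "__main__":
    for nick, label in scan(SAMPLE_LINES):
        print(f"{nick}: {label}")
```

Running it lists bob's executable offer as `dcc-send:risky:...`, dave's CTCP VERSION probe, erin's DCC CHAT request, and frank's plain text file offer, while alice's chat line and the server numeric produce nothing. A gateway or client-side filter built on this kind of parse is what lets you keep the default "prompt before accepting" behavior the article recommends, and refuse executable and script offers outright.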

The majority of IRC traffic is legitimate chatting, and in some computing environments, IRC is the only available IM choice. Regardless, anyone using IRC should be aware that it offers plenty of opportunities for abuse.

MSN Messenger. Microsoft has been experimenting with different types of IM for more than a decade and has nearly a dozen IM programs. MSN Messenger (called Windows Messenger in Windows XP) requires a Microsoft .NET Passport account and is Microsoft's biggest IM hit. MSN Messenger is an AIM clone. Both are primarily private, have buddy and group lists, and have most of the same features. MSN Messenger even lets you talk to your AIM buddies if you also have an AOL screen name. Microsoft is integrating MSN Messenger with its .NET infrastructure, and its feature set will surely explode in the future.

Other chat services. Dozens of other popular IM networks exist, most notably Yahoo! Messenger, which has Windows, Mac, UNIX, Java, Palm, Windows CE, and cell phone clients. Novell, Netscape, and IBM have their own IM networks that legions of loyal users use. Most private chat services use their own servers and protocols. Open-source projects such as Linux have their own IM clients, although most of them use IRC or ICQ protocols. Web browser and Internet email client vendors are integrating IM software into their products. Many IM choices exist, and each presents its own security risks.

IM Port Usage
As Table 1 shows, each IM network uses a default TCP or UDP port number to establish communications. You can use a firewall or network traffic monitor to watch these ports and detect IM traffic on your network. These port numbers are defaults only. Several IM clients let users specify any port number as a proxy to get around firewalls. AIM automates the search for an open port and correctly configures the client. Other IM users employ SOCKS proxy servers to accomplish the same task. (SOCKS is a protocol that lets software programs work over any IP port.) So, although you might not detect any activity on the default ports, IM traffic can be slipping in under the radar on other ports. I cover how to stop this type of activity later in this article.
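Because port numbers are only defaults, a monitor that keys on the port alone misses clients that proxy through another port. The example below is added for this article and is not the author's tool or any product's code: it classifies constructed connection records first by a payload signature from the start of the client-to-server stream, and only then by port, so a client tunneled over port 443 or 8000 is still reported. The port numbers are the well-known defaults I assume for these networks and are not copied from the article's Table 1; the protocol signatures (an OSCAR FLAP frame begins with byte 0x2A, an MSNP session opens with "VER", a Yahoo! Messenger packet starts with "YMSG", and an IRC client registers with NICK/USER/PASS) are assumptions about those protocols as documented elsewhere, and the flow records are constructed.

```python
"""Flag likely IM sessions in connection records, by payload signature first
and by default port second, so proxied clients on other ports are still seen.

Added example for illustration; not part of the original article. Default
ports and signatures are assumptions stated in the text; flows are constructed.
"""
from typing import Dict, List, Optional

# Assumed default server ports (TCP); not taken from the article's Table 1.
IM_DEFAULT_PORTS = {
    5190: "AIM/ICQ (OSCAR)",
    1863: "MSN Messenger",
    5050: "Yahoo! Messenger",
    6667: "IRC",
}
SOCKS_PORT = 1080  # well-known SOCKS proxy port


def payload_hint(first_bytes: bytes) -> Optional[str]:
    """Identify an IM protocol from the first bytes a client sends."""
    if first_bytes[:1] == b"\x2a":             # OSCAR FLAP frame marker
        return "AIM/ICQ (OSCAR)"
    if first_bytes.startswith(b"VER "):        # MSNP 'VER <trid> MSNP..' handshake
        return "MSN Messenger"
    if first_bytes.startswith(b"YMSG"):        # Yahoo! Messenger packet header
        return "Yahoo! Messenger"
    for line in first_bytes.split(b"\r\n")[:3]:  # IRC registration commands
        if line.split(b" ", 1)[0].upper() in (b"NICK", b"USER", b"PASS"):
            return "IRC"
    return None


def classify_flow(flow: Dict) -> Optional[str]:
    """Return a label for an IM-related flow, or None if nothing matched."""
    port = flow["dst_port"]
    by_port = IM_DEFAULT_PORTS.get(port)
    by_payload = payload_hint(flow.get("payload", b""))
    if by_payload:
        how = "default port" if by_port == by_payload else f"nonstandard port {port}"
        return f"{by_payload} ({how})"
    if by_port:
        return f"{by_port} (default port, payload unrecognized)"
    if port == SOCKS_PORT:
        return "SOCKS proxy (possible tunneled IM)"
    return None


# Constructed records: source, destination port, first client payload bytes.
SAMPLE_FLOWS = [
    {"src": "10.0.0.11", "dst_port": 6667, "payload": b"NICK carol\r\nUSER carol 0 * :carol\r\n"},
    {"src": "10.0.0.12", "dst_port": 443,  "payload": b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"},
    {"src": "10.0.0.13", "dst_port": 80,   "payload": b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n"},
    {"src": "10.0.0.14", "dst_port": 1863, "payload": b"VER 1 MSNP8 CVR0\r\n"},
    {"src": "10.0.0.15", "dst_port": 1080, "payload": b"\x05\x01\x00"},
    {"src": "10.0.0.16", "dst_port": 8000, "payload": b"NICK mallory\r\n"},
]


def scan_flows(flows: List[Dict]) -> List[str]:
    """Return one report line per flow that looks like IM or a proxy to it."""
    report = []
    for flow in flows:
        label = classify_flow(flow)
        if label:
            report.append(f"{flow['src']} -> port {flow['dst_port']}: {label}")
    return report


if __name__ == "__main__":
    print("\n".join(scan_flows(SAMPLE_FLOWS)))
```

On the sample records the plain HTTP request is the only flow not reported; the OSCAR client on port 443 and the IRC client on port 8000 are caught by their payload even though neither touches a default port, and the SOCKS connection is listed so you know to look inside it. The payload check needs the first bytes of each stream, which a packet-level monitor provides and a NetFlow-style record does not; in the latter case you are back to ports and server addresses, which is why the article also recommends blocking known IM server addresses.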

IM Attacks
Malicious intruders are on every popular IM service. The more users an IM network has, the more attacks occur on that network. Attacks take one of the following forms.

Attacks disrupt legitimate traffic. Mischievous users try to disrupt or destroy IM chats and channels. On AIM, intruders routinely use AOL-hacking utilities called punters and busters. Punters generate extremely large amounts of legitimate traffic (e.g., 1000 chat invitations), which cause the AIM servers to drop users or channels. Busters exploit weaknesses in AIM's protocols to join private chat discussions. Sometimes they listen silently in the background and record confidential conversations. Several IRC clients allow silent listening by default.

In the past, problems with AOL's registration process have let intruders take over other users' screen names. When one user can impersonate another user, the impersonator can cause unlimited mischief. In February 2000, an intruder hijacked the name of a corporate ICQ user and asked the user to pay a ransom to get his ICQ identity back.

IRC networks are famous for attacks that disrupt traffic. Attackers use bots to try to flood a channel or subnet with enough traffic to desynchronize the IRC servers. Unsynchronized servers offer more opportunities for attacks and let more name hijacking take place. Some IRC networks force users and channels to use identserv and chanserv authentication mechanisms to guard against hijacking attacks.

Attacks compromise computers. Some intruders use IM and its obviously open IP ports to break into computers. Intruders publish malicious Web sites that lure unsuspecting users to links that flood users' computers with buffer-overflow data. Worse, in some cases, IM software need only be installed (not necessarily used or active) for the overflow attack to work.

In January, ICQ reported a buffer-overflow vulnerability. An intruder could send voice, video, and game requests that would immediately overflow the recipient's machine. For example, instead of a game request containing the name of the game that was to be played, it could contain a long stream of characters that the IM client wasn't expecting, causing the system running the client to crash. ICQ had to modify its servers and offer an upgraded client to solve the problem.

More often, IM users accept a file from an intruder disguised as a legitimate source. The file contains a virus, Trojan horse, or worm. IRC users often receive malicious script files that give the intruder complete control over their machine. The remote intruder can initiate file downloads, delete files on the user's hard disk, or send one keyword command to a common public channel to cause all exploited PCs to begin attacking another victim or Web site. That way, intruders can further their rogue objective without having evidence point to their machines. IRC intruders used Distributed Denial of Service (DDoS) attacks years before those attacks showed up on the Web in Trojan horse zombie programs.

Attacks spread malicious software (malware). Intruders have coded hundreds of worms, viruses, and Trojan horses to spread over IM channels. Typically, after an exploited user's PC executes a malicious script, the script propagates like an email worm but uses IM instead of Internet email. Users in the exploited user's contact list receive an IM message telling them to accept and run the infected file, and the cycle continues.

Attacks use IM to advertise their successes. Many worms and viruses use IM to let their originator know about a new victim. The intruder waits in a private, password-protected, encrypted channel. When his or her malware is activated on a new host, the software reports the victim's name and IP address back to the secret channel (and often installs its own IM client). The intruder can then break directly into the compromised machine or wait for a large collection of exploited machines to develop and then trigger a DDoS attack. Intruders frequently break into corporate networks, set up an IRC server, then advertise the break-in and invite other intruders to participate. I've come across more than one corporate file server running IRC servers that the network administrators didn't know about.

IM presents a significant new opportunity for malicious code and programs to infiltrate a network. Unfortunately, many network administrators are treating IM as a nuisance that they hope will go away. They haven't taken the time to learn the software as well as their end users have and certainly don't understand its inherent risks. Don't wait for your first IM attack to occur—take action to protect your network.

Protecting Your Network
First, determine whether your company and its security policies allow IM traffic. If not, turn your efforts to eradication. Make sure your firewall is configured to disallow traffic on common IM ports, and search client machines for IM clients and uninstall them. To defeat IM clients using nonstandard ports, configure your firewall or proxy server to prohibit all traffic to common IM server addresses. For a list of some of these addresses, see Web Table 1.

If you must live with IM traffic, accept responsibility for securing its use on your network. Convince users to use a lower-risk IM client. AIM and MSN Messenger are often attacked, but AOL and Microsoft are quick to patch security problems. ICQ is a relatively safe choice if end users have current client software and refrain from trading files. If users insist on using IRC, convince them to join safe IRC subnets with a minimum of malicious activity. IRC subnets with identserv and chanserv mechanisms are the safest.

Make sure all IM client desktops have a virus scanner that detects all incoming files and network traffic, not just email or browser activity. Virus scanners installed on Internet gateways and firewalls look at email, Web, and FTP activity by default. Most don't analyze IM traffic. Security software installed on email servers will miss IM traffic, too. Server-based virus scanners might not see IM traffic if clients use peer-to-peer connections to transport files.

If you support a particular type of IM client, create a safe-configuration installation and require all users to use it. Disable automatic file downloading and peer-to-peer functionality if you can (most IM networks have FAQs telling you how). If your users have an IM client that uses script files, create a safe script file, install it, and protect it from being overwritten or modified. You can find information about writing safe and protected scripts at IM network Web sites (e.g., you can link to sample IRC scripts at http://www.mirc.org/links.shtml). IM FAQs also list known malware script files. Search for and eradicate these files. Install IM clients in nonstandard installation directories. Many of the less sophisticated attacks work only on software installed with the default directory choices.

Also, the less personal information users can supply when installing the IM client, the better. Some clients let you make your IM session or identifying information invisible. Invisibility means less chance that an intruder will steal users' online identity or locate their machines to attack them.

Educate your end users about IM hazards. Explain that all IM use carries risk but that regular text typing with known friends and business partners is less risky than sharing files. Let them know that a file someone on their buddy list sends could easily be a malicious program.

Stay up-to-date on the latest IM vulnerabilities. Subscribe to newsgroups or online newsletters that follow and publish IM vulnerabilities, such as the ones at http://www.ntbugtraq.com, http://www.securityfocus.com, and http://www.secadministrator.com. Actively review and install IM updates. If you hear about a new exploit and the risk of being attacked seems unacceptably high, take steps to block outside IM traffic until a patch is released.

IM is becoming a fact of life in many environments. Review what IM activity is taking place in your organization, compare that activity with your organization's acceptable use and security policies, and take appropriate ownership. (Remember that even if you decide to prohibit IM for the time being, it could still be running on your network because proxies let IM clients use any open firewall port.) Conventional wisdom says that IM will be a part of your life within a few years, if it isn't already. Learn about it and stay prepared.