Protect Your Instant Messaging

Safe IM isn't out of reach. If you know the different IM models, understand how IM networks operate, and learn how to counter their vulnerabilities, you can stave off attacks.

ITPro Today

July 21, 2002


For safe IM use, learn IM basics, use common sense, and deploy a personal firewall

Instant Messaging (IM) software, such as AOL Instant Messenger (AIM) and Microsoft MSN Messenger, has attracted business and home users alike. IM products let users communicate immediately, exchange files, and collaborate on work. IM software is so popular that it's installed by default on most new name-brand PCs. The software is usually free, relatively easy to use, and activates as soon as the PC is running. Most home users have a copy running.

Unfortunately, IM also provides new avenues for electronic assault. Intruders constantly use IM to achieve their mischievous or malicious purposes. Some IM networks are so overrun by malicious users that no one else participates. No signs accurately warn users about the IM risks and how to reduce those risks. Let me introduce you to the different IM models, discuss how four popular IM networks operate, and describe how you can protect yourself from malicious attacks.

IM Overview
Initially, IM meant sending text messages back and forth. Today, IM users also can exchange files, send voice communications (if they have microphones), send WebCam images, play network games, use email, and even set up virtual communities. However, users also can send viruses, worms, Trojan horses, and other sorts of malicious software (malware) to friends and online associates. If you accept one file that contains malicious code or surf to the wrong place on the Internet, you can open your PC to the world. Attackers can then use your PC to infect other PCs and to launch massive attacks against other Internet-connected servers and networks. But I'm getting ahead of myself.

Most IM clients let you preselect groups of people (called a contact or buddy list) with whom you want to chat. When only invited participants can chat with one another, the chat session (or channel) is private. IM networks have thousands of existing channels that address individual topics, such as Windows XP or PC troubleshooting. If anyone can join a chat discussion, it's considered public. Most public chat channels let participants contact one another and establish a private conversation. Nearly all public channels have a channel operator (also called moderator, chanop, or sysop) who administers and controls the channel. Channel operators can temporarily "kick" users from the channel for violating channel rules or "ban" them for life from a particular discussion group.

IM Networks
Most IM clients work over the Internet. For IM to work between two PCs, the PC users must have a participating client installed, and in most cases, must connect to a particular IM network. One IM network doesn't usually interoperate with another. IM users must have a unique identifier, which might be a screen name, nickname, user ID number, or IP address.

Peer-to-peer IM clients connect directly to each other. A user usually must be invited to communicate or be designated as a trusted user (usually by supplying the trusted person's chat nickname or email address). Some peer IM clients allow only one-to-one connections. Others allow more (you can gather users into a group list), but in all cases, relatively few participants can connect at the same time. The size of peer-to-peer model IM networks is limited because such networks require lots of processing power to manage several connections coming from different locations and communicating everyone's changes to one another simultaneously. Therefore, most popular IM networks are of the peer-to-server type.

The largest IM networks employ the peer-to-server model, in which each client's PC connects to a network of servers. All the related servers in the IM network communicate with one another and transfer their clients' input to the other servers and everyone else's messages and commands back, as Figure 1 shows.

This model reduces each participating computer's workload so that a PC can participate in many public discussions at the same time without dramatically slowing the server or the client. For this model to work, the servers in a particular IM network must stay synchronized with one another. If they become unsynchronized (called a netsplit), they must be able to reconnect and clean up any resulting problems. Two clients on different sides of the networks exchanging messages might be disconnected and reconnected without either party knowing that the other might have missed one or more messages. Intruders will sometimes cause netsplits and try to take advantage of the resulting reconnection process. How an IM network handles this situation indicates the quality of the service.

Because each user must be unique within a particular IM network, servers track user identities. Intruders often attempt to take a user's online identity (called name hijacking). They can then pose as that user to gain other trusted users' confidence. If an intruder hijacks a channel operator's name, the intruder then controls the channel. After they're in control, intruders try to make sure that the legitimate operator doesn't get back in, and they disconnect anyone else who questions them or objects. Intruders and legitimate operators battle to control a channel in channel wars. Often these struggles are automated using programs and scripts known as war bots. Bots, a term that comes from the word robot, contain routines designed to react instantly to a known condition or challenge. For example, if a bot detects the legitimate operator ending his or her chat session, the bot might repeatedly try to join the list by using the operator's credentials, hoping that a hiccup in the channel will grant illegitimate success.

Popular IM Clients
Among the many IM networks and clients, four major IM networks have most of the market. Because most home users have either AIM or MSN Messenger, I discuss those networks first. Two other major IM networks are ICQ ("I Seek You") and Internet Relay Chat (IRC). I cover IRC in more detail because it's more complex than other networks, more frequently attacked, and more often used as an attack tool.

AIM
AOL says that more than 100 million people have used AIM, which Figure 2 shows. Users can download AIM for free at http://www.aol.com. You don't have to be a paid AOL subscriber to use AIM, but you must register a unique screen name, which you can do for free. AIM is a robust client with most of the features you find in any other IM program.

AIM's emphasis is private chats. After AIM is running, it prompts you to create a buddy list. AIM notifies contacts on your buddy list when you're online—that is, able to send and receive messages. Users not on your buddy list must send a request to participate in chats. AIM is probably the most customizable client. You can configure icons and fonts, choose what AIM displays when you're inactive, configure privacy levels (e.g., whether to reveal your real name), set up shared file directories, and choose which Internet IP ports to use—which is important if you must get around a firewall.

AIM has some drawbacks. AOL has consistently resisted other IM vendors' attempts to let messages be exchanged between other IM products and AIM. Also, to use AIM, you must accept lots of advertising. In addition, because AOL is the most popular product, attacks are frequent. AIM users should download the latest versions to reduce the risk of successful attacks. (It's not uncommon for new versions to be released monthly.) You can configure AIM to notify you automatically about new versions by choosing My AIM from the menu, then choosing Edit Options, Edit Preferences. Under Categories, choose Sign On/Off, and in the Auto Upgrade dialog box, select the Notify me when new version is available check box.

MSN Messenger
To use MSN Messenger (known as Windows Messenger in XP), you must register for a Microsoft .NET Passport account (http://www.passport.com). As with AIM, you can register and use MSN Messenger (http://www.msn.com) for free. MSN Messenger, which Figure 3 shows, is another excellent IM client. Microsoft and AOL often copy new features from each other, with each IM network adding the functionality that the other added in its most recent version. With MSN Messenger, you can exchange messages with people on your contact list or join a public chat channel. MSN Messenger, possibly because of increased use through its default installation on XP, is increasingly under attack.

ICQ
AOL acquired ICQ a year after Israel-based Mirabilis started it in 1997, but it still thrives as a separate IM network. ICQ's home page is at http://www.icq.com. To use ICQ, you register with an ICQ server and receive a unique identifier number. You can put in optional identifying information. You can gather people you want to make part of your chat community. When ICQ runs in the background, it alerts you whenever someone in your community logs on. You can send messages, play games, transfer files, and even transmit messages to cell phone users.

IRC
You often find IRC in the corporate environment, but it's still a popular home option. Created in 1988, IRC was the original IM protocol for the Internet. IRC includes dozens of programs, such as mIRC, Pirch, and BoxedIRC. You can find clients on almost every computer platform, including Windows, UNIX, Macintosh, VMS, WebTV, Java, OS/2, Symbian's EPOC OS for wireless devices, and DOS.

Whereas AIM, ICQ, and MSN Messenger are mostly private chat forums, IRC (http://www.irchelp.org) is an inherently public forum. Clients connect to one of the thousands of IRC servers and select a particular IRC subnet (e.g., EFnet, Undernet, IRCNet). Users can then access thousands of different public chat channels. Users select one or more channels and join in. Some IRC server networks offer more than 26,000 different discussion channels.

Most channels have a channel operator and managing bot programs, both of which have an at symbol (@) in front of their nickname to announce their status, as Figure 4 shows. By default, the person who creates the channel is an operator. Current operators can assign additional operators as the need arises, and large channels have dozens of operators. Channel ops can ban users by nickname, account name, host name, network, or IP address.

IRC scripts. When you install an IRC client, it installs with a configuration file, which in early versions was always script.ini. (Because viruses and worms commonly spread by overwriting script.ini, vendors now use other names for the default configuration file to make the file harder to target.) You can modify the configuration script file and create additional script files to craft macros that automate different commands. You use the commands to participate in a channel, and intruders use them to attack it.

Malicious code writers can use IRC script files to write viruses, worms, and Trojan horses, which they want unsuspecting users to install. Typically, they convince the user to accept a file sent through IRC's file-sharing mechanism (in earlier versions, the IRC client would often accept the file automatically). After such a file is installed, the attacker can take complete control of the user's PC, and even use the PC to initiate maliciousness on the attacker's behalf.

Peer-to-peer IRC. IRC has two mechanisms to allow peer-to-peer communications: Direct Client to Client (DCC) and Client-to-Client Protocol (CTCP). Participants often use DCC to send or get files. They use CTCP to expand an IRC client's functionality or to gain remote control of a particular client.

IRC users might use a combination of CTCP and DCC commands to set up their home PC to permit remote file retrieval from work in case a crucial file is left at home. They can use CTCP to tell the IRC client to respond to a predefined command and use DCC to send the requested file. An attacker often tries to get an IRC user to accept a malicious script file that contains DCC and CTCP commands to turn over control of the exploited PC to the attacker.

If you join IRC. IRC is a great chatting network, but it contains many unregulated areas in which malicious attacks are the norm. Make sure you join IRC networks that deploy security bots (i.e., script files that contain anti-intruder coding that you can add to your client) and authentication services. You can find a good starting point at http://www.mirc.org/links.shtml. However, you must verify the legitimacy of the security bot before you install it. My IRC script experience helps me as I inspect every line of script coding to see what it might do. If you spend a few hours reading the tutorials at the Web site above, you'll be able to do the same even with limited exposure.

IM Attacks
Attackers haunt every popular IM service. The more users each IM network gains, the more exploits attackers launch against that network. Attackers target IM to

  • disrupt legitimate traffic
  • compromise computers
  • spread malware
  • advertise successful attacks

Disrupting legitimate traffic. Mischievous and malicious users will try to join, then disrupt or destroy IM chats and channels. In AIM, attackers routinely use AOL utilities called punters and busters to either break into private chat channels or knock legitimate chatters offline. Punters generate extremely large amounts of legitimate traffic (e.g., 1000 chat invitations), forcing AOL servers to drop the user or channel. In IRC, attackers use similar IRC tools for the same purpose—to flood the channel to cause a netsplit, and try to steal a channel operator's name in the reconnection process. To counter such attacks, some IRC networks force users and channels to register themselves, using identification-server (identserv) and channel-server (chanserv) authentication mechanisms. Identserv mechanisms let IM chatters reserve their nickname for a set period of time. Chanserv mechanisms let users reserve chat channels so that the channels don't disappear when everyone leaves them (often the usual behavior). Also, servers can identify channel operators with authentication information.

Busters exploit weaknesses in AIM's protocols to join private chat discussions. Several IRC clients allow silent listening by default. The uninvited users either announce their presence to the private chatters just to prove their presence or listen silently in the background, recording confidential conversations. IM chatters have begun to use encrypted communications to help protect the channel from uninvited guests. Check your IM client's Help file to see whether it supports encryption.

Compromising computers. Some crackers use IM to break into computers. Intruders publish malicious Web sites that lure unsuspecting users to links that flood users' computers with buffer-overflow data. In some cases, IM software need only be installed (not necessarily used or active) for the buffer-overflow attack to work. Such attacks work because keywords that the IM client installs in the registry let a browser activate most IM software. For example, a hyperlink beginning with aim:// can activate AOL's chat client. A carefully crafted hyperlink can activate the IM client and pass along predefined messages and commands.

More often, IM users accept a file from an intruder disguised as a legitimate source. The intruder tells the recipient to trust the sender and to execute the file after it's downloaded. The downloaded file might contain a virus, Trojan horse, or worm. Attackers often send IRC users maliciously crafted script files, which give the attacker complete control of users' machines. The remote attacker can then initiate file downloads and delete files on the user's hard disk—or, with one keyword command sent to a common public channel, make the compromised PCs attack another victim or Web site. Attackers can propagate further attacks without having evidence point to their machines.

Spreading malware. Attackers have coded hundreds of worms, viruses, and Trojan horses to spread through IM channels. Typically, after malware executes on the exploited user's PC, it starts to propagate like an email worm, but using IM. The malware uses the exploited user's contact list to send IM messages telling recipients to accept and run the infected file.

Advertising successful attacks. Many worms and viruses use IM to contact their originators to let them know about a new victim. Attackers wait in private, password-protected, encrypted channels for every new infection. After the malware activates on a new host, it reports to the secret channel (often installing its own IM client in the process) advertising the victim's name and IP address. The attacker can then break directly into the compromised machine or wait for a large collection of exploited machines to accumulate, then trigger a Distributed Denial of Service (DDoS) attack against another victim.

Reducing Your IM Risks
Many of the steps you can take to protect yourself against IM attacks are easy to accomplish and free. Most of them involve common sense, including using an antivirus scanner, deploying a current IM client, not accepting default directories when you install your client, and hiding your personal identifying information.

Use an antivirus scanner. Make sure you use a good antivirus scanner with an up-to-date signature database. Enable the software's auto-protect feature so that the software can recognize and block any known malicious programs that a remote computer might send. Make sure that the antivirus protection covers your IM client; also make sure the product addresses malicious threats no matter how they enter the PC.

Deploy a current IM client. The latest IM clients usually close the known holes. For example, after vendors saw that IRC viruses and worms commonly spread by overwriting script.ini, they started renaming the default configuration file to other names. If your IM client has an automatic upgrade feature, select it.

Don't accept default directories when you install your IM client. Many crude attacks are successful only if the IM client software is installed in its default directories with default configuration names. Change the default installation directory name. In most cases, you won't need to refer to the file again, and you've just added some protection.

Hide personal identifying information. When you install IM software, the software often requests that you provide personal identifying information, such as name, email address, mail address, phone number, gender, and age. Whenever possible, offer false information. If someone needs your real information, you can send the data to that person only.

Remain invisible. Several IM networks (e.g., Yahoo! Messenger, IRC, ICQ) let users choose invisible mode. When you're invisible, other participants don't know when your client is active. Even if you're on other users' buddy lists, your nickname remains shaded. Some clients let you send and receive messages while in invisible mode. On IM networks with mostly public channels, make invisible mode your default.

Use caution when you accept file transfers. Never set your IM client to automatically accept file transfers, even from trusted sources. If a trusted friend that you're chatting with wants to send you a file, make sure he or she means to send it. IM worms and viruses will exploit a remote user's contact list and initiate conversations to send you infected files. The malicious program won't respond to your additional queries. Never accept files sent to the whole channel at once, even if the file is apparently a security patch or antivirus program.

I recommend that you load only those files you receive from commercial vendors and security-minded sources and that you always scan files with an antivirus scanner first.
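The file-transfer rule above can be written as a check on incoming IRC DCC SEND offers. This is an added example, not code from the article or from any IRC client: it parses the offer (a CTCP message carrying the file name, the sender's IP address as a 32-bit integer, and a port) and never auto-accepts. The message layout is the commonly used DCC form; the contact list, nicknames, and addresses are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# File types that run code when opened, plus IRC client script/config files
# (the article notes that worms spread by overwriting script.ini).
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".ini", ".mrc"}

# Wire form: :nick!user@host PRIVMSG target :\x01DCC SEND file ip port [size]\x01
DCC_SEND = re.compile(
    r'^:(?P<nick>[^!\s]+)\S* PRIVMSG \S+ :\x01DCC SEND '
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+)) '
    r'(?P<ip>\d{1,10}) (?P<port>\d{1,5})(?: \d+)?\x01$'
)

@dataclass
class Offer:
    nick: str
    filename: str
    address: str  # sender's IP address, decoded from the integer field
    port: int

def parse_dcc_send(line):
    """Return an Offer for a DCC SEND request, or None for any other line."""
    m = DCC_SEND.match(line.rstrip("\r\n"))
    if not m or int(m["ip"]) > 0xFFFFFFFF or int(m["port"]) > 65535:
        return None
    return Offer(m["nick"], m["quoted"] or m["bare"],
                 str(ipaddress.IPv4Address(int(m["ip"]))), int(m["port"]))

def evaluate(offer, contacts):
    """Return ("reject" | "ask", reasons). No offer is ever auto-accepted."""
    reasons = []
    name = offer.filename.lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if "/" in name or "\\" in name:
        reasons.append("file name contains a path")
    if ext in RISKY_EXT:
        reasons.append("executable or script file type " + ext)
        if len(parts) > 2:
            reasons.append("double extension hides the real type")
    if offer.nick.lower() not in contacts:
        reasons.append("sender is not on the contact list")
    if reasons:
        return "reject", reasons
    return "ask", ["confirm with the sender that the transfer is intended"]

# Constructed sample traffic (documentation addresses, made-up nicknames).
SAMPLE = [
    ':alice!a@host.example PRIVMSG me :\x01DCC SEND notes.txt 3221225994 5000 1024\x01',
    ':stranger!x@host.example PRIVMSG #chat :\x01DCC SEND "holiday photo.jpg.scr" 3325256711 4000 20480\x01',
    ':alice!a@host.example PRIVMSG me :\x01DCC SEND script.ini 3221225994 5001 300\x01',
    ':alice!a@host.example PRIVMSG me :see you tomorrow',
]

def review(lines, contacts):
    """Evaluate every DCC SEND offer found in the given raw IRC lines."""
    results = []
    for line in lines:
        offer = parse_dcc_send(line)
        if offer:
            results.append((offer.filename, offer.address) + evaluate(offer, contacts))
    return results

if __name__ == "__main__":
    for row in review(SAMPLE, {"alice"}):
        print(row)
```

The decoded address also shows why the article recommends a personal firewall: every DCC offer discloses the sender's IP address to the recipient.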

Install a Personal Firewall
Intruders troll IM channels and collect participating machines' IP addresses. Intruders can place the IP addresses into a sweep list, then feed them into another program to automate attacks. Although intruders might not know where your computer's weaknesses are, they know it's online and will probe your machine. A personal firewall, such as Zone Labs' ZoneAlarm, Internet Security Systems' (ISS's) BlackICE PC Protection (http://www.iss.net), or Symantec's Norton Personal Firewall, will alert you to the attack. And if the attack is persistent, the firewall will automatically cut off all future traffic from the remote computer. Although a personal firewall might require a modest investment, many of the best are free to home users.

Safe IM
IM is a great communication tool, and people will use it increasingly in the future. If you follow the commonsense procedures I've outlined and you use a personal firewall, you can significantly reduce the risk of malicious attacks.
