Instant messaging (IM) continues to be the fastest growing communications medium, with an estimated 390 million consumer and enterprise IM users by the end of 2006. Global services such as AOL® Instant Messenger, MSN® Messenger, and Yahoo!® Messenger each report over 1 billion messages sent per day, and IM traffic is expected to exceed email traffic by the end of 2006.[1] As one of the most successful and widely deployed applications on the Internet, IM has increasingly become the target for attackers to propagate IM-borne viruses, worms, spam over IM (SPIM), malware, and phishing attacks. Though widely adopted, IM is generally unprotected and unmonitored in consumer and enterprise environments, leaving it vulnerable to attacks and exploits. These attacks have grown exponentially over the past three years, increasing the need for real-time threat response for IM and peer-to-peer (P2P) applications.
With the integration of the IMlogic Threat Center, Symantec Security Response includes the industry’s first global consortium to provide threat detection and protection for IM threats. The findings in this paper are based on research and analysis of reported incidents and events on the global IM networks. Incidents reported to Symantec Security Response included open forum submissions from the general public, Symantec enterprise customer events, and events from the Symantec Global Intelligence Network. The Symantec Global Intelligence Network consists of more than 40,000 sensors monitoring network activity in more than 180 countries and comprehensively tracks attack activity across the entire Internet. Symantec also gathers malicious code data along with spyware and adware reports from over 120 million client, server, and gateway systems that have deployed the Symantec antivirus products.
[1] The Radicati Group, Instant Messaging Market 2005-2009.
Symantec Security Response, Top Five Instant Messaging Security Risks for 2006
Top Five Instant Messaging Security Risks
1. Interoperability and continued IM adoption will accelerate the total volume of IM threats
IM is the fastest growing communications medium in history, and the threat landscape will continue to mirror that growth. This past year demonstrated tremendous growth in the overall volume of IM threats, and 2006 will continue this trend. IM threats grew by 1693 percent in 2005 with more than 2,400 known IM-related threats. The growth of consumer IM within the enterprise will continue, spurred by new entrants Google Talk and Skype. Enterprise-class IM servers, most notably Microsoft Office Live Communications Server, will also expand their footprint inside corporate networks. Additionally, the 2006 IM market will be characterized by a greater variety of clients and services and by an increasingly connected network of IM users. The Live Communications Server interoperability agreement with the three major public networks will drive increased connection between Microsoft's deployed IM servers and the public IM networks. The recently announced Google-AOL deal predicts direct interoperability between AOL Instant Messenger and Google Talk and mirrors a partnership for interoperability between MSN and Yahoo!. More interoperability deals are expected to come in 2006. The forecasted growth of both consumer and enterprise IM, combined with the increasingly connected nature of the entire IM market, provides the groundwork for large-scale IM attacks that are able to reach across networks to every IM user.
2. Expanded IM functionality will increase the number of attack vectors
New versions of IM clients in 2006 will drive the adoption of more valuable real-time communications services such as VoIP and virtual conferencing. These services will provide new opportunity for more sophisticated attacks.
As voice and data converge, traditional security concerns such as denial-of-service attacks, spam, and identity spoofing will come to the forefront, and at a minimum, the ability to manage and control the exploding functionality of IM clients will be an urgent requirement this year.
These threat vectors will increasingly blend together, delivering multiple forms of malware and utilizing a variety of pathways to deliver their payload. According to Symantec Security Response, during the second half of 2005 worms were the preferred type of malicious code on all three of the large, consumer IM networks. As both legitimate and unapproved use of IM clients and P2P networking increases, new worms and viruses are increasingly using these mechanisms to spread.
3. More sophisticated and even intelligent worms will increase the infection rate
The creators of IM attacks are getting smarter about how to propagate their code and how to deliver their payload. IM threat authors are learning from the email threat world and innovating from there. Recent innovations such as the talking worm, which imitates an IM user by engaging the end user in a dialogue, demonstrate the creativity of today's virus writer to utilize the social engineering aspects of IM to increase click rates. Many threats are even multilingual, speaking to end users in their native tongue. The social engineering aspect of an IM threat is critical to its propagation and therefore will naturally become more sophisticated.
Today's threats are also more agile than their early predecessors. Threats are able to cross from one network to another and cross from public IM networks to internal IM servers. This mobility is especially relevant given the trend toward IM interoperability. Threats are increasingly able to avoid identification by antivirus products through rapid mutation of their payload signature. Attackers are also using rootkit software to hide the process, files, and registry keys for the software used in their attacks.
The impact of an attack is less likely to be immediately detected by an end user, which makes these types of attacks more dangerous.
4. Instant messaging will continue to attract cybercriminals
In the first half of 2005, IT departments focused on the cost of repairing an infected machine, as this was often the extent of the damage done by an attack. From the second half of 2005 and on into 2006, the damage done by IM attacks will have a far greater scope. Now that IM has proven itself to be such an efficient delivery vehicle for malware, the payloads of IM worms and viruses will be more sophisticated and designed more by cybercriminals than by mischievous hackers. Once a virus or worm deposits software on a computer, everything that an end user stores on the computer or does with the computer can be compromised. Confidential information, social security numbers, bank codes, and passwords are all vulnerable to theft. With this kind of incentive in place, real criminals are rushing to exploit this new opportunity.
Although damage to endpoint computers is still the number one financial risk associated with cyberattacks, the overall financial impact of the theft of proprietary data is on the rise and has eclipsed denial-of-service attacks as the second most costly threat category, according to the FBI and the Computer Security Institute.
Accordingly, this year will see a rise in phishing attacks and SPIM (spam over IM) as a delivery mechanism for malware. IM is especially vulnerable to these types of attacks since it is relatively simple to impersonate or spoof an IM identity. Companies traditionally don't own their own domain name on the consumer networks and don't generally require authentication or registration of IM accounts.
Symantec Security Response identified only 1 percent of IM threats as phishing attacks and only 5-10 percent of IM traffic as SPIM, but both of these numbers are likely to rise dramatically in 2006.
5. Intellectual property leaks from internal threats will drive major financial losses
While the bulk of attention in 2005 was correctly focused on protecting networks from external threats, more attention will be paid to the risks associated with employee use and misuse of instant messaging. Symantec Security Response reports that greater than 30 percent of employees use IM file transfer with external parties. The major reasons cited for use of IM file transfer included:
• File size restrictions implemented on the email system
• Content filters over email
• Employee didn't want a record of the file transferred
While most of the file transfer activity over IM is for valuable and legal business use, as IT and security organizations begin to monitor file transfer usage, the scope and scale of the intellectual property loss is expected to be astounding. Symantec predicts that a scandal involving sensitive customer or employee data will drive organizations to focus on controlling and stopping intellectual property loss over IM in 2006.
Conclusion
While many organizations have invested significant resources in protecting email and web communications, instant messaging often represents a new, unprotected means of communications for organizations and their end-users.
As IM continues its rapid level of adoption and increases its pervasiveness in the enterprise, attackers are likely to further recognize the potential for IM to serve as a method for the effective and efficient propagation of malicious content and viruses. Symantec recommends organizations implement the appropriate security precautions and supporting technology solutions to securely manage and protect IM within the enterprise. For more information about Symantec IM security solutions, please visit http://www.symantec.com.
Copyright 2006 Symantec Corporation. All rights reserved. Printed in the U.S.A. 05/06 10536289