Matthew Williamson, Sana Security Inc.
Alan Parry, Hewlett Packard Labs
At VB 2003, Neal Hindocha and Eric Chien [1] presented on the dangers of malware for instant messaging (IM). Commenting on the high rate at which this malware could spread, they stated that throttling approaches were unlikely to be successful.
Virus throttling [2] is a technique that slows the spread of worms and viruses by preventing infected machines from infecting others. It works well if the traffic generated by a spreading virus (contacting many different machines at a high rate) is significantly different from normal traffic. Previous work has shown this technique to work well for most TCP/IP traffic and email [2,3]. This paper applies the idea to instant messaging.
We have analysed data from the normal usage of a reasonably sized instant messaging server (710 users) and show that throttling is not only possible, but would be effective at slowing and stopping IM malware. We have also analysed the network over which this malware would spread, by looking at the buddy lists of all the users. We show that, given the actual network connectivity, IM malware will not spread as quickly or as fully as Hindocha and Chien predict, and that if throttling were used, the effects of malware are much reduced. The throttling solution would be relatively easy to implement at the messaging server.
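As an added illustration (not the authors' implementation), the sketch below shows one way a messaging server could throttle each account: messages to recently contacted recipients pass at once, while messages to new recipients are released at a limited rate and a growing backlog stops the sender. The class name, the working-set and queue design, all parameter values and the sample traffic are assumptions constructed for this example.

```python
from collections import OrderedDict, deque

class SenderThrottle:
    """Server-side throttle for one IM account. Times are integer milliseconds."""

    def __init__(self, working_set=5, interval_ms=1000, queue_limit=20):
        # Assumed illustrative parameters, not values from the paper.
        self.working_set, self.interval_ms, self.queue_limit = working_set, interval_ms, queue_limit
        self.recent = OrderedDict()  # recipients this sender contacted recently
        self.pending = deque()       # (recipient, text) held for new recipients
        self.next_release = 0
        self.blocked = False

    def _remember(self, recipient):
        self.recent[recipient] = True
        self.recent.move_to_end(recipient)
        while len(self.recent) > self.working_set:
            self.recent.popitem(last=False)

    def tick(self, now):
        """Release at most one new recipient per interval; return delivered messages."""
        out = []
        while self.pending and not self.blocked and self.next_release <= now:
            head = self.pending[0][0]
            out += [m for m in self.pending if m[0] == head]
            self.pending = deque(m for m in self.pending if m[0] != head)
            self._remember(head)
            self.next_release += self.interval_ms
        return out

    def submit(self, now, recipient, text):
        if self.blocked:
            return []
        if recipient in self.recent:          # familiar contact: no delay
            self._remember(recipient)
            return [(recipient, text)] + self.tick(now)
        if not self.pending:                  # idle sender: no backlog penalty
            self.next_release = max(self.next_release, now)
        self.pending.append((recipient, text))
        if len(self.pending) > self.queue_limit:
            self.blocked = True               # sustained fan-out: stop the account
            return []
        return self.tick(now)

def simulate():
    """Constructed traffic: a normal user versus a worm walking a buddy list."""
    user, worm = SenderThrottle(), SenderThrottle()
    normal = sum(len(user.submit(5000 * i, ["alice", "bob", "carol"][i % 3], "hi")) for i in range(12))
    spread = sum(len(worm.submit(100000 + 100 * i, f"buddy{i}", "click me")) for i in range(50))
    return normal, user.blocked, spread, worm.blocked
```

In this constructed run the normal user's 12 messages are all delivered without delay, while the account messaging 50 different buddies at ten per second gets 3 messages out before it is blocked.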
References
[1] Neal Hindocha, Eric Chien, "Malicious Threats and Vulnerabilities in Instant Messaging", Proceedings VB 2003, p 114-124.
[2] Matthew M. Williamson, "Virus throttling: Restricting propagation to defeat malicious mobile code", Proceedings ACSAC 2002, p 61-68.
[3] Matthew M. Williamson, "Design, implementation and test of an email virus throttle", Proceedings ACSAC 2003, p 76-86.