Users of AOL Instant Messenger were perplexed yesterday when something that appeared to be a worm spread among the people on their buddy lists. But the program is actually a commercial product.
Dubbed "Osama Found" or "BuddyLinks" by some, the program is a game that secures permission from users to send ads to the people on their buddy lists. It is not malicious code, though. McAfee calls it "adware." IM management vendor FaceTime Communcations Inc. calls it "IM spam," or "spim." Others have declared it simply "scumware."
There is no explicit security threat associated with Osama Found, but security experts warn that the program's ability to spread shows that IM is fertile ground for attackers. Users who automatically click on links sent by acquaintances and install unfamiliar programs represent a weak link in the security chain.
"Look at it from the standpoint of the bad guys," said Dmitry Shapiro, CTO of Akonix Systems Inc., a developer of IM management products. "They are trying hard to get to the end users, as they have the best information and are the most susceptible."
From a technical standpoint, IM is dangerous because it bypasses a lot of the traditional security safeguards, such as antivirus scanners and firewalls, Shapiro said. The technology is still new, so often people use it at work without its being formally supported (and secured) by IT staff.
By contrast, virtually no company has e-mail without some form of antivirus protection. Better protection means it's harder for attackers to create malicious code that will be successful. Using IM as a means of attack holds growth opportunities. "We are going to see more and more of this, as virus and worm writers look for new avenues of attack," Shapiro said.
Yet technology wasn't the reason Osama Found was able to spread. Rather, it was the social nature of IM -- the game was able to spread rapidly just by relying on the interconnected web of people's buddy lists, said Rahul Abhyankar, director of product management at Foster City, Calif.-based FaceTime. "People always send URLs to their co-workers and friends and say, 'Take a look at this; it's cool,'" he said.
That is exactly what Osama Found did. The message says "check out this link" and provides a link to the game. Someone busy with work might be liable to blindly click on the link. A dialog box then prompts the user to install the game.
Users who do so agree to the licensing agreement, which allows PSD Tools, the purported supplier of the game, to "interoperate with your current instant messaging client, so as to permit the automatic sending of advertising messages originating from your computer to your contact or 'buddy' list regarding content offered by PSD Tools or its suppliers."
The agreement also allows the company to "periodically deliver additional content such as, but not limited to, advertisements and promotional messages to your computer."
Abhyankar sees it as only a matter of time before users develop the caution needed to use IM securely. Most e-mail users have learned to be a little suspicious when they receive an unexpected e-mail with an attachment. They know they should ping the sender, even if it's a friend or co-worker, to make sure the message is legit.
Users need to learn what it means when a dialog box comes up asking to install a program. In other words, they need to break the mentality that tells them to automatically click "OK." Many people think of URLs as pretty safe things -- and that the worst that can happen is a porn site may come up. But some Internet Explorer vulnerabilities can be exploited simply by getting users to visit a site, said Craig Schmugar, virus research manager at McAfee AVERT.
The Jitux-A worm, which traveled via MSN Messenger in December, did just that. And there have been other programs like Osama Found. In 2002, FriendGreetings spread in a similar fashion, but using e-mail. That program sent itself out to all users in a recipient's Outlook address book.