7.8 Protecting Yourself from IM Attacks

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 7.  Instant Messaging Attacks

If you or your network needs IM services, here are the steps you can take to minimize the risk from malicious hackers:

  1. Don't accept files from untrusted sources.

    No matter what you are doing, don't accept files or scripts from untrusted sources. Don't run programs or load scripts from untrusted sites that claim to boost IM performance or help with defense. Often these are Trojan files that will compromise your machine. Make sure all file security and warning mechanisms are enabled on IM clients and set to their highest setting.

  2. Use an antivirus scanner.

    A good antivirus scanner that scans Internet file downloads will catch most known malicious mobile code, including IRC worms and other malicious IM programs.

  3. Run the latest versions of IM clients.

    Every new version of an IM client tries to fix the security holes that hackers have been exploiting. By using the latest version of the IM client, you get not only new functionality but also less exposure to malicious mobile code.

  4. Hide your IP address.

    If allowed in your client software, disable the publication of your IP address. This will decrease the opportunities for malicious hackers to exploit your machine.

  5. Change default directories.

    Many IM exploits are hard-coded to look for the default install and download directories of your IM client program. Simply install to a slightly different directory and you've taken a significant step against malicious IM code. For example, you might change your default program directory from C:\MIRC to C:\FROGTEST. Your program will still work, but it will be harder for hackers to mess with your system. Early versions of some IRC clients allowed files to be downloaded directly into the program directory. This allowed script exploits to be started automatically the next time the IRC client was started. Make sure your version has a separate download directory, and change that to something other than \DOWNLOAD.

The next two recommendations (6 and 7) are specifically for IRC clients.

  6. Join IRC networks with security bots and authentication services.

    Some IRC networks, like Dalnet, which go out of their way to prevent mischief, should be considered safer than those that do not. Also, entering known hacker channels, like #hackers and #warez, is pretty much an invitation to IRC mischief.

  7. Consider using your own security scripts or bots.

    Hard-core IRC users implement security bots that protect their systems and channels against hack attacks. To find out where to locate security bots, check out any of the channels dedicated to new IRC users. But before you download someone else's script, make sure it comes from a trusted source. Furthermore, you may want to take the time to make sure the script doesn't contain malicious code. Scripts with CTCP, DCC, and /RUN commands should be scrutinized carefully or avoided. You can also ask your channel operator for suggestions.

  8. Disable IM with a firewall.

    If you have no valid reason for allowing IM traffic, consider blocking the typical IM port numbers with a firewall.

  9. Consider a secure alternative.

    If Instant Messaging is taking over your network and users and managers refuse to part with its functionality, recommend a less-hacked alternative. I personally do not allow ICQ or IRC traffic in network environments I manage. I would block AIM if it was acceptable to management. If users require an Instant Messaging solution, give them a better alternative. Several vendors offer secure corporate versions, many of which work perfectly fine over the Internet. For example, Novell's Instantme™ offers a secure IM client, thereby allowing encrypted conversations with digital certificate support. Microsoft has several IM products, including one delivered with Exchange Server 2000, which can be considered for the corporate environment.
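
The script review suggested in recommendation 7 (scrutinize scripts that contain CTCP, DCC, and /RUN commands) can be given a first pass automatically. The Python below is an added example, not code from the book; it assumes mIRC-style syntax (';' comment lines, '|' between commands) and runs on a constructed sample script with a hypothetical helper.exe.

```python
import re
from typing import NamedTuple

# Commands the text says deserve scrutiny, with the reason a reviewer cares.
RISKY = {
    "ctcp": "handles or sends CTCP requests (remote-triggered behaviour)",
    "dcc": "starts a DCC transfer or chat (files leave or enter the machine)",
    "run": "launches an external program",
}

# A word counts only in command position: at the start of the line, or right
# after '|', '{' or ':' (assumed separators), with optional leading slashes.
COMMAND = re.compile(r"(?:^|[|{:])\s*/*(ctcp|dcc|run)\b", re.IGNORECASE)


class Finding(NamedTuple):
    line_no: int
    command: str
    text: str


def review_script(source: str) -> list[Finding]:
    """Return every line of an IRC script that uses CTCP, DCC or /RUN."""
    findings = []
    for line_no, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):  # ';' comment lines are skipped
            continue
        for match in COMMAND.finditer(line):
            findings.append(Finding(line_no, match.group(1).lower(), line))
    return findings


# Constructed sample script (not taken from any real bot or exploit).
SAMPLE = r"""
; channel greeter
on 1:JOIN:#:/msg $chan welcome $nick, type !rules before you run off
on 1:TEXT:!files:#:/dcc send $nick example.txt
ctcp 1:*:*:/run C:\FROGTEST\helper.exe
alias hello { /echo -a hi | //RUN notepad.exe }
"""

if __name__ == "__main__":
    for f in review_script(SAMPLE):
        print(f"line {f.line_no}: {f.command.upper()} - {RISKY[f.command]}")
        print(f"    {f.text}")
```

A clean result only means none of the three commands appear in command position; every flagged line still has to be read by a person before the script is loaded.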


Malicious Mobile Code: Virus Protection for Windows (OReilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176
