Super-connected users could aid IM worms

Just a few users connected to popular instant messaging (IM) networks can cause the spread of worms, while choking off communications from "highly connected" users with many IM correspondents can slow the spread of worms, say computer researchers.

Traditional antivirus technology is too slow to be effective against worms spread by highly connected users, some with hundreds of IM correspondents, because the worms move with great speed, according to a study of IM worms. Halting communications from such users may be one strategy for slowing or stopping the spread of IM worms, according to Matthew Williamson, who conducted the research while working for Hewlett-Packard.

Williamson, who now works for Sana Security, discussed his work on IM worm propagation at the Virus Bulletin 2004 International Conference in Chicago on Thursday.

IM networks are an example of a phenomenon known as "scale-free networks," a term used by epidemiologists to describe systems, including communities of animals or people, in which not all members are connected to each other, but that are highly susceptible to virus infections. In computer systems, the behavior of such networks is dominated by "highly connected" nodes, which have connections to large parts of the network population, he said. In IM networks, highly connected nodes translate into users with many correspondents, just as highly social people do in the real world.

"IM networks are just virtual manifestations of underlying physical relationships," Williamson said.

Worms infecting the computers of such users spread to their correspondents, and from those correspondents to other IM users, according to Williamson's study of 700 users at HP.

Because of highly connected users, traditional methods of virus protection, such as using antivirus software to "immunize" IM users, become ineffective: most IM users have only a few contacts and don't contribute greatly to the spread of viruses, Williamson said.

A better approach would be to immunize only highly connected users, but that can be difficult because of the speed with which IM worms spread across an entire network -- between 10 and 20 seconds in HP's tests, Williamson said.

Alternatively, network administrators can try to spot "worm-like" behavior on IM networks as it occurs and restrict the rate at which machines can communicate with other machines. The technique, which HP calls "virus throttling," is almost identical to a method the company has promoted and is trying to patent for stopping e-mail virus and worm outbreaks on corporate networks, Williamson said.

After unveiling plans for a virus throttling service in February, the company acknowledged in August that it is not practical for use in mixed networking environments and that it is looking for a way to use the technology in typical network environments.

The virus throttling technology works by limiting the number of IM messages infected IM users can send outside their "working set," the small number of regular correspondents each IM user has. The technology is effective because even highly connected IM users with 100 or more IM "buddies" still have a small working set of buddies they talk to each day -- typically around five, with two messages sent outside the working set each day, Williamson said.

With virus throttling, any messages sent to users outside of the IM user's working set will be placed in a queue and delayed slightly before they are delivered. If the delay queue reaches a certain length, indicating a high volume of message traffic to atypical correspondents, IM communications can be blocked or delayed for much longer periods of time, Williamson said.
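The throttle described above, sketched as an added example (it is not HP's implementation and not code from the article). The working-set size of five comes from the article; the queue limit of 10, the release of one delayed message per time unit, the eviction of the least recently used contact, and all names and traffic are constructed assumptions.

```python
from collections import deque

class IMThrottle:
    """Per-sender throttle: known contacts pass, others queue for delayed release."""
    def __init__(self, known=(), working_set_size=5, queue_limit=10):
        # Recent correspondents, oldest first; maxlen evicts the oldest on append.
        self.working_set = deque(known, maxlen=working_set_size)
        self.queue_limit = queue_limit   # assumed "worm-like" threshold
        self.queue = deque()             # recipients awaiting delayed delivery
        self.released = []               # recipients delivered after a delay
        self.blocked = False

    def _remember(self, recipient):
        if recipient in self.working_set:
            self.working_set.remove(recipient)
        self.working_set.append(recipient)   # most recent contact goes last

    def send(self, recipient):
        """Classify one outgoing message: delivered, delayed or blocked."""
        if self.blocked:
            return "blocked"
        if recipient in self.working_set:
            self._remember(recipient)
            return "delivered"
        self.queue.append(recipient)
        if len(self.queue) >= self.queue_limit:
            self.blocked = True          # high volume to atypical recipients
            return "blocked"
        return "delayed"

    def tick(self):  # one time unit passes: release at most one delayed message
        if not self.blocked and self.queue:
            recipient = self.queue.popleft()
            self._remember(recipient)
            self.released.append(recipient)

def run(throttle, traffic):
    """Feed traffic given as one list of recipients per time unit."""
    outcomes = []
    for recipients in traffic:
        outcomes += [throttle.send(r) for r in recipients]
        throttle.tick()
    return outcomes

def demo():
    """Constructed traffic: a normal user, then 5 new buddies per time unit."""
    regulars = ["amy", "bob", "cat", "dan", "eve"]
    normal, worm = IMThrottle(regulars), IMThrottle(regulars)
    calm = run(normal, [["amy"], ["bob", "zed"], ["amy"], ["zed"]])
    burst = run(worm, [[f"buddy{5 * t + k}" for k in range(5)] for t in range(20)])
    return normal, calm, worm, burst
```

In the constructed run, the normal user's single message to a new contact is only delayed by one time unit, while the sender that messages 100 buddies reaches two of them before the queue limit trips and everything else is blocked.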

Using throttling to take out the few, highly connected IM users can dramatically slow the spread of worms over IM networks. At the same time, it doesn't affect the vast majority of IM users, he said.

Williamson, who left HP after conducting the study of virus throttling on IM worms, is quick to say that the technology is untested on large IM networks such as the massive consumer IM networks of America Online and Microsoft's MSN service. The technology, which was tested on HP corporate IM users, is also untested on one important IM population -- teenagers.

"It may be that the habits of teenagers are quite different -- maybe they can sustain more simultaneous conversations," Williamson said.

Still, the same principles that govern IM use on corporate networks like HP's should apply to teenagers, as well, allowing network administrators to detect worm-based versus legitimate IM activity, regardless of the profile of users on that network, he said.

Paul Roberts

IDG News Service