Super-connected users could aid IM worms

Just a few users connected to popular instant messaging (IM) networks can cause the spread of worms, while choking off communications from "highly connected" users with many IM correspondents can slow the spread of worms, say computer researchers.

Traditional antivirus technology is too slow to be effective against worms spread by highly connected users, some with hundreds of IM correspondents, because the worms move with great speed, according to a study of IM worms. Halting communications from such users may be one strategy for slowing or stopping the spread of IM worms, according to Matthew Williamson, who conducted the research while working for Hewlett-Packard.

Williamson, who now works for Sana Security, discussed his work on IM worm propagation at the Virus Bulletin 2004 International Conference in Chicago on Thursday.

IM networks are an example of a phenomenon known as "scale-free networks," a term used by epidemiologists to describe systems, including communities of animals or people, in which not all members are connected to each other, but that are highly susceptible to virus infections. In computer systems, the behavior of such networks is dominated by "highly connected" nodes, which have connections to large parts of the network population, he said. In IM networks, highly connected nodes translate into users with many correspondents, just as highly social people do in the real world.

"IM networks are just virtual manifestations of underlying physical relationships," Williamson said.

Worms infecting the computers of such users spread to their correspondents, and from those correspondents to other IM users, according to Williamson's study of 700 users at HP.

The existence of highly connected users means that traditional methods of virus protection, such as using antivirus software to "immunize" IM users, become ineffective because most IM users have only a few contacts and don't contribute greatly to the spread of viruses, Williamson said.

A better approach would be to immunize only highly connected users, but that can be difficult because of the speed with which IM worms spread across an entire network -- between 10 and 20 seconds in HP's tests, Williamson said.

Alternatively, network administrators can try to spot "worm-like" behavior on IM networks as it occurs and restrict the rate at which machines can communicate with other machines. The technique, which HP calls "virus throttling," is almost identical to a method the company has promoted and is trying to patent for stopping e-mail virus and worm outbreaks on corporate networks, Williamson said.

After unveiling plans for a virus throttling service in February, the company acknowledged in August that it is not practical for use in mixed networking environments and that it is looking for a way to use the technology in typical network environments.

The virus throttling technology works by limiting the number of IM messages infected IM users can send outside their "working set," the small number of regular correspondents each IM user has. The technology is effective because even highly connected IM users with 100 or more IM "buddies" still have a small working set of buddies they talk to each day -- typically around five, with two messages sent outside the working set each day, Williamson said.

With virus throttling, any messages sent to users outside of the IM user's working set will be placed in a queue and delayed slightly before they are delivered. If the delay queue reaches a certain length, indicating a high volume of message traffic to atypical correspondents, IM communications can be blocked or delayed for much longer periods of time, Williamson said.
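
The throttling logic described above, as an added sketch (not HP's implementation and not code from the article), run over constructed traffic for a normal user and a worm-like sender. The working-set size of five comes from the article; the release rate, the queue length that triggers blocking, and all class, function and contact names are assumptions.

```python
from collections import deque

class IMThrottle:
    """Per-sender throttle: working-set contacts pass, others wait in a delay queue."""
    def __init__(self, known=(), working_set_size=5, release_per_tick=1, block_threshold=10):
        self.working_set = deque(known, maxlen=working_set_size)  # recent correspondents
        self.delay_queue = deque()                # messages to atypical correspondents
        self.release_per_tick = release_per_tick  # assumed release rate
        self.block_threshold = block_threshold    # assumed queue length that signals a worm
        self.blocked = False

    def send(self, recipient, message):
        """Return 'delivered', 'delayed' or 'blocked' for one outgoing message."""
        if self.blocked:
            return "blocked"
        if recipient in self.working_set:
            self.working_set.remove(recipient)    # refresh recency
            self.working_set.append(recipient)
            return "delivered"
        self.delay_queue.append((recipient, message))
        if len(self.delay_queue) >= self.block_threshold:
            self.blocked = True                   # sustained traffic to new contacts
            return "blocked"
        return "delayed"

    def tick(self):
        """Advance one time step, releasing queued messages at the limited rate."""
        released = []
        while not self.blocked and self.delay_queue and len(released) < self.release_per_tick:
            recipient, message = self.delay_queue.popleft()
            self.working_set.append(recipient)    # oldest contact drops out when full
            released.append((recipient, message))
        return released

def simulate(schedule, known):
    """Run a per-tick list of recipient lists; return (messages that got through, blocked)."""
    throttle = IMThrottle(known=known)
    reached = 0
    for recipients in schedule:
        reached += sum(throttle.send(r, "hi") == "delivered" for r in recipients)
        reached += len(throttle.tick())
    return reached, throttle.blocked

# Constructed traffic: five regular buddies, one new contact on the fourth tick.
BUDDIES = ["ann", "bob", "cat", "dan", "eve"]
NORMAL = [BUDDIES + (["new1"] if t == 3 else []) for t in range(10)]
# Constructed worm-like traffic: three never-seen recipients every tick.
WORM = [[f"victim{3 * t + i}" for i in range(3)] for t in range(10)]
```

With these constructed inputs, `simulate(NORMAL, BUDDIES)` lets all 51 messages through without blocking, while `simulate(WORM, BUDDIES)` lets 4 of 30 through before the sender is blocked.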

Using throttling to take out the few, highly connected IM users can dramatically slow the spread of worms over IM networks. At the same time, it doesn't affect the vast majority of IM users, he said.

Williamson, who left HP after conducting the study of virus throttling on IM worms, is quick to say that the technology is untested on large IM networks such as the massive consumer IM networks of America Online and Microsoft's MSN service. The technology, which was tested on HP corporate IM users, is also untested on one important IM population -- teenagers.

"It may be that the habits of teenagers are quite different -- maybe they can sustain more simultaneous conversations," Williamson said.

Still, the same principles that govern IM use on corporate networks like HP's should apply to teenagers, as well, allowing network administrators to detect worm-based versus legitimate IM activity, regardless of the profile of users on that network, he said.


Paul Roberts

IDG News Service