Just a few users connected to popular instant messaging (IM) networks can cause the spread of worms, while choking off communications from "highly connected" users with many IM correspondents can slow the spread of worms, say computer researchers.
Traditional antivirus technology is too slow to be effective against worms spread by highly connected users, some with hundreds of IM correspondents, because the worms move with great speed, according to a study of IM worms. Halting communications from such users may be one strategy for slowing or stopping the spread of IM worms, according to Matthew Williamson, who conducted the research while working for Hewlett-Packard.
Williamson, who now works for Sana Security, discussed his work on IM worm propagation at the Virus Bulletin 2004 International Conference in Chicago on Thursday.
IM networks are an example of a phenomenon known as "scale-free networks," a term used by epidemiologists to describe systems, including communities of animals or people, in which not all members are connected to each other but which are highly susceptible to virus infections. In computer systems, the behavior of such networks is dominated by "highly connected" nodes, which have connections to large parts of the network population, he said. In IM networks, highly connected nodes translate into users with many correspondents, just as highly social people do in the real world.
"IM networks are just virtual manifestations of underlying physical relationships," Williamson said.
Worms infecting the computers of such users spread to their correspondents, and from those correspondents to other IM users, according to Williamson's study of 700 users at HP.
Because of these highly connected users, traditional methods of virus protection, such as using antivirus software to "immunize" every IM user, become ineffective: most IM users have only a few contacts and don't contribute greatly to the spread of viruses, Williamson said.
A better approach would be to immunize only highly connected users, but that can be difficult because of the speed with which IM worms spread across an entire network -- 10 to 20 seconds in HP's tests, Williamson said.
Alternatively, network administrators can try to spot "worm-like" behavior on IM networks as it occurs and restrict the rate at which machines can communicate with other machines. The technique, which HP calls "virus throttling," is almost identical to a method the company has promoted and is trying to patent for stopping e-mail virus and worm outbreaks on corporate networks, Williamson said.
After unveiling plans for a virus throttling service in February, the company acknowledged in August that it is not practical for use in mixed networking environments and that it is looking for a way to use the technology in typical network environments.
The virus throttling technology works by limiting the number of IM messages infected IM users can send outside their "working set," the small number of regular correspondents each IM user has. The technology is effective because even highly connected IM users with 100 or more IM "buddies" still have a small working set of buddies they talk to each day -- typically around five, with two messages sent outside the working set each day, Williamson said.
With virus throttling, any messages sent to users outside of the IM user's working set will be placed in a queue and delayed slightly before they are delivered. If the delay queue reaches a certain length, indicating a high volume of message traffic to atypical correspondents, IM communications can be blocked or delayed for much longer periods of time, Williamson said.
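The working-set-plus-delay-queue mechanism described above, as an added model that is not HP's or Williamson's code: a per-user throttle with an assumed working set of five correspondents and an assumed queue limit of four, run over constructed traffic for a normal user and for a worm bursting to a 100-buddy list.

```python
from collections import deque

class ImThrottle:
    """Per-user IM virus throttle (constructed model of the scheme in the article)."""
    def __init__(self, working_set_size=5, queue_limit=4):
        # Recently used correspondents; oldest is evicted when the set is full.
        self.working_set = deque(maxlen=working_set_size)
        # Messages to atypical correspondents waiting for the delivery timer.
        self.delay_queue = deque()
        self.queue_limit = queue_limit  # assumed threshold; not from the article
        self.blocked = False

    def send(self, recipient, msg):
        """Return 'delivered', 'delayed' or 'blocked' for one outgoing message."""
        if recipient in self.working_set:
            return "delivered"          # regular correspondent: pass straight through
        self.delay_queue.append((recipient, msg))
        if self.blocked or len(self.delay_queue) > self.queue_limit:
            self.blocked = True         # queue too long: worm-like behavior, hold all new contacts
            return "blocked"
        return "delayed"                # small delay before delivery to a new contact

    def tick(self):
        """Delivery timer: release one queued message and admit its recipient to the working set."""
        if self.blocked or not self.delay_queue:
            return None
        recipient, msg = self.delay_queue.popleft()
        self.working_set.append(recipient)
        return (recipient, msg)

def simulate(throttle, sends):
    """Feed (recipient, message) pairs through the throttle; return outcome counts."""
    counts = {"delivered": 0, "delayed": 0, "blocked": 0}
    for recipient, msg in sends:
        counts[throttle.send(recipient, msg)] += 1
    return counts

# Constructed traffic: a normal day of chat with regular buddies plus two new contacts.
NORMAL_DAY = [("alice", "hi")] * 3 + [("bob", "lunch?")] * 2 + [("carol", "hey")] \
    + [("dave", "new contact"), ("erin", "new contact")]
# Constructed worm traffic: one rapid burst to every entry in a 100-buddy list.
WORM_BURST = [(f"buddy{i}", "check this link") for i in range(100)]

def demo(sends):
    throttle = ImThrottle()
    for name in ("alice", "bob", "carol"):   # assumed existing working set
        throttle.working_set.append(name)
    return simulate(throttle, sends)
```

A normal day passes with only the two new contacts delayed, while the worm burst is stopped after five messages.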
Using throttling to take out the few highly connected IM users can dramatically slow the spread of worms over IM networks. At the same time, it doesn't affect the vast majority of IM users, he said.
Williamson, who left HP after conducting the study of virus throttling on IM worms, is quick to say that the technology is untested on large IM networks such as the massive consumer IM networks of America Online and Microsoft's MSN service. The technology, which was tested on HP corporate IM users, is also untested on one important IM population -- teenagers.
"It may be that the habits of teenagers are quite different -- maybe they can sustain more simultaneous conversations," Williamson said.
Still, the same principles that govern IM use on corporate networks like HP's should apply to teenagers, as well, allowing network administrators to detect worm-based versus legitimate IM activity, regardless of the profile of users on that network, he said.