
The Study Of Instant Messaging Worms Propagation And Countermeasures

Posted on: 2007-12-13
Degree: Master
Type: Thesis
Country: China
Candidate: J L Wei
Full Text: PDF
GTID: 2178360215470261
Subject: Cryptography
Abstract/Summary:
Instant Messaging (IM) has become one of the most popular online communication tools among consumer and enterprise users. It provides instant message delivery as well as convenient file transfer services. The increasing popularity and functionality of IM programs have made them increasingly attractive to attackers, especially worm writers. The IM contact list offers a worm an easy way to find potential victims, so the worm can achieve a surprising spreading speed.

In this paper, we mainly focus on analyzing the propagation features of IM worms and then try to design an effective algorithm for detecting and containing them. The main contributions are as follows:

1) Classic spreading techniques of IM worms and existing countermeasures. We first introduce the IM communication model, network architecture and the corresponding protocol features. Then the various threats to IM are explained in detail, and in particular the common techniques used in IM worm propagation are presented. Finally, the existing solutions for IM security and for IM worm detection and containment are analyzed.

2) IM worm propagation simulation under a scale-free network. According to related research results, the logical network of IM contact lists has scale-free characteristics. By performing a series of simulation experiments that take this fact into consideration, we investigate how the initial number of worm instances, the level of public awareness and the IM network connectivity each affect IM worm propagation. The conclusions are: ① Early detection and containment of an IM worm epidemic is very important to prevent it from spreading on a large scale. ② The level of public awareness has a direct impact on IM worm propagation.

3) A lightweight algorithm for detecting and containing IM worms. We introduce a new algorithm for detecting and containing IM worms in the early phase, based on the observation of the bi-directional nature of IM worm traffic, and we analyze its advantages and possible improvements in implementation. The simulation results show that the proposed algorithm has a significant effect on restricting IM worm propagation.

4) Implementation of the above lightweight algorithm as a Gaim plugin. We prototype the algorithm as an IM client plugin, so as to prove the simplicity and feasibility of our idea. This implementation also provides a reference for future work.
Keywords/Search Tags: Worm, Instant Messaging, Detection and Containment, Propagation, Simulation