Recently discovered vulnerabilities in the most popular instant messaging (IM) applications, as well as some targeted attacks via IM, are providing a glimpse of the threats to come.

Attacks on instant messaging systems still aren't as prevalent as those on email systems, and most IM attacks have been annoying worms aimed at recruiting bots or spewing spam. But newly found IM vulnerabilities indicate how lethal an IM attack could be: The AIM bug doesn't even require that the victim take any action at all to become infected.

And there are signs that the bad guys are gradually starting to use IM's rapid-fire transfer of messages as a more efficient way to spread bot infections, send spam, or conduct targeted attacks than store-and-forward email.

While IM attacks have increased only modestly this year, researchers at Akonix Systems, which sells IM security software, have seen about 300 IM attacks this year so far. It's the level of sophistication and criminal motivation behind these attacks over the past year and a half, as well as the new bug discoveries, that is especially significant, says Don Montgomery, vice president of marketing at Akonix. And last month, there was a 20 percent increase in these attacks versus the same period last year.

"There are stealthy, two-stage, worm and keylogger attacks. The keylogger waits on the desktop until the user logs onto a specific banking site, for example," he says. "It then grabs the password and login and uses email to send that out to a variety of always-moving [malicious] Websites."

And because the bad guys prefer the path of least resistance, IM makes an attractive target. Few companies actually secure their IM systems: A recent Akonix survey found that while 85 percent of organizations said they secured their email systems, only 10-15 percent had done the same for their IM systems. And IM infections are tougher to stem: "It's fast -- you can remediate an email server during the lag [in store-and-forward email]. But with instant messaging, you don't have that lag time."

One of Akonix's customers, which Montgomery describes as "one of the largest software companies in the world," suffered a targeted attack via its MSN Messenger IM system six months ago that infected around 10,000 desktops.

"It was a poisoned URL attack that downloaded malicious content into their network," says Montgomery, who could not disclose the name of the software vendor. "As it went from buddy list to buddy list, the whole company was infected rapidly, as well as external buddies."

The attack didn't take down the company's network, but each desktop took over an hour to remediate, he says.

Ivan Arce, founder and CTO of Core Security, which discovered the AIM bug, says although Core hasn't tracked attack trends per se in IM, he thinks many of these attacks today just may go unreported. "IM seems to be an obvious attack avenue."

The AIM bug is based on how AIM client uses Internet Explorer to run HTML. "It embeds an IE object within the AIM application... This is a documented feature of IE," Arce says. "It's not an implementation bug -- it's a bit more serious than that."

Most IM infections spread via a malicious URL in the message. The AIM bug doesn't require the user click on the link at all: Once the attacker has sent a message with the infected URL, he can direct the victim's IE browser to go wherever he wants, for instance, Arce says. "Now the app has full access to IE functionality," Arce says. "It can run JavaScript, ActiveX controls, and direct IE to a Website."

So if an attacker tucks a bad URL into an IM message, that message can direct the victim's AIM client to render the HTML code, which then runs on the victim's computer. Or it can send the victim's computer to a malicious Website without the user even knowing it. "It leads to a complete compromise of the system," Arce says.

Then the attacker can use the victim's screen name and buddy list to attack outside that organization as well, Arce says. AOL is currently working on a patch for the bug, which affects AIM V6.1, V6.2 beta, AIM Pro, and AIM Lite.

But AIM wasn't the first major IM client found with potentially game-over bugs: Security researchers also found serious bugs in the other two most popular IM systems, Windows Live Messenger (formerly called MSN Messenger) and Yahoo Messenger, which also would allow an attacker to take over the infected machine, notes Akonix's Montgomery.

"In all three, there were vulnerabilities in the application's executable code itself that could then open the door for an attacker to gain control of the machine," he says. "The fact that all three have had these bugs identified is a first... And the reason is that they are adding more functionality into each client, such as Webcams and voice," meaning more attack vectors, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.