Virus throttling for instant messaging

Matthew Williamson, Sana Security Inc.
Alan Parry, Hewlett Packard Labs

At VB 2003, Neal Hindocha and Eric Chien [1] presented on the dangers of malware for instant messaging (IM). Commenting on the high rate at which this malware could spread, they stated that throttling approaches were unlikely to be successful.

Virus throttling [2] is a technique for slowing the spread of worms and viruses that prevents infected machines from infecting others. It works well if the traffic generated by a spreading virus (contacting many different machines at a high rate) is significantly different from normal traffic. Previous work has shown that this technique works well for most TCP/IP traffic and email [2,3]. This paper applies the idea to instant messaging.

We have analysed data from the normal usage of a reasonably sized instant messaging server (710 users) and show that throttling is not only possible, but would be effective at slowing and stopping IM malware. We have also analysed the network over which this malware would spread, by looking at the buddy lists of all the users. We show that, given the actual network connectivity, IM malware will not spread as quickly or as fully as Hindocha and Chien predict, and that if throttling were used, the effects of malware would be much reduced. The throttling solution would be relatively easy to implement at the messaging server.
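As an added illustration (not code from the paper or its authors), the sketch below shows one way a per-sender throttle at the messaging server could separate the two traffic patterns described above. It assumes a working set of recent recipients plus a delay queue; the class name, the parameter values and the sample traffic are all constructed for this example.

```python
from collections import deque

class IMThrottle:
    """Per-sender throttle: messages to recently contacted recipients pass at
    once; messages to new recipients wait in a queue drained at a fixed rate."""

    def __init__(self, working_set_size=5, releases_per_tick=1, alarm_len=20):
        # All three parameters are illustrative assumptions, not measured values.
        self.recent = deque(maxlen=working_set_size)  # recently contacted recipients
        self.delayed = deque()                        # recipients awaiting release
        self.releases_per_tick = releases_per_tick
        self.alarm_len = alarm_len
        self.blocked = False

    def send(self, recipient):
        """Classify one outgoing message as 'sent', 'delayed' or 'blocked'."""
        if self.blocked:
            return "blocked"
        if recipient in self.recent:
            return "sent"
        self.delayed.append(recipient)
        if len(self.delayed) >= self.alarm_len:
            self.blocked = True  # a fast-growing queue is the detection signal
            return "blocked"
        return "delayed"

    def tick(self):
        """Once per time unit: release queued messages at the allowed rate."""
        released = []
        while not self.blocked and self.delayed and len(released) < self.releases_per_tick:
            recipient = self.delayed.popleft()
            if recipient not in self.recent:
                self.recent.append(recipient)  # oldest entry drops out when full
            released.append(recipient)
        return released

def simulate(events, ticks):
    """events maps tick -> recipients messaged in that tick.
    Returns (messages delivered, sender blocked?, messages still held)."""
    throttle, delivered = IMThrottle(), 0
    for now in range(ticks):
        delivered += sum(throttle.send(r) == "sent" for r in events.get(now, []))
        delivered += len(throttle.tick())
    return delivered, throttle.blocked, len(throttle.delayed)

# Constructed traffic: a user chatting with three buddies, one message per tick,
# versus malware messaging ten previously uncontacted buddies per tick.
NORMAL = {t: [["alice", "bob", "carol"][t % 3]] for t in range(30)}
WORM = {t: [f"buddy{t * 10 + i}" for i in range(10)] for t in range(10)}

if __name__ == "__main__":
    print("normal:", simulate(NORMAL, 30))
    print("worm:  ", simulate(WORM, 10))
```

With these assumed settings the normal user sees at most a one-tick delay on the first message to each buddy, while the worm-like sender gets two messages out before the queue length trips the block.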

References

[1] Neal Hindocha, Eric Chien, "Malicious Threats and Vulnerabilities in Instant Messaging", Proceedings VB 2003, p 114-124.

[2] Matthew M. Williamson, "Virus throttling: Restricting propagation to defeat malicious mobile code", Proceedings ACSAC 2002, p 61-68.

[3] Matthew M. Williamson, "Design, implementation and test of an email virus throttle", Proceedings ACSAC 2003, p 76-86.

