Instant messaging worms are nothing new. They first showed up on the scene in the mid-2000s as instant messaging applications started making inroads in the enterprise. Back in those days, people were starting to run AOL Instant Messenger, Windows Live Messenger, or Yahoo! Messenger on their work machines while logged into their personal accounts.
It was an early form of consumerization with people bringing the applications they used in their personal lives into the workplace. Call it a “BYOA” approach: Bring Your Own Application. Always being ready to adapt to emerging trends, attackers started crafting malware that would exploit the weaknesses these new applications introduced into the workplace. Attackers adapted methods that worked so well with email worms like the ILOVEYOU worm of 2000 to create a new kind of worm that could spread even faster over IM networks.
The makers of IM clients eventually moved to shut down IM worms by disabling links and other features that had enabled these worms to thrive. It’s been a few years since we’ve seen an IM worm outbreak.
At least that was the case until a few weeks ago. We saw a return of the IM-style worm, this time using Skype as its platform. Trend Micro’s researchers have written about the specifics of the attack and detailed the underlying DORKBOT malware threat.
It’s too early to say if Skype is going to become the hot new target that IM clients once were. But the return of this type of worm underscores a risk that IT managers face in an increasingly BYO world. BYOD policies mean not just that employees are bringing their own devices; they are also bringing their own applications on those devices. This introduces new risks and attack vectors to your environment. Whether it’s Skype, FaceTime, or some other consumer application, your users are bringing applications with consumer-level security into your enterprise environment.
BYOD (and BYOA) can be great for users and for keeping costs down. But it’s a real challenge for IT security managers because it erodes control over the client endpoint. The recent Skype worm should be a wake-up call for managers to insist that consumer devices and applications on their networks at least conform to certain basic standards around security software and anti-malware.