IM Category Description
This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent Instant Messaging based network traffic. Instant Messaging is real-time chatting that users can participate in over the internet using a variety of messaging clients. These clients include AOL Instant Messenger (AIM), Yahoo! Instant Messenger, MSN Messenger, and others. Most clients allow users to do more than send text messages to one another: they allow users to post links in profiles and messages, exchange voice and video content, and transfer files up to 10MB. While this type of communication can be useful, it can also damage productivity, increase network traffic, and open the network to a variety of threats that exploit client software vulnerabilities or socially engineer users into compromising network security.
While most of the negative impacts of IM traffic on a network have to do with degraded performance through increased traffic, there are several more serious threats. IM applications open listening ports on client computers, exposing them to threats such as buffer overflow attacks in which an attacker exploits a flaw in the client software to take control of the computer. An older version of AIM, for example, made computers vulnerable to an attack through the Buddy Icon feature. An attacker could send another user a buddy icon whose "source" parameter contained more than 3000 characters, overflowing the stack and causing the computer to run arbitrary code. Computers were vulnerable even when the messenger was not logged on to a network. In these instances, blocking traffic on a client's default port is often not enough -- most clients are programmed to try a number of different ports to send messages if one is blocked. Some can even send their traffic over the default HTTP port 80, where packets are often less scrutinized by firewalls.
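The point above is that a port-based block is easy to sidestep, so an IPS signature has to recognise IM traffic by what the payload looks like rather than where it is addressed. The following is an added illustration written for this page, not SonicWALL's signature code or any vendor's: it classifies a few constructed sample flows first by destination port and then by payload framing, and reports the flows that a port-only rule would miss. The framing checks (the OSCAR/FLAP header used by AIM, the "YMSG" magic used by Yahoo! Messenger, and the line-oriented commands of MSN's MSNP) and the default port numbers are assumptions drawn from the public descriptions of those protocols; the sample payloads are constructed for the example.

```python
"""Port-independent IM traffic detection over constructed sample flows.

Added example for this page (not SonicWALL code).  Protocol framing rules and
default ports below are assumptions taken from public protocol descriptions.
"""
from dataclasses import dataclass
import re
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first bytes sent by the client on the connection


# Assumed default ports: AIM/OSCAR 5190, Yahoo!/YMSG 5050, MSN/MSNP 1863.
DEFAULT_PORTS = {5190: "AIM/OSCAR", 5050: "Yahoo/YMSG", 1863: "MSN/MSNP"}


def looks_like_oscar(p: bytes) -> bool:
    """OSCAR wraps every message in a FLAP header (assumed layout):
    0x2A, channel byte 1-5, 16-bit sequence number, 16-bit body length."""
    if len(p) < 6 or p[0] != 0x2A or not 1 <= p[1] <= 5:
        return False
    declared_len = int.from_bytes(p[4:6], "big")
    return declared_len == len(p) - 6  # body length must match the frame


def looks_like_ymsg(p: bytes) -> bool:
    """Yahoo! Messenger packets begin with the ASCII magic "YMSG" (assumed)."""
    return p.startswith(b"YMSG")


# MSNP is text based: a three-letter command, a transaction id, CRLF terminated
# (assumed), e.g. "VER 1 MSNP8 CVR0\r\n".
MSNP_RE = re.compile(rb"^(VER|USR|CVR|MSG|CHG|XFR|OUT|ANS|CAL|JOI) \d+ ")


def looks_like_msnp(p: bytes) -> bool:
    return bool(MSNP_RE.match(p)) and p.endswith(b"\r\n")


def classify_by_port(port: int) -> Optional[str]:
    """What a port-only rule would conclude."""
    return DEFAULT_PORTS.get(port)


def classify_by_payload(p: bytes) -> Optional[str]:
    """What a payload (signature) rule concludes, ignoring the port."""
    if looks_like_oscar(p):
        return "AIM/OSCAR"
    if looks_like_ymsg(p):
        return "Yahoo/YMSG"
    if looks_like_msnp(p):
        return "MSN/MSNP"
    return None


def audit(flows: List[Flow]) -> List[Tuple[int, Optional[str], Optional[str]]]:
    """Return (dst_port, port_verdict, payload_verdict) for every flow."""
    return [(f.dst_port, classify_by_port(f.dst_port),
             classify_by_payload(f.payload)) for f in flows]


def port_rule_misses(flows: List[Flow]) -> List[Tuple[int, str]]:
    """Flows that carry IM framing but would pass a port-only block."""
    return [(port, payload) for port, by_port, payload in audit(flows)
            if by_port is None and payload is not None]


# Constructed sample flows (not captured traffic).
# FLAP channel 1 "new connection" frame: header + 4-byte protocol version.
FLAP_HELLO = b"\x2a\x01\x00\x01\x00\x04" + b"\x00\x00\x00\x01"
SAMPLE_FLOWS = [
    Flow(5190, FLAP_HELLO),                              # AIM on its default port
    Flow(80, FLAP_HELLO),                                # AIM tunnelled over HTTP port
    Flow(80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),  # real web traffic
    Flow(1863, b"VER 1 MSNP8 CVR0\r\n"),                 # MSN on its default port
    Flow(443, b"YMSG\x00\x0b\x00\x00\x00\x00\x00\x00"),  # Yahoo! on an alternate port
]

if __name__ == "__main__":
    for port, by_port, by_payload in audit(SAMPLE_FLOWS):
        print(f"dst={port:<5} port-rule={by_port!s:<11} payload-rule={by_payload}")
    print("missed by port-only rule:", port_rule_misses(SAMPLE_FLOWS))
```

Running the block shows the two flows on ports 80 and 443 being classified correctly only by the payload check, which is the reason a signature set like this one inspects content instead of relying on the client's default port.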
Other threats involve socially engineering users of IM clients. Several new worms and Trojans have taken advantage of IM networks to propagate. Some send links to malicious code to all users on a victim's buddy list, while others post a link in the victim's profile which is likely to be clicked by that user's buddies. Much like mass-mailer worms, these threats can spread quickly over a network and carry a variety of malicious payloads, including opening a backdoor that listens for commands, allowing a remote user to take control of network computers.
Finally, the file transfer functionality of IM clients increases the chance that malicious, buggy, or pirated software will be installed on computers on the network. While users will be receiving files from buddies they trust, the origins of files and software passed around via IM are not verifiable. This can make a network especially vulnerable to Trojan horses, which attempt to fool a user into thinking that a malicious program is actually desirable, for example by displaying a picture or playing a video while the malicious processes install.
SonicWALL IM signatures are mostly categorized as low or medium priority. When enabled, these signatures can block IM traffic by preventing login, blocking inbound and outbound messages, and stopping status notifications that IM clients often send to each other. When set to detect, these signatures can be a useful tool to monitor how prevalent IM usage is among users on a network.