www.iss.net

Internet Security Systems White Paper

Control the Use of Instant Messaging and


Peer-to-Peer Applications with
Proventia® Network Multi-Function Security
Control the Use of Instant Messaging and Peer-to-Peer Applications 1

Table of Contents

CONTROL THE USE OF INSTANT MESSAGING AND PEER-TO-PEER APPLICATIONS WITH PROVENTIA® NETWORK MULTI-FUNCTION SECURITY . . . . 2
INSTANT MESSAGING EVENTS . . . . 2
    AOL Instant Messenger (AIM) . . . . 2
    MSN Messenger . . . . 3
    Yahoo! Messenger . . . . 4
    ICQ . . . . 4
PEER-TO-PEER EVENTS . . . . 5
    Gnutella . . . . 5
    Kazaa . . . . 5
    eDonkey . . . . 6
    BitTorrent . . . . 6
    SoulSeek . . . . 6
    Direct Connect . . . . 6
BLOCK PEER-TO-PEER AND INSTANT MESSAGING EVENTS WITH PROVENTIA® NETWORK MULTI-FUNCTION SECURITY . . . . 7
APPENDIX . . . . 12

CONTROL THE USE OF INSTANT MESSAGING AND PEER-TO-PEER APPLICATIONS WITH PROVENTIA® NETWORK MULTI-FUNCTION SECURITY

Instant messaging (IM) and peer-to-peer (P2P) applications, such as AOL Instant Messenger, Yahoo! Messenger, MSN Messenger and ICQ, are widely used both inside
and outside the corporate sphere. Real-time communication boosts productivity in corporate environments, but instant messaging and peer-to-peer applications
also put enterprise security at risk. These applications provide new avenues for virus and worm attacks, and can lead to information theft and bandwidth
misuse. Hackers have even utilized instant messaging and peer-to-peer applications to take control of corporate machines. The Internet Security Systems (ISS)
whitepaper, Risk Exposure Through Instant Messaging and Peer-To-Peer (P2P) Networks, at http://documents.iss.net/whitepapers/X-Force_P2P.pdf, contains
detailed information about the risks involved with instant messaging and peer-to-peer applications.

Even though many corporate security teams recognize the risks associated with IM, the application's convenience and popularity make it difficult to
prohibit. Corporations can reduce the risk of an IM and/or P2P security breach using the Proventia Network Multi-Function Security (MFS) appliance from
Internet Security Systems (ISS). Proventia Network MFS blocks threats targeting these applications, and can be used to tailor employees' use of IM and
P2P to a comfortable level for the security-minded enterprise.

Known threats, or events, that target IM and P2P applications are listed below along with detailed instructions for blocking these events using Proventia
Network MFS. Four common steps should be taken to enable protection in the appliance:

1. From the issue list, identify the behavior you want to block by the appropriate signature/issue ID.
2. Create an advanced parameter enabling the value-pair for the applicable signature/issue ID.
3. Create an advanced parameter enabling the value-pair that assigns the appropriate blocking response (i.e., drop-connection).
4. Save and confirm changes.

Please note: Proventia Network MFS relies in part on event signatures that fire when the appliance recognizes a known threat. Signature-based protection
can sometimes generate false positives or false negatives. To avoid confusion, ISS continuously monitors real-world events and customer feedback to
determine if an event is generating a false positive or false negative. Proventia Network MFS includes descriptions of these instances in the 'Event Help'
window which is displayed when selecting an event to block. Events marked with an asterisk (*) throughout this document are known to have false
positive/negative instances and should be reviewed in your environment before implementing.

INSTANT MESSAGING EVENTS

The following events target IM applications. Protection for all of these events is available in the Proventia Network MFS appliance.

AOL Instant Messenger (AIM)

AOL Instant Messenger (AIM) has had several security-related issues, including a buffer overflow in the game request parsing engine, which was reported
on January 2, 2002 by ISS: http://xforce.iss.net/xforce/alerts/id/advise107. In this scenario, a certain type of specially-crafted game request is made to an
AIM user, which causes an area in memory to be overwritten with arbitrary data supplied by an attacker. The computer can then be coerced into executing
the data, enabling an attacker to take control. AOL has patched this bug, but this is not the first vulnerability to affect AIM. This type of security threat
is becoming more prevalent as the code for AIM becomes more complex.

The events in the section below allow administrators to tailor how AIM is used on the enterprise network. Administrators can completely block the use of
AIM or tailor a policy which would allow its use but not allow file transfers or encrypted dialogue. ISS recommends blocking all exploit events.

Events to Block AIM

Issue Id- 3106000 AOLIM_Login
– Login detected to OSCAR Instant Messaging server
Issue Id- 3106001 AOLIM_Password_Change
– AOL/ICQ2000 "instant messaging" client password change request
Issue Id- 3106003 AOLIM_Message
– OSCAR "instant message" detected

Events to Block AIM Encrypted Traffic

Issue Id- 3106014 AOLIM_Trillian_Encrypt_Handshake
– Trillian instant messaging startup activity

Events to Block AIM File Transfer

Issue Id- 3106002 AOLIM_File_Xfer
– AOL/ICQ2000 "instant messaging" network file transfer attempt

Events to Block AIM Exploits

Issue Id- 2003301 AOL_Instant_Messenger_Overflow
– AOL Instant Messenger add buddy
Issue Id- 2106059 AOLIM_GameRequest_Overflow *
– AOL/ICQ2000 "instant messaging" game buffer overflow
Issue Id- 2113007 AOLIM_AddExternalApp_Overflow
– AOL Instant Messenger external application request buffer overflow
Issue Id- 2001538 AolAdmin_Response
– AOL Admin backdoor for Windows and AOL

MSN Messenger
MSN Messenger (also known as .NET Messenger and Windows Messenger) is the fastest growing instant messaging service. Much of this growth is a
result of Microsoft automatically shipping MSN Messenger with Windows XP, as well as the integration of MSN Messenger with Microsoft Office and
Microsoft's Hotmail service.

Use the events in this section to block the use of MSN Messenger on the network. ISS will add more MSN Messenger events to the Proventia Network MFS
appliance as they become available.

Events to Block MSN

Issue Id- 3106006 MsmsgrMessage
– MSN Messenger "instant messaging" service message
Issue Id- 3106007 MsmsgrLogin
– MSN Messenger "instant messaging" service login

Events to Block MSN File Transfer

Issue Id- 3104008 MSMessenger_FileXfer
– Reports the contents of Microsoft Messenger File Transfer Requests

Events to Block MSN Exploits

Issue Id- 2116019 Image_GIF_MSNMessenger_Execute_Code
– Detects specially-crafted GIF files which may lead to a heap overflow and execution of arbitrary code in MSN Messenger

Yahoo! Messenger
Yahoo! Messenger has the weakest security features of the major instant messaging platforms. Its protocol does not encrypt usernames and passwords,
making it risky to even log into the system. Also, the usernames and passwords are sent via HTTP, which allows this information to be stored in HTTP proxy logs.

Tailor the use of Yahoo! Messenger on the corporate network using the following events. Administrators can completely block the use of Yahoo! Messenger or
tailor a policy which would allow its use while not allowing file transfers. ISS recommends blocking all exploit events.

Events to Block Yahoo!

Issue Id- 3113001 YahooMSG_Login
– Yahoo! Instant Messenger service user login
Issue Id- 3106004 YahooMSG_Message
– Yahoo! Instant Messenger service text message
Issue Id- 3110006 YahooMSG_PeertoPeer
– Yahoo! Messenger has entered a peer-to-peer communication mode
Issue Id- 3110007 YahooMSG_Message_Chat
– Yahoo! Instant Messenger service text message
Issue Id- 3113002 YahooMSG_AddView
– Yahoo! Messaging AddView, 'ymsgr:addview?'

Events to Block Yahoo! File Transfer

Issue Id- 3106005 YahooMSG_File_Transfer
– Yahoo! Instant Messenger service file transfer request

Events to Block Yahoo! Exploits

Issue Id- 2113012 YahooMSG_URL_Handler_Overflow
– Yahoo! Messenger ymsgr: protocol multiple function call buffer overflow
Issue Id- 2110036 YahooMSG_UserID_Overflow
– This signature detects an overflow attempt in a user ID
Issue Id- 2107002 YahooMSG_Filename_Overflow
– This signature detects an overflow attempt in a file transfer filename field

ICQ
Time Warner now owns ICQ. However, it still maintains a separate database of users from the AOL Instant Messenger service.

The events below allow administrators to block the use of the ICQ Application on the network. ISS will add new events specific to the ICQ Application as
they become available.

Events to Block ICQ

Issue Id- 2009301 HTTP_ICQ_Pager
– Use of an ICQ pager detected

Events to Block ICQ File Transfer

Issue Id- 3113025 ICQ_File_Transfer
– ICQ file transfer attempt

Events to Block ICQ Exploits

Issue Id- 2113053 ICQ_PAM_Parser_Overflow
– NOTE: This is a High Priority event enabled by default with a protection response of "drop-packet"
Issue Id- 2113063 ICQ_Witty_Worm
– NOTE: This is a High Priority event enabled by default with a protection response of "drop-packet"
Issue Id- 2002572 HTTP_SubSeven_ICQ_Pager
– NOTE: This is a High Priority event enabled by default with a protection response of "block-connection"

PEER-TO-PEER EVENTS

Gnutella
The architecture for the Gnutella network is decentralized and is a true peer-to-peer network involving no central server for authentication, indexing, etc.
To connect to the Gnutella network, it is necessary to connect to several pre-determined IP addresses, which are able to relay information about other
systems' IP addresses to a newly-connected one. After the system identifies IP addresses of nearby systems, searching through the network of identified
systems and downloading shared files becomes possible.

Use the following events to block the Gnutella protocol on the network:

Events to Block Gnutella

Issue Id- 3102007 Gnutella_Connect *
– Gnutella connection attempt
Issue Id- 2104024 TCP_Probe_Gnutella
– TCP connection to default Gnutella port
Issue Id- 3102008 Gnutella_Download *
– Gnutella file download attempt
Issue Id- 2102015 Gnutella_Worm *
– Gnutella download containing a worm detected
Issue Id- 3113003 Gnutella_BearShare
– Connection made by the Gnutella client BearShare
Issue Id- 3113004 Gnutella_Limewire
– Connection made by the Gnutella client Limewire
Issue Id- 3113013 Gnutella_Shareaza
– Connection made by the Gnutella client Shareaza

Kazaa
Since it still relies on a central server for user information, Kazaa is not strictly a peer-to-peer network. The central server allows users to sign up for the
service, assigns the user a username and password, is responsible for authenticating users, and assists in locating peers necessary for available downloads.

Events used to block the Kazaa application on the network appear below:

Events to Block Kazaa

Issue Id- 3113005 FastTrack_Download *
– FastTrack file transfer detected
Issue Id- 3106013 HTTP_Kazaa *
– Kazaa initial startup HTTP request detected

eDonkey
eDonkey is a file searching and sharing application that is quite popular in Europe and has a growing user base in the United States. The architecture
for the eDonkey network is semi-centralized and relies on servers set up by users of the service.

The following events allow administrators to block the use of the eDonkey application on the network:

Events to Block eDonkey

Issue Id- 3113006 HTTP_EDonkey
– eDonkey initial startup HTTP request detected
Issue Id- 3104010 EDonkey_Connect
– eDonkey connection between an eDonkey client and an eDonkey server
Issue Id- 3104011 EDonkey_Download
– Detects an eDonkey file transfer

BitTorrent
BitTorrent is a protocol and peer-to-peer system for distributing files. It identifies files by URL and is designed to work well with Web browsers.

Administrators can block the use of the BitTorrent application with the following events:

Events to Block BitTorrent

Issue Id- 2120003 TCP_Probe_BitTorrent
– Attempt to connect to one of the default BitTorrent ports detected
Issue Id- 3120005 BitTorrent_Response
– TCP traffic indicative of a BitTorrent peer is present
Issue Id- 3120002 BitTorrent_Get_Request
– BitTorrent GET request from a peer detected

SoulSeek
SoulSeek claims to be an ad-free, spyware-free peer-to-peer application. The application generates a random listening port number when it first starts
to avoid detection by ISPs.

The following event allows administrators to block the use of the SoulSeek application on the network:

Events to Block SoulSeek

Issue Id- 3120007 Soulseek_Login_Detected
– Detects a SoulSeek P2P client logging onto a SoulSeek server

DirectConnect
DirectConnect is an older file sharing community that has evolved into a peer-to-peer player. This centralized network supports the DirectConnect, dc++
and bcdc++ clients.

The event used to block DirectConnect on the network follows:

Events to Block DirectConnect

Issue Id- 3104013 DirectConnect_Connect
– Detects a connection between a DirectConnect client and server

BLOCK PEER-TO-PEER AND INSTANT MESSAGING EVENTS WITH PROVENTIA NETWORK MULTI-FUNCTION SECURITY

By actively blocking peer-to-peer and instant messaging events, security administrators not only free up network bandwidth but also improve overall
enterprise security.

STEP 1: From the Issue List, identify the behavior you want to block by the appropriate signature/Issue ID.

To begin creating the advanced parameters that block peer-to-peer or instant messaging events, navigate to the intrusion prevention settings page in
Proventia Network MFS (Figure 1).

1. Select Configuration – Intrusion Prevention – Issue List icon (Figure 1).
2. Click the Name column header to sort the column alphabetically.
3. Find and identify the signature in the Name column of the Issue List. You can find out more information about the signature by clicking Display. You
will be using the signature's Issue ID to create the value pair for the advanced parameter.

Figure 1 - Intrusion Prevention Issue List



STEP 2: Create an Advanced Parameter enabling the applicable signature.

Two advanced parameters will need to be created for each check you want to block. You will need to create one advanced parameter to enable a specific
check (if it is marked as disabled in the Issue List) and another advanced parameter to assign an appropriate protection response. The syntax for
creating advanced parameters can be found in Appendix A of the Proventia Network MFS User Guide:

http://documents.iss.net/literature/proventia/Proventia_MSeries_3.7_UserGuide.pdf

Syntax for this specific example is provided below:

a. Navigate back to the Advanced Parameters tab at Configuration – Intrusion Prevention – Settings – Advanced Parameters (Figure 2).
b. Create two advanced parameters for each event you want to block by clicking Add on the Advanced Parameter tab of the Intrusion Prevention Settings.
c. Enable the signature by typing ipm.issue.<issueID> in the Name field (Figure 3).
d. Provide a relevant description in the Description field.
e. Check the Boolean radio button to enable the signature.

Figure 2 - Intrusion Prevention Advanced Parameters



Figure 3- Adding Advanced Parameter to Enable Attack/Audit Event

STEP 3: Create an advanced parameter that assigns the appropriate blocking response (i.e. block-connection).

Figure 4- Add Advanced Parameter to Enable Attack/Audit Protection Response



a. Click Add in the Advanced Parameter window (Figure 2) to create the second advanced parameter that will assign a blocking response to the
signature.
b. Type ipm.issue.response.<issueID> in the Name field.
c. Provide a relevant description in the Description field.
d. Activate the String radio button and type block-connection in the Value field.

STEP 4: Save and confirm changes. Note the red flags in the left-hand tree view of the user interface showing changed items.
Once you “Save Changes,” the red flags will go away.

a. Click Save Changes to restart the Intrusion Prevention module.
b. Verify the changes have been made by referring back to the Issue List tab, as shown below in Figure 6.

Figure 5- Advanced Parameters with Issue ID enabled and Protection Response configured

Intrusion Prevention – Issue List

The signature's status should be enabled and the protection response should be block-connection as shown below in Figure 6. If this is not the case, go
back and review steps 1 through 4.

Figure 6- Issue List showing Issue ID enabled and Protection Response configured
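As an added example (not ISS code and not part of this paper), the Python below models Steps 2 through 4 for a handful of events written in the same "Issue Id-" layout this paper uses: it parses the entries, emits the ipm.issue.<issueID> and ipm.issue.response.<issueID> parameter pairs, lists the asterisk-marked events that should be reviewed first, and confirms every enabled issue has a matching response before the Save step. The parameter names and the block-connection value come from this paper; the Boolean value "true", the parameter record layout and the event excerpt are assumptions constructed for the example, and the appliance itself is still configured through its UI.

```python
import re
from dataclasses import dataclass
# Constructed excerpt in the paper's own "Issue Id-" layout; "*" marks events
# the paper says have known false positive/negative cases.
EVENT_TEXT = """\
Issue Id- 3106000 AOLIM_Login
– Login detected to OSCAR Instant Messaging server
Issue Id- 2106059 AOLIM_GameRequest_Overflow *
– AOL/ICQ2000 "instant messaging" game buffer overflow
Issue Id- 3102007 Gnutella_Connect *
– Gnutella connection attempt
Issue Id- 3104013 DirectConnect_Connect
– Detects a connection between a DirectConnect client and server
"""
# Protection responses named in the paper.
KNOWN_RESPONSES = {"block-connection", "drop-connection", "drop-packet"}
EVENT_RE = re.compile(r"^Issue Id-\s*(\d+)\s+(\S+)\s*(\*)?\s*$")

@dataclass(frozen=True)
class Event:
    issue_id: str
    name: str
    description: str
    needs_review: bool  # True when the entry carries the paper's "*" marker

def parse_events(text):
    """Parse 'Issue Id- <id> <name> [*]' lines, each followed by a '– description' line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events = []
    for i, line in enumerate(lines):
        m = EVENT_RE.match(line)
        if not m:
            continue  # description lines are picked up from their header line
        desc = lines[i + 1].lstrip("–- ") if i + 1 < len(lines) else ""
        events.append(Event(m.group(1), m.group(2), desc, m.group(3) == "*"))
    return events

def advanced_parameters(events, response="block-connection"):
    """Steps 2 and 3: one Boolean parameter to enable the issue and one String
    parameter for its response. The record layout and the value "true" are assumptions."""
    if response not in KNOWN_RESPONSES:
        raise ValueError(f"unknown protection response: {response}")
    params = []
    for ev in events:
        params.append({"name": f"ipm.issue.{ev.issue_id}", "type": "Boolean",
                       "value": "true", "description": f"Enable {ev.name}"})
        params.append({"name": f"ipm.issue.response.{ev.issue_id}", "type": "String",
                       "value": response, "description": f"{ev.name} response"})
    return params

def unpaired_issue_ids(params):
    """Pre-save check for Step 4: every enable parameter should have a matching
    response parameter and vice versa. Returns the issue IDs that do not pair up."""
    enabled, responded = set(), set()
    for p in params:
        if p["name"].startswith("ipm.issue.response."):
            responded.add(p["name"].rsplit(".", 1)[1])
        elif p["name"].startswith("ipm.issue."):
            enabled.add(p["name"].rsplit(".", 1)[1])
    return sorted(enabled ^ responded)

def review_list(events):
    """Asterisk-marked events the paper says to review in your environment first."""
    return [ev.name for ev in events if ev.needs_review]
```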

APPENDIX

The Threat Matrix table below identifies the applicable risks associated with peer-to-peer and instant messaging applications.

Threat Matrix

Columns: Application | Un-encrypted | File Transfer | Known Buffer Overflows | Remote Control | Social Engineering | Known Worms | Targeted by Known Viruses | Spy-ware | Misuse of Bandwidth / Copyright Issues
AIM X X X X X X
MSN X X X X X X X X
Yahoo! X X X X X
ICQ X X X X X X X
Trillian X X X X
Kazaa X X X X X X X
gnutella X X X X
eDonkey X X X X X X
SoulSeek X X X X
DirectConnect X X X X

The Port Information matrix below shows ports associated with peer-to-peer and instant messaging applications.

Port Information

Columns: Application | Messaging/Connect | Images/Direct Connect | Video | Voice | FileXfer | App Sharing

AIM 5190 n/a 5190 Range 5190 4443 n/a
ICQ 5190 n/a 5190 Range 3574/7320 n/a n/a
MSN 1863 5004, Range 6901 6891-6900 n/a 1503
Yahoo! 5050, 80, Range 5100, Range 5000, Range 5010, Range n/a n/a
Kazaa 1214 n/a n/a 1214 n/a n/a
gnutella 6346 n/a n/a 80 n/a n/a
eDonkey 4661, 4665 n/a n/a 4662 n/a n/a
SoulSeek 2234,5534 n/a n/a 2234,5534 n/a n/a
DirectConnect 411 n/a n/a 1025-32000 n/a n/a
GLOBAL HEADQUARTERS
6303 Barfield Road
Atlanta, GA 30328
United States
Phone: (404) 236-2600
e-mail: sales@iss.net

REGIONAL HEADQUARTERS

Australia and New Zealand
Internet Security Systems Pty Ltd.
Level 6, 15 Astor Terrace
Spring Hill Queensland 4000
Australia
Phone: +61 (0)7 3838-1555
Fax: +61 (0)7 3832-4756
e-mail: aus-info@iss.net

Asia Pacific
Internet Security Systems K. K.
JR Tokyu Meguro Bldg. 3-1-1
Kami-Osaki, Shinagawa-ku
Tokyo 141-0021
Japan
Phone: +81 (3) 5740-4050
Fax: +81 (3) 5487-0711
e-mail: jp-sales@iss.net

Europe, Middle East and Africa
Ringlaan 39 bus 5
1853 Strombeek-Bever
Belgium
Phone: +32 (2) 479 67 97
Fax: +32 (2) 479 75 18
e-mail: isseur@iss.net

Latin America
6303 Barfield Road
Atlanta, GA 30328
United States
Phone: (404) 236-2709
Fax: (509) 756-5406
e-mail: isslatam@iss.net

ABOUT INTERNET SECURITY SYSTEMS (ISS)

Internet Security Systems, Inc. (ISS) is the trusted expert to global enterprises and world governments, providing products and services that protect
against Internet threats. An established world leader in security since 1994, ISS delivers proven cost efficiencies and reduces regulatory and business
risk across the enterprise for more than 11,000 customers worldwide. ISS products and services are based on the proactive security intelligence conducted
by ISS' X-Force® research and development team, the unequivocal world authority in vulnerability and threat research. Headquartered in Atlanta, Internet
Security Systems has additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. For more information, visit the Internet
Security Systems Web site at http://www.iss.net or call 800-776-2362.

Copyright © 2006 Internet Security Systems, Inc. All rights reserved worldwide.
Internet Security Systems and Proventia are trademarks, and the Internet Security Systems logo is a registered trademark, of Internet Security Systems, Inc.
All other companies and products mentioned are trademarks and property of their respective owners.
Distribution: General
PM-P2PWP-0806