Instant messaging clients may be the next breeding ground for worms, computer researchers say.

Just a few users connected to popular instant messaging networks can cause the spread of worms, but curtailing the activity of IM user with high numbers of correspondents may hinder the spread of viruses, the researchers say.

Traditional antivirus technology is too slow to be effective against worms spread by highly connected users - some with hundreds of IM correspondents – because the worms can move with great speed in the IM system.

Halting communications from such users may be one strategy for slowing or stopping the spread of IM worms, according to Matthew Williamson, who conducted the research while working for HP.

IM networks are an example of a phenomenon known as "scale-free networks," a term used by epidemiologists to describe systems, including communities of animals or people, in which not all members are connected to each other, but that are highly susceptible to virus infections.

In computers systems, the behaviour of such networks is dominated by "highly connected" nodes, which have connections to large parts of the network population, he says. In IM networks, these highly connected nodes translate into users with many correspondents, just like highly sociable people in the real world.

"IM networks are just virtual manifestations of underlying physical relationships," Williamson says.

Worms infecting the computers of such users spread to their correspondents, and from those correspondents to other IM users, according to Williamson's study of 700 users at HP.

The result of highly connected users means that traditional methods of virus protection, such as using antivirus software to "immunise" IM users, become ineffective because most IM users have only a few contacts and don't contribute greatly to the spread of viruses, Williamson says.

A better approach would be to immunise only highly connected users, but that can be difficult because of the speed with which IM worms spread across an entire network – between 10 to 20 seconds in HP's tests, Williamson says.

Alternatively, network administrators can try to spot "worm-like" behaviour on IM networks as it occurs and restrict the rate at which machines can communicate with other machines. The technique, which HP calls "virus throttling”, is almost identical to a method the company has promoted and is trying to patent for stopping email virus and worm outbreaks on corporate networks, Williamson says.

The virus throttling technology works by limiting the number of IM messages infected IM users can send outside their "working set", the small number of regular correspondents each IM user has.

The technology is effective because even highly connected IM users with 100 or more IM "buddies", still have a small working set of buddies they talk to each day – typically around five, with two messages sent outside the working set each day, Williamson says.

With virus throttling, any messages sent to users outside of the IM user's working set will be placed in a queue and delayed slightly before they are delivered. If the delay queue reaches a certain length, indicating a high volume of message traffic to atypical correspondents, IM communications can be blocked or delayed for much longer periods of time, Williamson says.

Using throttling to take out the few, highly connected IM users can dramatically slow the spread of worms over IM networks. At the same time, it doesn't affect the vast majority of IM users, he says.

Williamson, who left HP after conducting the study of virus throttling on IM worms, is quick to say that the technology is untested on large IM networks such as the massive consumer IM networks of AOL and Microsoft's MSN service. The technology, which was tested on HP corporate IM users, is also untested on one important IM population: teenagers.

"It may be that the habits of teenagers are quite different. Maybe they tend to sustain more simultaneous conversations," Williams says.

Still, the same principles that govern IM use on corporate networks like HP's should apply to teenagers as well, allowing network administrators to detect worm-based versus legitimate IM activity, regardless of the profile of users on that network, he says.