Instant-messaging field a playground for hackers

And with it, IM is bringing a dark new legion of computer-security problems that could eventually be worse than the worms, viruses and other Internet maladies that already haunt e-mail.

Last month, the number of instant messages containing computer "malware" soared by 500 percent from the previous month, according to one Internet security company. In the first quarter of 2006, the number was up more than 160 percent from a year earlier.

Last year, security experts found 2,400 different viruses, worms and other threats that hackers attached to instant messages, an increase of nearly 1,600 percent from the previous year. The programs were designed to take over computers, steal online passwords or break into computer files.

Usually, the IM threats required recipients to click to a Web site that downloaded the malware onto their machines.

"What we're seeing is that the bad guys are in the process of retooling to add IM to their arsenals," said Andrew Lochart, spokesman for e-mail and IM security company Postini Inc. "And (while) the usage of IM continues to explode in both the consumer and business markets … there's virtually no defenses in place right now."

Currently, about 103 million people actively use instant messaging programs such as AOL's AIM, Microsoft's MSN Messenger and others.

Only a fraction of them, however, use antivirus software designed specifically for instant messaging. Relatively few even realize that instant messages can carry the same virus threats as e-mail.

IM proliferating at corporations

The specter of IM security problems is biggest at corporations, where employees are increasingly using IM for both interoffice communications and to keep in touch with buddies about yesterday's ballgame or the evening's social events.

At least 70 percent of IM users currently have the programs at their offices, and by 2008, research firm Gartner Inc. predicts that IM will be ubiquitous at corporations.

While an IM virus from a home computer might infect a few friends' machines, an IM virus in a corporate network can be devastating.

In April 2005, a quickly mutating computer worm infiltrated the Reuters Group PLC instant messaging service widely used by stock traders and others in the financial industry. Reuters had to temporarily shut down the system to flush it out and protect its customers' computers.

Reuters is a relatively small player in the IM world. AOL, Microsoft, ICQ, Yahoo and Google, which all have free, public IM services, are the biggest players.

"This is the next big thing coming," said Lisa Watts, computer network manager at the Nashville, Tenn., law firm Boult, Cummings, Conners & Berry.

Watts is so concerned about IM security issues that she said she never uses IM herself. When she recently noticed some of the 300 lawyers in her firm did, she hired Postini to start filtering the messages for malware — at a cost of $3,600 a month.

Other companies take more drastic steps.

Advanced Micro Devices Inc., the semiconductor company that does much of its manufacturing in Austin, Texas, prohibits employees from using public IM services because of potential security problems, said spokesman Drew Prairie. Like other corporations, AMD uses a proprietary, in-house IM system instead, Prairie said.

"Critical" issue

In a recent survey of executives by technology research company Nemertes Research, 62 percent of respondents characterized IM security as a "critical" problem.

Even so, many corporations cast a blind eye on IM, doing little to control employees' use or taking the time and the money to install an antivirus software designed specifically for IM programs, said Nemertes senior vice president Melanie Turek.

"This is still a relatively small problem compared to e-mail … but it's not going to take too long to really get out of hand," Turek said.

What makes IM so attractive to users is also what makes it attractive to hackers.

Instant messaging is instantaneous and seemingly more trustworthy than e-mail, letting users form on-the-spot online chat groups with designated "buddies" — spouses, co-workers, colleagues and friends.

Unlike e-mail, IM doesn't require you to send a message and then wait until the intended recipient goes online, checks his or her e-mail and sends a response. With IM, users can always see in a computer window which of their designated buddies are online. IM notes can be fired off nonstop — complete with attachments and links to Web sites that may or may not be legitimate.

In typical IM attacks, hackers send out e-mail or IM programs designed to find and steal computer users' "buddy lists."

The hackers then will send unsolicited instant messages to everybody on that person's list, masquerading as the person and luring recipients to check out a fake Web site.

If unsuspecting users click on the link, they might download malware that could turn their computers into automated spam-spewing "bots" or secretly install "spyware" that logs their keystrokes to determine passwords.

Simultaneously, the hackers' program searches the newly infected computer for its own buddy list and uses it to spread the infection.

VirusBuddy: Click on this link and infect your computer with one of 2,400 different viruses, worms and other threats.

● Some tips to avoid viruses and worms attached to instant messages:

l Be skeptical. Even if a message comes from someone on your "buddy" list, be suspicious if it seems unusual or prompts you to go to a Web site, open a photo file or download software. Check with your buddy to make sure he or she sent it.

l Beware of unfamiliar Web sites. Even if a message seems legitimate, be cautious if it prompts you to visit an unknown site. That's how most IM "worms" work.

l Use antivirus software. Antivirus software designed just for e-mails isn't good enough anymore. A host of Internet security companies now also sell software that can protect corporate and consumer IM users.

l Do the software updates. Many IM vendors regularly update their software to add security features. Use them.