IM photos could turn nasty

Security experts are warning users that hackers can use JPEG profile photos on instant messenger to attack networks.

According to security company WhiteHat UK, hackers can use an exploit in JPEGs, which enables them to embed malicious code into profile photos on instant messenger. When a recipient sees the photo on their instant messenger (IM) client, it can cause an exploit code, such as a Trojan or worm, to automatically execute.

"Potentially, the photos that are sent with instant messenger could be used with the Microsoft JPEG exploits already out there," said Jason Hart, security director for WhiteHat UK. "Essentially you can say it's the same as any JPEG using the IM protocol as a portal to come through."

IM travels on port 80, which is often regarded as a trusted channel because Internet traffic also uses it. Hart said that any company using IM that allows JPEGs was open to attck: "The majority of times, desktop computers are the last to be secured by big corporations. So a company with instant messenger enabled could be penetrated. A computer could be exploited, and that would bypass all controls within a corporation."

The JPEG exploit can work on a variety of image related files, such as .gif or .icon, said Mikko Hypponen of F-Secure. He added that it would be hard to detect viruses in JPEGs because antivirus software mainly searches for .exe files.

Hart advised companies should secure their IM environment: "The message is to disable instant messenger unless you have the added security controls."

Last week, Hart warned that hackers could also use an nmap bot over IM to carry out denial-of-service attacks on companies.

In September, two reports of a worm that downloaded from Web sites linked to AOL's Instant Messenger were reported to US security body SANS.