Instant messaging vulnerable to viruses

Companies are warned that instant messaging programs could increase susceptibility to virus attacks. Security experts advise against opening attachments sent through IM programs.

Security experts have warned companies that increased use of corporate instant messaging services could increase vulnerability to virus attacks and the interception of messages.

Yahoo! and Sun Microsystems have both announced that they will release instant messaging (IM) software for corporate use, and Microsoft has said that IM will play a large role in its .Net strategy for accessing applications online. Yahoo! said its IM service will let employees send messages behind the corporate firewall, but will also integrate with other systems and the Internet to allow real-time communication across global locations. Sun's messaging service will also work behind the firewall, the company said.

Though at present there are only a few instant messaging worms, Denis Zenkin, the head of corporate communications at antivirus specialist Kaspersky Labs, warned, "It is only a matter of time for virus writers to get interested in this application. If this technology becomes as popular as e-mail we will certainly see numerous worms, using social engineering methods and exploiting vulnerabilities in instant messaging or similar programs."

Many companies have banned the use of IM software because of concerns that infected messages can bypass server-based antivirus security, and because they fear that IM could reduce productivity. Zenkin emphasized that firms should consider the threat from the inside. "Any new information technology being integrated in the enterprise-wide network makes the whole system more vulnerable to virus and hacker attacks."

Firms should be aware that the level of protection offered against viruses and message interception for IM is not as advanced as for e-mail, said Eric Chien, chief researcher at security giant Symantec.

Chien said no antivirus products protect against IM at e-mail server gateways. Antivirus technology for IM is under development but in the meantime firms should set usage guidelines.

"With the lack of tried and true security for instant messaging, policy plays an even larger role," Chien said. "Users should be reminded that they should not utilize any unexpected attachments that come via instant messaging. Administrators should consider disabling file transfers via instant messaging altogether."

Kaspersky's Zenkin added that companies using IM software should strongly encrypt any messages to ensure that if they are intercepted, they cannot be read, and also regularly update their antivirus software.