From its beginnings as a simple
buddy-to-buddy chatting service, instant messaging (IM) has blossomed
to become a staple mode of communication for millions of Internet
users. The most popular freeware IM systems include America Online’s
Instant Messenger, Microsoft’s MSN Messenger, ICQ, and Yahoo!
Messenger. These easily accessible, free systems have changed the
way we communicate with friends, acquaintances, and business colleagues.
Once limited to desktops, IM systems are finding their way onto
handheld devices and cell phones, allowing users to chat from virtually
anywhere. If you or your employees have installed and use any public
IM service to enjoy the quick and easy communications it offers,
you should realize that, like any form of communication via the Internet,
IM is accompanied by its own share of risks. Understanding what
those risks are, and the smart security procedures to take, will help
your small business continue to communicate safely via IM.
Not designed for security
Most of the free, public IM systems presently in use were designed
with scalability rather than security in mind. From its inception,
IM was primarily intended for a consumer audience, but over time it
has evolved into a communication tool widely used in business.
One Gartner Inc. analyst recently likened installing IM to punching
a hole in the firewall – because it essentially opens a hole
for a dangerous worm to enter the network. IM clients are continually
adding new features to increase marketability, while rarely adding
new security features. Virtually all freeware IM clients have features
that bypass traditional network firewalls, and they lack encryption
capabilities, meaning the data exchanged between users is susceptible
to eavesdropping with the simple use of a sniffer tool. And just as
with email, IM users can inadvertently download files containing
malicious code.
IM systems meet all the criteria required to make them an ideal
platform for rapidly spreading computer worms and blended threats:
IM is a widely used form of communication; it has integrated directories
(buddy lists) that can be used to locate new targets; and it can,
in many cases, be controlled by easily written scripts.
Threats to IM
Threats to IM are not limited to worms, but also include Trojan
horses that export data and create back doors into the system. Furthermore,
one of the greatest annoyances and potential threats to IM is spim.
- Spim – As the war on spam heats up, those unsolicited messages
have taken to the IM arena to spread. Spim is essentially the spam
of the IM world. Spimmers pose as IM users and send messages to
randomly generated screen names and to names illegally collected
from the Internet via automated programs. These unsolicited commercial
instant messages are expected to reach 1.2 billion in 2004, up from
400 million last year, according to a report by the Radicati Group,
a technology market-research firm.
Spim is not only annoying to deal with; because of the instant
nature of the unwanted message, there is also a danger that spim messages
could be used as the conduit for security breaches. The same social
engineering tactics used in spam and virus-infected email messages
can be used with spim. Use of enticing and promotional content that
plays on the user’s emotions will prompt the user to click
on a link that could provide a doorway for viruses to enter a corporate
network. This tactic was used in the recent case of “Adware.BuddyLinks”
– spim that used a harmless Trojan program. In this case,
an adware site, BuddyLinks, sent IM messages that masqueraded as
a news Web site with a story on Osama bin Laden’s capture
in an attempt to fool users of AOL’s IM service into downloading
software and receiving advertising. Even though BuddyLinks was a
Trojan horse advertising program, luckily it was not of the malicious
sort. The BuddyLinks spim had properties similar to those of an Internet
worm, and Symantec classified it as adware, which doesn’t
delete anything and can be easily uninstalled.
- Trojan horses - There are a handful of Trojan horse programs
that target IM. BuddyLinks is one example: it sends instant messages
with instructions to click on a link and download something that
could potentially leave a pathway straight into your computer. Some
Trojans modify configuration settings so file sharing is enabled
for the entire hard drive. These types of Trojan horses pose a large
threat, as they allow anyone full file access to the computer. There
are also classic backdoor Trojan horses that utilize IM to send
messages to the author of the Trojan horse, giving the hacker information
about the infected computer. This information includes things such
as the IP address of the infected computer and the number of the
port that has been opened.
- Worms – Just as email messages are used to spread worms,
so too are instant messages. Awareness of this can go a long way;
being informed enough not to accept, click on, or launch suspicious
instant messages can sometimes be enough to save your system from
falling victim to a worm. Virtually all IM systems allow for file
transfers that bypass virus checking software. This exposes networks
to serious threats, such as the Blaster worm, which took down more
than one million computers in its first 24 hours in the wild.
What the IM services are doing on their end
All of the major IM services have added some antispim capabilities
to their code that limit the number of unwanted messages their
users receive. AOL, Yahoo and Microsoft's MSN have closed off their
buddy lists and databases to third-party consolidators. Yahoo Messenger
requires senders to have a Yahoo ID; obtaining one includes a registration
process and an image verification test that automated systems can't
pass. Version 6.1 of MSN Messenger includes a reverse list that
lets users see who has added them to their contact list and block
incoming messages if they choose. For all the antispim measures,
public IM software still lacks other basic security features. AOL,
Microsoft, and Yahoo all offer encryption on their corporate-class
IM software, but the vast majority of small businesses use the free
public versions that are not accompanied by any security.
What you can do
- Safe practices - First, it is important to understand the risks
and best practices associated with IM. If you have employees, make
sure they understand as well. When using IM, it is best to err on
the side of caution. Here are some safe computing tips:
- Do not accept messages from sources you do not recognize.
- Even if you know who is sending you a file or a link, you should
use caution in opening it. Some worms or Trojans can send harmful
links that appear to be from a buddy you know.
- If you can’t see the URL the hyperlink points to, move your
mouse pointer over the link and it will show you the actual URL.
This can give you a good idea of whether the link is safe to click.
If you are not sure, ask the sender if they meant to send it to
you.
- Do not accept file transfers. There are so many other ways to
share files; it’s just not worth the risk.
- Install all operating system patches and security updates as they
are made available.
- Security software – Even though the IM clients aren’t
accompanied by security measures, you should take the following
steps on your end to secure IM communications:
- Employ virus protection like Norton
AntiVirus 2004 that can detect and block viruses in IM
attachments. Make sure to keep the antivirus software up to
date.
- Install desktop firewalls. Norton
Personal Firewall 2004 prevents data from being sent out
without your knowledge.
- Use one of the free encryption tools that are available for IM
traffic.
What’s on the horizon
IM is becoming more ubiquitous and more feature rich, and the IM
clients are becoming interoperable, which provides an ideal environment
in which malicious code can thrive and spread. That means we will
likely see more attacks via IM than we have in the past.
And just like spammers, spimmers are already looking for ways to
evade filtering and get their messages through.
With all of the security concerns, instant messaging still has
a valid place in today’s business environment. The safest
IM communication is among educated users who adhere to the best
practices and security software recommendations above. You can’t
control what the other users are doing, but you can do your part
to make sure you and your employees IM safely.