CERT: Instant messaging is threat toyour corporate security

Tens of thousands of people have been tricked into downloading malicious software onto their computers from Internet Relay Chat...

Tens of thousands of people have been tricked into downloading malicious software onto their computers from Internet Relay Chat (IRC) and instant messaging (IM), according to an incident report released by the CERT Co-ordination Centre.

CERT, the authoritative US-based security research and information service, said the intruders then use the victims' computers "as attack platforms for launching distributed denial-of-service attacks".

With users often installing instant messaging on their PCs without the agreement of the IT department, the CERT warning highlights the need for corporate security policies to be updated to cover the threat.

The CERT advisory said the messages often warn users that they have already been infected with a virus and instruct them to go to a Web address and download a program to clean their machine or face being banned from the IRC or IM system they are using.

"This is purely a social engineering attack since the user's decision to download and run the software is the deciding factor in whether or not the attack is successful," said the report, by CERT Internet security analyst, Allen Householder.

"Although this activity is not novel, the technique is still effective, as evidenced by the reports of tens of thousands of systems being compromised in this manner," he warned.

CERT said that once a system has been compromised, attackers may be able to:

  • Exercise remote control

  • Expose confidential data

  • Install other malicious software

  • Change or delete files

America Online, which has more than 100 million registered users of IM sending 1.3 billion messages daily, said it was aware of the CERT warning and urged all of its members to use common sense and scepticism when chatting with others on the Web.

If a message ever "appears from out of the blue" warning a user of a threat, such as those cited in the CERT example, users should be sceptical, AOL said. Most people would question the credibility of a stranger calling on the phone asking for financial information, for instance, and they should carry that wariness to their online activities.

AOL advised users to never download files from strangers. "Online, know who you are dealing with. As for hyperlinks, the same also applies... don't click on an unknown or strange link," the spokesman said.

Read more on IT risk management