Viruses wiggle into IM chats

Bates, an 18-year-old who will start his freshman year at Oklahoma University this month, knew it was uncharacteristic of Trey to flood him with winking faces--a popular "emoticon" used to color text-based IM conversations. His suspicions grew when the alias "george.w.bush@whitehouse.gov" suddenly flashed on his screen along with an invitation to accept an attached file called "choke.exe." Unlike his friend, who obviously had been bitten by a virus, Bates knew better than to accept it.

"I was like, 'What the heck? Something is wrong,'" Bates said in an IM exchange with CNET News.com on Monday.

Having long targeted e-mail with sometimes devastating effects, virus and worm creators are setting their sights on IM services. Infected files, for example, have been burrowing their way slowly through Microsoft's MSN Messenger network over the past few months.

Discovered by virus hunters in late June, the so-called Choke worm marked the second attack aimed at MSN Messenger in as many months. In May, the service was struck by the W32/Hello worm. Security experts said they are as yet unaware of any virus attacks that might have targeted AOL Time Warner's AOL Instant Messenger (AIM) and ICQ or Yahoo's Yahoo Messenger.

Virus writers in search of the biggest bang for their bugs have targeted various types of networks, including peer-to-peer file exchanges and wireless Web systems. None have proven as effective as e-mail, however, where some viruses have rapidly gained the force of an avalanche through large corporate e-mail systems. Once a virus is activated, it can shoot itself out to everybody in a victim's address book, leading to an exponential growth rate.

IM viruses discovered so far have been relatively innocuous compared with virulent e-mail-borne infections such as the Love Bug, Anna Kournikova and Melissa.

"E-mail is still the most effective way to get viruses around," said Richard Smith, chief technology officer of the Privacy Foundation.

Nevertheless, some computer security experts say it is only a matter of time before similar outbreaks plague IM services.

Already, millions of people on the Internet communicate through instant messengers, which let people exchange text messages in real time and have become some of the most popular features on the Internet.

Corporate acceptance?
Instant messaging has yet to gain an official foothold in many corporations, but that is likely to change. For example, Microsoft's upcoming Windows XP operating system will add new features to its instant messenger that may be attractive to corporations, such as document sharing and video conferencing.

"As more people migrate to XP, there is an increased risk because it becomes an attractive element for a virus writer," said Vincent Gullotto, the senior director of McAfee's Avert group.

In addition, computer security experts said they are particularly concerned because few defenses have been developed to protect IM networks from viruses.

"One of the interesting aspects of instant messaging viruses is most antivirus products don't necessarily stop them," said Elias Levy, chief technical officer of SecurityFocus.com. "There are antivirus products that attempt to detect e-mail messages, but I don't know of any that will support instant messaging protocols."

Microsoft urges defense
In response to the Choke worm and other potential viruses sent through its IM systems, Microsoft believes the user is the first line of defense.

Like other viruses propagated through e-mail, Choke is contained in an attachment. Once opened, Choke can send itself out to people on one's MSN Messenger buddy list, increasing the chances that someone else will open an infected file and repeat the cycle.

That means people can prevent its spread with a little common sense--for example, by treating attachments sent by strangers with caution.

"An MSN Messenger user needs to go through a few steps, which include warning messages, in order to receive and download the file," said Sarah Lefko, an MSN product manager. "Then, the user would have to actually double click and execute the file itself in order to propagate the virus."

Lefko said Microsoft has issued an alert on its MSN Messenger site.

MSN's service competes with the two largest IM services, AIM and ICQ, which are owned by AOL Time Warner. That company's America Online service, which runs the instant messengers, has been the target of hackers and scammers trying to steal passwords and credit card numbers.

A spokesman from the company's AOL division said security measures are used for the IM services but would not go into detail for fear of tipping off virus writers. Since e-mail and instant messaging run on separate systems, AOL must develop separate security measures.

"Both systems have security measures built into them," said Andrew Weinstein, an AOL spokesman. "But the systems are obviously designed for the needs of each product."

For now, security experts appear to be hedging their bets, warning of the danger without predicting the imminent arrival of an IM Love Bug.

"If history tells us anything, technologies used by many people can be used by other people on the fringes," said Steve Trilling, director of research at Symantec's antivirus research center. "From a security perspective, it's of immediate concern. But at this point it's difficult to say what sort of problem this will become down the road."