Security companies have been warning about the threat that instant messaging can pose for years, but then they would, wouldn't they? Their business is selling products to mitigate these risks. This is the same bunch of guys that have been flogging virus protection for mobile phones and PDAs, despite little evidence that malware for those platforms poses more than a theoretical risk.
But in the case of instant messaging, the security companies are right. IM does pose a clear and present security danger, both to private and corporate users. Malware propagated over instant messaging networks is appearing increasingly frequently, and it's getting nastier and nastier. Spyware, browser hijacks, click fraud, even a nice little rootkit hidden on your hard disk: there's seemingly no end to the fine messes that instant messaging can get you into.
"Malware writers have realized that it's now much easier to infect people using IM than it is using email or other popular methods," says Chris Boyd, senior director of malware research at security company FaceTime. Boyd is also well known under the online moniker "paperghost," for tracking down and closing the operations of hackers and botnet operators all over the world.
How Do IM Worms Propagate?
Most IM worms propagate through instant messaging networks by sending messages with malicious links to the names found on infected machines' buddy lists. Smart ones can switch instant messaging networks and even switch the language of the message accompanying the links. Clicking on the links usually leads, ultimately, to the download of malicious code that carries out a range of activities. Examples uncovered by Boyd include a fake Google toolbar which captures credit card details, the W32/Sdbot-ADD AIM worm which installs a rootkit on infected machines, and the yhoo32.explr worm which installs a browser on infected machines and even adds links to genuine instant messages before they are sent. Most also result in the infected machine being recruited to an IRC-controlled botnet.
"The trouble is that anyone can get the code to build a botnet," says Boyd. "Kids of 12 or 13 can easily build a mid-sized one using the instant messaging networks to make themselves a little money," he says. "Instant messaging cuts across all boundaries including homes, workplaces, schools, hospitals and so on. If there are no IM security measures in place then users are vulnerable."
In theory it should be fairly easy to stop corporate users from getting into trouble. That's because the malicious links tend to take people to a web site where they are induced to download an .exe file, and many organizations block the download of .exes to their networks. However, given that many hacker sites already use a fair degree of social engineering to persuade victims to download files in the first place, it doesn't take a huge stretch of the imagination to believe that they could also persuade victims to download a file with a different extension and then rename it to .exe in order to run it. A filter that keys only on the file name is, in other words, only as strong as the user's refusal to follow one more instruction.
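The rename trick above works because an extension filter never looks inside the file. The check below is an added example, not the article's or any vendor's code, that identifies a Windows executable by its header (the "MZ" DOS stub and the "PE\0\0" signature at the offset stored in e_lfanew) regardless of what the file is called, and shows an extension-only rule and a content rule side by side. The sample bytes are constructed: the fake PE carries only the header fields the check reads, and the list of blocked extensions is an assumption.

```python
import struct

# Extensions a name-based download filter might block (assumed policy).
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def is_pe_executable(data: bytes) -> bool:
    """Return True if data starts with a Windows PE image, whatever its name.

    Layout checked: bytes 0-1 are "MZ"; the 32-bit little-endian value at
    offset 0x3C (e_lfanew) points at the "PE\\0\\0" signature.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):  # pointer must land inside the file
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_download(filename: str, data: bytes) -> dict:
    """Compare a name-only rule with a content-aware rule for one download."""
    return {
        "extension_rule": filename.lower().endswith(BLOCKED_EXTENSIONS),
        "content_rule": is_pe_executable(data),
    }


def build_fake_pe() -> bytes:
    """Constructed sample: not a runnable program, just the header structure."""
    buf = bytearray(0x84)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew -> 0x80
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed JPEG-like header for the benign case.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64

if __name__ == "__main__":
    fake = build_fake_pe()
    for name, blob in [("setup.exe", fake), ("holiday_photo.jpg", fake), ("holiday_photo.jpg", JPEG_SAMPLE)]:
        print(name, classify_download(name, blob))
```

The renamed executable ("holiday_photo.jpg" with PE contents) slips past the extension rule and is caught by the content rule. The header check is one layer only: it says nothing about payloads inside archives, scripts, or installers that fetch the real binary later, so it complements rather than replaces the gateway controls and the user-side habit the article goes on to recommend.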
A simpler way to infect victims might be to exploit known operating system vulnerabilities directly, but Boyd says hackers rarely do this as the code would have to be specific to the intended victim's OS patch level and perhaps also his or her browser version. "It's really much easier and more efficient just to get someone to download a file and run it," he says.
Where Does It Come From?
An interesting question is how the malware is introduced onto instant messaging networks in the first place. Much of it follows the same pattern, according to Boyd: frequently using the same base code (but customized for individual hackers' own botnets), the malicious files are generally seeded in chatrooms, forums and on social networks like Facebook.
Huge botnets like Storm may be made up of half a million or so zombies, but for a small-time hacker who wants to stay under the radar, a botnet of 5,000 or 6,000 machines can be very handy. What could you do with such a small botnet? "You could build one up using IM very quickly, and use it to attack other hackers," says Boyd. "You could also make a little money doing click fraud or drive-by spyware installations," he says.
By choosing the right chatrooms, a hacker can actually be fairly specific about where the zombie machines that fall under their control are located, and the size that the botnet is likely to grow to. "I've seen stuff released in a Singapore chatroom, which only really ends up infecting people there," says Boyd. With a population of about 4.5 million, the city state provides enough potential victims, and by writing the IM message in a language other than English and Spanish, it's less likely to jump across the globe. By contrast, an Anglophone's buddy list, for example, could quite easily include contacts in the U.S., Canada, Britain, Australia, New Zealand and South Africa.
Sensible corporations use IM security software from companies like Boyd's FaceTime to protect their networks, but the simplest solution would be never to click on links in instant messages. Corporations could remove that ability from their IM systems, Boyd says, but that would defeat much of the purpose of IM. "If you removed the ability to send people links, it would take away one of the best features of IM," he says. "The emphasis has to be on the receiver asking the sender if they really sent the link."
Ultimately the risks posed by IM are likely to diminish, just as the risks from email have, as hackers move on to newer methods of malware propagation such as social networks like Facebook and MySpace. But Boyd says that this is not a reason to be complacent. "I think that in all likelihood IM is going to be a security problem for most companies for some time to come," he warns.