Internaut: Instant messengers bring new security risks
- By Shawn McCarthy
- Jun 11, 2003
Instant messaging programs that spread Trojan horse programs, viruses and spam are raising a powerful new threat to system security. It's different from hacking or site cracking, and fighting it takes different tactics.
Skilled crackers know how to cover their tracks by going through several gateway servers. Their goal usually isn't pestering other users; it's breaking and entering, and stealing or damaging files. But peer-to-peer harassment tends to be done by less-skilled, often juvenile individuals who aren't as good at covering their tracks.
To complicate matters, some of the troublemakers have started using IM to install remote administration tools (known picturesquely as RATs) and keystroke-capture programs on their victims' computers.
To read about one RAT, go to www.gcn.com and enter GCN.com/122.
Because IM is fast becoming a workplace communication tool, administrators need ways to quickly chase down the bad guys. Here are some tips.
Start with an IP scanning tool and look for suspect connections. Angry IP Scanner is good for finding already established backdoor connections. Download it from www.angryziber.com.
If you suspect harassment might originate within your own network, try scanning Port 139. IP scanners by default only discover live hosts, but most can also be told to probe this NetBIOS session port specifically. If it's open, some scanners will let you right-click on the shown IP address and view the NetBIOS information.
In some instances you can even see the name of the user who's currently logged in, depending on the networked host's configuration.
After that, your next step should be to try the Microsoft Windows netstat.exe utility to view all your active network connections. Some IM products connect directly to the other party's machine when you chat; ICQ freeware, for example, tries a direct connection first by default, so netstat will show you which of those connections are open.
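The connection inventory described above, as an added PowerShell example that is not part of the original column. It does what netstat -ano does (list established TCP connections with the owning process ID) but joins each row to its process name so a chat client talking directly to a peer stands out. Get-NetTCPConnection is assumed to be available (Windows 8 / Server 2012 or later); the ICQ executable name used in the filter is an assumption, not something the column states.

```powershell
# Added example (not from the column): inventory established TCP connections
# and the process that owns each one, the PowerShell equivalent of "netstat -ano".
# Get-NetTCPConnection requires Windows 8 / Server 2012 or later; on older
# systems run netstat -ano and match the PID column against Task Manager.
function Get-EstablishedConnectionReport {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Process       = if ($proc) { $proc.ProcessName } else { 'unknown' }
                PID           = $_.OwningProcess
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
            }
        }
}

# A direct peer connection from an IM client shows up as the chat program
# (rather than a browser or mail client) talking to an address that is not
# the vendor's own server. Sorting by process puts those rows together.
Get-EstablishedConnectionReport |
    Sort-Object Process, RemoteAddress |
    Format-Table -AutoSize

# Narrow to one client, e.g. the ICQ client the column mentions. The
# executable name prefix is an assumption; adjust it to the client in use.
Get-EstablishedConnectionReport |
    Where-Object { $_.Process -like 'icq*' }
```

Loopback rows are dropped because they are the machine talking to itself and only clutter the listing; everything else is kept so that a connection from an unexpected process can be spotted, not just the IM client's.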
If you believe the problem originates from a specific host, scan the other network and look for specifics such as certain open ports, NetBIOS information and so on. This might isolate the person who is causing the trouble.
A list of IP address blocks by number, and who owns them, is useful to have as you track things down. See the list at www.iana.org/assignments/ipv4-address-space.
Finally, pop-up messages disguised as admin alerts are beginning to display spam on Windows 2000, NT and XP systems. They come via Windows Messenger, a service that lets administrators quickly contact or alert networked users. (That's not to be confused with the MSN Messenger IM/chat client.)
Windows Messenger is enabled by default on most PCs, and spammers have learned how to exploit it. To turn the function off, you don't need any special software. Just take these steps:
- From the Control Panel, select Administrative Tools, then Services.
- Double-click on Messenger. In the Properties window, select Stop and then Disable as the startup type.
- Click OK, and the Messenger-delivered spam should stop.
Shawn P. McCarthy is president of an information services development company. You can e-mail him at
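The same three steps as a script, added here as an example that is not from the column. It stops and disables the Windows Messenger service (the service the column describes, not the MSN Messenger chat client) and then reads the service back so the result is visible. The service name "Messenger" is the one shown in the Services console on Windows 2000/XP; the script assumes PowerShell is installed on the machine, and since the service does not exist on Vista and later it checks for it first rather than failing.

```powershell
# Added example (not from the column): stop and disable the Windows Messenger
# service that delivers "admin alert" pop-up spam. Run from an elevated prompt.
# Service name "Messenger" matches the Services console entry on 2000/XP;
# later Windows versions no longer ship the service, so check before acting.
$name = 'Messenger'
$svc = Get-Service -Name $name -ErrorAction SilentlyContinue

if ($null -eq $svc) {
    Write-Output "Service '$name' is not present on this system; nothing to do."
}
else {
    # Step 2 of the column: Stop, then set startup type to Disabled.
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $name -Force
    }
    Set-Service -Name $name -StartupType Disabled

    # Step 3: confirm the change instead of assuming it took effect.
    Get-Service -Name $name | Select-Object Name, Status, StartType
}
```

Setting the startup type to Disabled, not just stopping the service, is what matters: a stopped service with Automatic startup comes back at the next reboot, and the pop-ups with it.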