Internaut: Instant messengers bring new security risks

Shawn P. McCarthy

Instant messaging programs that spread Trojan horse programs, viruses and spam are raising a powerful new threat to system security. It's different from hacking or site cracking, and fighting it takes different tactics.

Skilled crackers know how to cover their tracks by going through several gateway servers. Their goal usually isn't pestering other users; it's breaking and entering, and stealing or damaging files. But peer-to-peer harassment tends to be done by less-skilled, often juvenile individuals who aren't as good at covering their tracks.

To complicate matters, some of the troublemakers have started using IM to install remote administration tools, known picturesquely as RATs, and keystroke-capture programs on their victims' computers.

To read about one RAT, go to and enter

Because IM is fast becoming a workplace communication tool, administrators need ways to quickly chase down the bad guys. Here are some tips.

Start with an IP scanning tool and look for suspect connections. Angry IP Scanner is good for finding already established backdoor connections. Download it from

If you suspect harassment might originate within your own network, try scanning Port 139. Even though IP scanners look only for host machines, you can specifically scan for this NetBIOS session port. If it's open, some scanners will let you right-click on the shown IP address and view the NetBIOS information.

In some instances you can even see the name of the user who's currently logged in, depending on the networked host's configuration.

After that, your next step should be to try the Microsoft Windows netstat.exe utility to view all your active network connections. Some IM products communicate with others directly when you chat. For example, ICQ freeware by default tries to make direct connections first, so this shows you which ones are open.
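As an added example that is not part of the original column, the Python script below reads `netstat -an` output and lists established connections to hosts outside your own network, along with whether the NetBIOS session port 139 is listening. The sample output, the `192.168.1.0/24` internal range and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample of `netstat -an` output; every address here is an example value.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1042      192.168.1.5:445        ESTABLISHED
  TCP    192.168.1.20:1057      203.0.113.45:5190      ESTABLISHED
  TCP    192.168.1.20:1063      198.51.100.7:4000      TIME_WAIT
  TCP    192.168.1.20:1071      198.51.100.23:2048     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

def split_endpoint(endpoint):
    """Split 'address:port' on the last colon and drop IPv6 brackets."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def parse_netstat(text):
    """Return (proto, local, foreign, state) tuples for each TCP/UDP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP"):
            state = parts[3] if len(parts) > 3 else ""  # UDP rows have no state
            rows.append((parts[0], split_endpoint(parts[1]),
                         split_endpoint(parts[2]), state))
    return rows

def review(text, internal_net="192.168.1.0/24"):
    """Return (external established peers, True if TCP port 139 is listening)."""
    net = ipaddress.ip_network(internal_net)  # assumed internal address range
    external, netbios_listening = [], False
    for proto, (_, lport), (rhost, rport), state in parse_netstat(text):
        if proto == "TCP" and state == "LISTENING" and lport == "139":
            netbios_listening = True
        if state == "ESTABLISHED" and ipaddress.ip_address(rhost) not in net:
            external.append(f"{rhost}:{rport}")
    return external, netbios_listening

if __name__ == "__main__":
    peers, netbios = review(SAMPLE)
    print("External established peers:", peers)
    print("NetBIOS session port 139 listening:", netbios)
```

To run it against a live machine, save the output of `netstat -an` to a file and pass its contents to `review()` with your own internal range.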

If you believe the problem originates from a specific host, scan the other network and look for specifics such as certain open ports, NetBIOS information and so on. This might isolate the person who is causing the trouble.

A list of common IP address blocks by number, and who owns them, is useful to have as you track things down. See the list at

Finally, pop-up messages disguised as admin alerts are beginning to display spam on Windows 2000, NT and XP systems. They come via Windows Messenger, a service that lets administrators quickly contact or alert networked users. (That's not to be confused with the MSN Messenger IM/chat client.)

Windows Messenger is enabled by default on most PCs, and spammers have learned how to exploit it. To turn the function off, you don't need any special software. Just take these steps:
  • From the Control Panel, select Administrative Tools, then Services.

  • Double-click on Messenger. In the Properties window, select Stop and then Disable as the startup type.

  • Click OK, and the Messenger-delivered spam should stop.

Shawn P. McCarthy is president of an information services development company. You can e-mail him at

About the Author

Shawn McCarthy, a former writer for GCN, is senior analyst and program manager for government IT opportunities at IDC.

