This story was printed from ZDNet Australia.
IM: a corporate security threat?
By Vivienne Fisher, ZDNet Australia
April 01, 2002
URL: http://www.zdnet.com.au/news/communications/soa/IM-a-corporate-security-threat-/0,130061791,120264289,00.htm

It's immediate, it's fun, and there are even some corporate uses. But instant messaging is also causing headaches in Australian IT departments.

The recent worm_mylife.b worm, still propagating in Australia, was found to be able to pull e-mail addresses from a user's instant messenger contact list.

"I would be warning people to be very careful running these types of programs--it's another back door into the system," Andrew Gordon, managed services architect at anti-virus software vendor Trend Micro, told ZDNet Australia.

"It's following a trend with a number of viruses of late that use e-mail propagation to get into the organisation, but then access those address books in instant messaging programs and then spam out itself," he said.

Gordon believes that instant messaging poses a very real security risk for corporations. However, he added that organisations with more stringent controls were looking at ways of dealing with the issue.

"Quite often we're seeing they're blocking this at the firewall...or, more importantly, you can actually route the traffic through the corporate proxy and if you're scanning on that proxy that's another way to manage it as well."

Robert Mead, coordination centre manager at AusCERT (Australian Computer Emergency Response Team), also thinks that if there are vulnerabilities in the software, companies may be leaving themselves open to attack.

"I think the first thing to decide is whether there's a business reason to use IRC (Internet Relay Chat) in the organisation," Mead said. "I would say in the majority of cases the answer is 'no'."

"It can be just as invasive as the phone going off all the time," he argued.

But he cautions IT managers against just blocking the major clients. Mead said that this may just encourage staff to use others which haven't been blocked, yet are even less secure.

The whole topic is also something Ross Dembecki, lead product manager at Microsoft Australia, finds interesting. He differentiates between the Internet-based instant messaging which people can sign up to, and IM found within commercially available packages.

Dembecki said the problem with Internet-based messaging is that these systems send clear text, so it is possible to intercept the message as it travels between you and the recipient.

"They [hackers] might be monitoring that protocol so they might be able to tap into those text messages," he said.

Dembecki cites the example of a person in a US company who was forced to resign from their job because of corporate information they'd mentioned in Internet-based instant messaging. He said this raises the issue of using IM in a corporate environment.

"A lot of employees who are familiar with the technology are using it to talk to each other," he said.

The alternative he suggests is for companies to deploy business-grade IM, which stays within their network, providing the ability to have secure private conversations.

"Hackers are constantly scanning different ports to try and bust into it--IM uses one of those port numbers," Dembecki said. "If it's instant messaging it's going to be clear text so they can see everything."

Dembecki doesn't believe there's enough awareness amongst corporates about the security risks. He points, in particular, to new generations of employees who are coming out of tertiary institutions having had exposure to the technology and expecting to use it in a corporate environment.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.