FOSTER CITY, CALIF - November 17, 2005 -
Experts at FaceTime Security Labs™, the threat research division
of FaceTime Communications, identified and reported a new threat
today related to the AOL Instant Messenger (AIM) "RootKit" worm
they first identified on October 28, 2005. New research completed
on the AOL rootkit worm confirms it acts as a back door for
additional malware to be downloaded. The additional malware is
capable of stealing usernames, passwords, and other personal
information, and can be managed and controlled by a hacker through
IRC communication sessions. FaceTime security researchers confirmed
that computers infected with the lockx.exe rootkit file are being
further compromised by a group in the Middle East. The attackers
have compromised multiple servers hosted by ISPs worldwide to
distribute the malware payload. The additional malware includes a
"ster.exe" file that contains six additional files to provide the
attacker with the capability to upload, download, and monitor the
infected host PC. It has also been found that the malware has the
potential to steal Microsoft Outlook Express email passwords and
log keystrokes. The infected computers can also be used as a
platform for launching attacks on Web sites or networks.
Who is affected: All users who have been infected
by the "lockx.exe" rootkit or its variants are most at risk. Users
of other messaging applications may also be affected by the
ster.exe payload as it can be distributed by the lockx.exe infected
PCs. All PC users can initiate a free online scan which can detect
and disable the lockx.exe file by visiting: www.facetime.com.
Additional Information:
- The lockx.exe rootkit and its variants connect to an IRC server, where it is capable of receiving instructions through private, automated messages from an IRC operator. These messages can open a browser session or install an unwanted application.
- Over 17,000 users were found to be compromised on a single server, and multiple servers exist worldwide.
- Users may receive instant message text consisting of:
  - "evilday.us/pic####.com", or
  - "how do I look[ipaddress]/~q8army/pic0023.com", which links them to one of multiple worldwide servers that deliver additional malware.
- Additional malware includes self-extracting zip files containing a "Ster.exe" file, which utilizes the compromised machine to deliver multiple payloads that:
  - can steal your browser auto-complete data, which may leak confidential personal information;
  - gain access to Microsoft Outlook Express;
  - open browsers to launch a denial of service attack; and/or
  - download additional malicious applications.
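The lure strings above share a shape worth flagging at an IM gateway or in IM logs: a bare host followed by a path whose last component ends in ".com", which reads like a second domain but is actually a DOS executable extension. The following is an added detection example, not code from FaceTime or from the original release; the sample messages are constructed, and the only indicators it hard-codes are the two lure shapes quoted in the release (evilday.us/pic####.com and [ipaddress]/~q8army/pic####.com). It also generalizes to any IM link whose target has an executable extension.

```python
import re
from dataclasses import dataclass

# Extensions that Windows will execute directly when the file is opened.
# ".com" is the one abused by the lures in the release.
EXECUTABLE_EXTENSIONS = (".com", ".exe", ".scr", ".pif", ".bat")

# Loose "host/path" matcher, with or without a scheme. The host is either a
# dotted-quad IP address or a dotted domain name.
URL_RE = re.compile(
    r"(?:https?://)?"
    r"(?P<host>(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+))"
    r"(?P<path>/[^\s\"'<>]*)",
    re.IGNORECASE,
)

# Lure shapes quoted in the release; "####" is taken to be four digits.
KNOWN_LURE_RE = re.compile(
    r"(?:evilday\.us/pic\d{4}\.com|/~q8army/pic\d{4}\.com)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    message: str
    url: str
    reason: str


def inspect_message(message):
    """Return a Finding for each suspicious link in one IM message."""
    findings = []
    for m in URL_RE.finditer(message):
        url = m.group(0)
        # Last path component, e.g. "pic0023.com" from "/~q8army/pic0023.com".
        last = m.group("path").rsplit("/", 1)[-1].lower()
        if KNOWN_LURE_RE.search(url):
            findings.append(Finding(message, url, "known lure pattern"))
        elif any(last.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            ext = last.rsplit(".", 1)[-1]
            findings.append(Finding(message, url, "link to executable (." + ext + ")"))
    return findings


def scan_messages(messages):
    """Run inspect_message over a batch and flatten the results."""
    return [f for msg in messages for f in inspect_message(msg)]


# Constructed sample IM traffic (not real captures); 192.0.2.x and
# 198.51.100.x are documentation address ranges.
SAMPLE_MESSAGES = [
    "hey check this out evilday.us/pic0412.com",
    "how do I look 192.0.2.10/~q8army/pic0023.com",
    "grab the installer at 198.51.100.7/tools/setup.exe",
    "lunch at noon?",
    "see my pics at example.org/gallery.html",
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"[{f.reason}] {f.url}  <- {f.message!r}")
```

The first two samples hit the release's exact lure patterns; the third is caught by the generic executable-extension rule, and the two benign messages produce nothing. A gateway policy built on this would block or quarantine the flagged links rather than relying on a signature for the file itself.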
"We have delivered detailed research information to the U.S.
federal authorities and are fully cooperating with their efforts,"
said Kailash Ambwani, president and CEO of FaceTime Communications.
"This army of 'bots could be used for any number of malicious
purposes including a denial of service (DoS) attack against
targeted Web sites."
FaceTime Customers Can Prevent This Threat
FaceTime Enterprise Edition and IMAuditor customers can
proactively block these malicious threats and prevent infections
before they happen by blocking downloads of the specific executable
files associated with the threat. FaceTime also recommends
activating the Day Zero Defense System within IMAuditor 6.5. The
system utilizes anomaly detection techniques to analyze multiple
characteristics of IM-borne worms and other malicious code against
normal behavior, and provides patent-pending protection against
these threats without the need for traditional security signatures.
FaceTime RTGuardian customers are automatically protected if they
have auto update features enabled. FaceTime's X-Cleaner customers
(formerly XBlock) should download the latest update and scan their
PC to detect and remove lockx.exe files.
About Actiance, Inc. (Formerly FaceTime Communications, Inc.)
FaceTime Communications became Actiance, Inc. on January 11, 2011 following an agreement to
transfer the FaceTime trademark to Apple.
FaceTime Communications enables the safe and productive use of Unified Communications and Web 2.0,
including instant messaging, blogs and social networking. Ranked number one by IDC for five consecutive
years, FaceTime's award-winning solutions are used by more than 1,500 customers for the security,
management and compliance of real-time communications. FaceTime supports or has strategic partnerships
with all leading IM, unified communications providers and social networks including AOL, Google, Yahoo!,
Skype, Microsoft, IBM, Cisco, Facebook, LinkedIn and Twitter.
FaceTime is headquartered in Belmont, California. For more information visit
http://www.facetime.com or call 888-349-3223.
PR Contact Information: