FOSTER CITY, CALIF - May 22, 2006 - Research
experts at FaceTime Security Labs™ identified and reported a new
threat today affecting Yahoo! Messenger. FaceTime researchers
confirmed that a self-propagating worm, named yhoo32.explr,
installs 'Safety Browser' and hijacks the Internet Explorer
homepage, leading users to a site that puts spyware on their PCs.
Because Safety Browser uses the IE icon, users can easily mistake
it for Internet Explorer. This is the first recorded instance of
malware installing its own web browser on a PC without the user's
permission.

The self-propagating worm spreads the infection to
Yahoo! Messenger contacts on the infected PC by sending a nefarious
website link during a conversation. The link leads to a website
that loads a command file onto the user's PC and installs Safety
Browser. This spam over instant messaging (IM) is called spim. IM
applications and protocols are an increasingly popular vector for
distributing malicious files and executables.

"This is one of the oddest
and more insidious pieces of malware we have encountered in years,"
commented Tyler Wells, Senior Director of Research at FaceTime
Security Labs. "This is the first instance of a complete web
browser hijack without the user's awareness. Similar 'rogue'
browsers, such as 'Yapbrowser', have demonstrated the potential for
serious damage by directing end-users to potentially illegal or
illicit material. 'Rogue' browsers seem to be the hot new thing
among hackers."

The India research arm of FaceTime Security Labs
discovered the threat in a 'honeypot', a trap they set to detect
viruses, worms, spyware and other threats. Commentary on this
threat by FaceTime Security Labs researcher Chris Boyd can be found
on the Greynets Blog, at http://blog.spywareguide.com. FaceTime Security
Labs is the threat research division of IM and Greynet security
leader FaceTime Communications.

Threat name: yhoo32.explr
Threat type: Browserware and worm
Who is affected: Users of Yahoo! Messenger
Additional Information: The malware infects the
PC with two elements. The first element is a web browser called
"Safety Browser." This stand-alone application has no uninstaller
and disguises itself with an Internet Explorer logo in some
instances. The application also hijacks the personal homepage in
Internet Explorer and points users to Safety Browser's homepage
(demoplanet.tv). The hijack also plays looped music that cannot be
stopped when the user starts up the PC or Safety Browser. The
second element is the self-propagating worm. The worm propagates by
inserting a link into existing Messenger conversations on an
infected PC. When an infected user initiates or joins a
conversation, a link is inserted at random points in the
conversation.

FaceTime Customers Are Protected Against This Threat
FaceTime's RTGuardian and GEM customers are protected from this
exploit if they have auto-update features enabled. FaceTime's
X-Cleaner customers should download the latest update and scan
their PC. FaceTime Enterprise Edition and IMAuditor customers can
proactively block these malicious threats and prevent infections
before they happen by utilizing the auto-update features to block
downloads of the specific file types associated with the threats.
FaceTime also recommends activating the Day Zero Defense System
within IMAuditor 7.0. The system utilizes anomaly detection
techniques to analyze multiple characteristics of IM-borne worms
and other malicious code against normal behavior, and provides
patent-pending protection against many IM threats - in addition to
traditional security signatures.
About Actiance, Inc. (Formerly FaceTime Communications, Inc.)
FaceTime Communications became Actiance, Inc on January 11, 2011 following an agreement to
transfer the FaceTime trademark to Apple.
FaceTime Communications enables the safe and productive use of Unified Communications and Web 2.0,
including instant messaging, blogs and social networking. Ranked number one by IDC for five consecutive
years, FaceTime's award-winning solutions are used by more than 1,500 customers for the security,
management and compliance of real-time communications. FaceTime supports or has strategic partnerships
with all leading IM, unified communications providers and social networks including AOL, Google, Yahoo!,
Skype, Microsoft, IBM, Cisco, Facebook, LinkedIn and Twitter.
FaceTime is headquartered in Belmont, California. For more information visit
http://www.facetime.com or call 888-349-3223.