FOSTER CITY, CALIF. - September 18, 2006 -

Research experts at FaceTime Security Labs™, the threat research
division of IM and greynet security leader FaceTime Communications,
today identified and reported a new worm known as W32.pipeline that
is propagating over AOL Instant Messenger. The worm delivers an
executable file disguised as a JPEG, which in turn calls out to
various host computers that download a variety of infection files
including rootkits and Trojans that may further propagate the worm
through the user's AIM Buddy List.

FaceTime researchers believe that the ultimate goal of W32.pipeline
is to create a sophisticated botnet that can be used for a range of
malicious purposes. Once the user's PC is infected, it becomes part
of a botnet and is under complete control of the hacker to use for a
variety of purposes that could include relaying SPAM, performing
distributed denial-of-service (DDoS) attacks on other computers or
committing financial fraud against online advertisers - commonly
called click-fraud. In addition, the potential is high for loss of
sensitive personal data stored on the user's PC.

Like many IM worms, W32.pipeline first appears as an instant message
from a familiar contact, luring users into clicking on a link with a
contextual phrase. The IM message "hey would it okay if i upload
this picture of you to my blog?" downloads a command file called
image18.com, which is disguised as a JPEG. Running the file results
in csts.exe being created in the user's system32 folder, part of
the Windows operating system. The infection has the potential to
call, via an Internet Relay Chat (IRC) channel, numerous other
files that are constantly being updated. Depending on the files
downloaded, the infection may create an unwanted service named
RPCDB, open up SMTP port 25 (used for email) and attempt to connect
to a file upload site. In addition, some files attempt to exploit
ADS (alternate data streams). Users may also potentially end up
with a rootkit installed on their PC as a result of this chain of
infections.

Once the user's PC is infected and under control of the botnet, it
can be used to propagate the worm to other users using the same
highly refined contextual message, for example "hey is it alright if
i put this picture of you on my egallery album?", which will download
another command file, again disguised as a JPEG, on additional
computers.

FaceTime researchers have noted that this botnet demonstrates much
more sophisticated characteristics than any they have seen before,
including the ability to authorize only specific IRC clients to log
in and manipulate the botnet.

"The emphasis for this latest worm is not so much on the files that
are delivered to the users' computers, but rather on the way these
files are deposited onto the system," said Chris Boyd, director of
malware research for FaceTime Security Labs. "Previous IM attacks
have tended to focus on the damage done by the files, with little
thought on the method of delivery, save for the quickest way to get
those files onto a PC. Here, the motivation for the bad guys seems
to be in lining up as many 'install chains' as possible to insure a
consistent pipeline that can be controlled by their rogue botnet."
Boyd and the FaceTime research team offer detailed descriptions of
various scenarios resulting from the W32.pipeline worm at http://blog.spywareguide.com.

Who is affected: Users of AOL instant messaging service
Threat Type: Worm / blended
Risk Level: High

How to protect against this threat
The initial file has the potential to infect AOL's 80 million
users, and users can protect themselves by not clicking on links
sent to them by other users, even if the sender appears on their
contact list. Currently, most commonly used anti-virus programs do
not provide protection from the W32.pipeline worm. Companies that
use FaceTime Enterprise Edition and IMAuditor and have auto-update
features activated are automatically protected against this threat.
FaceTime also recommends activating the Day Zero Defense System
within IMAuditor. The system utilizes anomaly detection techniques
to analyze multiple characteristics of IM-borne worms and other
malicious code against normal behavior, and provides patent-pending
protection against many IM threats - in addition to traditional
security signatures. FaceTime RTGuardian customers are
automatically protected if they have auto-update features enabled.
FaceTime's X-Cleaner customers (formerly XBlock) should download
the latest update and scan their PC for the worm.
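Two defender-side checks for the delivery pattern described above (a social-engineering IM lure that links to an executable passed off as a picture), written as an added example that is not FaceTime's code or part of any FaceTime product. The log line format, the example.invalid host and all sample bytes are constructed for illustration; the lure text is the one quoted in the release.

```python
import re
from urllib.parse import urlparse

JPEG_MAGIC = b"\xff\xd8\xff"   # every JPEG/JFIF file starts with these bytes
PE_MAGIC = b"MZ"               # DOS/PE executable header
EXEC_EXTS = (".com", ".exe", ".scr", ".pif", ".bat")
IMAGE_HINTS = ("image", "img", "pic", "photo")
PERMISSION_RE = re.compile(r"\b(okay|ok|alright|cool|mind) if\b", re.I)
IMAGE_WORD_RE = re.compile(r"\b(picture|pic|photo|image|album|gallery)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
LOG_RE = re.compile(r'from=(\S+) to=(\S+) msg="(.*)"$')   # constructed log format

def classify_download(filename, data):
    """Classify a fetched file by its name and its real leading bytes, so a
    'picture' that is really a .com/.exe or carries a PE header stands out."""
    name = filename.lower()
    image_name = name.endswith((".jpg", ".jpeg")) or any(h in name for h in IMAGE_HINTS)
    executable = name.endswith(EXEC_EXTS) or data.startswith(PE_MAGIC)
    if executable and image_name:
        return "executable-disguised-as-image"
    if executable:
        return "executable"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"

def flag_lure_messages(log_lines):
    """Return (sender, url) pairs for IM log lines that combine a permission
    question, a picture-related word and a link whose file name is executable."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        sender, _recipient, msg = m.groups()
        for url in URL_RE.findall(msg):
            # only the last path segment counts, so a bare ".com" host is not a hit
            last_segment = urlparse(url.rstrip("?.!,")).path.rsplit("/", 1)[-1].lower()
            if (last_segment.endswith(EXEC_EXTS)
                    and PERMISSION_RE.search(msg) and IMAGE_WORD_RE.search(msg)):
                hits.append((sender, url))
    return hits

# Constructed sample IM log (not real traffic); the first lure is the one quoted above.
SAMPLE_LOG = [
    'from=buddy42 to=me msg="hey would it okay if i upload this picture of you to my blog? http://example.invalid/image18.com"',
    'from=buddy42 to=me msg="lunch at 12?"',
    'from=alice to=me msg="check this photo http://example.invalid/holiday.jpg"',
    'from=bob to=me msg="is it ok if i link your site http://example.com"',
]
```

Running `flag_lure_messages(SAMPLE_LOG)` flags only the buddy42 line, and `classify_download("image18.com", b"MZ...")` reports the file as an executable disguised as an image even before any signature exists for it.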
About Actiance, Inc. (Formerly FaceTime Communications, Inc.)
FaceTime Communications became Actiance, Inc. on January 11, 2011 following an agreement to
transfer the FaceTime trademark to Apple.
FaceTime Communications enables the safe and productive use of Unified Communications and Web 2.0,
including instant messaging, blogs and social networking. Ranked number one by IDC for five consecutive
years, FaceTime's award-winning solutions are used by more than 1,500 customers for the security,
management and compliance of real-time communications. FaceTime supports or has strategic partnerships
with all leading IM, unified communications providers and social networks including AOL, Google, Yahoo!,
Skype, Microsoft, IBM, Cisco, Facebook, LinkedIn and Twitter.
FaceTime is headquartered in Belmont, California. For more information visit
http://www.facetime.com or call 888-349-3223.
PR Contact Information: