FOSTER CITY, CALIF. - October 3, 2006 -

Research experts at FaceTime Security Labs™, the threat research division of IM and greynet security leader FaceTime Communications, have discovered a new threat targeting Yahoo! Messenger users, known as the w32.KMeth worm. The new threat sends users to a Web site serving a barrage of Google AdSense advertisements related to mesothelioma, a rare cancer caused by exposure to asbestos. Because of its relation to toxic tort litigation, the cost-per-click for the keyword "mesothelioma" is one of the highest in the online advertising pay-per-click market, making it a prime target for financially motivated malware writers. Systems are set up by these cyber-rogues to funnel traffic through illicit means, generating clicks on high-paying keywords to produce higher returns on established advertising commissions.

Unlike the typical worm that propagates when a user clicks on a link to an executable file contained in an instant message, w32.KMeth downloads malicious files into the user's Windows temporary file directory when a user simply visits an infection site using Internet Explorer. When the user visits the infected Web page, the malware uses the PC as a launch pad, immediately sending infection messages to the user's Yahoo! Messenger contacts. The "status message" in Yahoo! Messenger can also be hijacked, presenting enticing messages to their contacts, such as "check out my blog." The use of this additional social-engineering technique is designed to encourage more visits to the rogue Web pages. At the same time, the user's control panel is disabled, and the home page is hijacked to a Web page that contains text designed to generate maximum revenue through click fraud.
fraud. "Typically, financially-driven malware attacks use botnets
to fraudulently increase traffic to specific online
advertisements," said Chris Boyd, director of malware research for
FaceTime Security Labs. "In this case, the hackers have cleverly
borrowed tactics from botnet-creators to create a bot-less network
of hijacked PC users to drive traffic to sites populated with these
specific Google AdSense advertisements. Introducing the human
factor into the scenario makes these 'bot-less nets' much more
difficult to detect."

Google AdSense is a convenient way for Web site publishers to earn money by displaying Google ads relevant to their Web site. Because Google pays the host Web site based on the number of clicks on their ads, the process can be susceptible to what is commonly called "click-fraud," or an inflated number of clicks on a given ad. The cost-per-click for the term "mesothelioma" is among the highest in the online advertising industry, because searchers using the term are very likely to be seeking legal services. The cost-per-click ranges from $4 to $13 and higher on various keyword bidding networks. The FaceTime research team offers a detailed accounting of the worm and the possible financial motives at http://blog.spywareguide.com.

Who is affected: Users of both Yahoo! Messenger and Internet Explorer
Threat Type: Worm
Risk Level: Medium

How to protect against this threat
This malware has the potential to infect any user of Internet
Explorer who visits the infected Web site, but is specifically
targeted at users of Yahoo! Instant Messenger. Users can protect
themselves by not clicking on links sent to them by other users or
contained in Yahoo! Messenger status messages of those contacts on
their contact list. Currently, most commonly used anti-virus
programs do not provide protection from w32.KMeth. Companies that
use FaceTime Enterprise Edition and IMAuditor and have auto-update
features activated are automatically protected against this threat.
FaceTime also recommends activating the Day Zero Defense System
within IMAuditor. The system utilizes anomaly detection techniques
to analyze multiple characteristics of IM-borne worms and other
malicious code against normal behavior, and provides patent-pending
protection against many IM threats - in addition to traditional
security signatures. FaceTime RTGuardian customers are
automatically protected if they have auto-update features enabled.
FaceTime's X-Cleaner customers (formerly XBlock) should download
the latest update and scan their PC for the worm.
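The anomaly-detection idea described above (comparing IM traffic against normal behavior rather than relying on signatures) can be illustrated with a small check for the propagation pattern this worm uses: one account pushing the same URL-bearing lure to many contacts within seconds. This is an added example, not FaceTime or IMAuditor code; the event log, account names and the `example.invalid` URL are constructed, and the 60-second window and four-contact threshold are assumed tuning values.

```python
# Added example (not FaceTime's code): a toy anomaly check for the IM-worm
# propagation pattern described above. The events are constructed; in
# practice they would come from an IM proxy or gateway log.
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)

# Constructed sample events: (timestamp_seconds, sender, recipient, text).
# "dave" shows the worm pattern: one lure with a link to five contacts in 5 s.
SAMPLE_EVENTS = [
    (0,   "alice", "bob",   "hey, lunch tomorrow?"),
    (5,   "alice", "carol", "sure, send me the doc"),
    (100, "dave",  "alice", "check out my blog www.example.invalid/blog"),
    (101, "dave",  "bob",   "check out my blog www.example.invalid/blog"),
    (102, "dave",  "carol", "check out my blog www.example.invalid/blog"),
    (103, "dave",  "erin",  "check out my blog www.example.invalid/blog"),
    (104, "dave",  "frank", "check out my blog www.example.invalid/blog"),
    (400, "bob",   "alice", "here is the link www.example.invalid/doc"),
]

def normalize(text):
    """Collapse URLs and whitespace so near-identical lures compare equal."""
    return " ".join(URL_RE.sub("<url>", text.lower()).split())

def find_worm_bursts(events, window=60, min_contacts=4):
    """Return {sender: contacts} for senders that pushed the same URL-bearing
    message to at least min_contacts distinct contacts inside `window`
    seconds. A person rarely sends one link to many contacts at once;
    an IM worm does exactly that right after infection."""
    by_sender = defaultdict(list)
    for ts, sender, recipient, text in sorted(events):
        if URL_RE.search(text):
            by_sender[sender].append((ts, recipient, normalize(text)))
    flagged = {}
    for sender, msgs in by_sender.items():
        for i, (t0, _, body) in enumerate(msgs):
            contacts = {r for t, r, b in msgs[i:] if t - t0 <= window and b == body}
            if len(contacts) >= min_contacts:
                flagged[sender] = sorted(contacts)
                break
    return flagged

if __name__ == "__main__":
    for sender, contacts in find_worm_bursts(SAMPLE_EVENTS).items():
        print(f"possible IM worm burst from {sender} -> {contacts}")
```

The same normalization can be applied to status-message changes, since the release notes the lure text also appears there.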
About Actiance, Inc. (Formerly FaceTime Communications, Inc.)
FaceTime Communications became Actiance, Inc. on January 11, 2011, following an agreement to
transfer the FaceTime trademark to Apple.
FaceTime Communications enables the safe and productive use of Unified Communications and Web 2.0,
including instant messaging, blogs and social networking. Ranked number one by IDC for five consecutive
years, FaceTime's award-winning solutions are used by more than 1,500 customers for the security,
management and compliance of real-time communications. FaceTime supports or has strategic partnerships
with all leading IM, unified communications providers and social networks including AOL, Google, Yahoo!,
Skype, Microsoft, IBM, Cisco, Facebook, LinkedIn and Twitter.
FaceTime is headquartered in Belmont, California. For more information visit
http://www.facetime.com or call 888-349-3223.
PR Contact Information: