Press Release
Self-Propagating Worm Installs Unsafe "Safety Browser"
FaceTime Security Labs Warns Against Homepage Hijack
FOSTER CITY, CALIF - May 22, 2006 - Research experts at FaceTime
Security Labs™ identified and reported a new threat today affecting Yahoo!
Messenger. FaceTime researchers confirmed that a self-propagating worm, named
yhoo32.explr, installs 'Safety Browser' and hijacks the Internet Explorer
homepage, leading users to a site that puts spyware on their PCs. Because
Safety Browser uses the IE icon, users can easily mistake it for Internet
Explorer. This is the first recorded instance of malware installing its own
web browser on a PC without the user's permission.
The self-propagating worm spreads the infection to Yahoo! Messenger contacts on
the infected PC by sending a nefarious website link during a conversation. The
link leads to a website that loads a command file onto the user's PC and
installs Safety Browser. This spam over instant messaging (IM) is called spim.
IM applications and protocols are an increasingly popular vector to distribute
malicious files and executables.
"This is one of the oddest and more insidious pieces of malware we have encountered
in years," commented Tyler Wells, Senior Director of Research at FaceTime
Security Labs. "This is the first instance of a complete web browser hijack
without the user's awareness. Similar 'rogue' browsers, such as 'Yapbrowser',
have demonstrated the potential for serious damage by directing end-users to
potentially illegal or illicit material. 'Rogue' browsers seem to be the hot
new thing among hackers."
The India research arm of FaceTime Security Labs discovered the threat in a
'honeypot', a trap they set to detect viruses, worms, spyware and other
threats. Commentary on this threat by FaceTime Security Labs researcher Chris
Boyd can be found on the Greynets Blog, at
http://blog.spywareguide.com. FaceTime Security Labs is the threat
research division of IM and Greynet security leader FaceTime Communications.
Threat name: yhoo32.explr
Threat type: Browserware and worm
Who is affected: Users of Yahoo! Messenger
Additional Information: The malware infects the PC with two
elements. The first element is a web browser called "Safety Browser." This
stand-alone application has no uninstaller and disguises itself with an
Internet Explorer logo in some instances. The application also hijacks the
personal homepage in Internet Explorer and points users to Safety Browser's
homepage (demoplanet.tv). The hijack also plays looped music that cannot be
stopped when the user starts up the PC or Safety Browser. The second element is
the self-propagating worm. The worm propagates by inserting a link into
existing Messenger conversations on an infected PC. When an infected user
initiates or joins a conversation, a link is inserted at random points in the
conversation.
FaceTime Customers Are Protected Against This Threat
FaceTime's RTGuardian and GEM customers are protected from this exploit if they
have auto-update features enabled. FaceTime's X-Cleaner customers should
download the latest update and scan their PC.
FaceTime Enterprise Edition and IMAuditor customers can proactively block these
malicious threats and prevent infections before they happen by utilizing the
auto-update features to block downloads of the specific file types associated
with the threats. FaceTime also recommends activating the Day Zero Defense
System within IMAuditor 7.0. The system utilizes anomaly detection techniques
to analyze multiple characteristics of IM-borne worms and other malicious code
against normal behavior, and provides patent-pending protection against many IM
threats - in addition to traditional security signatures.
About FaceTime Communications
FaceTime Communications enables the safe and productive use of instant
messaging, Web usage and Unified Communications platforms. Ranked number one by
IDC for four consecutive years, FaceTime's award-winning solutions are used by
more than 900 customers – including nine of the 10 largest U.S. banks – for
security, management and compliance of real-time communications. FaceTime
supports or has strategic partnerships with all leading public and enterprise
IM network providers, including AOL, Google, Microsoft, Yahoo!, Skype, IBM,
Reuters and Jabber.
FaceTime is headquartered in Belmont, California. For more information visit
http://www.facetime.com or call 888-349-FACE.
The FaceForward blog, at http://blog.facetime.com,
offers thoughts and opinions about the changing nature of Internet communications.
PR Contact:
Emily Chamberlin
650-762-2945
echamberlin@ar-edelman.com