Press Release
KMeth Worm Strikes Yahoo! Messenger Users, Targeting Google AdSense Program in Money Making Scheme
Financially-motivated malware serves up expensive Google AdSense pages related to a rare cancer
FOSTER CITY, CALIF. - October 3, 2006 - Research experts at FaceTime
Security Labs™, the threat research division of IM and greynet security leader
FaceTime Communications, have discovered a new threat targeting Yahoo!
Messenger users, known as the w32.KMeth worm. The new threat sends users to a
Web site serving a barrage of Google AdSense advertisements related to
mesothelioma, a rare cancer caused by exposure to asbestos. Because of its
relation to toxic tort litigation, the cost-per-click for the keyword
"mesothelioma" is one of the highest in the online advertising pay-per-click
market, making it a prime target for financially-motivated malware writers.
Systems are set up by these cyber-rogues to funnel traffic through illicit
means, generating clicks on high-paying keywords to produce higher returns on
established advertising commissions.
Unlike the typical worm that propagates when a user clicks on a link to an
executable file contained in an instant message, w32.KMeth downloads malicious
files into the user's Windows temporary file directory when a user simply
visits an infection site using Internet Explorer. When the user visits the
infected Web page, the malware uses the PC as a launch pad, immediately sending
infection messages to the user's Yahoo! Messenger contacts. The "status
message" in Yahoo! Messenger can also be hijacked, presenting enticing
messages to their contacts, such as "check out my blog." The use of this
additional social-engineering technique is designed to encourage more visits to
the rogue Web pages. At the same time, the user's control panel is disabled,
and the home page is hijacked to a Web page that contains text designed to
generate maximum revenue through click fraud.
"Typically, financially-driven malware attacks use botnets to fraudulently
increase traffic to specific online advertisements," said Chris Boyd, director
of malware research for FaceTime Security Labs. "In this case, the hackers have
cleverly borrowed tactics from botnet-creators to create a bot-less network of
hijacked PC users to drive traffic to sites populated with these specific
Google AdSense advertisements. Introducing the human factor into the scenario
makes these 'bot-less nets' much more difficult to detect."
Google AdSense is a convenient way for Web site publishers to earn money by
displaying Google ads relevant to their Web site. Because Google pays the host
Web site based on the number of clicks on their ads, the process can be
susceptible to what is commonly called "click-fraud," or an inflated number of
clicks on a given ad.
The cost-per-click for the term "mesothelioma" is among the highest in the
online advertising industry, because searchers using the term are very likely
to be seeking legal services. The cost-per-click ranges from $4 to $13 and
higher on various keyword bidding networks.
The FaceTime research team offers a detailed accounting of the worm and the
possible financial motives at
http://blog.spywareguide.com.
Who is affected: Users of both Yahoo! Messenger and Internet Explorer
Threat Type: Worm
Risk Level: Medium
How to protect against this threat
This malware has the potential to infect any user of Internet Explorer who
visits the infected Web site, but is specifically targeted at users of Yahoo!
Instant Messenger. Users can protect themselves by not clicking on links sent
to them by other users or contained in Yahoo! Messenger status messages of
those contacts on their contact list. Currently, most commonly used anti-virus
programs do not provide protection from w32.KMeth.
Companies that use FaceTime Enterprise Edition and IMAuditor and have
auto-update features activated are automatically protected against this threat.
FaceTime also recommends activating the Day Zero Defense System within
IMAuditor. The system utilizes anomaly detection techniques to analyze multiple
characteristics of IM-borne worms and other malicious code against normal
behavior, and provides patent-pending protection against many IM threats - in
addition to traditional security signatures. FaceTime RTGuardian customers are
automatically protected if they have auto update features enabled. FaceTime's
X-Cleaner customers (formerly XBlock) should download the latest update and
scan their PC for the worm.
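The propagation pattern described above (one infected PC blasting the same link to its whole contact list within seconds, plus a hijacked status message carrying that link) is exactly the kind of deviation from normal IM behavior that anomaly-based IM protection looks for. The following is an added example, not FaceTime's code or the Day Zero Defense System: a small detector that scans constructed IM gateway log lines for link fan-out bursts and URL-bearing status changes, then correlates the two indicators per sender. The log format, field names, thresholds and the example.invalid URLs are all assumptions.

```python
"""Fan-out anomaly detector for IM-borne worm propagation (added example).

Flags an IM account that sends the same link to many distinct contacts within
a short window, and status-message changes that introduce a URL. The log
format (ISO time, event, sender, recipient, text), the event names MSG/STATUS
and the thresholds are assumptions for this example, not a real product's.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample log. STATUS events use '-' as the recipient field.
SAMPLE_LOG = """\
2006-10-03T09:00:01 MSG alice bob hey, lunch today?
2006-10-03T09:00:30 MSG bob alice sure, noon
2006-10-03T09:05:00 STATUS carol - check out my blog http://example.invalid/blog
2006-10-03T09:05:01 MSG carol dave check out my blog http://example.invalid/blog
2006-10-03T09:05:01 MSG carol erin check out my blog http://example.invalid/blog
2006-10-03T09:05:02 MSG carol frank check out my blog http://example.invalid/blog
2006-10-03T09:05:02 MSG carol alice check out my blog http://example.invalid/blog
2006-10-03T09:05:03 MSG carol bob check out my blog http://example.invalid/blog
2006-10-03T09:20:00 MSG alice bob here is that article http://example.invalid/news
2006-10-03T10:20:00 MSG alice carol here is that article http://example.invalid/news
"""


def parse_line(line):
    """Split one log line into its five fields; text may contain spaces."""
    ts, event, sender, recipient, text = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "sender": sender, "recipient": recipient, "text": text}


def detect_fanout(lines, min_recipients=4, window=timedelta(seconds=60)):
    """Return alert tuples for link fan-out bursts and URL status changes.

    ("link_fanout", sender, url, distinct_recipients) when one sender pushes
    the same URL to at least min_recipients distinct contacts inside `window`;
    ("status_url", sender, url) when a status message starts carrying a URL.
    """
    sends = defaultdict(lambda: defaultdict(list))  # sender -> url -> [(ts, rcpt)]
    status_alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        urls = URL_RE.findall(ev["text"])
        if not urls:
            continue  # normal chatter without links is ignored
        if ev["event"] == "STATUS":
            status_alerts.append(("status_url", ev["sender"], urls[0]))
            continue
        for url in urls:
            sends[ev["sender"]][url].append((ev["ts"], ev["recipient"]))

    fanout_alerts = []
    for sender, by_url in sends.items():
        for url, events in by_url.items():
            events.sort()
            # Slide a time window across this sender's sends of this URL and
            # count distinct recipients; one alert per (sender, url) is enough.
            for i, (start, _) in enumerate(events):
                recips = {r for t, r in events[i:] if t - start <= window}
                if len(recips) >= min_recipients:
                    fanout_alerts.append(("link_fanout", sender, url, len(recips)))
                    break
    return fanout_alerts + status_alerts


def suspicious_senders(alerts):
    """Senders showing both indicators: a URL in their status and a link burst."""
    fan = {a[1] for a in alerts if a[0] == "link_fanout"}
    stat = {a[1] for a in alerts if a[0] == "status_url"}
    return sorted(fan & stat)


if __name__ == "__main__":
    found = detect_fanout(SAMPLE_LOG.splitlines())
    for alert in found:
        print(alert)
    print("correlated:", suspicious_senders(found))
```

On the constructed log, alice's two link messages an hour apart are not flagged, while carol's five identical link sends in three seconds plus the URL in her status message produce both indicators and a correlated hit. A real deployment would tune `min_recipients` and `window` against observed baseline traffic rather than the fixed values assumed here.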
About FaceTime Communications
FaceTime enables the safe and productive use of greynets like instant
messaging, VoIP, web conferencing and P2P file sharing. FaceTime Security Labs
delivers the industry's first IMPact Index, which assesses "point-in-time"
risks posed by viruses, worms and other malware propagating through greynet
applications. FaceTime's award-winning solutions are used by more than 800
customers, among them nine of the ten largest U.S. banks. FaceTime supports or
has strategic partnerships with all leading public and private IM network
providers, including AOL, Google, Microsoft, Yahoo!, IBM, Bloomberg,
and Jabber.
FaceTime is headquartered in Foster City, California. For more information visit http://www.facetime.com or call 888-349-FACE.
PR Contact:
Joshua Barnes
A&R Edelman
650-762-2865
joshua.barnes@ar-edelman.com