Worm Strikes Yahoo! Messenger Users
Research experts at FaceTime Security Labs, the threat research division of IM and greynet security leader FaceTime Communications, have discovered a new threat targeting Yahoo! Messenger users, known as the w32.KMeth worm. The new threat sends users to a Web site serving a barrage of Google AdSense advertisements related to mesothelioma, a rare cancer caused by exposure to asbestos. Because of its relation to toxic tort litigation, the cost-per-click for the keyword "mesothelioma" is one of the highest in the online advertising pay-per-click market, making it a prime target for financially-motivated malware writers. Systems are set up by these cyber-rogues to funnel traffic through illicit means, generating clicks on high-paying keywords to produce higher returns on established advertising commissions.
Unlike the typical worm that propagates when a user clicks on a link to an executable file contained in an instant message, w32.KMeth downloads malicious files into the user's Windows temporary file directory when a user simply visits an infection site using Internet Explorer. When the user visits the infected Web page, the malware uses the PC as a launch pad, immediately sending infection messages to the user's Yahoo! Messenger contacts. The "status message" in Yahoo! Messenger can also be hijacked, presenting enticing messages to the user's contacts, such as "check out my blog." The use of this additional social-engineering technique is designed to encourage more visits to the rogue Web pages. At the same time, the user's control panel is disabled, and the home page is hijacked to a Web page that contains text designed to generate maximum revenue through click fraud.
"Typically, financially-driven malware attacks use botnets to fraudulently increase traffic to specific online advertisements," said Chris Boyd, director of malware research for FaceTime Security Labs. "In this case, the hackers have cleverly borrowed tactics from botnet-creators to create a bot-less network of hijacked PC users to drive traffic to sites populated with these specific Google AdSense advertisements. Introducing the human factor into the scenario makes these 'bot-less nets' much more difficult to detect."
Google AdSense is a convenient way for Web site publishers to earn money by displaying Google ads relevant to their Web site. Because Google pays the host Web site based on the number of clicks on their ads, the process can be susceptible to what is commonly called "click-fraud," or an inflated number of clicks on a given ad.
The cost-per-click for the term "mesothelioma" is among the highest in the online advertising industry, because searchers using the term are very likely to be seeking legal services. The cost-per-click ranges from $4 to $13 and higher on various keyword bidding networks.
The FaceTime research team offers a detailed accounting of the worm and the possible financial motives at http://blog.spywareguide.com.
Who is affected: Users of both Yahoo! Messenger and Internet Explorer
Threat Type: Worm
Risk Level: Medium
How to protect against this threat
This malware has the potential to infect any user of Internet Explorer who visits the infected Web site, but is specifically targeted at users of Yahoo! Instant Messenger. Users can protect themselves by not clicking on links sent to them by other users or contained in Yahoo! Messenger status messages of those contacts on their contact list. Currently, most commonly used anti-virus programs do not provide protection from w32.KMeth.
Companies that use FaceTime Enterprise Edition and IMAuditor and have auto-update features activated are automatically protected against this threat. FaceTime also recommends activating the Day Zero Defense System within IMAuditor. The system utilizes anomaly detection techniques to analyze multiple characteristics of IM-borne worms and other malicious code against normal behavior, and provides patent-pending protection against many IM threats -- in addition to traditional security signatures. FaceTime RTGuardian customers are automatically protected if they have auto update features enabled. FaceTime's X-Cleaner customers (formerly XBlock) should download the latest update and scan their PC for the worm.
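The host-side symptoms described above (files dropped in the Windows temporary directory, a disabled Control Panel, a hijacked home page) can be checked on a suspect PC with a short triage script; this is an added example, not FaceTime's tooling or anything from the original article. Assumptions: the article does not say how the worm makes these changes, so the script checks the standard `NoControlPanel` Explorer policy and the Internet Explorer `Start Page` value, and the function name, expected home page list, 7-day window and extension list are hypothetical choices.

```powershell
# Added example: triage for the three host-side symptoms the article describes.
# Assumptions (not from the article): Control Panel is blocked through the
# standard NoControlPanel policy, the home page is IE's "Start Page" value,
# and "recent" means files written in the last 7 days.
function Get-ImWormSymptom {
    param(
        [string[]]$ExpectedHomePages = @('about:blank'),  # replace with your own home page(s)
        [int]$Days = 7
    )
    $findings = @()

    # 1. Control Panel disabled by policy (per-user and per-machine)
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $val = (Get-ItemProperty -Path $key -Name NoControlPanel -ErrorAction SilentlyContinue).NoControlPanel
        if ($val -eq 1) {
            $findings += [pscustomobject]@{ Check = 'ControlPanelDisabled'; Detail = $key }
        }
    }

    # 2. Internet Explorer home page differs from what is expected
    $main  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $start = (Get-ItemProperty -Path $main -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($start -and ($ExpectedHomePages -notcontains $start)) {
        $findings += [pscustomobject]@{ Check = 'UnexpectedHomePage'; Detail = $start }
    }

    # 3. Executable or script files recently written to the user's temp directory
    $cutoff = (Get-Date).AddDays(-$Days)
    $exts   = '.exe', '.dll', '.scr', '.bat', '.vbs'
    Get-ChildItem -Path $env:TEMP -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff -and $exts -contains $_.Extension } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Check = 'RecentTempExecutable'; Detail = $_.FullName }
        }

    $findings
}

# Each finding is a lead for further investigation, not proof of infection:
# legitimate installers also write executables to %TEMP%.
Get-ImWormSymptom | Format-Table -AutoSize
```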
Posted on Oct 03, 2006
Filed in: Security | VoIP Advice | Yahoo Messenger
All brand, company, and product names are trademarks or registered trademarks of their
respective owners. © 2012 VoIP Monitor. All rights reserved.