
Press Release

"Heartworm" Targets MSN Messenger Users, Uses Hoax Cloaking Tactics as Elaborate Ruse to Steal Personal and Bank Data

FaceTime researchers uncover dangerous worm hosted on a Russian Web site that uses the documented Internet hoax "a virtual card for you" as camouflage and as a pipeline to steal data.

FOSTER CITY, CALIF. - September 22, 2006 - Research experts at FaceTime Security Labs™, the threat research division of IM and greynet security leader FaceTime Communications, have discovered a new IM-borne threat targeting MSN Messenger users with a link that opens up a Web site that leads users to click on a "virtual card waiting for you." Users who click on this link see an image of a heart with a poem in Portuguese. The threat, known as W32.heartworm.a, installs files to steal a user's banking and personal data.

"The perpetrators have made a calculated move to tie this attack into numerous Web hoaxes, possibly to confuse infected users looking for help online," said Chris Boyd, director of malware research for FaceTime Security Labs. "Not only do they open up an image of a heart from a site dedicated to tackling online hoaxes, they also apparently named the attack after another online hoax - a virtual card for you - that has been in circulation since 2000. In this case, you really do receive a virtual card, but with a nasty additional 'bonus.'"

The infection spreads by running a file in circulation on Russian Web hosting sites claiming to offer a "virtual card" - when the file is run, a picture of a heart containing a poem is launched, and the infected user will pass the infection link to their contacts on MSN Messenger with the phrase "olha o que eu fiz pra vc....curti ai...[url removed]"

The files are related to a certain strain of banking data Trojan particularly prevalent in Brazil, and are similar to those in the MW.Orc worm that plagued Google's Orkut social networking site earlier this year. (http://www.facetime.com/pr/pr060619.aspx)

Wayne Porter, senior director of special research at FaceTime Security Labs, comments, "This is a form of cultural camouflage which we call 'hoax cloaking'. It is a defensive construct that adopts the very lore, memes, myth and culture of the Internet to serve as a self-preservation and cloaking mechanism. People using trusted search engines to verify the message will find most reputable security companies and hoax-debunking sites confirm it as a myth and disregard it as harmless."

Boyd, Porter and the FaceTime research team offer a detailed accounting of the W32.heartworm.a at http://blog.spywareguide.com.

Who is affected: Users of MSN Messenger instant messaging service, recently renamed Windows Live Messenger

Threat Type: Worm

Risk Level: Medium

How to protect against this threat
The initial file has the potential to infect MSN Messenger's more than 266 million users worldwide. (Instant Messaging Market Report, 2006-2010, The Radicati Group) Users can protect themselves by not clicking on links sent to them by other users, even if users appear on their contact list. Currently, most commonly used anti-virus programs do not provide protection from W32.heartworm.a.

Companies that use FaceTime Enterprise Edition and IMAuditor and have auto-update features activated are automatically protected against this threat. FaceTime also recommends activating the Day Zero Defense System within IMAuditor. The system utilizes anomaly detection techniques to analyze multiple characteristics of IM-borne worms and other malicious code against normal behavior, and provides patent-pending protection against many IM threats - in addition to traditional security signatures. FaceTime RTGuardian customers are automatically protected if they have auto update features enabled. FaceTime's X-Cleaner customers (formerly XBlock) should download the latest update and scan their PC for the worm.

About FaceTime Communications
FaceTime enables the safe and productive use of greynets like instant messaging, VoIP, web conferencing and P2P file sharing. FaceTime Security Labs delivers the industry's first IMPact Index, which assesses "point-in-time" risks posed by viruses, worms and other malware propagating through greynet applications. FaceTime's award-winning solutions are used by more than 800 customers, among them nine of the ten largest U.S. banks. FaceTime supports or has strategic partnerships with all leading public and private IM network providers, including AOL, Google, Microsoft, Yahoo!, IBM, Bloomberg, and Jabber.

FaceTime is headquartered in Foster City, California. For more information visit http://www.facetime.com or call 888-349-FACE.

PR Contact:

Joshua Barnes
A&R Edelman
650-762-2865
joshua.barnes@ar-edelman.com

 
 