Research experts at FaceTime Security Labs identified and reported a new threat today affecting instant messaging (IM) applications.
FaceTime Security Labs is the threat research division of IM and Greynet security leader FaceTime Communications.
Acting on an anonymous tip, researchers have uncovered two "botnet" networks that collectively represent up to 150,000 compromised computers. One of the two botnets is being used as a vehicle to fraudulently scan desktop and back-end systems to obtain credit card numbers, bank account details, and personal information including log-ins and passwords. Because the scans can be launched from any computer on the botnet, the operators can mask their actual location.
Instant messaging applications and protocols are an increasingly popular vector to distribute malicious files and executables. With this new threat, FaceTime has identified more than 40 unique files -- many designed to take advantage of social engineering techniques, stored passwords, auto-complete data and vulnerable payment systems. Relevant files and information on a large number of "at risk" credit card accounts have been provided to federal authorities.
Who is affected: Users of unsecured instant messaging (IM) clients or the Internet Explorer browser.
Threat Type: Trojan
Risk Level: High
If an end user clicks a malicious link received via instant messaging, Remote Administration Server, a commercially available remote-control application produced by Famatech, is installed without further interaction by a dropper named "beh.exe". The installer hides the application in the system tray so the end user sees nothing. Once it is installed, the computer is compromised and can be accessed remotely, at which point additional malware is loaded onto the desktop.
One application of note is "Carder," a Perl script designed specifically to probe for known vulnerabilities in several shopping cart applications, including Comersus Cart, CactuShop, CCBill and others used by many popular ecommerce sites. If the script finds a vulnerable installation, the back-end database containing credit card and account information (e.g. credit card numbers, home addresses, usernames and passwords) may be stolen from the ecommerce site. Personal information may also be stolen from the infected PC itself through Protected Storage PassView from NirSoft, a utility that recovers passwords and auto-complete data held in Windows Protected Storage and that may be remotely loaded onto infected PCs.
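The infection chain above starts with a single clicked IM link that delivers an executable. The following is an added example, not code from FaceTime or from the page, of the kind of link screening an IM gateway can apply before a user ever sees the URL: it flags links whose download target carries an executable extension, including the evasions a practitioner actually meets (double extensions such as photo.jpg.exe, percent-encoded dots, trailing dots, and a filename hidden in a query parameter). The extension list and the sample messages are constructed for this example.

```python
"""Screen URLs carried in IM messages for executable downloads.

Added illustrative example for the IM-link infection vector described above.
Not FaceTime product logic; the blocked-extension list and all sample
messages are constructed assumptions for this example.
"""
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Extensions Windows will run when the downloaded file is opened.
# Assumed list for this example; tune it for your environment.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jse",
    "wsf", "hta", "msi", "cpl",
}

# Pull http(s):// links and bare www. links out of free-form chat text.
URL_RE = re.compile(r"""(?i)\b(?:https?://|www\.)[^\s<>"']+""")


def extract_urls(message: str) -> list:
    """Return every URL in a chat message, normalising bare www. links."""
    urls = URL_RE.findall(message)
    return ["http://" + u if u.lower().startswith("www.") else u for u in urls]


def candidate_filenames(url: str) -> list:
    """Names a download could be saved under: the last path segment plus
    every query-string value (e.g. download?file=beh.exe)."""
    parsed = urlparse(url)
    # Decode twice so %2Eexe and %252Eexe both resolve to .exe
    names = [unquote(unquote(parsed.path)).rsplit("/", 1)[-1]]
    for _, value in parse_qsl(parsed.query, keep_blank_values=True):
        names.append(unquote(value))  # parse_qsl already decoded once
    # Windows drops trailing dots and spaces, so "beh.exe." is still beh.exe
    return [n.strip(". ").lower() for n in names if n]


def is_executable_download(url: str) -> bool:
    """True if any plausible filename for this URL ends in a blocked extension.
    Only the final extension matters: photo.jpg.exe is an .exe."""
    for name in candidate_filenames(url):
        if "." in name and name.rsplit(".", 1)[-1] in BLOCKED_EXTENSIONS:
            return True
    return False


def screen_message(message: str) -> dict:
    """Split the URLs in one IM message into blocked and allowed lists."""
    blocked, allowed = [], []
    for url in extract_urls(message):
        (blocked if is_executable_download(url) else allowed).append(url)
    return {"blocked": blocked, "allowed": allowed}


if __name__ == "__main__":
    # Constructed sample chat lines, not captured traffic.
    samples = [
        "lol look at this :D http://example.test/pics/photo.jpg.exe?ref=im",
        "my vacation pics http://example.test/gallery/pic.jpg",
        "grab it here www.example.test/beh%2Eexe.",
        "new version http://example.test/download?file=beh.exe",
    ]
    for line in samples:
        print(screen_message(line))
```

Extension screening is a necessary first gate, not a complete defense: a link can point at a redirector or at a server that sets the real filename in a Content-Disposition header, so a gateway should also inspect the fetched content (magic bytes, MZ header) before releasing it to the user.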
FaceTime Customers Can Protect Against This Threat
FaceTime Enterprise Edition and IMAuditor customers can proactively block these malicious threats and prevent infections before they happen by utilizing the auto-update features to block downloads of the specific file types associated with the threats. FaceTime also recommends activating the Day Zero Defense System within IMAuditor 6.5. The system utilizes anomaly detection techniques to analyze multiple characteristics of IM-borne worms and other malicious code against normal behavior, and provides patent-pending protection against many IM threats -- in addition to traditional security signatures. FaceTime RTGuardian customers are automatically protected if they have auto update features enabled. FaceTime's X-Cleaner customers (formerly XBlock) should download the latest update and scan their PC.