A virulent new worm designed to carry out a sneaky form of click fraud has been causing problems on the Yahoo! instant messaging (IM) network.
The w32.KMeth worm, as it is known, has a simple purpose – to get as many Yahoo users as possible to visit fake websites that display Google AdSense adverts related to mesothelioma, a rare form of cancer caused by asbestos poisoning.
Because this condition is highly valuable to lawyers hunting for easy custom – mesothelioma sufferers rarely if ever lose a case – it also has what is reckoned to be one of the highest cost-per-click rates of any AdSense keyword, at somewhere between $4 and $13 per click.
Criminals directing traffic to websites dealing in the issue, even bogus ones, are now attempting to use this fact to exploit the AdSense system for easy profits.
The worm is rapacious in its search for PCs to hijack, using infected clients to send out messages to every Yahoo contact it can detect, inviting them in a number of varying ways to click on an embedded weblink. Doing so causes a number of files to be downloaded onto the new victim’s PC, starting the infection cycle anew.
Not only does this weblink generate AdSense revenue, but the worm also hijacks the homepage of any user of Internet Explorer (Mozilla is unaffected) to gain even more fraudulent traffic for its campaign.
Thus far, it’s clever enough, but a blog on the worm by security company FaceTime notes some highly sophisticated features that mark out KMeth in other ways. To avoid being picked up by Google’s fraud filters, it detects and rejects traffic to the fake websites from certain countries using the TrafficCleaner IP filtering service. Too much traffic, from too many different parts of the world, might give it away.
“Typically, financially-driven malware tactics use botnets to fraudulently increase traffic to specific online advertisements. In this case, the hackers have very cleverly borrowed tactics from botnet-creators to create a bot-less network of hijacked PC users to drive traffic to sites populated with these specific Google AdSense advertisements,” notes the blog.
The easiest way for Yahoo users to protect themselves against this worm is not to click on links, regardless of whether they appear to come from contacts. Anti-malware scanners did not protect against infection as of last week, though this will have changed over the weekend.
Yahoo has become a favoured target for worms this year. In June, JS.Yamanner@m caused problems for the network, while a month before that the spyware-installing yhoo32.explr attempted to ensnare users with the promise of a bogus “safety browser”.