Threatening Worm Hovers on Google Adsense

A new cyber worm called 'w32.Kmeth' is threatening Yahoo Messenger users, says FaceTime security Labs. The worm redirects users to a website hosting multiple 'Google Adsense advertisements' about ' mesothelioma', an uncommon cancer caused by contact to asbestos.

"Mesothelioma", having a relation to asbestos-linked lawsuits, makes the 'cost-per-click' for the keyword, one of the highest in the 'pay-per-click' market of online advertising. The rate ranges from $4 to $13 or higher on other keyword bidding networks. Thus the financially motivated criminals make it a prime target.
When Google displays Adsense ads, online publishers make money from content relevant to their sites. Since Google's payment process to the host publisher site is based on the number of clicks on their ads, there are chances of fraud clicks as well.

Google has fraud detection mechanisms to identify rogue sites. These sites generate high returns by using illicit tactics but that does not remove the other risks of security consumers counter from them.

'Kmeth' worm is able to exploit IE vulnerabilities, thereby infecting surfers visiting malware sites. The hackers control these sites by sending IM messages to the Yahoo Messenger addresses of infected users. The hackers also hijack "status message" in Yahoo Messenger with alluring messages such as "check out my blog" so as to trick the potential victims.

As Chris Boyd says, director of malware research for FaceTime security Labs, the malware attackers typically use 'botnets' to artificially increase traffic for specific online advertisements. In the present case, the hackers have used the trick to create a bot-less network of hacked PCs to deluge traffic to sites holding the specific Google Adsense advertisements. Since a human factor exists in the whole picture, it becomes very difficult to detect these 'bot-less nets'.

The malware that Kmeth worm carries can infect any system whose user surfs IE to visit the infected website, however, it specifically targets users of 'Yahoo Instant Messenger'. Users can remain safe by not opening links coming to them from other users or present in 'Yahoo Messenger status message' of those addresses in their contact list.

» SPAMfighter News - 10/12/2006