Ever wondered if music should be assigned an "annoyance level" in the Spywareguide.com database? Probably not, but after seeing this latest hijack you might think twice. Throw in a browser which installs itself without your permission and you have one of the craziest hijacks I've seen this year:say hello to yhoo32.explr, courtesy of FaceTime Security Labs.
Sitting comfortably?
Then let's begin...
The above is a screenshot of a domain that's being fired around IM - namely, Yahoo Instant Messaging. In turn, this domain leads to a URL that's been sighted in various social networking sites such as Myspace and across forum message boards. We'll get to that later; for now, note the data in the background - this is supposedly "locational technology" that serves up content appropriate to your region. In this case, the appropriate content looks like an infection file! Pity the poor end-user that agrees to this download, because if they run it...
...you see the above appear slap bang in the middle of your desktop. Worse still, music starts to blare out of your PC. Not just any old music - bad music. Bad looped music, with screeching guitars and awful drum n' bass beats. This madness continues for some time, and for the victim there is another "surprise"...every single time they boot up their PC from that moment on, the music greets them as their desktop appears and loops for a random amount of time. Words cannot convey the awful feeling of nausea this induces...testing a hijacking application has never been so painful!
Some "good" news, however - SP2 seems to prevent this music from playing in the background. Hooray(!)
At this point, you're probably wondering exactly what has been placed onto your PC. Well, XP flashes up the "helpful" message that new programs have been installed. Clicking the Start button, you see this:
....Internet....Browser?
Didn't I already have one of those?
Oh well, the thing has installed so you might as well see what it does. And the Gods of Ironic Humour do not disappoint! For what we have is an example of a web-browser being installed on your PC without your permission via IM, and the oh-so-funny name for this thing is...
The Safety Browser!
I swear, I'm not making this up.
The "safety" of the Safety Browser could also be disputed - considering it arrives on your PC in the form of a hijack, it doesn't exactly fill me with a warm, cosy feeling. And look! It's so safe, it thoughtfully pre-enabled the "Allow pop-ups" option. "Make me your homepage"? Yep, that's ticked off too! As a final bonus, the telephone / globe icon shown above for Safety Browser randomly switches to a fake IE logo, for that added "let's try and fool the end-user" touch:
In fact, the browser just seems to be a "shell" for Internet Explorer, because mistype a domain and you get the following IE-based error page:
Want to take bets on whether or not it would stop the latest IE exploits?
...didn't think so.
Naturally, IE itself has also been hijacked and had the homepage set to the Safety Browser default - and something else takes place, too. You didn't think we were going to get away with it that easily, did you?
At last, we come to the payoff - it just so happens our poor, infected user has Yahoo Instant Messenger installed. When our hapless victim, chatting to their buddy, decides to have a look at their profile...Yahoo opens up IE and that's the trigger for this...
...the infection link pops up in the chat window, and another hapless victim falls prey to this hijack.
That's not all - a file is placed on the PC which contacts a URL firing off continually modified commands for the infection. They can change the infection message and the method of infection on the fly. Tailor made messages designed for Yahoo IM, Internet-based chat and IRC? You got it. It even randomly overtypes some of your IM messages as you hit the send button - a nifty feature, I'm sure you'll agree!
The final nail in the coffin is this - sometimes, the homepage hijack doesn't take you to the Demoplanet website. Sometimes, it takes you to a page offering "free gifts" in exchange for clicking some of the adverts. Of course, clicking the adverts takes you to some pretty nasty hijack sites which bombard you with adware, spyware and viruses. The payload pretty much killed one of our test machines - not something you'd want on your home PC.
As you can see, there are definite money trails behind this one, and Wayne Porter and I have spent long hours going over reams of information to see where those trails lead to. Looks like potentially rogue browsers is yet another attack vector to add to the ever growing pile of Internet-related insanity. The first warning shots were fired here, and this looks like an all-new area of hijacking that will (of course) be built upon and continue to grow. Can't wait.
And will someone please turn that music off!
Comments
Goodness.
Remember kids- Be careful when clicking on links from instant messengers.
Posted by: Nathan | May 20, 2006 08:27 AM
Yea, this crap happened to me the other week. Trashed my whole computer, and had to do a full recovery. One thing tho is that I only use AIM...I don't know if it is on all im clients or not so yea. Hope these people get hit by semi trucks and die. L8R!
Posted by: Elementix | May 20, 2006 09:42 AM
Since the success of this hijack depends upon the presence of an instant messenger (as you say, Y!IM on this occasion) and IE, the solution is simple: No IM, and/or no IE.
Notice that I didn't say it was an easy solution; but like the man said, if you don't run it you're not exposed.
And I still say, IM clients should not auto-render text URLs as hyperlinks.
(BTW, PG, nice mix-and-match of movie franchises there :-)
Posted by: Mark Odell | May 20, 2006 10:34 AM
"(BTW, PG, nice mix-and-match of movie franchises there :-)"
Thanks. I really should throw a few more in to keep things busy ;)
Posted by: Paperghost | May 20, 2006 11:24 AM
Besides avoiding clicking links on IM URLs, it is important to ensure proper firewall and anti-virus programs are installed and set up in the computer systems.
Posted by: Keith | May 20, 2006 02:14 PM
Not to be a mac fanboy at all, but I'm damned glad that nothing like this exists for mac.
Posted by: Caius Durling | May 20, 2006 03:36 PM
Can we get a link to download this music file? I kinda want to hear it.
forgiste.
Posted by: forgiste | May 21, 2006 09:50 AM
HAHAH you stupid non-open source using fools.
Posted by: Ava | May 21, 2006 01:52 PM
REL Can we get a link to download this music file? I kinda want to hear it.
I want to hear the music too! Someone please make a mp3 file so we can all enjoy it.
Posted by: GMan (tm) | May 21, 2006 10:39 PM
FYI, that's not drum'n'bass... not even close, by any stretch of the genre, at any time in the last 10 years or so of it's evolution.
It's too slow, and not really a breakbeat if I remember correctly. Also the whole bass part is missing from the equation.
I was gonna flame, but you just don't know better... it's ok ;)
Posted by: Jungletek | May 21, 2006 11:53 PM
and all of this because Y! was too lazy to implement some kind of environment for its IM and uses IE ! IE=cr*p => Y!IM=cr*p !
Posted by: Haya | May 22, 2006 01:59 AM
"FYI, that's not drum'n'bass... not even close, by any stretch of the genre, at any time in the last 10 years or so of it's evolution.
It's too slow, and not really a breakbeat if I remember correctly. Also the whole bass part is missing from the equation.!"
I meant drum n' bass meaning drums with some bass playing, not the actual *type* of music known as drum n' bass. As for bass missing from the equation, you can clearly hear a bass guitar plunking away in the background near the end of the loop. I wouldn't really worry too much about the music definition much when your PC has just been jacked in spectacular fashion.
http://blog.spywareguide.com/2006/05/hijacking_your_browser_withano_1.htmlsource: