The Highlander

Yahoo IM worm hijacks Internet Explorer homepage


Users of Yahoo Instant Messenger are under threat from a worm that hijacks their Internet Explorer homepage and leads them to a site that puts spyware on their PCs. Researchers at anti-malware firm FaceTime Security Labs, who identified the threat, say that the yhoo32.explr worm puts its own browser called Safety Browser on their PCs, the first recorded incidence of malware installing its own web browser on a PC without the user's permission.

 

According to FaceTime researchers, because Safety Browser uses the IE icon, users can easily mistake it for Internet Explorer.

 

A FaceTime alert says the self-propagating worm spreads the infection to Yahoo! Messenger contacts on the infected PC by sending a nefarious website link during a conversation. The link leads to a website that loads a command file onto the user’s PC and installs Safety Browser. This spam over instant messaging (IM) is called spim. IM applications and protocols are an increasingly popular vector to distribute malicious files and executables.

 

"This is one of the oddest and more insidious pieces of malware we have encountered in years," said Tyler Wells, senior director of research at FaceTime Security Labs. "This is the first instance of a complete web browser hijack without the user's awareness. Similar 'rogue' browsers, such as 'Yapbrowser', have demonstrated the potential for serious damage by directing end-users to potentially illegal or illicit material. 'Rogue' browsers seem to be the hot new thing among hackers."

 

The India research arm of FaceTime Security Labs discovered the threat in a 'honeypot', a trap they set to detect viruses, worms, spyware and other threats. Commentary on this threat by FaceTime Security Labs researcher Chris Boyd can be found on the Greynets Blog, at http://blog.spywareguide.com.

 

The malware infects the PC with two elements.

 

The first element is a web browser called "Safety Browser." This stand-alone application has no uninstaller and disguises itself with an Internet Explorer logo in some instances. The application also hijacks the personal homepage in Internet Explorer and points users to Safety Browser's homepage (demoplanet.tv). The hijack also plays looped music that cannot be stopped when the user starts up the PC or Safety Browser.

 

The second element is the self-propagating worm. The worm propagates by inserting a link into existing Messenger conversations on an infected PC. When an infected user initiates or joins a conversation, a link is inserted at random points in the conversation.

 

Link to article here

Instant Messenger

 

Of the worms related to IM services, 36 percent were tuned to more than one public network, and 13 percent had the capability to spread through all four major IM networks. This indicates that threats are getting more sophisticated and no longer target just one IM system. Popular IM networks are run by America Online, Microsoft and Yahoo.

 

When you leave the door open, don't be surprised who comes walking in!

 

cdanteek

all four major IM networks.

<snip>

Popular IM networks are run by America Online, Microsoft and Yahoo.

Who runs the fourth major network, and why isn't it popular? :)

Who runs the fourth major network, and why isn't it popular?

 

 

 

P2P IM networks, and they still seem to be popular. Audiogalaxy, Bearshare, Blubster, E-Mule, Gnucleus, Grokster, Imesh, KaZaa, KaZaa Lite, Limewire, Morpheus, Shareaza, WinMX, Xolox, eDonkey, Overnet, Grokster, LimeWire, Gnutella, and G2. Internet security sites posted these networks as targeted IM attacks.

 

cdanteek

P2P IM networks, and they still seem to be popular. Audiogalaxy, Bearshare, Blubster, E-Mule, Gnucleus, Grokster, Imesh, KaZaa, KaZaa Lite, Limewire, Morpheus, Shareaza, WinMX, Xolox, eDonkey, Overnet, Grokster, LimeWire, Gnutella, and G2. Internet security sites posted these networks as targeted IM attacks.

 

cdanteek

 

What's the difference between Limewire and LimeWire? Competitors or finger error?

 

Lynn
