The (un)Safety Browser: Latest IM Hijack
Ever wondered if music should be assigned an "annoyance level" in the Spywareguide.com database? Probably not, but after seeing this latest hijack you might think twice. Throw in a browser which installs itself without your permission and you have one of the craziest hijacks I've seen this year:say hello to yhoo32.explr, courtesy of FaceTime Security Labs.
Then let's begin...
The above is a screenshot of a domain that's being fired around IM - namely, Yahoo Instant Messaging. In turn, this domain leads to a URL that's been sighted in various social networking sites such as Myspace and across forum message boards. We'll get to that later; for now, note the data in the background - this is supposedly "locational technology" that serves up content appropriate to your region. In this case, the appropriate content looks like an infection file! Pity the poor end-user that agrees to this download, because if they run it...
...you see the above appear slap bang in the middle of your desktop. Worse still, music starts to blare out of your PC. Not just any old music - bad music. Bad looped music, with screeching guitars and awful drum n' bass beats. This madness continues for some time, and for the victim there is another "surprise"...every single time they boot up their PC from that moment on, the music greets them as their desktop appears and loops for a random amount of time. Words cannot convey the awful feeling of nausea this induces...testing a hijacking application has never been so painful!
Some "good" news, however - SP2 seems to prevent this music from playing in the background. Hooray(!)
At this point, you're probably wondering exactly what has been placed onto your PC. Well, XP flashes up the "helpful" message that new programs have been installed. Clicking the Start button, you see this:
Didn't I already have one of those?
Oh well, the thing has installed so you might as well see what it does. And the Gods of Ironic Humour do not disappoint! For what we have is an example of a web-browser being installed on your PC without your permission via IM, and the oh-so-funny name for this thing is...
The Safety Browser!
I swear, I'm not making this up.
The "safety" of the Safety Browser could also be disputed - considering it arrives on your PC in the form of a hijack, it doesn't exactly fill me with a warm, cosy feeling. And look! It's so safe, it thoughtfully pre-enabled the "Allow pop-ups" option. "Make me your homepage"? Yep, that's ticked off too! As a final bonus, the telephone / globe icon shown above for Safety Browser randomly switches to a fake IE logo, for that added "let's try and fool the end-user" touch:
In fact, the browser just seems to be a "shell" for Internet Explorer, because mistype a domain and you get the following IE-based error page:
Want to take bets on whether or not it would stop the latest IE exploits?
...didn't think so.
Naturally, IE itself has also been hijacked and had the homepage set to the Safety Browser default - and something else takes place, too. You didn't think we were going to get away with it that easily, did you?
At last, we come to the payoff - it just so happens our poor, infected user has Yahoo Instant Messenger installed. When our hapless victim, chatting to their buddy, decides to have a look at their profile...Yahoo opens up IE and that's the trigger for this...
...the infection link pops up in the chat window, and another hapless victim falls prey to this hijack.
That's not all - a file is placed on the PC which contacts a URL firing off continually modified commands for the infection. They can change the infection message and the method of infection on the fly. Tailor made messages designed for Yahoo IM, Internet-based chat and IRC? You got it. It even randomly overtypes some of your IM messages as you hit the send button - a nifty feature, I'm sure you'll agree!
The final nail in the coffin is this - sometimes, the homepage hijack doesn't take you to the Demoplanet website. Sometimes, it takes you to a page offering "free gifts" in exchange for clicking some of the adverts. Of course, clicking the adverts takes you to some pretty nasty hijack sites which bombard you with adware, spyware and viruses. The payload pretty much killed one of our test machines - not something you'd want on your home PC.
As you can see, there are definite money trails behind this one, and Wayne Porter and I have spent long hours going over reams of information to see where those trails lead to. Looks like potentially rogue browsers is yet another attack vector to add to the ever growing pile of Internet-related insanity. The first warning shots were fired here, and this looks like an all-new area of hijacking that will (of course) be built upon and continue to grow. Can't wait.
And will someone please turn that music off!