Quick Links: SpywareGuide Greynets Blog | SpywareGuide Product Database | SpywareGuide Company Database | SpywareGuide Categories
SpywareGuide powered by FaceTime Security Labs
Search SpywareGuide Greynets Database
Security Email Alerts & Updates

SpywareGuide's Greynets Blog is a destination where you can hear from the people who are part of the SpywareGuide and FaceTime Security Labs research teams, as well as developers, programmers and the occasional guest blogger. You never know what topics will be covered -- spyware, adware, rootkits, botnets, IM worms, the money side of malware, the underbelly of affiliate marketing, the world of greynets. Greynets are network-enabled applications that are installed on an end user's system without permission from IT and are highly evasive to existing security infrastructure. Greynet applications pose a security risk, but their risk must be managed in concert with the business benefits of the applications.

Search the Blog
Recent Posts
Monthly Blog Archives
Subscribe to this blog's feed
About the Blog
About SpywareGuide Greynets Blog
Link to Us
Link to SpywareGuide.com
IM, P2P & Spyware Defense Analyze Your EULA Free Spyware Remover Free Spyware Scan

« The Hidden Implications of the Blue Security Takedown. | Main

The (un)Safety Browser: Latest IM Hijack

Ever wondered if music should be assigned an "annoyance level" in the Spywareguide.com database? Probably not, but after seeing this latest hijack you might think twice. Throw in a browser which installs itself without your permission and you have one of the craziest hijacks I've seen this year:say hello to yhoo32.explr, courtesy of FaceTime Security Labs.

Sitting comfortably?

Then let's begin...

Click to enlarge

The above is a screenshot of a domain that's being fired around IM - namely, Yahoo Instant Messaging. In turn, this domain leads to a URL that's been sighted in various social networking sites such as Myspace and across forum message boards. We'll get to that later; for now, note the data in the background - this is supposedly "locational technology" that serves up content appropriate to your region. In this case, the appropriate content looks like an infection file! Pity the poor end-user that agrees to this download, because if they run it...

Click to enlarge

...you see the above appear slap bang in the middle of your desktop. Worse still, music starts to blare out of your PC. Not just any old music - bad music. Bad looped music, with screeching guitars and awful drum n' bass beats. This madness continues for some time, and for the victim there is another "surprise"...every single time they boot up their PC from that moment on, the music greets them as their desktop appears and loops for a random amount of time. Words cannot convey the awful feeling of nausea this induces...testing a hijacking application has never been so painful!

Some "good" news, however - SP2 seems to prevent this music from playing in the background. Hooray(!)

At this point, you're probably wondering exactly what has been placed onto your PC. Well, XP flashes up the "helpful" message that new programs have been installed. Clicking the Start button, you see this:



Didn't I already have one of those?

Oh well, the thing has installed so you might as well see what it does. And the Gods of Ironic Humour do not disappoint! For what we have is an example of a web-browser being installed on your PC without your permission via IM, and the oh-so-funny name for this thing is...

Click to enlarge

The Safety Browser!

I swear, I'm not making this up.

The "safety" of the Safety Browser could also be disputed - considering it arrives on your PC in the form of a hijack, it doesn't exactly fill me with a warm, cosy feeling. And look! It's so safe, it thoughtfully pre-enabled the "Allow pop-ups" option. "Make me your homepage"? Yep, that's ticked off too! As a final bonus, the telephone / globe icon shown above for Safety Browser randomly switches to a fake IE logo, for that added "let's try and fool the end-user" touch:

Click image to enlarge

In fact, the browser just seems to be a "shell" for Internet Explorer, because mistype a domain and you get the following IE-based error page:

Click to enlarge

Want to take bets on whether or not it would stop the latest IE exploits?

...didn't think so.

Naturally, IE itself has also been hijacked and had the homepage set to the Safety Browser default - and something else takes place, too. You didn't think we were going to get away with it that easily, did you?

At last, we come to the payoff - it just so happens our poor, infected user has Yahoo Instant Messenger installed. When our hapless victim, chatting to their buddy, decides to have a look at their profile...Yahoo opens up IE and that's the trigger for this...


...the infection link pops up in the chat window, and another hapless victim falls prey to this hijack.

That's not all - a file is placed on the PC which contacts a URL firing off continually modified commands for the infection. They can change the infection message and the method of infection on the fly. Tailor made messages designed for Yahoo IM, Internet-based chat and IRC? You got it. It even randomly overtypes some of your IM messages as you hit the send button - a nifty feature, I'm sure you'll agree!

The final nail in the coffin is this - sometimes, the homepage hijack doesn't take you to the Demoplanet website. Sometimes, it takes you to a page offering "free gifts" in exchange for clicking some of the adverts. Of course, clicking the adverts takes you to some pretty nasty hijack sites which bombard you with adware, spyware and viruses. The payload pretty much killed one of our test machines - not something you'd want on your home PC.

As you can see, there are definite money trails behind this one, and Wayne Porter and I have spent long hours going over reams of information to see where those trails lead to. Looks like potentially rogue browsers is yet another attack vector to add to the ever growing pile of Internet-related insanity. The first warning shots were fired here, and this looks like an all-new area of hijacking that will (of course) be built upon and continue to grow. Can't wait.

And will someone please turn that music off!


TrackBack URL for this entry:

Listed below are links to weblogs that reference The (un)Safety Browser: Latest IM Hijack:

» New Worm from Thoughts Of A Diseased Imagination
If you use Yahoo Instant Messenger or any other IM program, be wary of links you click on. A new worm has started spreading via these IM programs, which changes your background, starts looping some aparently awful music in the background quite loudly, ... [Read More]

» Un Virus que te instala un "Navegador Seguro" from PsicoIT Support
[IMGRIGHT=/karellen1975/homes/blog/safbrow.jpg]En el blog de SpywareGuide analizaron un malware que resulta bastante irĂ... [Read More]

» The (un)Safety Browser: Latest IM Hijack from BambisMusings - Musings from a little deer?
The (un)Safety Browser: Latest IM Hijack Paperghost over at SpywareGuide Blog (The Greynets Blog) has the lowdown on this (un)Safety Browser that is the latest IM Worm HiJack. And of course, this one hits, the IM client that WAS the safest of the stand... [Read More]


Remember kids- Be careful when clicking on links from instant messengers.

Yea, this crap happened to me the other week. Trashed my whole computer, and had to do a full recovery. One thing tho is that I only use AIM...I don't know if it is on all im clients or not so yea. Hope these people get hit by semi trucks and die. L8R!

Since the success of this hijack depends upon the presence of an instant messenger (as you say, Y!IM on this occasion) and IE, the solution is simple: No IM, and/or no IE.

Notice that I didn't say it was an easy solution; but like the man said, if you don't run it you're not exposed.

And I still say, IM clients should not auto-render text URLs as hyperlinks.

(BTW, PG, nice mix-and-match of movie franchises there :-)

"(BTW, PG, nice mix-and-match of movie franchises there :-)"

Thanks. I really should throw a few more in to keep things busy ;)

Besides avoiding clicking links on IM URLs, it is important to ensure proper firewall and anti-virus programs are installed and set up in the computer systems.

Not to be a mac fanboy at all, but I'm damned glad that nothing like this exists for mac.

Can we get a link to download this music file? I kinda want to hear it.


HAHAH you stupid non-open source using fools.

REL Can we get a link to download this music file? I kinda want to hear it.

I want to hear the music too! Someone please make a mp3 file so we can all enjoy it.

FYI, that's not drum'n'bass... not even close, by any stretch of the genre, at any time in the last 10 years or so of it's evolution.

It's too slow, and not really a breakbeat if I remember correctly. Also the whole bass part is missing from the equation.

I was gonna flame, but you just don't know better... it's ok ;)

and all of this because Y! was too lazy to implement some kind of environment for its IM and uses IE ! IE=cr*p => Y!IM=cr*p !

"FYI, that's not drum'n'bass... not even close, by any stretch of the genre, at any time in the last 10 years or so of it's evolution.

It's too slow, and not really a breakbeat if I remember correctly. Also the whole bass part is missing from the equation.!"

I meant drum n' bass meaning drums with some bass playing, not the actual *type* of music known as drum n' bass. As for bass missing from the equation, you can clearly hear a bass guitar plunking away in the background near the end of the loop. I wouldn't really worry too much about the music definition much when your PC has just been jacked in spectacular fashion.

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)

Site EULA | Site Map | Contact Us | About Us | Site and Spyware FAQ | Advertise | RSS Feeds  | Link To Us | SpywareGuide JapanJapanese

© Copyright 2006, FaceTime Communications, Inc. All rights reserved.