The (un)Safety Browser: Latest IM Hijack


Ever wondered if music should be assigned an "annoyance level" in the Spywareguide.com database? Probably not, but after seeing this latest hijack you might think twice. Throw in a browser which installs itself without your permission and you have one of the craziest hijacks I've seen this year: say hello to yhoo32.explr, courtesy of FaceTime Security Labs.

Sitting comfortably?

Then let's begin...


http://blog.spywareguide.com/upload/2006/05/ladownload-thumb.jpg

The above is a screenshot of a domain that's being fired around IM - namely, Yahoo Instant Messaging. In turn, this domain leads to a URL that's been sighted on various social networking sites such as Myspace and across forum message boards. We'll get to that later; for now, note the data in the background - this is supposedly "locational technology" that serves up content appropriate to your region. In this case, the appropriate content looks like an infection file! Pity the poor end-user who agrees to this download, because if they run it...

http://blog.spywareguide.com/upload/2006/05/lainstall-thumb.jpg

...you see the above appear slap bang in the middle of your desktop. Worse still, music starts to blare out of your PC. Not just any old music - bad music. Bad looped music, with screeching guitars and awful drum n' bass beats. This madness continues for some time, and for the victim there is another "surprise"...every single time they boot up their PC from that moment on, the music greets them as their desktop appears and loops for a random amount of time. Words cannot convey the awful feeling of nausea this induces...testing a hijacking application has never been so painful!

Some "good" news, however - SP2 seems to prevent this music from playing in the background. Hooray(!)

At this point, you're probably wondering exactly what has been placed onto your PC. Well, XP flashes up the "helpful" message that new programs have been installed. Clicking the Start button, you see this:

lalogo.jpg

....Internet....Browser?

Didn't I already have one of those?

Oh well, the thing has installed so you might as well see what it does. And the Gods of Ironic Humour do not disappoint! For what we have is an example of a web-browser being installed on your PC without your permission via IM, and the oh-so-funny name for this thing is...

http://blog.spywareguide.com/upload/2006/05/lademo-thumb.jpg

The Safety Browser!

I swear, I'm not making this up.

The "safety" of the Safety Browser could also be disputed - considering it arrives on your PC in the form of a hijack, it doesn't exactly fill me with a warm, cosy feeling. And look! It's so safe, it thoughtfully pre-enabled the "Allow pop-ups" option. "Make me your homepage"? Yep, that's ticked off too! As a final bonus, the telephone / globe icon shown above for Safety Browser randomly switches to a fake IE logo, for that added "let's try and fool the end-user" touch:

http://blog.spywareguide.com/upload/2006/05/laiebrow-thumb.jpg

In fact, the browser just seems to be a "shell" for Internet Explorer, because if you mistype a domain you get the following IE-based error page:

http://blog.spywareguide.com/upload/2006/05/larandom-thumb.jpg

Want to take bets on whether or not it would stop the latest IE exploits?

...didn't think so.

Naturally, IE itself has also been hijacked and had the homepage set to the Safety Browser default - and something else takes place, too. You didn't think we were going to get away with it that easily, did you?

At last, we come to the payoff - it just so happens our poor, infected user has Yahoo Instant Messenger installed. When our hapless victim, chatting to their buddy, decides to have a look at their profile...Yahoo opens up IE and that's the trigger for this...

http://blog.spywareguide.com/upload/2006/05/lamessage-thumb.jpg

...the infection link pops up in the chat window, and another hapless victim falls prey to this hijack.

That's not all - a file is placed on the PC which contacts a URL that serves continually modified commands for the infection. They can change the infection message and the method of infection on the fly. Tailor-made messages designed for Yahoo IM, Internet-based chat and IRC? You got it. It even randomly overtypes some of your IM messages as you hit the send button - a nifty feature, I'm sure you'll agree!
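The periodic command fetch described above is what a defender would hunt for in proxy logs: one client hitting the same URL at near-constant intervals. The script below is an added example, not code from the original post or from FaceTime; the log lines and the command URL are constructed placeholders, and the regular-interval heuristic is an assumption about how such a fetcher looks on the wire.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the original post). The host
# "update.example-hijack.test" is a placeholder, not a real indicator.
SAMPLE_LOG = """\
2006-05-19 09:00:00 10.0.0.5 GET http://update.example-hijack.test/cmd.txt 200
2006-05-19 09:00:31 10.0.0.5 GET http://www.yahoo.com/ 200
2006-05-19 09:05:00 10.0.0.5 GET http://update.example-hijack.test/cmd.txt 200
2006-05-19 09:10:01 10.0.0.5 GET http://update.example-hijack.test/cmd.txt 200
2006-05-19 09:12:44 10.0.0.7 GET http://www.myspace.com/ 200
2006-05-19 09:15:00 10.0.0.5 GET http://update.example-hijack.test/cmd.txt 200
2006-05-19 09:20:00 10.0.0.5 GET http://update.example-hijack.test/cmd.txt 200
2006-05-19 09:33:12 10.0.0.7 GET http://www.myspace.com/profile 200
2006-05-19 10:02:40 10.0.0.7 GET http://www.myspace.com/ 200
"""

# Format assumed for the constructed log: "<date> <time> <client ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Yield (timestamp, client_ip, url) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(4)


def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return {(client_ip, url): mean_gap_seconds} for request series that
    recur with near-constant spacing (relative std-dev <= max_jitter).
    A browser-driven fetch of a site is irregular; a command poller is not."""
    series = defaultdict(list)
    for ts, ip, url in parse_log(text):
        series[(ip, url)].append(ts)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons
```

Run `find_beacons(SAMPLE_LOG)` and only the five-minute series from 10.0.0.5 to the placeholder command URL is reported; the Myspace browsing from 10.0.0.7 is not.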

The final nail in the coffin is this - sometimes, the homepage hijack doesn't take you to the Demoplanet website. Sometimes, it takes you to a page offering "free gifts" in exchange for clicking some of the adverts. Of course, clicking the adverts takes you to some pretty nasty hijack sites which bombard you with adware, spyware and viruses. The payload pretty much killed one of our test machines - not something you'd want on your home PC.

As you can see, there are definite money trails behind this one, and Wayne Porter and I have spent long hours going over reams of information to see where those trails lead. It looks like rogue browsers are potentially yet another attack vector to add to the ever growing pile of Internet-related insanity. The first warning shots were fired here, and this looks like an all-new area of hijacking that will (of course) be built upon and continue to grow. Can't wait.

And will someone please turn that music off!

11 TrackBacks

Listed below are links to blogs that reference this entry: The (un)Safety Browser: Latest IM Hijack.


Yep, here we go again! Last time I saw something crazy installed on a PC without permission, it was BitTorrent being installed and used to pump pirated movie files on machines plugged into a Botnet. This time? Read More

Last time I saw something this crazy installed on a PC without permission, it was BitTorrent being installed and used to pump pirated movie files on machines plugged into a Botnet... Read More

New Worm from Thoughts Of A Diseased Imagination on May 20, 2006 10:58 AM

If you use Yahoo Instant Messenger or any other IM program, be wary of links you click on. A new worm has started spreading via these IM programs, which changes your background, starts looping some apparently awful music in the background quite loudly, ... Read More

On the SpywareGuide blog they analysed a piece of malware that turns out to be rather ir?... Read More

The (un)Safety Browser: Latest IM Hijack from BambisMusings - Musings from a little deer? on May 21, 2006 10:59 AM

The (un)Safety Browser: Latest IM Hijack Paperghost over at SpywareGuide Blog (The Greynets Blog) has the lowdown on this (un)Safety Browser that is the latest IM Worm HiJack. And of course, this one hits the IM client that WAS the safest of the stand... Read More

New IM Worm Installs Own Web Browser. from Privacy Digest: Privacy News (Civil Rights, Encryption, Free Speech, Cryptography) on May 21, 2006 5:14 PM


In one of the odder malware incidents ever, lately there’s been an IM (specifically, Yahoo! Instant Messenger) worm that installs its own browser. The name of this browser? Ironically, the Safety Browser. And apparently, it plays obnoxious music... Read More

Possibly The Strangest Piece of Malware- Ever. from ReveNews - Wayne Porter: Greynets, Malware, Adware & Spyware Research- E-commerce on May 24, 2006 5:51 PM

Just when I thought miscreants were getting smarter with their rip-off tactics against advertisers (e.g. botnets and the like) they throw a curve ball with one that...well...quite frankly it is one of the most asinine pieces of malware I have ever an... Read More

A worm that installs a ‘Safety Browser’ and plays screeching music is circulating via IM. The annoyance starts with a link apparently sent by a friend in Yahoo’s IM program. IM security company FaceTime Communications described the ma... Read More

Skype continues to bring new firsts to everyone's Internet social and work experience- myself included. First there was a strange SPIM ambush [define SPIM] and now something more interesting. Before I get into the experience and in order to fully... Read More

22 Comments

Goodness.
Remember kids- Be careful when clicking on links from instant messengers.

Yea, this crap happened to me the other week. Trashed my whole computer, and had to do a full recovery. One thing tho is that I only use AIM...I don't know if it is on all im clients or not so yea. Hope these people get hit by semi trucks and die. L8R!

Since the success of this hijack depends upon the presence of an instant messenger (as you say, Y!IM on this occasion) and IE, the solution is simple: No IM, and/or no IE.

Notice that I didn't say it was an easy solution; but like the man said, if you don't run it you're not exposed.

And I still say, IM clients should not auto-render text URLs as hyperlinks.

(BTW, PG, nice mix-and-match of movie franchises there :-)

"(BTW, PG, nice mix-and-match of movie franchises there :-)"

Thanks. I really should throw a few more in to keep things busy ;)

Besides avoiding clicking links on IM URLs, it is important to ensure proper firewall and anti-virus programs are installed and set up in the computer systems.

Not to be a mac fanboy at all, but I'm damned glad that nothing like this exists for mac.

Can we get a link to download this music file? I kinda want to hear it.


forgiste.

HAHAH you stupid non-open source using fools.

RE: Can we get a link to download this music file? I kinda want to hear it.

I want to hear the music too! Someone please make a mp3 file so we can all enjoy it.

FYI, that's not drum'n'bass... not even close, by any stretch of the genre, at any time in the last 10 years or so of its evolution.

It's too slow, and not really a breakbeat if I remember correctly. Also the whole bass part is missing from the equation.

I was gonna flame, but you just don't know better... it's ok ;)

and all of this because Y! was too lazy to implement some kind of environment for its IM and uses IE ! IE=cr*p => Y!IM=cr*p !

"FYI, that's not drum'n'bass... not even close, by any stretch of the genre, at any time in the last 10 years or so of its evolution.

It's too slow, and not really a breakbeat if I remember correctly. Also the whole bass part is missing from the equation."

I meant drum n' bass meaning drums with some bass playing, not the actual *type* of music known as drum n' bass. As for bass missing from the equation, you can clearly hear a bass guitar plunking away in the background near the end of the loop. I wouldn't really worry too much about the music definition much when your PC has just been jacked in spectacular fashion.

Hey, just a real quick question: does anyone know if this requires admin rights or any specific elevated rights?

What does the initial IM URL look like? Just want to know and avoid it... Thanks.

This is really funny!

Could someone email me the URL of this threat? I would like to download it and run it (in a VM). Yes, I know what I'm doing - or at least I fake it well.

It does not install a whole new web browser on the victim's PC. It installs an Internet Explorer theme.

Does anyone have a copy of the music that gets played?

"It installs an Internet Explorer theme."

Generally, themes are basically a limited graphical splash across the panels of IE. This thing has enough in it to warrant it being labelled a browser. I'm a strong believer in the "if it walks like a duck.." school of thought. It's called the Safety Browser...the people behind it call it a browser...and it has a bunch of browsing options coded into it. In addition, it does other things such as display the amount of KB downloaded for each page and also seems to have some kind of (basic) "anti-phish" thing going on with regards to URLs you hover over. And of course, there's the interaction it displays with the various infection files downloaded onto the PC during the hijack. Quite a bit more advanced than your usual "theme". I do state it is effectively a shell for IE - however, they tip the "definition scale" and warrant it being called a browser. Yapbrowser did pretty much the same thing, and that was labelled the same way.

Thank you for a very well documented and interesting article. I will steer clear of any Messengers, and have disabled all in our PC.

"It installs an Internet Explorer theme."
From the geeks department:
Technically, it is "just" another standalone application that uses the IE control and bolted some "extra functionality" onto it. So it's not a "theme" per se. One could argue whether it is a separate browser, because of the code reuse. But this same technique has been used before by large, legit companies to launch "their own browser", e.g. AOL/Compuserve. What percentage of code reuse is allowed while still calling something "another browser" is a discussion best left for the academics. The user sees a "new browser".

The virus has reached Ireland... I am not happy. My little brother actually said "yes" to myspace pics... or something or other. My laptop is absolutely blanketed in adware and spyware. I think I cut off its head, then a whole load of other crap spewed out. And to top it all off... I have no idea what I am doing. I don't deserve this! I use Firefox!!!


This page contains a single entry by Christopher Boyd published on May 19, 2006 9:43 AM.
