Malware spread via Yahoo Instant Messenger has been around for years. Infection, though, has been limited by the fact that it requires some interaction with the user.
A newly discovered exploit in version 11.x of the Messenger client (including the freshly-released 126.96.36.199-us) allows a remote attacker to arbitrarily change the status message of virtually any Yahoo Messenger user that runs the vulnerable version.
How does it work?
The status message change occurs when an attacker simulates sending a file to a user. This action manipulates the $InlineAction parameter (responsible for the way the Messenger form displays the accept or deny the transfer) in order to load an iFrame which, when loaded, swaps the status message for the attacker’s custom text. This status may also include a dubious link. This iFrame is sent as a regular message and comes from another Yahoo Instant Messenger user, even if the user is not in the victim’s contact list.
Here is a diagram for the tech-savvy readers:
A regular frame captured with a network sniffer looks like in the image below.
Image 2: Normal frame captured with a network sniffer.
A malformed frame, on the other side, looks like this:
Image 3: Malformed frame in which the token is replaced with payload
Now, when the YIM client receives the data in image 2, it tries to render it as it follows:
Image 4: Transfer action rendered in the YIM window
The HTML code behind this image looks like this:
However, when it receives malformed information, it tries to display it, but it actually executes the payload (code fragments that we substituted with id:265 in the image above). ID:265 is the contents of field 265 in image 3.
Now here is how the malformed HTML code looks like:
Why is this dangerous?
Status messages are highly efficient in terms of click-through rate, as they address a small group of friends. Chances are that, once displayed, they will be clicked by most contacts who see them.
One scenario: the victim’s status message is swapped with an attention-getting text that points to a page hosting a zero-day exploit targeting the IE browser, the locally installed Java or Flash environments or even a PDF bug, to mention only a few. Whenever a contact clicks on the victim’s status message, chances are they get infected without even knowing it. All this time, the victim is unaware that their status message has been hijacked.
Another lucrative approach to changed status messages is affiliate marketing (ie: sites that pay affiliates for visits or purchases through a custom link). Someone can easily set up an affiliate account, generate custom links for products in campaign, then massively target vulnerable YIM victims to change their status with the affiliate link. Then, they just wait for the contact-generated traffic to kick in. There are actually a couple of services that pay YIM users to change their status with custom links as part of their business.
Am I vulnerable?
If you can receive messages from contacts outside of your list, you are 100% vulnerable.
You are not vulnerable if:
- You are running a Bitdefender security solution (Bitdefender Antivirus Plus, Bitdefender Internet Security or Bitdefender Total Security). We detect this threat via the HTTP scanner and block it before it reaches the Messenger application.
- You have Yahoo Messenger set to “ignore anyone who is not in your Yahoo! Contacts”(which is off by default).
Bitdefender has already identified this kind of attack. We recommend you prevent this kind of attack by adjusting your privacy settings as per the instructions above.
We have provided Yahoo! with the documentation and proof-of-concept code for fixing the issue.
Exploit analysis courtesy of malware researchers Doina Cosovan and RÄƒzvan Benchea.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.