Yahoo! exploit attack used in PUA install

Filed Under: Malware, SophosLabs

Earlier this month, a vulnerability in an ActiveX component of the Yahoo! Webcam viewer utilities was reported (see previous blog post). The issue was swiftly fixed and an update made available to users.

The most obvious way to exploit the vulnerability is to construct a malicious web page. Specific details of how to build such a page were released and are publicly available: a small piece of JavaScript combined with an HTML object tag is sufficient. (All such pages seen to date have been proactively detected as Mal/JSShell-A.) The ease with which the demonstration code can be copied to construct a 'new' attack made it highly likely that we would see this vulnerability used by the bad guys. Sure enough, we have. In this post I describe one such attack uncovered by SophosLabs.
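As an added example (not code from the original post, and not a reproduction of the Yahoo! Webcam exploit), the following Python scanner looks for the page shape described above: an object tag carrying a classid next to script that builds a large buffer or carries %u-encoded shellcode. The two CLSIDs and both sample pages are constructed placeholders; pass the CLSIDs from a vendor advisory in bad_clsids to make a match decisive on its own.

```python
"""Heuristic scan for the exploit-page shape: ActiveX <object> tag plus buffer-building script.

Added example, not Sophos code. It uses no real CLSID and does not reproduce the
Yahoo! Webcam exploit; it only looks for the generic pattern a copied PoC page has.
"""
import re
from dataclasses import dataclass, field

# Constructed placeholder CLSIDs for the samples; they belong to no real control.
CLSID_A = "11111111-2222-3333-4444-555555555555"
CLSID_B = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

OBJECT_RE = re.compile(
    r"<object\b[^>]*\bclassid\s*=\s*['\"]?clsid:([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
UESC_RE = re.compile(r"%u[0-9a-f]{4}", re.I)            # %uXXXX-encoded payload bytes
GROW_LOOP_RE = re.compile(r"\b(?:for|while)\s*\([^)]*\)\s*\{?\s*\w+\s*\+=\s*['\"]")  # loop growing a string
LONG_LITERAL_RE = re.compile(r"['\"][^'\"]{512,}['\"]")  # a single oversized string literal
BUFFER_FLAGS = ("unicode-shellcode", "string-growth-loop", "long-literal")


@dataclass
class Verdict:
    clsids: list = field(default_factory=list)
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # An ActiveX object alone is normal on many pages; object + buffer
        # construction is the overflow-page shape. A denylisted CLSID is decisive.
        return "known-bad-clsid" in self.flags or (
            bool(self.clsids) and any(f in self.flags for f in BUFFER_FLAGS))


def scan_html(html: str, bad_clsids=frozenset()) -> Verdict:
    v = Verdict()
    v.clsids = [c.lower() for c in OBJECT_RE.findall(html)]
    bad = {b.lower() for b in bad_clsids}
    if any(c in bad for c in v.clsids):
        v.flags.append("known-bad-clsid")
    script = "\n".join(SCRIPT_RE.findall(html))
    if len(UESC_RE.findall(script)) >= 16:
        v.flags.append("unicode-shellcode")
    if GROW_LOOP_RE.search(script):
        v.flags.append("string-growth-loop")
    if LONG_LITERAL_RE.search(script):
        v.flags.append("long-literal")
    return v


# Constructed samples, not captured from the site described in the post.
BENIGN_PAGE = f"""<html><body>
<object classid="clsid:{CLSID_A}" width="320" height="240"></object>
<script>document.title = "player";</script>
</body></html>"""

SUSPICIOUS_PAGE = f"""<html><body>
<object id="o" classid="clsid:{CLSID_B}"></object>
<script>
var sc = unescape("{'%u9090' * 40}");  // inert NOP-only stand-in for shellcode
var buf = "";
for (var i = 0; i < 2048; i++) buf += "A";
document.getElementById("o").Param = buf;   // 'Param' is a placeholder property
</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        v = scan_html(page)
        print(f"{name}: suspicious={v.suspicious} clsids={v.clsids} flags={v.flags}")
```

The thresholds (16 %u sequences, a 512-character literal) are deliberately loose so that a page which merely embeds a media-player control is not flagged; a hit on the buffer heuristics is a reason to pull the page for analysis, not a detection in itself.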

The domain for the site used in this attack was registered back in 2006. Despite its age, the domain exists purely for malicious use. When the victim browses the site, the malicious script runs. If the buffer overflow succeeds, the shellcode runs and downloads a Win32 executable ('load.exe') from the same site. This is a downloader Trojan, which in turn downloads and executes a further Win32 file ('mbox.exe') from the same domain.

This last file reveals the guts of this attack. When executed, it:

1. runs silently in the background
2. sleeps
3. checks the network connection
4. attempts to access the A: drive (multiple times)
5. sleeps
6. opens an Explorer window browsing %WinDir% (multiple times)
7. sleeps
8. displays a message box

Ahah! So now we start to get an idea of the purpose of this whole attack: the malicious installation of a PUA. Steps 4 and 6 above are presumably performed to convince the victim that something is wrong with their machine; repeated attempts to read the A: drive and Explorer windows popping up unbidden look like symptoms of an infection. When the user clicks 'OK', a web page is retrieved and displayed in the default browser.

The installation of 'DriveCleaner 2006' (detected as ErrorSafe PUA by Sophos) then proceeds.

There also seems to be a bug in their installer, judging by the download statistics it displays.

So, another case of folks making money by using malware to install potentially unwanted applications (PUAs). The HTTP request that fetches the DriveCleaner installer carries an affiliate ID; we can assume this is used to pay the relevant affiliate on a per-download basis.

Interestingly, the first downloader ('load.exe') does more than fetch 'mbox.exe': it also sets a Registry value that replaces the DNS server of a network interface:

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
Interfaces\{uid}\NameServer = 194.54.90.238

This IP address belongs to a machine located in Ukraine. The same address has been used in this way by several other pieces of malware, which makes it a useful indicator of compromise in its own right: a host whose static resolver points there has almost certainly run something it should not have.
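As an added example, not Sophos code, here is a Python audit of the per-interface NameServer values for checking machines that may have run 'load.exe'. It parses the text of a `reg export` of the Interfaces key (decode a real export as UTF-16 first) or, on Windows, reads the live hive through winreg, and flags any static resolver that is the address above or is outside an allowlist. The sample export and its interface GUIDs are constructed.

```python
r"""Audit per-interface static DNS resolvers under
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces.

Added example, not Sophos code. Input is either the text of `reg export` for that key
(decode the file as UTF-16 first) or the live hive on Windows via winreg.
"""
import re
from collections import defaultdict

KNOWN_BAD = frozenset({"194.54.90.238"})   # resolver pushed by load.exe, from the post

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # REG_SZ lines only; dword: lines are ignored


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: value}} for the string values in a .reg export."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current]            # record the key even if it has no string values
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return dict(keys)


def read_live_interfaces() -> dict:
    """Windows only: same structure as parse_reg_export, read from the live registry."""
    import winreg   # ImportError on other platforms
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    keys = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(root, i)
            except OSError:          # no more subkeys
                break
            i += 1
            vals = {}
            with winreg.OpenKey(root, guid) as k:
                for name in ("NameServer", "DhcpNameServer"):
                    try:
                        vals[name] = winreg.QueryValueEx(k, name)[0]
                    except FileNotFoundError:
                        pass
            keys[f"HKEY_LOCAL_MACHINE\\{base}\\{guid}"] = vals
    return keys


def audit_dns(keys: dict, allowed=frozenset(), known_bad=KNOWN_BAD) -> list:
    """Return (interface GUID, resolver, reason) for every static resolver worth a look."""
    findings = []
    for path, values in keys.items():
        if "\\Interfaces\\{" not in path:
            continue
        # NameServer holds statically configured resolvers and overrides DhcpNameServer;
        # it is normally empty on a DHCP interface, so anything here was set deliberately.
        servers = [s for s in re.split(r"[ ,]+", values.get("NameServer", "")) if s]
        guid = path.rsplit("\\", 1)[1]
        for s in servers:
            if s in known_bad:
                findings.append((guid, s, "known-bad resolver"))
            elif allowed and s not in allowed:
                findings.append((guid, s, "static resolver not in allowlist"))
    return findings


# Constructed sample export: interface ...01 was hijacked, ...02 uses DHCP, ...03 is static.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-0000-0000-0000-000000000001}]
"EnableDHCP"=dword:00000001
"NameServer"="194.54.90.238"
"DhcpNameServer"="10.0.0.1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-0000-0000-0000-000000000002}]
"EnableDHCP"=dword:00000001
"NameServer"=""
"DhcpNameServer"="10.0.0.1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-0000-0000-0000-000000000003}]
"EnableDHCP"=dword:00000000
"NameServer"="10.0.0.53,10.0.0.54"
"""

if __name__ == "__main__":
    for finding in audit_dns(parse_reg_export(SAMPLE_EXPORT), allowed={"10.0.0.53", "10.0.0.54"}):
        print(finding)
```

A DHCP-configured interface normally has an empty NameServer, so even a static value that is not on the known-bad list deserves a look when EnableDHCP is set; the allowlist is there to catch resolvers this attack's successors might substitute.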

We have seen several examples before of malware installing PUAs; the concept is nothing new. But this case does demonstrate the lengths the bad guys will go to in order to make money, in this instance using a very recent vulnerability to hit victims.

What can you do to protect yourself?

  • If you are a Yahoo! Messenger user, upgrade to the new version
  • If you are not, but it is installed (and likely running), upgrade or remove it
  • If you have no idea of Yahoo! Messenger usage within your network, consider application control as a way of managing this (and other) applications
  • Deploy web security to filter known-bad URLs, and scan all content for malware at the perimeter of your network


About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.