eternal_spirit
14-06-2007, 07:04 PM
Malware writers have latched on to the exploit (http://www.techweb.com/encyclopedia/defineterm.jhtml?term=exploit&x=&y=) code for the critical bugs in Yahoo Messenger, setting up 40 to 50 malicious Web sites to attack unsuspecting, and unpatched, users.
ADVERTISEMENT
if(window.yzq_d==null)window.yzq_d=new Object();window.yzq_d['9Fz4CUSOxIg-']='&U=13boa9dn1%2fN%3d9Fz4CUSOxIg-%2fC%3d570162.10463788.11421466.1414694%2fD%3dLREC %2fB%3d4576169';
"This threat is critical," said Stephan Chenette, manager of Websense Security Labs, in an interview. "The use of [the exploit] has been increasing since its public disclosure."
Chenette said malware (http://www.techweb.com/encyclopedia/defineterm.jhtml?term=malware&x=&y=) writers have picked up the exploit code, which was first publicly posted last week, and have quickly gone to work with it. The malicious code takes advantage of buffer (http://www.techweb.com/encyclopedia/defineterm.jhtml?term=buffer&x=&y=) overflow security issues in two ActiveX (http://www.techweb.com/encyclopedia/defineterm.jhtml?term=ActiveX&x=&y=) controls used in the instant messenger's Webcam image upload (http://www.techweb.com/encyclopedia/defineterm.jhtml?term=upload&x=&y=) and viewing. Chenette said virus (http://www.techweb.com/encyclopedia/defineterm.jhtml?term=virus&x=&y=) writers have taken the initial exploit code and come up with a variety of different pieces of malware.
The code is embedded in 40 to 50 Web sites. When someone who uses Yahoo Messenger visits one of these sites, the exploit drops down into the machine and then downloads either a Trojan (http://www.techweb.com/encyclopedia/defineterm.jhtml?term=Trojan&x=&y=) backdoor or a keylogger, according to Websense. Both the keyloggers and downloaders mainly are looking for passwords and banking information to send back to the hacker.
Many of the malicious sites are based in China, said Chenette, who added that 50% of the sites are simply malicious Web pages that have been used to spread malware before. The other 50%, though, are legitimate sites that hackers have compromised with the exploit code.
The original exploit code hit the Internet (http://www.informationweek.com/news/showArticle.jhtml?articleID=199903100) on June 6, the day after researchers at eEye Digital Security responsibly posted (http://www.informationweek.com/news/showArticle.jhtml?articleID=199901856) information about the Yahoo Messenger vulnerabilities on its Web site. Yahoo was quick to release a fix for the vulnerabilities last Friday, just two days after the flaws were publicly disclosed. However, Terrell Karlsten, a spokeswoman for Yahoo, apparently disclosed too much information about the bugs in an interview with InformationWeek.
And that information helped lead a hacker, who identifies himself only as "Danny," right to the flawed code.
The Internet Storm Center is advising (http://isc.sans.org/diary.html?storyid=2952) users to upgrade to the latest (patched) version of Yahoo Messenger as soon as possible. The site also is giving "kudos" to Yahoo for getting the problem fixed so quickly.
ADVERTISEMENT
if(window.yzq_d==null)window.yzq_d=new Object();window.yzq_d['9Fz4CUSOxIg-']='&U=13boa9dn1%2fN%3d9Fz4CUSOxIg-%2fC%3d570162.10463788.11421466.1414694%2fD%3dLREC %2fB%3d4576169';
"This threat is critical," said Stephan Chenette, manager of Websense Security Labs, in an interview. "The use of [the exploit] has been increasing since its public disclosure."
Chenette said malware (http://www.techweb.com/encyclopedia/defineterm.jhtml?term=malware&x=&y=) writers have picked up the exploit code, which was first publicly posted last week, and have quickly gone to work with it. The malicious code takes advantage of buffer (http://www.techweb.com/encyclopedia/defineterm.jhtml?term=buffer&x=&y=) overflow security issues in two ActiveX (http://www.techweb.com/encyclopedia/defineterm.jhtml?term=ActiveX&x=&y=) controls used in the instant messenger's Webcam image upload (http://www.techweb.com/encyclopedia/defineterm.jhtml?term=upload&x=&y=) and viewing. Chenette said virus (http://www.techweb.com/encyclopedia/defineterm.jhtml?term=virus&x=&y=) writers have taken the initial exploit code and come up with a variety of different pieces of malware.
The code is embedded in 40 to 50 Web sites. When someone who uses Yahoo Messenger visits one of these sites, the exploit drops down into the machine and then downloads either a Trojan (http://www.techweb.com/encyclopedia/defineterm.jhtml?term=Trojan&x=&y=) backdoor or a keylogger, according to Websense. Both the keyloggers and downloaders mainly are looking for passwords and banking information to send back to the hacker.
Many of the malicious sites are based in China, said Chenette, who added that 50% of the sites are simply malicious Web pages that have been used to spread malware before. The other 50%, though, are legitimate sites that hackers have compromised with the exploit code.
The original exploit code hit the Internet (http://www.informationweek.com/news/showArticle.jhtml?articleID=199903100) on June 6, the day after researchers at eEye Digital Security responsibly posted (http://www.informationweek.com/news/showArticle.jhtml?articleID=199901856) information about the Yahoo Messenger vulnerabilities on its Web site. Yahoo was quick to release a fix for the vulnerabilities last Friday, just two days after the flaws were publicly disclosed. However, Terrell Karlsten, a spokeswoman for Yahoo, apparently disclosed too much information about the bugs in an interview with InformationWeek.
And that information helped lead a hacker, who identifies himself only as "Danny," right to the flawed code.
The Internet Storm Center is advising (http://isc.sans.org/diary.html?storyid=2952) users to upgrade to the latest (patched) version of Yahoo Messenger as soon as possible. The site also is giving "kudos" to Yahoo for getting the problem fixed so quickly.