CYBERSPACE — Once upon a time the worst thing the average computer user who logged onto a BBS or the internet needed to watch out for was a virus. But, according to computer security experts, the times, they are a’changin’. Enter the dawn of a new era in which malicious malware dresses up in innocent electronic sheep clothing and pretends to offer users a helping hand.The latest example of the growing trend toward “helpful” malware with ill intent is the so-called “Safety Browser” gleefully installing itself primarily via Yahoo’s Instant Messenger.
According to research from both Sophos and Fortinet, the majority of viruses circulating online today are internet elders, whereas Trojans and spyware are rapidly surging to the forefront as the new and energetic youngsters causing trouble wherever they go.
“While email worms occupy the top spots,” Carole Theriault, senior security consultant at Sophos clarifies, “it’s clear that Trojans represent by far the most prominent threat to IT security.”
The success of the new generation of compu-pests comes in large part because many computer users will still click on unsolicited email attachments, web links, and clever pop ups. This works beautifully for the wily hacker, whose creations are both increasingly fine-tuned to appeal to their victims and difficult to identify. Infecting systems has been less successful via Instant Messenger, primarily because users self-select their contacts and thus limit their chance of exposure. However, because IM users trust their contracts, once a phisher or malware host connects to the system, the chances of transmission improve.
Security firm FaceTime say that the “Safety Browser” is the first recorded example of malware installing its own web browser on a PC without authorization. Yhoo32.explr is a self-replicating worm that installs an application, then promptly hijacks the Internet Explorer homepage, re-assigns the homepage to be one of two others — each teeming with malware. It enables pop-ups and then encourages users to either click an advertising link allegedly for “free gifts” or to allow installation of what ultimately proves to be spyware.
Once in the new system, the infection sets about spreading to all contacts in the victim’s Yahoo Messenger by sending a link that uses constantly modified commands to the recipient’s PC, eventually causing the system to install the “Safety Browser.” The use of the IE icon by the “Safety Browser” complicates the process of identifying the menace immediately. The inability to visit any site other than those associated with the spyware and what is being called “bad looped music” which plays during each post-infection reboot are clues, although Service Pack 2 is said to keep the music from playing in the background. Additionally, some infected users have observed that the program sometimes overtypes IM messages once the Send button is hit; an example of its adaptive distribution abilities.
The malware site link is reported to have been seen on Myspace and other message boards.
Tyler Wells, senior director of research at FaceTime Security Labs says that “This is the oddest and most insidious pieces of malware we have encountered in years, and the first instance of a complete web browser hijack without the user’s awareness.” More ominous yet is his opinion that “’Rogue’ browsers seem to be the hot new thing among hackers.”
