Yahoo Messenger exploit threatens new wave of malware

By Stuart Sumner

05 Dec 2011



A security researcher has warned of a new exploit in Yahoo Instant Messenger (YIM), which could be used to infect enterprise users' machines with malware.

Bogdan Botezatu, a researcher at security firm BitDefender, wrote on the company's blog that even the latest patched version of YIM has the vulnerability that enables a remote attacker to change the victim's status message.


While this may sound harmless enough, Botezatu explains that a hacker could use this ability to encourage that user's friends and colleagues to click on a malicious link that will infect their machines.

"The victim's status message [could be] swapped with an attention-getting text that points to a page hosting a zero-day exploit targeting the IE browser, the locally installed Java or Flash environments, or even a PDF bug.

"Whenever a contact clicks on the victim's status message, chances are they will be infected without even knowing it. All this time, the victim is unaware that their status message has been hijacked."

He added that control over a status message is valuable to attackers, because a status message is more likely to be seen and clicked than the malicious spam more commonly sent by email.

"Status messages are highly efficient in terms of click-through rate, as they address a small group of friends. Chances are that, once displayed, they will be clicked by most contacts who see them."

However, the potential for financial gain for the criminal doesn't end there. Affiliate marketing is another way to monetise this form of attack.

"Another lucrative approach to changed status messages is affiliate marketing (ie, sites that pay affiliates for visits or purchases through a custom link)," wrote Botezatu.

"Someone can easily set up an affiliate account, generate custom links for products in a campaign, then massively target YIM victims to change their status with the affiliate link."

Any YIM user who is able to receive messages from outside their contact list is vulnerable to this attack, claimed Botezatu.

However, some security products can block the attack by scanning HTTP traffic, and it can also be blocked with the YIM setting "Ignore anyone who is not in your Yahoo! Contacts."
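To make the two mitigations concrete, here is an added example (not code from BitDefender, Yahoo or the article) that models an IM client's inbound-event policy: a status-set request from anyone other than the local account is treated as a hijack attempt and dropped, events from senders outside the contact list are ignored, and any URL shown to the user is checked against a domain allowlist, standing in for the HTTP scanner the article mentions. Every account name, domain and event below is constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Matches http/https URLs in free text; good enough for status lines and chat bodies.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


@dataclass(frozen=True)
class ImEvent:
    sender: str  # account that originated the event
    kind: str    # "message" (chat text) or "set_my_status" (request to change the local user's status)
    text: str    # message body or the proposed status text


def host_is_trusted(url, trusted_domains):
    """True if the URL's host is one of the allowlisted domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def filter_events(events, me, contacts, trusted_domains):
    """Apply the client-side policy and return (accepted, dropped, alerts).

    Policy, in order:
      1. Only the local account may set the local status; anything else is a hijack attempt.
      2. Ignore anyone who is not in the contact list (the YIM setting the article cites).
      3. Flag URLs whose host is not allowlisted before the user can click them.
    """
    accepted, dropped, alerts = [], [], []
    for ev in events:
        if ev.kind == "set_my_status" and ev.sender != me:
            alerts.append(("status_hijack_attempt", ev.sender, ev.text))
            dropped.append(ev)
            continue
        if ev.sender != me and ev.sender not in contacts:
            dropped.append(ev)
            continue
        for url in URL_RE.findall(ev.text):
            if not host_is_trusted(url, trusted_domains):
                alerts.append(("untrusted_url", ev.sender, url))
        accepted.append(ev)
    return accepted, dropped, alerts


# Constructed sample data (hypothetical accounts and domains).
ME = "victim"
CONTACTS = {"alice", "bob", "carol"}
TRUSTED_DOMAINS = {"example.com"}
SAMPLE_EVENTS = [
    ImEvent("alice", "message", "lunch at noon?"),
    ImEvent("spammer42", "message", "check http://deals.example.net/x"),
    ImEvent("bob", "message", "see http://intranet.example.com/wiki"),
    ImEvent("carol", "message", "new pics http://photos.example.org/a"),
    ImEvent("mallory", "set_my_status", "OMG look http://bad.example.net/z"),
]


def run_demo():
    """Run the policy over the constructed events and return (accepted, dropped, alerts)."""
    return filter_events(SAMPLE_EVENTS, ME, CONTACTS, TRUSTED_DOMAINS)


if __name__ == "__main__":
    accepted, dropped, alerts = run_demo()
    print("accepted:", [e.sender for e in accepted])
    print("dropped:", [e.sender for e in dropped])
    for alert in alerts:
        print("alert:", alert)
```

The contact-list rule alone stops the unsolicited status-set request, but a link posted by a hijacked friend still reaches the user, which is why the URL check is applied to accepted events as well; in a real deployment the allowlist would be replaced by a reputation or content scanner on the HTTP path.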

Botezatu concluded by stating that BitDefender has already provided Yahoo with the details of the vulnerability and provided proof-of-concept code to help close the exploit.

Reader comments

Does anyone use YIM?

Does anyone out there think this is going to be a problem? Who uses YIM these days? Also, how confident are you that your AV software is completely up to date and able to block whatever might come through?

Posted by: Stuart Sumner  05 Dec 2011
