Friday, November 02, 2007

Yahoo Messenger Controlled Malware

IM me a command, master. In the spirit of a previous post on DIY Exploit Embedding Tools - a Retrospective, here's a very good example of malicious innovation in action - a trojan whose client is an instant messaging application, Yahoo Messenger in this case. Released in the middle of 2006, this malware, which now has a nearly 100% detection rate among anti-virus vendors, needs no client other than Yahoo Messenger to control the infected PC, a good example of malicious "creativity" in action. Key points:

- it's released by an Iranian group
- it's localized in 11 languages; MPack and IcePack are thankfully lagging behind, at least so far
- instead of trying to figure out how to connect to the infected host's IP behind a now standard NAT implementation, the trojan only needs a Yahoo ID to use as a robot ID
- it's a great example of how IM applications can be used for propagation, infection, and apparently C&C purposes

And just when I thought I'd seen everything, in the sense of botnets obtaining their commands using ICQ whitelists, and Storm Worm malware waiting for the infected party to authenticate via CAPTCHA and then embedding a link to itself at a forum/blog given that it cannot bypass the CAPTCHA itself, malicious parties again innovate with an analogy of reCAPTCHA in the form of TROJ_CAPTCHAR.A. This is more or less a logical development I mentioned in previous posts discussing How are Spammers and Phishers Breaking CAPTCHAs and a specific DIY CAPTCHA Breaking Service in question.