Thursday, August 6, 2009

Myspace Toolbar Hijack

A little introduction:
I was cruising a regular forum when someone posted a new toolbar that's supposed to automatically deposit money for you, in an text-based RPG game. So, people were posting about how they thought it was some kind of "bot" and etc. I decided to take a look at it myself and see what I could find.
What it appeared to be was a simple toolbar. However, it did some very strange and interesting things. First, it set a couple cookies in my requests. Some were rather interesting, while one made me laugh as it made itself clear as day to anyone who can look at a cookie. This value was UNIQUELOGINHIJACK. Then it tried to use the Myspace email to send out spam messages. However, the most interesting part was how it tried to get me to download a fully hijacked browser. It identified itself as Firefox 3.0.7, as my current browser was 3.0.5. The unique part was that it tried to pull this new hijacked browser everytime FireFox checked for updates. Every time an update check was called, the request for the new "updated" browser was called. What's interesting about this is most browsers, when they start, will automatically check for updates and this link will also try and get you to download it. Think of those people who don't know about how FireFox does its updates and installs this piece of spamware.
Suffice to say, after I gave my analysis on the forum, the post was deleted a couple minutes later.

No comments: