Malware

Yahoo! Messenger (along with other networks such as Windows Live Messenger and AOL Instant Messenger) is often used as a conduit or "vector" for delivering malicious software such as spyware, viruses, worms, and trojans to unsuspecting computer users. The three methods used by hackers to deliver malware over the IM vector are (1) sending a file transfer with a virus-infected file, (2) delivering a message with socially engineered content containing a web address (URL) containing active malicious code and (3) sending specially crafted messages exploiting security vulnerabilities in the client software. Viruses and worms with colorful names such as W32.Yalove or W32/Spybot-MQ have been identified as targeting users of the Yahoo! Messenger network over the past few years.

The most common method of delivering a malicious payload is the use of social engineering to construct a message that appears to be coming from a contact on the recipient's contact list. A socially engineered message is one that is written in a friendly, informal manner, that could easily be mistaken as coming from a friend. The message usually will say something like "Click here to see pics of me from vacation!" or "Is this you?" with a web address—known as a "poison URL" -- for the recipient to click. Upon clicking the web address, the recipient is connected to a website containing active content, which is immediately downloaded to the recipient's computer. In most cases, the payload contains an installer, a number of hidden files containing text, and code which causes the same socially engineered message with poison URL to be sent to every contact on the contact list. When the message is sent to all contacts, the cycle starts again, as each contact believes they are receiving a message from a trusted friend. In this manner, IM-borne malware is capable of propagating very rapidly through company and external networks.

Worms and viruses are discovered on a regular basis by security companies, particularly by the three companies with IM-specific security products, Akonix Systems, FaceTime Communications, and Symantec. According to IM security researchers at Akonix, the number of new threats identified each month is 30 to 35, with a high of 88 in October, 2006.

More recent versions of Yahoo Messenger also behaves in a way similar to malware. The most recent version, upon install, will install Yahoo Toolbar in both Internet Explorer and FireFox. In addition, the default pages of the browsers are changed to point to Yahoo's main page. Yahoo Messenger also installs several files including something called 'Search Protection' that watches to see if the default searches are changed. All of this is done without warning or confirmation by the user. This has led a number of spyware tools such as HijackThis to specifically list Yahoo Messenger components in its scans.