Dear all,

I believe I have found a security issue to do with Yahoo Messenger, specifically one of the programs that comes with it, YSERVER.EXE.

From a PC running Windows 98, dialed into an ISP with PPP (no firewall), I noticed a slowdown on the machine. The task list revealed YSERVER.EXE, a program I had no knowledge of and had not invoked myself. A file search for yser*.* returned YSERVER.EXE in the directory that Yahoo Messenger had been installed into, and a log file, YSERVER.LOG.

I terminated the program, dropped the connection and looked at the log file. Within it were multiple IP addresses from which "GET ... cmd.exe" commands, as per Nimda/Code Red, were coming. This led me to believe that YSERVER.EXE may be advertising itself as a web server.

To verify that the IP addresses were infected, after renaming the executable I went to the homepage of one of them and received a download message for a .EML file, coupled with a warning from Norton Anti-Virus that the file being offered was infected with Nimda.

I decided to search the web for information about YSERVER.EXE and found only one pertinent piece of information, in http://pluglist.mybutt.net/pipermail/plug-security/2001-November/000106.html, posted by Craig Carey. Thus far I have found an extreme lack of information on the web, including on Yahoo's site itself, about this executable and how it is called/why it advertises itself without the user being aware.

Given the above occurrence I find myself wondering, especially after the AIM hole exposure, what the ramifications are for Yahoo Messenger. Obviously, with YSERVER advertising itself it is making a user a target not only for probes but also for DoS attacks, but does it go further than that? Can YSERVER be buffer-overflowed and the machine exploited/wiped/have malicious code installed to partake in a DDoS?
Unfortunately program analysis is not my field and I have no knowledge of using debuggers or how to apply methodologies to try to reproduce the invocation of programs like this, so I am posting here, having been advised to by Elias Levy, for those of you with the expertise to analyse my findings and see if this is actually an issue.

System on which the behaviour happened:
Pentium 233, 80MB RAM, Windows 98, IE5.5 SP2 (OS & IE fully patched)
Connected to the internet via PPP

Programs being run at time of discovery:
ZMUD, Yahoo Messenger, Eudora, TheCleaner, NukeNabber
(YSERVER found to be running but not invoked by user action)

Version of Yahoo Messenger: 4,1,0,998
Date of occurrence: Dec 24th, 2001 (Yahoo notified via customer feedback on website that evening)
Note: YSERVER.EXE also found in current build 5,0,0,1052

Thank you for your time,

Eddie Chandler
Sys-Admin
NT4 MCSE, Win2K Pro MCP
www.taos.com
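The post's key observation is a log full of "GET ... cmd.exe" requests from many source addresses, the signature of Nimda and Code Red scanning for vulnerable IIS hosts. The script below is an added example, not code from the post or from Yahoo, showing how a practitioner would triage such a log: count, per source IP, which well-known probe families hit the listener. The real format of YSERVER.LOG is not known from the post, so the example assumes Common Log Format and uses constructed sample lines with RFC 1918 placeholder addresses; only the request strings are the documented Nimda (cmd.exe/root.exe with encoded traversal) and Code Red (/default.ida) patterns. Decoding is done twice, on bytes, so that double-encoded (%255c) and overlong UTF-8 (%c0%af) traversal sequences are both caught.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample log in Common Log Format (the real YSERVER.LOG layout is
# unknown; assumption for this example). Addresses are RFC 1918 placeholders,
# the request strings are the documented Nimda / Code Red probe patterns.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Dec/2001:14:02:11 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [24/Dec/2001:14:02:12 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [24/Dec/2001:14:02:13 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.168.7.20 - - [24/Dec/2001:14:05:40 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 -
172.16.3.9 - - [24/Dec/2001:14:06:02 +0000] "GET /index.html HTTP/1.0" 200 1234
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one CLF line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_path(path):
    """Percent-decode twice, on bytes, and lower-case the result.

    Two passes expose double-encoded traversal (%255c -> %5c -> '\\').
    Working on bytes keeps overlong UTF-8 such as %c0%af (an encoded '/')
    visible instead of turning it into a replacement character.
    """
    raw = path.encode("utf-8")
    for _ in range(2):
        raw = unquote_to_bytes(raw)
    return raw.lower()


def classify(path):
    """Return the set of probe-family tags that a request path matches."""
    tags = set()
    decoded = decode_path(path)
    if decoded.startswith(b"/default.ida"):
        tags.add("codered")          # Code Red .ida buffer overflow probe
    if b"cmd.exe" in decoded or b"root.exe" in decoded:
        tags.add("nimda")            # Nimda command-shell probe
    if b".." in decoded:
        tags.add("traversal")        # directory traversal, any encoding
    return tags


def triage(log_text):
    """Map each source IP to a Counter of probe tags seen from it.

    Sources that sent only benign requests are left out of the result.
    """
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in classify(rec["path"]):
            hits[rec["ip"]][tag] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, counts in sorted(triage(SAMPLE_LOG).items()):
        print(ip, dict(counts))
```

Run against the sample, the output lists 10.0.0.5 with three Nimda probes (two of them traversal attempts) and 192.168.7.20 with one Code Red probe; 172.16.3.9, which only fetched /index.html, is not reported. Feeding a real listener log through `triage` gives the same per-source breakdown, which is the evidence one would attach when asking a vendor why a process is accepting HTTP on a dial-up host.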
This archive was generated by hypermail 2b30 : Fri Jan 04 2002 - 11:36:38 PST