So I’m up late, coding away… and my default browser (Chrome) comes to the top and loads a new tab for voicefive.com asking me to take a survey. Immediately I hit my malware scanner, but it turns up nothing. I close the tab, review other tabs I have open that might have initiated the pop-up, and go back to work. In the span of 5 minutes, I had this annoying pop-up splash over my coding work a total of 9 times. By this time I’m furious… I crank up Process Explorer, adjust the highlight settings to maximum delay (so I can catch the culprit) and sit there staring daggers at my screen. It only took a couple seconds to see that it was msnmsgr.exe launching the offending process. Really? Microsoft Live Messenger?
In a mixture of shock and disbelief, I killed msnmsgr.exe and waited… nothing. No pop-ups. Feeling I was being harassed and outright abused by Microsoft Messenger, I filed an abuse report. I wonder if I’ll get a response.
It is highly unlikely that Microsoft has allowed this to be done intentionally. More likely, someone is exploiting Messenger. Interesting to note: blocking access to voicefive.com from my router causes this to no longer appear on my wife’s affected system. Of course, the CPU cycles, how few they are, are still likely consumed. I’ll have to take a jab at collecting data on this issue and passing it on to one of my past co-workers at Microsoft.
Hmm, but how? Through the MSN protocol? Is it possible to instantiate a call through the protocol to shell a process that opens a URL? I guess a more serious buffer exploit could exist, but then why use something as powerful as that to launch a voicefive survey? Also, if it is a protocol exploit and not a serious buffer exploit, then why not try to open a more nefarious URL… one with browser/Java exploits built in?
The VoiceFive URL being launched is shown below. You will notice references to pcworld.com and other domains. They seem like pretty legit targets for a partner/sponsor… but who knows. After a couple days I re-launched Windows Live Messenger and no more pop-ups… so I dunno.