A New Crimeware Technique Uses YouTube Video
Web users are being warned that hackers are employing a new technique that tricks them into watching a video from YouTube. The video actually behaves like a Trojan horse.
The situation is, however, ironic in that while music and sports companies are suing YouTube claiming that the site distributes stolen material, users who unwittingly download the malicious file end up having their personal information stolen as well.
Security firm Websense said users who come across the YouTube video end up downloading a Trojan horse program. This Trojan then downloads a file entitled YouTube04567 onto the victim's computer, as per the news published by Siliconrepublic on June 11, 2007.
The malicious Trojan hides behind a YouTube video and uses a new technique that Websense has dubbed 'tubing'. The security firm noted that this crimeware technique tries to fool recipients into doing much more than viewing a YouTube video.
YouTube serves as the bait: while the user enjoys the video, a Trojan horse named YouTube04567 is installed in the background on the victim's PC. A web server registered with the .SU domain (Soviet Union) hosts the video file.
If the user opens the file, the application starts up the default browser and links to the YouTube video named "After World Episode 6". Behind all these activities the application links to yet another server with its hosting domain in Washington, D.C. This server then downloads two more files containing malicious code.
This code is a Trojan horse that steals data from the local computer and uploads it to a remote system via HTTP. All these actions are pre-determined. The process also tracks infections by keeping count of the number of viewers of the video.
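The sequence described above (a non-browser program opens a YouTube page, fetches two further files from another host, then uploads data over HTTP) can be turned into a simple endpoint detection check. The following is an added example, not code from the article or from Websense; the event schema, the browser image names and the .example hosts are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse

BROWSERS = {"iexplore.exe", "firefox.exe"}   # assumed browser image names
DECOY_DOMAIN = "youtube.com"

# Constructed telemetry; the event schema and *.example hosts are placeholders.
EVENTS = [
    {"pid": 410, "image": "YouTube04567", "type": "spawn_browser",
     "url": "http://www.youtube.com/watch?v=PLACEHOLDER"},
    {"pid": 410, "image": "YouTube04567", "type": "http", "method": "GET",
     "url": "http://stage2.example/one", "saved_as": "one.tmp"},
    {"pid": 410, "image": "YouTube04567", "type": "http", "method": "GET",
     "url": "http://stage2.example/two", "saved_as": "two.tmp"},
    {"pid": 410, "image": "YouTube04567", "type": "http", "method": "POST",
     "url": "http://collect.example/up"},
    {"pid": 522, "image": "mailclient.exe", "type": "spawn_browser",
     "url": "http://www.youtube.com/watch?v=PLACEHOLDER"},   # benign link click
    {"pid": 600, "image": "firefox.exe", "type": "http", "method": "POST",
     "url": "http://forum.example/login"},                   # normal browsing
]

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_decoy(url):
    host = host_of(url)
    return host == DECOY_DOMAIN or host.endswith("." + DECOY_DOMAIN)

def find_decoy_droppers(events):
    """Flag non-browser processes that open a YouTube decoy, fetch two or
    more files from another host, and also POST data out over HTTP."""
    seen = defaultdict(lambda: {"decoy": False, "downloads": set(), "uploads": set()})
    for e in events:
        if e["image"].lower() in BROWSERS:
            continue                      # browsers do all of this legitimately
        state = seen[e["pid"]]
        if e["type"] == "spawn_browser" and is_decoy(e["url"]):
            state["decoy"] = True
        elif e["type"] == "http" and not is_decoy(e["url"]):
            if e["method"] == "GET" and e.get("saved_as"):
                state["downloads"].add(e["saved_as"])
            elif e["method"] == "POST":
                state["uploads"].add(host_of(e["url"]))
    return {pid: s for pid, s in seen.items()
            if s["decoy"] and len(s["downloads"]) >= 2 and s["uploads"]}

if __name__ == "__main__":
    for pid, s in find_decoy_droppers(EVENTS).items():
        print(pid, sorted(s["downloads"]), sorted(s["uploads"]))
```

Requiring all three stages from the same process keeps a mail client that merely opens a YouTube link, or a browser submitting a form, from being flagged.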
Websense has captured the payload on the World Wide Web, but it warns there is a high possibility that e-mails and instant messages are circulating in the wild as bait for the particular URL.
To raise user awareness, Websense has made a simplified film of the code in operation and posted it on YouTube.
» SPAMfighter News - 22-06-2007