Crimeware using YouTube deception
Jun 7 2007 2:24PM
Crimeware using "YouTube Evasion"
The other day we ran into a new technique that makes and attempt to distract the user into viewing a new YouTube video. The application uses the movie icon when it gets downloaded to the machine but strictly relies on deception to get you to run it.The file is called YouTube04567.exe and was hosted on a web server in the .SU domain (Soviet Union). Although we captured this code through on the web, our guess is that there are email and/or instant messaging lures for this URL in the wild.
Assuming the user runs the file, the application then opens your default browser and connects to a YouTube video called "After World Episode 6". In the background it then connects to another web server which is hosted in Washington, D.C. and downloads two additional files which contain the payload.
The payload code are information stealing Trojan Horses which are designed to grab information from the local machine and upload it to a remote location via HTTP upon pre-determined actions.
What is also interesting is that, although we don't believe this to be the case in this example, you could use this also a means to track infections of users by watching the number of people who have viewed the video.
We created a very simple video of the code in action and, for ironic value, posted it on YouTube for you to view.
This one tip will help you sleep better tonight
A few seconds are all you need to get a better night's rest.