Tuesday, July 26, 2011

Malware distribution using fake YouTube pages

Attackers often create fake YouTube pages in an effort to lure a victim into downloading malicious binaries. During our research, we recently found an example of such a site. When a victim visits the page, a security warning will pop up saying “The application’s digital signature cannot be verified. Do you want to run the application?”. Should a victim accept the prompts, they will download and run a malicious binary on their system. Here is a screenshot of the page:

The page is designed to mimic the YouTube service. If however you inspect the source code of this page, you can identify the malicious binary behind this attack. Here is what the source code looks like:

The webpage includes a Java applet that runs a “YouTube.jar” file, which will then download “ser.exe” from the server. If you visit the homepage of above site, you will also see a separate Java applet being combined with VBScript to download and run the same malicious binary with a slightly different name “serv.exe”, which will later saved as “update.exe”. Here is screenshot of that script:

While the malicious files are currently detected by some antivirus products, the malicious website is not blocked by Google Safe Browsing. It is never advisable to download or run any executable from an untrusted source unfortunately, this relatively simple social engineering technique clearly still works.

Umesh

No comments: