Malware on The Tube

A good phisherman goes where the phish are — and that’s massively popular Web sites such as YouTube. And that’s exactly where two have been found.

Two security companies have sighted malicious files masquerading as videos on Google’s video-sharing site. Secure Computing Corp. this week reported a new “zlob” disguised as a video file on YouTube. A zlob is a Trojan that opens a back door into
users’ computers.

When users clicked on this particular zlob, it bombarded them with ads. Secure Computing, which markets security software for enterprises and small businesses, said it’s likely that the ads would give way to malware.

The bogus video was titled “YouTube – Afterworld Episode 6 – Hibakusha.” The snippet of
description sounds compelling: “99% of the
population is missing. Technology is dead … ”

Afterworld is a made-for-the-Web animated science fiction series that takes place after a mysterious event wipes out modern civilization.

Afterworld has huge potential. Electric Farm Entertainment created the 16 webisodes, which are hosted on YouTube and the
Afterworld site. In February, Sony Pictures
Television International acquired all
international rights to the series for platforms
including television, gaming and mobile.

The multimedia site will be fleshed out with
archived back episodes, daily journal entries,
community blogs, interactive content applications
and online games, Sony said.

Secure Computing’s warning said that the file
did not require users to download an .EXE file in
order to run, making it doubly dangerous.

A YouTube spokeswoman, noting that she
experienced nothing untoward by clicking the link
forwarded by Secure Computing, said security is a top concern at
YouTube.

“If we find a party is using our brand or
site to encourage the download of a virus from
another location, we will take action to investigate and prevent this.”

These malicious files may stay up for only a
short time, according to Paul Henry of Secure Computing. He said the bad
guys go after sites like YouTube because of their
high visitor counts.

“If they hit YouTube, maybe
it will only be up for a few hours, but in that
few hours they’ll get enough hits to make it
worth their while.”

Even with unasked-for pop-ups, he explained, a small percentage of
people do click through to porn sites and open
accounts. And, in the case of key-loggers, the
bank account information and passwords obtained are extremely valuable.

Secure Computing warned that most firewalls
aren’t capable of blocking code returned from
external Web servers, which is the trend for exploits.

David Perry, global
director of education at Trend Micro, said Web sites are now the preferred method of launching exploits.

“We’ve stopped trusting e-mail. You don’t open that e-mail that comes from a bank; you’re not falling for it any more. But there’s the Web, so what they are doing is they are finding places where they can put up something that looks like a popular Web item but has a backdoor, Trojan, rootkit or one of the various beasties we track.”

Last week, Trend Micro, a competitor to Secure
Computing, reported on another Trojan
masquerading as an Afterworld video. According to
the company, TROJ_BANLOAD.CZE downloads a variant
that’s known for stealing online banking information.

Perry said yesterday’s exploit,
in which more than 10,000 compromised computers
redirected visitors to sites hosting malicious
software payloads, is the shape of things to come.

The Afterworld exploits shouldn’t harm the
brands of Afterworld or Sony, both agreed, just
as banks aren’t blamed for the constant phishing
e-mails in their names. But Web publishers must
be diligent in keeping their sites clean, Perry said.

“We’re in the dawn of this era, with people
still waking up to the fact that it’s going to take
more policing of their Web sites.”

Secure Computing identifies an average of 45 Web sites per day that
are using JavaScript to install malware on PCs in
what’s termed “drive-by hacking,” where simply
visiting a site activates the bad stuff.

The security experts find an additional 18,000 sites
per day where users must click a link to get slammed.

While many tools are available to combat the exploits, and many more are in development, Perry said, security companies must evolve tools more rapidly than the exploits evolve.
