RealTime IT News

Malware on The Tube

A good phisherman goes where the phish are -- and that's massively popular Web sites such as YouTube. And that's exactly where two have been found.

Two security companies have sighted malicious files masquerading as videos on Google's video-sharing site. Secure Computing Corp. this week reported a new "zlob" disguised as a video file on YouTube. A zlob is a Trojan that opens a back door into users' computers.

When users clicked on this particular zlob, it bombarded them with ads. Secure Computing, which markets security software for enterprises and small businesses, said it's likely that the ads would give way to malware.

The bogus video was titled "YouTube - Afterworld Episode 6 - Hibakusha." The snippet of description sounds compelling: "99% of the population is missing. Technology is dead …" Afterworld is a made-for-the-Web animated science fiction series that takes place after a mysterious event wipes out modern civilization.

Afterworld has huge potential. Electric Farm Entertainment created the 16 webisodes, which are hosted on YouTube and the Afterworld site. In February, Sony Pictures Television International acquired all international rights to the series for platforms including television, gaming and mobile.

The multimedia site will be fleshed out with archived back episodes, daily journal entries, community blogs, interactive content applications and online games, Sony said.

Secure Computing's warning said that the file did not require users to download an .EXE file in order to run, making it doubly dangerous.

A YouTube spokeswoman, noting that she experienced nothing untoward by clicking the link forwarded by Secure Computing, said security is a top concern at YouTube.

"If we find a party is using our brand or site to encourage the download of a virus from another location, we will take action to investigate and prevent this."

These malicious files may stay up for only a short time, according to Paul Henry of Secure Computing. He said the bad guys go after sites like YouTube because of their high visitor counts.

"If they hit YouTube, maybe it will only be up for a few hours, but in that few hours they'll get enough hits to make it worth their while."

Even with unasked-for pop-ups, he explained, a small percentage of people do click through to porn sites and open accounts. And, in the case of key-loggers, the bank account information and passwords obtained are extremely valuable.

Secure Computing warned that most firewalls aren't capable of blocking code returned from external Web servers, which is the trend for exploits.

David Perry, global director of education at Trend Micro, said Web sites are now the preferred method of launching exploits.

"We've stopped trusting e-mail. You don't open that e-mail that comes from a bank; you're not falling for it any more.

"But there's the Web, so what they are doing is they are finding places where they can put up something that looks like a popular Web item but has a backdoor, Trojan, rootkit or one of the various beasties we track."

Last week, Trend Micro, a competitor to Secure Computing, reported on another Trojan masquerading as an Afterworld video. According to the company, TROJ_BANLOAD.CZE downloads a variant that's known for stealing online banking information.

Perry said yesterday's exploit, in which more than 10,000 compromised computers redirected visitors to sites hosting malicious software payloads, is the shape of things to come.

The Afterworld exploits shouldn't harm the brands of Afterworld or Sony, both agreed, just as banks aren't blamed for the constant phishing e-mails in their names. But Web publishers must be diligent in keeping their sites clean, Perry said.

"We're in the dawn of this era, with people still waking up to the fact that it's going to take more policing of their Web sites."

Secure Computing identifies an average of 45 Web sites per day that are using JavaScript to install malware on PCs in what's termed "drive-by hacking," where simply visiting a site activates the bad stuff.

The security experts find an additional 18,000 sites per day where users must click a link to get slammed.

While many tools are available to combat the exploits, and many more are in development, Perry said, security companies must evolve tools more rapidly than the exploits evolve.