Youtube malcode

["Hubbard, Dan" <dhubbard () websense com>]

For phun I posted a video of a piece of malcode using YouTube onto
Youtube...Lets see how many people that confuses. 

http://www.youtube.com/watch?v=pzKmzO_Xq3k

Our blog post...

http://www.websense.com/securitylabs/blog/blog.php?BlogID=129

Crimeware using "YouTube Evasion"

The other day we ran into a new technique that makes and attempt to
distract the user into viewing a new YouTube video. The application uses
the movie icon when it gets downloaded to the machine but strictly
relies on deception to get you to run it.The file is called
YouTube04567.exe and was hosted on a web server in the .SU domain
(Soviet Union). Although we captured this code through on the web, our
guess is that there are email and/or instant messaging lures for this
URL in the wild.

Assuming the user runs the file, the application then opens your default
browser and connects to a YouTube video called "After World Episode 6".
In the background it then connects to another web server which is hosted
in Washington, D.C. and downloads two additional files which contain the
payload.

The payload code are  information stealing Trojan Horses which are
designed to grab information from the local machine and upload it to a
remote location via HTTP upon pre-determined actions.

What is also interesting is that, although we don't believe this to be
the case in this example, you could use this also a means to track
infections of users by watching the number of people who have viewed the
video.

We created a very simple video of the code in action and, for ironic
value, posted it on YouTube for you to view.

Site: http://www.youtube.com/watch?v=pzKmzO_Xq3k

_______________________________
Dan Hubbard
Security & Technology Research
Websense Security Labs
http://www.WebsenseSecurityLabs.com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.