PandaLabs : Malicious links

YouTube riddled with comments leading to Malware

Sean-Paul Correll — Fri, 22 May 2009 06:10:00 GMT

A few months ago, we talked about YouTube's Annotations feature being used as a tool for Cyber Criminals to help spread their malicious Rogueware campaigns. Today, we have a similar case, but this time its automated comment Malspam (Malware spam). My initial search turned up about 30,000 malspam comments all pointing to a fake pornography website called "PornTube 2.0".

Like the last time, Cyber Criminals are targeting people who are searching YouTube for pornography. In the comments each malicious link is accompanied by a few search terms. Some common keywords we have seen are Adalt (sic), Tit s, Latina, Kinky, Girl, Porn, Sex, and the names of various pornography stars.

By targeting these keywords the Cyber Criminals are able to optimize and improve their success rates by infecting those who are truly looking for pornographic material.

Note: It appears that all of the malicious links have brackets in between the " .com" portion of the comment. It's unclear if this is a temporary action done by the YouTube abuse team or if the criminals are just trying to evade detection.

Upon arriving at the website, we see a page that looks like a legitimate video website labeled "PornTube 2.0", but it is actually the malware site.

Malware Site:

Click for the original uncensored image (Warning: NSFW)

If you click anything on the website it will prompt you to download a fake Adobe Flash plugin, which is the malware installer for Adware/Privacy Center

Click for the original uncensored image (Warning: NSFW)

Adware/PrivacyCenter Rogue (fake) Antivirus

Rogue Antivirus is one of the most prolific Malware in the threat landscape today. PandaLabs has received more Rogue Antivirus samples in Q1 of 2009 than in all of 2008 as demonstrated by the following illustration.

In this case, Cyber Criminals aim to profit from human vulnerabilities and inherent curiosities.

Malware in Social Media

Sean-Paul Correll — Thu, 26 Feb 2009 17:17:00 GMT

A few weeks ago we talked about cyber-criminals using Digg.com to spread malware. Today we see that the very same group responsible for the Digg.com incident was using the same tactic on YouTube through the use of YouTube's Annotations feature. Video Annotations is a way to add interactive commentary to videos on YouTube.

The following image displays a video using the annotations feature to guide users over to a malware ridden website:

Although the YouTube description malware is not as prevalent as the Digg.com comment abuse, it does show that Social Media websites are increasingly being used to spread Malware. We expect to see plenty of new examples similar to this throughout 2009.

Thanks to Dancho Danchev for the information.

Ever heard the term "Rickrolling"? Malware distributors have...

Sean-Paul Correll — Mon, 09 Feb 2009 10:21:00 GMT

Rickrolling is an Internet meme typically involving the music video for the 1987 Rick Astley song "Never Gonna Give You Up". The meme is a bait and switch: a person provides a web link that he or she claims is relevant to the topic at hand, but the link actually takes the user to the Astley video.

Over the past few months we have noticed attacker efforts to maximize blackhat SEO tactics and increase infection rates at the same time by abusing the popular social news aggregate site Digg.com. Digg allows users to create, vote, and comment on news stories.

Malware distributors have been creating false stories with catchy subject lines as an attempt to bait users into clicking links which lead to Malware. In some cases the attackers do not create the news story themselves, rather linking to others relevant content. Below is an example of the attacker (in red) taking advantage of a valid digg submission. The malicious comment reads, "Heath Ledger naked in the shower, playing with herself." and is posted to a relevant story about Heath Ledger. The "playing with herself" part is a bit confusing but my guess is that the attackers are using automation scripts to auto-generate content based on topic relevancy or that they are manually doing this and have no idea who Heath Ledger is.

My initial search identified 52 accounts posting news stories or comments with malicious URI's. The links all point to various fake codec sites, which lead to rogue anti-malware infections. We detect and block the malware as Adware/VideoPlay.

Update: Dancho Danchev reported that there has been over 500,000 malicious comments posted via Digg since last year.

Some of the titles include:

_{Christian Bale freak out dubbed with video!

Christian Bale Terminator Salvation Takes it Up the Ass

Hot and sexy model Mayuko Lwasa in bikini

Pregnant Ujwala Raut in Bikini

megan fox naked secret videos

Sexy Megan Fox having sex Sex Tape, rally nice and hot video

Megan Fox naked NEW SEX TAPE

Robert Pattinson: fotos, vídeos, história

Jessica Simpson Hotel Sex Tape

Batman is Naked aka Christian Bale

Watch Grey's Anatomy Season 5 online here

Breaks Season 4 Episode 9

Emma Watson Nude Video

Watch Emma Watson Sex Tape online here

Paris Hilton Sex Tape Update

VANESSA ANNE HUDGENS NUDE, NAKED GALLERY, EXCLUSIVE 2009

Naked Truth on Celebrity News and Edison Chen Sex Scandal

Paris Hilton sex tape! Paris Hilton nude, naked movie!

Celebrity and Angelina Jolie nude, naked, in bikini, gallery

Tila Tequila topless nude and naked sex-porn gallery

Alyssa Milano nude, naked, sex tape - free gallery!

BRITNEY SPEARS NUDE, BRITNEY SPEARS NAKED & SEX TAPE (CLICK HERE)

Lindsay Lohan's nude Marilyn shoot

Heath Ledger naked in shower, playing with herself!!}

Fake Codec Sites:

New Version of MS Antispyware 2009