PandaLabs : YouTube

Cyber Criminals Target Air France, YouTube, E3, Microsoft, Project Natal, and more…

Sean-Paul Correll — Wed, 03 Jun 2009 11:53:00 GMT

It seems like these days every other news breaking story is paralleled with a similar Blackhat SEO fueled Rogueware campaign. Today, Luis Corrons and I were talking about Microsoft’s recently announced Project Natal when his Google search for a video of the technology in action turned out to place a malicious link in the very top of the search results.

Connection: (Google to Rogue)

**UPDATE** 6/04/09 -

16,000 new malicious links have appeared in Google over the last 24 hours targeting the phrase "TV Online". The malicious site appears to be a video viewing website. It will prompt to you to downoad and install a codec.exe file, which of course is a malicious file.

Knowing that this link wouldn’t be the only one, we started researching the domains and keywords being targeted and here is what we found:

Keywords:
16,000 links targeting "TV Online"
16,000 links targeting “YouTube”
10,500 links targeting "France" (Airline Crash)
8,930 links targeting "Microsoft" (Project Natal)
3,380 links targeting "E3"
2,900 links targeting "Eminem" (MTV Awards/Bruno Incident)
2,850 links targeting “Sony”

The sites are all hosted via Lycos Tripod, which is a free web host. This allows the cyber criminals to create thousands of free sites to take advantage of the Blackhat SEO and then simply redirect the free sites to just a handful of their own servers.

Blackhat SEO is definitely one of the most prevalent threat distribution methods today. We expect to see several more examples of this type of attack throughout the year, so be especially careful when searching for news breaking stories.

All of the links associated in this attack have already been blocked for Panda users.

YouTube riddled with comments leading to Malware

Sean-Paul Correll — Fri, 22 May 2009 06:10:00 GMT

A few months ago, we talked about YouTube's Annotations feature being used as a tool for Cyber Criminals to help spread their malicious Rogueware campaigns. Today, we have a similar case, but this time its automated comment Malspam (Malware spam). My initial search turned up about 30,000 malspam comments all pointing to a fake pornography website called "PornTube 2.0".

Like the last time, Cyber Criminals are targeting people who are searching YouTube for pornography. In the comments each malicious link is accompanied by a few search terms. Some common keywords we have seen are Adalt (sic), Tit s, Latina, Kinky, Girl, Porn, Sex, and the names of various pornography stars.

By targeting these keywords the Cyber Criminals are able to optimize and improve their success rates by infecting those who are truly looking for pornographic material.

Note: It appears that all of the malicious links have brackets in between the " .com" portion of the comment. It's unclear if this is a temporary action done by the YouTube abuse team or if the criminals are just trying to evade detection.

Upon arriving at the website, we see a page that looks like a legitimate video website labeled "PornTube 2.0", but it is actually the malware site.

Malware Site:

Click for the original uncensored image (Warning: NSFW)

If you click anything on the website it will prompt you to download a fake Adobe Flash plugin, which is the malware installer for Adware/Privacy Center

Click for the original uncensored image (Warning: NSFW)

Adware/PrivacyCenter Rogue (fake) Antivirus

Rogue Antivirus is one of the most prolific Malware in the threat landscape today. PandaLabs has received more Rogue Antivirus samples in Q1 of 2009 than in all of 2008 as demonstrated by the following illustration.

In this case, Cyber Criminals aim to profit from human vulnerabilities and inherent curiosities.

How To: Infect yourself with Malware

Sean-Paul Correll — Wed, 25 Mar 2009 22:20:00 GMT

Last time we talked about cyber criminals using YouTube's Video Annotations feature to guide victims to Malware ridden websites. Today we'll talk about yet another method being used within YouTube and other social media websites.

Malware distributors have been creating instructional "How to" videos to get victims to willingly visit malicious websites and infect their own computers.

Once on the site the victim is lured to install Adware/SystemSecurity rogue software.

The best way to avoid these types of scams is by researching the product prior to installing it on your computer. Sometimes a simple Google search can literally save you hundreds of dollars in repair costs.

Malware in Social Media

Sean-Paul Correll — Thu, 26 Feb 2009 17:17:00 GMT

A few weeks ago we talked about cyber-criminals using Digg.com to spread malware. Today we see that the very same group responsible for the Digg.com incident was using the same tactic on YouTube through the use of YouTube's Annotations feature. Video Annotations is a way to add interactive commentary to videos on YouTube.

The following image displays a video using the annotations feature to guide users over to a malware ridden website:

Although the YouTube description malware is not as prevalent as the Digg.com comment abuse, it does show that Social Media websites are increasingly being used to spread Malware. We expect to see plenty of new examples similar to this throughout 2009.

Thanks to Dancho Danchev for the information.