Trojans Lurking In Fake Video Postings On YouTube

In the past week, two fake video postings have been set up on YouTube to infect users with a Trojan that includes pop-up porn ads, Secure Computing warns.

June 20, 2007

Network Computing

Malware authors have a new trick up their sleeves that targets the YouTube nation.

Within the past week, cybercriminals have hidden Trojan horses in fake video postings on the wildly popular YouTube site, according to Paul Henry, vice president of technologies with Secure Computing. While YouTube techies were quick to pull down both postings, Henry said in an interview Wednesday that the two incidents could sound the bell for a new means of attack.

"The user base for YouTube is absolutely huge," he said. "If I was going to do something malicious, I would choose YouTube, Google or Yahoo. The thing, though, is people at YouTube are very diligent about manually scanning through newly installed content. I think they do a fair job of weeding out the inappropriate or malicious stuff. The bad guy only has a small window of opportunity on YouTube to hit the world."

Henry said that when users tried to view the fake video posting, they were infected with the Zlob Trojan, which then began spitting out pop-up ads for pornographic sites on the infected computer. As bad as that may be for users, Henry said his concern is that it's simply a prelude to the Trojan downloading other pieces of malware, like keyloggers. It also would be an easy way to turn infected computers into bots and then have them join the growing wave of botnets that are plaguing the Internet with spam and denial-of-service attacks.

Another concern is that users don't expect to fend off malware attacks when they're cruising around YouTube, which is a user-content-driven online video site. And that's part of the cybercriminals' plan, noted Henry. In recent months, malware-infected e-mail has been on the decline, while malicious Web sites have been on the rise. And, like YouTube, many, if not most, of these infected Web sites are not malicious by original intention. Either criminals hack in and embed the malicious code, or they're Web 2.0 sites that allow users to post their own content. This means that bad guys, as well as well-meaning users, can post to the sites, and sometimes that includes malware or links to other infected sites.

Researchers at security company Sophos noted that the percentage of infected e-mail has dropped from 1.3%, or one in 77 e-mails in the first three months of 2006, to one in 256, or just 0.4% in this year's first quarter. In the same time period, Sophos identified an average of 5,000 new infected Web pages every day. However, this month, Sophos has greatly upped that number to 9,500 new infected Web pages every day.

However, Henry said it should be fairly easy for IT managers to protect their corporate users from these malicious Web sites.

Companies normally only filter Web traffic destined for their internal Web filters. However, when a user visits a Web site, that site pushes HTML code back to the user's machine. IT managers need to configure filters to scan that return traffic.

"People have not been inspecting that traffic," said Henry. "It's been a blind spot within most enterprise architectures. It's crucial today to inspect traffic bi-directionally. It's not all that hard to do."

For the consumer, it tends to be much more difficult. Individual users are advised to follow typical security rules. Run updated anti-virus, and make sure that systems and applications are updated. They also need to make sure they're running a firewall that blocks unauthorized outbound connections to the Internet, so if the machine is infected, the malware can't send information back to the hacker.
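Henry's point about inspecting the return traffic (the HTML a site pushes back to the browser, rather than only the outbound requests) can be illustrated with a small scanner. The following is an added example, not code from the article or from Secure Computing: it splits a raw HTTP response, parses HTML bodies only, and flags active content (script, iframe, object, embed, meta refresh) that is sourced from a host outside a constructed allowlist. The allowlist, the sample responses and the `.invalid` hostnames are all constructed for the example.

```python
"""
Inspect HTTP return traffic for active content loaded from unexpected hosts.
Added example; the allowlist and the sample responses below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the organisation expects embedded content to come from (constructed).
ALLOWED_HOSTS = {"youtube.com", "www.youtube.com", "ytimg.com"}

# Tags whose listed attribute fetches or executes third-party content.
ACTIVE_TAGS = {
    "script": ("src",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


def _host_allowed(url: str) -> bool:
    """True if the URL is relative or its host is on (or under) the allowlist."""
    host = (urlparse(url).hostname or "").lower()
    if not host:  # relative URL: same origin as the page itself
        return True
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


class ActiveContentScanner(HTMLParser):
    """Collects (tag, url) findings for active content from non-allowlisted hosts."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        for attr in ACTIVE_TAGS.get(tag, ()):
            url = attrs.get(attr)
            if url and not _host_allowed(url):
                self.findings.append((tag, url))
        # <meta http-equiv="refresh" content="N;url=..."> silently redirects the browser
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            if "url=" in content.lower():
                url = content.split("=", 1)[1].strip()
                if not _host_allowed(url):
                    self.findings.append(("meta-refresh", url))


def split_http_response(raw: bytes) -> tuple[dict, bytes]:
    """Split a raw HTTP/1.x response into a lowercase header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def inspect_response(raw: bytes) -> list[tuple[str, str]]:
    """Return findings for one HTTP response; only text/html bodies are parsed."""
    headers, body = split_http_response(raw)
    if "text/html" not in headers.get("content-type", "").lower():
        return []
    scanner = ActiveContentScanner()
    scanner.feed(body.decode("utf-8", errors="replace"))
    return scanner.findings


# Constructed sample responses, as a filter sitting between browser and site would see them.
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><body><script src='https://www.youtube.com/player.js'></script>"
    b"<img src='/thumb.jpg'></body></html>"
)

SUSPECT_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><p>Loading video...</p>"
    b"<iframe src='http://third-party.example.invalid/embed.html' width=0 height=0></iframe>"
    b"<meta http-equiv='refresh' content='5;url=http://redirect.example.invalid/landing'>"
    b"</body></html>"
)

NON_HTML_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8\xff"

if __name__ == "__main__":
    for name, resp in [("clean", CLEAN_RESPONSE), ("suspect", SUSPECT_RESPONSE),
                       ("image", NON_HTML_RESPONSE)]:
        print(name, inspect_response(resp))
```

The scanner deliberately keys on the Content-Type header and on where embedded content is fetched from, not on any particular malware signature, because the article's point is that the inbound direction was not being looked at at all; a production filter would add signature and reputation checks on top of this structural pass.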
