Archive for May, 2009

YouTube riddled with comments leading to Malware

May 22, 2009

A few months ago, we talked about YouTube's Annotations feature being used by cyber criminals to help spread their rogueware campaigns. Today we have a similar case, but this time it's automated comment malspam (malware spam). My initial search turned up about 30,000 malspam comments, all pointing to a fake pornography website called "PornTube 2.0".

Like the last time, Cyber Criminals are targeting people who are searching YouTube for pornography. In the comments each malicious link is accompanied by a few search terms. Some common keywords we have seen are Adalt (sic), Tit s, Latina, Kinky, Girl, Porn, Sex, and the names of various pornography stars.

By targeting these keywords the Cyber Criminals are able to optimize and improve their success rates by infecting those who are truly looking for pornographic material.

Note: It appears that all of the malicious links have brackets inserted in the ".com" portion of the comment. It's unclear whether this is a temporary action by the YouTube abuse team or whether the criminals are just trying to evade detection.

Upon arriving at the website, we see a page that looks like a legitimate video website labeled "PornTube 2.0", but it is actually the malware site.

Malware Site:

[Screenshot of the fake "PornTube 2.0" site; the original uncensored image is NSFW]

If you click anything on the website, it prompts you to download a fake Adobe Flash plugin, which is actually the installer for Adware/PrivacyCenter.

[Screenshot of the fake Adobe Flash plugin prompt; the original uncensored image is NSFW]

Adware/PrivacyCenter Rogue (fake) Antivirus

Rogue antivirus is one of the most prolific types of malware in the threat landscape today. PandaLabs received more rogue antivirus samples in Q1 of 2009 than in all of 2008, as the following illustration shows.

In this case, Cyber Criminals aim to profit from human vulnerabilities and inherent curiosities.

MS08-066 in the wild

May 14, 2009

We always recommend not using a Windows account with admin privileges as your default user. In fact, most malware relies on the fact that people run with high-privilege accounts, so when the malware is executed it can take control of the entire system.

It is highly recommended to use Windows with a regular user account, in order to avoid most of the malware actions that require admin rights (installing rootkits, modifying system files, the registry or services, ...). However, it is also really important to keep your system updated. You should install Windows updates every month, because even if your default Windows user doesn't have admin privileges, you can still have problems if you execute a piece of malware.


Let me show you an example.

Several months ago I was analyzing a new malware sample. The malware code had several features (creation of files in system directories, service/driver installation, code injection, creation of new autorun registry entries) that require administrative privileges to be accomplished. If the malware is executed as a regular user, it tries to exploit the MS08-066 vulnerability to elevate its privileges. This way, if the system hasn't been patched with MS08-066, it gains control of the entire system and the malware runs with administrative rights.

Look at the following code:

UPX0:29A02A67                 push    offset aAdvpack_dll ; "advpack.dll"
UPX0:29A02A6C                 call    LoadLibraryA
UPX0:29A02A72                 test    eax, eax
UPX0:29A02A74                 jz      short loc_29A02A84
UPX0:29A02A76                 push    offset aIsntadmin ; "IsNTAdmin"
UPX0:29A02A7B                 push    eax             ; hModule
UPX0:29A02A7C                 call    GetProcAddress
UPX0:29A02A82                 jmp     short loc_29A02A88

First it checks whether the user has administrative privileges. If not, it tries to exploit the MS08-066 vulnerability to elevate its privileges:

UPX0:29A02A96 ms08_066_Exploit:            ; CODE XREF: MalwareActions+5Aj
UPX0:29A02A96                 call    sub_29A013E0
UPX0:29A02A9B                 test    eax, eax
UPX0:29A02A9D                 jnz     short loc_29A02AAD
UPX0:29A02A9F                 call    sub_29A01520
UPX0:29A02AA4                 test    eax, eax
UPX0:29A02AA6                 jnz     short loc_29A02AAD
[…]
UPX0:29A01471                 call    WSAStartup
UPX0:29A01476                 push    offset aHaldispatchtab ; "HalDispatchTable"
UPX0:29A0147B                 call    MyGetProcAddress ; Func_GetProcAddress
UPX0:29A01480                 push    offset aPslookupproces ; "PsLookupProcessByProcessId"
UPX0:29A01485                 mov     Handle_HalDispatchTable, eax
UPX0:29A0148A                 call    MyGetProcAddress ; Func_GetProcAddress
UPX0:29A0148F                 cmp     Handle_HalDispatchTable, 0
UPX0:29A01496                 mov     Handle_PsLookupProcessByProcessId, eax
UPX0:29A0149B                 jz      short loc_29A014BD

With this piece of code, if the system hasn't been updated with the MS08-066 patch, the malware is able to do whatever it wants. So even if your Windows user doesn't have admin privileges, you should update your system every month. It's really important if you don't want to be owned.
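As an added example (not code from the original post), here is a small Python triage helper that parses IDA-style listing lines like the ones above, collects the string literals pushed and the functions called, and flags the two behaviours the post describes: the admin check through advpack.dll!IsNTAdmin and the resolution of HalDispatchTable / PsLookupProcessByProcessId. The sample listing is constructed from lines shown in the post; the function names and scoring are our own.

```python
import re
from typing import Dict, List

# Constructed sample in the IDA-listing style shown in the post; the
# addresses are copied from the post, the selection of lines is ours.
SAMPLE_LISTING = """
UPX0:29A02A67                 push    offset aAdvpack_dll ; "advpack.dll"
UPX0:29A02A6C                 call    LoadLibraryA
UPX0:29A02A76                 push    offset aIsntadmin ; "IsNTAdmin"
UPX0:29A02A7C                 call    GetProcAddress
UPX0:29A01471                 call    WSAStartup
UPX0:29A01476                 push    offset aHaldispatchtab ; "HalDispatchTable"
UPX0:29A0147B                 call    MyGetProcAddress ; Func_GetProcAddress
UPX0:29A01480                 push    offset aPslookupproces ; "PsLookupProcessByProcessId"
UPX0:29A01485                 call    MyGetProcAddress ; Func_GetProcAddress
"""

# segment:address  mnemonic  operands  [; comment]
LINE_RE = re.compile(r'^\S+:[0-9A-Fa-f]+\s+(\w+)\s*(.*?)(?:\s*;\s*(.*))?$')
STR_RE = re.compile(r'"([^"]*)"')

def parse_listing(text: str) -> Dict[str, List[str]]:
    """Collect string literals named in push comments and call targets."""
    pushed: List[str] = []
    called: List[str] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # labels, elisions like [...] and blank lines
        mnemonic, operands, comment = m.group(1), m.group(2), m.group(3) or ""
        if mnemonic == "push":
            s = STR_RE.search(comment)
            if s:
                pushed.append(s.group(1))
        elif mnemonic == "call":
            called.append(operands.split(",")[0].strip())
    return {"strings": pushed, "calls": called}

def assess_privilege_escalation(parsed: Dict[str, List[str]]) -> Dict[str, bool]:
    """Flag the admin check via advpack!IsNTAdmin and the lookup of the
    kernel symbols the post ties to the MS08-066 exploit (our heuristic)."""
    strings = {s.lower() for s in parsed["strings"]}
    calls = {c.lower() for c in parsed["calls"]}
    admin_check = {"advpack.dll", "isntadmin"} <= strings and "loadlibrarya" in calls
    kernel_syms = {"haldispatchtable", "pslookupprocessbyprocessid"} <= strings
    return {"admin_check": admin_check,
            "kernel_symbol_resolution": kernel_syms,
            "suspicious": admin_check and kernel_syms}
```

Running `assess_privilege_escalation(parse_listing(SAMPLE_LISTING))` returns all three flags set; a listing without the kernel symbol strings is not marked suspicious.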

Swine flu and the Blackhat SEO techniques

May 5, 2009

You should be careful when you're looking for information on the web. Not everything is as it seems, especially now that Blackhat SEO techniques are so frequently used to get malicious websites ranked highly in search engines.

And why not use these techniques on the swine flu topic? Cyber-crooks are aware of this and have started doing exactly that. Just look at what we found in Google: a search engine which offers information about the swine flu.


When clicking on the results displayed by the search engine, we are redirected to porn sites where we can view videos. However, to view a video we are required to install the latest version of a player.

Actually, the file is not a player but an adware program, which is detected as Adware/WebMediaPlayer.

UPDATE:

We’ve tried other searches with this malicious engine.

On the one hand, we’ve tried with words related to antivirus solutions, like “Spyware remover” and different results have been displayed:


When accessing some of them, we've been redirected to a website that simulates a system scan and warns us that our computer is infected. The purpose of this is to offer us a solution (which is actually fake).

On the other hand, we've tried other text strings, like celebrities (Paris Hilton, Angelina Jolie…), mortgages and jobs, and we've been redirected to porn websites like those we mentioned previously when we talked about the swine flu.

We’ll continue researching this and keep you informed if we find anything new about this.