- Jan 24, 2011
- 9,378
Security researchers from Romanian antivirus vendor BitDefender warn of scams that make use of fake YouTube pages to install trojans via a malicious Java applet.
The scammers appear to have put significant effort into making the pages look as close as possible to the real YouTube website.
When visitors land on these rogue sites, a Java applet is launched automatically and they are prompted to run it.
The dialog appears because the applet is unsigned and since Java is rarely used for mainstream Web services, users unfamiliar with it might be tempted to hit Run in order to see the video they've been promised.
That would obviously be a very bad idea, because the applet makes use of the OpenConnection Java method to download and executes a trojan.
The malware has botnet capabilities and connects to an IRC server from where it receives commands. It is mainly used as a distribution platform for additional threats.
Among those seen by BitDefender is a trojan which can use the Facebook accounts of its victims to send spam and record conversations from the most popular IM clients.
There is also a worm with DDoS capabilities which can spread via removable USB drives and a click fraud trojan that hijacks searches performed in Firefox, Internet Explorer and Chrome on Google or Bing.
An interesting aspect of the main IRC trojan is that it leverages the same Windows Task Scheduler privilege escalation vulnerability (CVE-2010-3338) exploited by the Stuxnet worm to bypass UAC.
More details - link
The scammers appear to have put significant effort into making the pages look as close as possible to the real YouTube website.
When visitors land on these rogue sites, a Java applet is launched automatically and they are prompted to run it.
The dialog appears because the applet is unsigned and since Java is rarely used for mainstream Web services, users unfamiliar with it might be tempted to hit Run in order to see the video they've been promised.
That would obviously be a very bad idea, because the applet makes use of the OpenConnection Java method to download and executes a trojan.
The malware has botnet capabilities and connects to an IRC server from where it receives commands. It is mainly used as a distribution platform for additional threats.
Among those seen by BitDefender is a trojan which can use the Facebook accounts of its victims to send spam and record conversations from the most popular IM clients.
There is also a worm with DDoS capabilities which can spread via removable USB drives and a click fraud trojan that hijacks searches performed in Firefox, Internet Explorer and Chrome on Google or Bing.
An interesting aspect of the main IRC trojan is that it leverages the same Windows Task Scheduler privilege escalation vulnerability (CVE-2010-3338) exploited by the Stuxnet worm to bypass UAC.
More details - link
