Pierluigi Paganini
February 26, 2014
What about using YouTube to spread malware? YouTube is a video-sharing website on which users can upload, view and share videos, it has great appeal to the users and represents one of the bastions of the Internet. The website was visited by more than one billion of unique visitors, one billion of potential victims in case of a malware-based attack.
Security experts at Bromium Labs discovered that YouTube advertising network has been abused by attackers to spread malicious code, in particular, they have discovered that YouTube In-Stream Ads were redirecting users to malicious websites. At time I’m writing it is still not clear the number of victims of the attack that abused of YouTube service.
Victims were hijacked to websites controlled by attackers that were hosting the Styx Exploit Kit and was exploiting Java client side vulnerabilities by drive-by-download attack. The experts revealed that the attack allowed the installation on victim’s PC of the Caphaw Banking Trojan. The attackers exploited the Java vulnerability (CVE-2013-2460) to infect victims, interesting to note that malware is able to detect the specific Java version installed on the user’s machine and based upon it is able to serve the suitable exploit.
“We noticed the malware tries to detect the version of Java installed and based on the version, it sends out different URLs to ensure that the exploit is compatible with the Java versions. This is a signature of the Styx Exploit kit.”
“We don’t yet know the exact bypass which the attackers used to evade Google’s internal advertisement security checks. Google has informed us that they’re conducting a full investigation of this abuse and will take appropriate measures.” researchers said.
Once again lack of efficient patch management is cause of serious problem, Oracle in fact has already patched the exploited Java vulnerability last year, but infected users haven’t updated their software.
“It uses a DGA (Domain Generation Algorithm) for CnC, we’re still digging into the various IP addresses leveraged.” reports the official post from Bromium Labs.
Google, which owns YouTube, has already taken down the malvertisment campaign and it is investigating on the attach to prevent future offensives.
Let’s remind that a similar attack was detected last month, in that case the attackers abused for Yahoo adv network.
“Watering hole attacks are clearly getting popular by attackers. Recently, Yahoo mail users were attacked using similar vectors. Several high-profile websites have become victims of such attacks recently. From the attackers point of view, this is the easiest way to cause maximum damage – max ROI.”
(Security Affairs – YouTube, watering hole attack)
