The eSoft Threat Prevention Team has uncovered thousands of compromised web servers hosting fake YouTube pages. Attempting to play the video on these fake pages prompts the user to install a ‘media codec’ which then infects the machine with malware.
The fake YouTube pages are well crafted and look almost identical to the real site. By impersonating websites like YouTube, cyber criminals take advantage of users’ inherent trust in the site and are able to infect more machines.
Each page claims to have a “Hot Video” associated with anything from the Gulf Oil Spill to the NBA Playoffs. Google search results show 135,000 of these infected pages at the time of writing.
When the user clicks ‘OK’ to install the codec, they are redirected through intermediary sites to a final destination where the malware is downloaded. Once the file is opened, the malware runs silently in the background, giving unsuspecting users no sign that their computer is now infected and that their data and computing resources are under the control of hackers.
Presently, this fake codec is actually a downloader Trojan with very low anti-virus detection. VirusTotal shows that only 8 of 41 anti-virus scanners currently detect the threat. Without capable, secure web filtering to block access to these malicious sites, these threats have a high chance of infecting users.
eSoft is flagging any sites hosting the fake YouTube pages as compromised until the pages are removed. Intermediary sites and distribution points will also be blocked as compromised or malicious distribution points, protecting SiteFilter customers from infection.
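The behaviour described above (a YouTube-branded page on a non-YouTube host, then a chain of intermediary sites ending in an executable download) can be checked for in web-filter or proxy records. The following is an added example, not eSoft's detection logic; the record layout, the hostnames and the list of executable content types are assumptions, and the sample data is constructed.

```python
import re
from urllib.parse import urlsplit

REAL_HOSTS = ("youtube.com",)
# Assumption: content types treated as an executable download.
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream"}

def is_lookalike(host, html):
    """True if a page titles itself as YouTube but is not served by YouTube."""
    host = host.lower().rstrip(".")
    genuine = any(host == h or host.endswith("." + h) for h in REAL_HOSTS)
    title = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    return bool(title and "youtube" in title.group(1).lower()) and not genuine

def trace_chain(events, start_host):
    """Return the host chain from start_host to an executable download, or None."""
    chain, expected = [start_host], None
    for ev in events:  # one client's requests, in time order
        host = urlsplit(ev["url"]).hostname
        ref = urlsplit(ev.get("referer", "")).hostname
        # Linked if it is the target of the previous redirect, or was
        # requested from a page on a host already in the chain.
        if ev["url"] != expected and ref not in chain:
            continue
        if host != chain[-1]:
            chain.append(host)
        expected = ev.get("location")  # Location header of a 3xx response
        if ev.get("content_type") in EXEC_TYPES:
            return chain
    return None

# Constructed sample: page markup and one client's proxy records.
PAGE = "<html><head><title>YouTube - Hot Video</title></head></html>"
EVENTS = [
    {"url": "http://blog.compromised.example/hot-video.html",
     "referer": "http://search.example/?q=hot+video", "content_type": "text/html"},
    {"url": "http://hop1.example/go",
     "referer": "http://blog.compromised.example/hot-video.html",
     "location": "http://hop2.example/r"},
    {"url": "http://news.example/", "content_type": "text/html"},  # unrelated
    {"url": "http://hop2.example/r", "location": "http://dl.example/codec.exe"},
    {"url": "http://dl.example/codec.exe",
     "content_type": "application/x-msdownload"},
]

if __name__ == "__main__":
    if is_lookalike("blog.compromised.example", PAGE):
        print(" -> ".join(trace_chain(EVENTS, "blog.compromised.example")))
```

Every host in the returned chain is a candidate for blocking: the first as a compromised site, the rest as intermediaries or distribution points.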