Storm Worm Uses YouTube Ruse

Security pros are warning that distributors of the Storm Trojan are now using a YouTube video to lure users. Contained in e-mails with subject lines such as "sheesh man what are you thinking," the malicious link claims to go to YouTube.com, but actually goes to a URL harboring exploit code. "This is the first [YouTube] lure that the Storm folks are using but not the first that has used YouTube in the past," said Dan Hubbard, vice president of security research at San Diego-based Websense. "There are a variety of e-mail subjects and bodies but basically they request you to view a video."

Dave Marcus, security research and communications manager at McAfee, based in Santa Clara, Calif., advised people to use caution when clicking on links in e-mails. Clicking on the attachment associated with this particular attack will infect the victim's machine with the Nuwar worm, Marcus said. "Malware writers continue to use social engineering tactics to infect a user's machine with a copy of Nuwar, this time latching on to the popularity of YouTube to lure people into clicking on the URL," he said. "We expect these spammers to continue to use these types of tactics and it will be imperative that users get educated on how to avoid becoming a victim."

News source: eWeek


5 Comments

From the article:

In the background, an embedded, obfuscated JavaScript routine launches several browser and application exploits to infect the user's machine with a copy of W32/Nuwar. In addition, if a machine is fully patched, the malware author has a backup plan—wording on the Web page meant to entice users into manually downloading the virus.

I suppose if you get a download box, it means you have a patched system :P

On a more serious note, it would be nice if they would specify what browser/application is vulnerable (if any) and what OS is targeted.

They've stopped using YouTube; it's now:

"Please give us a hand with our new software development Family Heritage Tracer

This beta testing will enable us to fine tune the software for public release. To say thanks, Beta testers will receive a free copy and 5 years of free updates.

Download the software, See What you think, and Email us your thoughts. Ready to be a beta tester? Just follow the link to our easy download center: http://<IP Address>/setup.exe "

Wow, I got one of these too.

Mine simply contained the following:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body>
What are you thinking...if pat sees this your divorced dude. :-{) this is the link to it. <a href="http://86.121.16.36/"><font color="red"><b>MailScanner has detected a possible fraud attempt from "86.121.16.36" claiming to be</b></font> http://www.youtube.com/watch?v=Jt1jplyeLcK</a>
</body>
</html>

Granted, this has been modified by our mail scanner, but it at least gives you a good example.

Edit: the YouTube video it points to actually doesn't exist.
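A defender-side check for the pattern the mail scanner caught in that message (anchor text showing a youtube.com URL while the href points at a bare IP), added here as an example and not code from the article, from MailScanner or from the commenters. It runs a constructed copy of the quoted mail, with the scanner's warning text stripped out, through a small HTML parser and reports every anchor whose displayed host differs from the real destination host.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the lure quoted above as it would have looked before
# the mail scanner rewrote it. The IP and video id are the ones on the page.
SAMPLE_EMAIL_HTML = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><body>
What are you thinking...if pat sees this your divorced dude. :-{) this is the link to it.
<a href="http://86.121.16.36/">http://www.youtube.com/watch?v=Jt1jplyeLcK</a>
</body></html>"""

# Pulls the host out of a URL-looking run of text (scheme and www. optional).
URL_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return (real_host, displayed_host) for each anchor whose link text
    names a host other than the one the href actually resolves to."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        real = (urlparse(href).hostname or "").lower()
        match = URL_RE.search(text)
        if not match:
            continue  # plain-word link text: nothing to compare against
        shown = match.group(1).lower()
        if shown != real.removeprefix("www."):
            findings.append((real, shown))
    return findings
```

A match between displayed and real host is compared exactly, so a link showing youtube.com but pointing at m.youtube.com is also reported; loosen that comparison if such subdomain moves are expected in legitimate mail.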

Funny, I got a few of these emails today in my Gmail inbox (not the spam folder). I didn't think much of it and simply deleted/reported them as spam.