The lure of salacious videos is often used to trick people into downloading and running malware.
As you will see in this example, the bad guys went to enough trouble to make the page look real, from picking a similar URL to crafting a convincing error message.
The bait
Note the URL which is bound to fool many people:
hzzzp://www15.youtube.com.silssl.com/watch.php?v=o8h2mD8b&c=SG&feature=youtu.be
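The trick in that URL is that the real YouTube name sits in the left part of the hostname while the registrable domain (the part the attacker actually controls) is silssl.com. As an added example, not code from the original post, the snippet below parses the lure URL (with its defanged "hzzzp" scheme restored so the parser accepts it) and flags a hostname that merely contains a brand name without being owned by that brand. It assumes the registrable domain is the last two DNS labels; that is a simplification, since suffixes such as co.uk need a public-suffix list.

```python
from urllib.parse import urlsplit

# The lure URL from the post, with the defanged "hzzzp" scheme restored so
# that urlsplit can parse it.
LURE_URL = "http://www15.youtube.com.silssl.com/watch.php?v=o8h2mD8b&c=SG&feature=youtu.be"


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a hostname.

    Simplification (assumption): every suffix is treated as a single label,
    as in example.com. Suffixes such as co.uk would need a public-suffix list,
    which this example deliberately omits.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_in_host_but_not_owner(url: str, brand_domain: str) -> bool:
    """True when brand_domain appears inside the hostname but is not the
    registrable domain: the classic sub-domain lookalike.

    Only the hostname is inspected; a brand name in the path or query
    string (such as feature=youtu.be above) carries no weight.
    """
    host = urlsplit(url).hostname or ""
    owner = registrable_domain(host)
    return brand_domain.lower() in host.lower() and owner != brand_domain.lower()


def analyze(url: str, brand_domain: str) -> dict:
    """Summarise who really owns the host of url relative to brand_domain."""
    host = urlsplit(url).hostname or ""
    return {
        "host": host,
        "owner": registrable_domain(host),
        "lookalike": brand_in_host_but_not_owner(url, brand_domain),
    }


if __name__ == "__main__":
    result = analyze(LURE_URL, "youtube.com")
    print(f"host={result['host']} owner={result['owner']} lookalike={result['lookalike']}")
```

A genuine https://www.youtube.com/watch?v=... URL resolves to owner youtube.com and is not flagged; the lure resolves to owner silssl.com and is.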
Interestingly the so-called ‘Flash player update’ is hosted on Google Docs:
hzzzps://docs.google.com/uc?authuser=0&id=0B9klegmJ2mJdaHQ1ZVE5M2JpOUE&export=download
Malwarebytes detects the file as Trojan.Dropper.RVA.
The drive-by
In case you had second thoughts and decided not to download and run the file, you could still get infected, this time silently, if your browser or one of its plugins is outdated.
This method, known as a drive-by download, leverages vulnerable pieces of software and can drop malware onto victims while they are simply viewing a webpage (no user interaction required).
At the very end of the page’s source code we can spot a suspicious iframe:
Those of you familiar with exploit kits will have recognized a landing page for the RIG EK. So as your browser loads the fake YouTube page another one is fetched in the background, triggering an exploitation and infection chain:
In this particular case you are hit with Silverlight and Flash exploits before the final payload is dropped (VT link).
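The iframe tacked onto the very end of the page source is what silently pulls in the exploit-kit landing page. As an added example, not code from the original post, the snippet below scans a page for iframes that are sized or styled to be invisible and reports whether each one points at a domain other than the page's own. The HTML is a constructed mock-up of the pattern described above, and the iframe target is an RFC 2606 example host, not a real exploit-kit domain; the "registrable domain" logic is the same last-two-labels simplification as before.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not the real lure): a YouTube-looking page with the
# genuine player embedded and a hidden iframe appended after </body>, the
# position the post describes. example.net is an RFC 2606 reserved host.
PAGE_URL = "http://www15.youtube.com.silssl.com/watch.php?v=o8h2mD8b"
SAMPLE_HTML = """<html><head><title>YouTube</title></head><body>
<div id="player"><iframe width="640" height="360"
  src="https://www.youtube.com/embed/o8h2mD8b"></iframe></div>
<p>Your Flash Player is out of date. Please update to continue.</p>
</body>
<iframe src="http://example.net/landing.php?id=1" width="1" height="1"
  style="visibility:hidden; position:absolute; left:-9999px"></iframe>
</html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _registrable(host: str) -> str:
    # Simplification (assumption): last two DNS labels; a public-suffix list
    # would be needed for suffixes such as co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _tiny(value) -> bool:
    """True for a width/height of 2px or less (a classic hidden-iframe tell).
    A missing attribute is not tiny: browsers default to 300x150."""
    if not value:
        return False
    try:
        return float(re.sub(r"px$", "", value.strip().lower())) <= 2
    except ValueError:
        return False


def _hidden_style(style: str) -> bool:
    """True for display:none, visibility:hidden or an off-screen offset."""
    s = re.sub(r"\s+", "", style.lower())
    return ("display:none" in s or "visibility:hidden" in s
            or re.search(r"(left|top):-\d", s) is not None)


def suspicious_iframes(html: str, page_url: str) -> list:
    """Return the iframes that are tiny or hidden, with the reasons and a
    note when the src lives on a domain other than the page's own."""
    page_domain = _registrable(urlsplit(page_url).hostname or "")
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = []
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("tiny")
        if _hidden_style(attrs.get("style", "")):
            reasons.append("hidden")
        src = attrs.get("src", "")
        src_host = urlsplit(src).hostname or ""
        if src_host and _registrable(src_host) != page_domain:
            reasons.append("foreign-domain")
        # A foreign embed on its own is normal (the real YouTube player is
        # one); report only frames that are also sized or styled to be unseen.
        if "tiny" in reasons or "hidden" in reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_HTML, PAGE_URL):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

On the sample page the visible YouTube embed is left alone even though it is on a foreign domain, while the 1x1, off-screen frame pointing at example.net is reported with all three reasons.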
The bad guys even bothered using the Flash Player icon for the dropped binary, something they did not have to, but that keeps with the theme.
Perhaps in an attempt to play the ruse all the way, the crooks behind this even left the indeed salacious video playing, this time, from the real YouTube site:
It’s hard to say which of the two methods (social engineering or drive-by download) would yield the greater number of infections if they were applied separately. But it’s a no-brainer for the bad guys to combine both and reap the benefits.
Users should be particularly cautious when coming across popular or dramatic content that requires something in order to be accessed.
Also, keeping your PC up to date and running real-time anti-malware/anti-exploit protection closes the remaining gaps.
I’m confused… I don’t understand the second part. So I am clever enough not to fall for the first trick. What is the second trick? How do I avoid the trick? For example, I see the advertised video and I want to see the obviously exciting video of a dad catching his daughter stripping on a webcam. I click on a link and am taken to a fake Flash update page. This looks suspicious to me and I don’t click on the link.
Am I infected with the other one automatically? Or do I have to click something to get the virus? Is my only hope a real-time virus program?
I’m under the impression that Malwarebytes CHARGES for real-time protection, so I would have to pay you or get a different anti-virus app to protect me in real time.
Is that my only hope?
I’m sorry if I am being obtuse, I just don’t understand this blog completely. Thank you,
My computer is infected to the point that none of my anti-virus programs or Malwarebytes will update, or work at all.
Is there a way to remove this?
Malwarebytes Anti-Exploit should handle it. But I recommend paying for MBAM (check NewEgg.com and Amazon.com for an MBAM Pro Lifetime license. You pay more for it but it’s worth the lifetime license.)
Actually Michael, it’s best to just get a yearly license for MBAM through Malwarebytes.org. If you try to go after “Lifetime Licenses” through private sellers, you are likely to end up either with the wrong product or an inactive key.