
Users increasingly falling victim to malware distributed on Digg, YouTube

Infections by the malware known as "VideoPlay," which has been spreading through malicious posts and comments on Digg and YouTube, increased 400 percent from January to February, according to Panda Security.

Attackers have been posting comments on news stories and videos on the social networking sites, claiming that users can watch videos of celebrities, some described as pornographic, by clicking a link that is provided, Sean-Paul Correll, threat researcher and security evangelist for Panda Security, said in an email Tuesday. When a user follows the link, they are redirected to a page that prompts them to download a codec to view the video. The download is the VideoPlay malware, a worm that steals email login credentials and other information stored in a user's browser and then propagates further through removable drives.

Panda Security has identified 2,500 infections this week alone, Correll said.

The file spreads by copying itself to removable drives and creating an autorun.inf that runs when the drive is accessed. Once a machine is infected, the worm collects data stored in browsers, including cookies, passwords, profiles and email accounts, and sends the information to a remote address.
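As an added example, not code from the article or from Panda Security, the following defender-side check parses an autorun.inf and reports entries that would launch an executable from the drive itself, the propagation step described above. The sample autorun.inf contents and file names are constructed.

```python
"""Check an autorun.inf for entries that launch a program when a removable drive
is opened: an added defender-side check for the propagation technique described
above, not code from Panda Security. All sample contents are constructed."""
import configparser
import os

LAUNCH_KEYS = {"open", "shellexecute"}  # [autorun] keys the shell executes
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

def launch_commands(autorun_text: str) -> list[str]:
    """Return every command the [autorun] section would execute, in file order."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    try:
        cp.read_string(autorun_text)
    except configparser.Error:  # malformed file: nothing would launch
        return []
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    cmds = []
    for key, value in cp.items(section):  # configparser lower-cases keys
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if (key in LAUNCH_KEYS or is_verb) and value and value.strip():
            cmds.append(value.strip())
    return cmds

def suspicious_commands(autorun_text: str) -> list[str]:
    """Commands whose program is an executable shipped on the drive itself."""
    hits = []
    for cmd in launch_commands(autorun_text):
        # First token is the program; honour a quoted path containing spaces.
        prog = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        if prog.lower().endswith(EXEC_SUFFIXES):
            hits.append(cmd)
    return hits

def scan_drive_root(root: str) -> list[str]:
    """Read <root>/autorun.inf, if present, and return its suspicious commands."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_commands(fh.read())

# Constructed samples: a benign vendor file and a worm-style file.
SAMPLE_BENIGN = "[autorun]\nicon=setup.ico\nlabel=Vendor Tools\n"
SAMPLE_WORM = ("[AutoRun]\nopen=sample_worm.exe\nshell\\open\\Command=sample_worm.exe\n"
               "shellexecute=sample_worm.exe\nicon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
```

Pointing scan_drive_root at the mount point of a removable drive returns the commands that AutoRun would hand to the shell, which is the signal a removable-media policy or endpoint check can act on.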

Some of the fake story titles and comments include: “Jessica Simpson Hotel Sex Tape,” “Megan Fox naked,” and “Christian Bale freak out dubbed with video!”

Additionally, attackers have been using purpose-registered fake accounts and compromised legitimate accounts to post fake stories on Digg with alluring titles that, when clicked, lead to the malware-laden sites. The same accounts heavily post comments containing malware-serving links on both legitimate and fake stories on Digg.

“We believe that the spreading through social media sites and the use of search engine optimization effectively lured victims to the infection,” Correll said.

Dancho Danchev, an independent security researcher who has been following this campaign, said on Tuesday that he has found over 500,000 malicious comments posted on

Attackers are using automated scripts to spread the malicious links, which are hosting the malware, Correll said.

On YouTube, attackers have used the “Annotations” feature, which allows for interactive commentary, to post the malicious links with videos.

“Although the YouTube description malware is not as prevalent as the comment abuse, it does show that social media websites are increasingly being used to spread malware,” Correll wrote recently in a PandaLabs blog post. “We expect to see plenty of new examples similar to this throughout 2009.”

Danchev said that the cybercriminals behind the Digg campaign were involved in other exploits on the social networking site LinkedIn during January, which suggests that they are systematically targeting Web 2.0 sites.

Correll said he examined one of the domains involved and found that its “whois” registration information points to Russia, leading him to believe that is where the attack originates.

Spokespeople from Digg and YouTube did not respond to a request for comment Tuesday.
