Java Badware posing as YouTube

 

Video sharing sites are the ultimate destination for the entertainment seeker, but they’re also the favorite place of cyber-criminals. Things can go really south when your favorite video sharing site turns to be a clone set to persistently ask you to install an additional application or codec. Today's scam relies on a spoofed YouTube page – a rather meticulous copy of the original – that hides some nasty surprises up its sleeve.

Once the victim-to-be lands in the “bluff” page, an unsigned Java applet pops-up asking the user to run it in order to be able to see the video. This is a trick and please do not fall for it. Last time we checked, most of the video sharing sites would rather require the Adobe® Flash® plugin to play the video, not Java.  

Fig.1. The bait: a Java applet a.k.a malware or Trojan.Downloader.Java.C

Once the user is tricked into hitting the Run button, a piece of malicious code [identified by BitDefender® as Trojan.Generic.KDV.128306] will immediately be downloaded on the victim’s system and copied into the temporary folder as services.exe in order to access the Internet.

This Trojan.Generic.KDV.128306 instantly starts communicating  with its Command and Control center by logging into a certain IRC channel using a nickname composed after the following structure: [%Language%][%Operating System%]%nrRandom%, registering with the username Virus and the “real name”: My_Name_iS_PIG_and_Iam_A_GaY%randomNumber%.

Having thus its identity set, the Trojan will log into the channel with the command JOIN: ##Turb0-XXX##, where a bot-master will give it further instructions on what to do next on the infected PC. The supported instructions allow it to download particular files, save them under given names and, of course, execute them.

The files the Trojan brings on the compromised computer have various malicious “capabilities”:

• micro1.exe can send messages  via the Facebook® chat box when the user is connected to the social network, but it is also able to  log the chat conversations from popular IM clients such as Pidgin, MSN®, Yahoo® and  ICQ®.
• fsaf24.exe has DDoS capabilities; it also contains the necessary code to allow the piece of malware to spread through memory sticks.
• afasfa4.exe  is able to redirect the search queries performed on Google™ and Bing™ carried through the most important browsers such as Firefox®, Internet Explorer®, and Chrome®.

And something that is particularly interesting is the fact that it uses the same Task Scheduler exploit, technically known as CVE-2010-3338. This is one of the stunts that have been pulled by the infamous Stuxnet worm to elevate its code and run as administrator on systems protected with UAC.

This article is based on the technical information provided courtesy of Răzvan Benchea, BitDefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.