Java Badware posing as YouTube

Loredana BOTEZATU

February 23, 2011

Video sharing sites are the ultimate destination for the entertainment seeker, but they are also a favorite place for cyber-criminals. Things can go really south when your favorite video sharing site turns out to be a clone set up to persistently ask you to install an additional application or codec. Today's scam relies on a spoofed YouTube page, a rather meticulous copy of the original, that hides some nasty surprises up its sleeve.

Once the victim-to-be lands on the “bluff” page, an unsigned Java applet pops up asking the user to run it in order to be able to see the video. This is a trick, so please do not fall for it. Last time we checked, most video sharing sites require the Adobe® Flash® plugin to play video, not Java.

Fig.1. The bait: a Java applet a.k.a malware or Trojan.Downloader.Java.C

Once the user is tricked into hitting the Run button, a piece of malicious code [identified by BitDefender® as Trojan.Generic.KDV.128306] is immediately downloaded to the victim’s system and copied into the temporary folder as services.exe in order to access the Internet.

This Trojan.Generic.KDV.128306 instantly starts communicating with its Command and Control center by logging into a certain IRC channel using a nickname composed according to the following structure: [%Language%][%Operating System%]%nrRandom%, registering with the username Virus and the “real name” My_Name_iS_PIG_and_Iam_A_GaY%randomNumber%.

With its identity thus set, the Trojan joins the channel with the command JOIN ##Turb0-XXX##, where a bot-master gives it further instructions on what to do next on the infected PC. The supported instructions allow it to download particular files, save them under given names and, of course, execute them.
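The registration sequence described above (nickname structure, username, “real name” and channel) is distinctive enough to serve as a network-side signature. The following is an added example, not code from the original post or from BitDefender: it matches constructed client-to-server IRC lines against those three indicators and flags a session when two of them co-occur. The IRC USER command layout (`USER <user> <mode> <unused> :<realname>`) is assumed from the protocol specification, not taken from the post.

```python
import re

# Constructed detection logic for the IRC registration sequence the post describes.
# Nick:     [<Language>][<Operating System>]<random number>
# User:     Virus, with the "real name" My_Name_iS_PIG_and_Iam_A_GaY<random number>
# Channel:  ##Turb0-XXX##
# The USER command layout (USER <user> <mode> <unused> :<realname>) is an assumption
# drawn from the IRC specification, not from the post.
NICK_RE = re.compile(r"^NICK\s+\[[A-Za-z]+\]\[[^\]]+\]\d+\s*$")
USER_RE = re.compile(r"^USER\s+Virus\s+\S+\s+\S+\s+:My_Name_iS_PIG_and_Iam_A_GaY\d+\s*$")
JOIN_RE = re.compile(r"^JOIN\s+##Turb0-XXX##\s*$")

INDICATORS = {
    "nick_pattern": NICK_RE,
    "user_realname": USER_RE,
    "join_channel": JOIN_RE,
}


def match_indicators(session_lines):
    """Return the set of indicator names seen in one client-to-server IRC session."""
    hits = set()
    for raw in session_lines:
        line = raw.strip()
        for name, pattern in INDICATORS.items():
            if pattern.match(line):
                hits.add(name)
    return hits


def is_suspect_session(session_lines, threshold=2):
    """Flag a session when at least `threshold` distinct indicators appear."""
    # Two of three keeps a lone odd nickname from alerting on its own,
    # while the registration + JOIN pair described in the post still fires.
    return len(match_indicators(session_lines)) >= threshold


# Constructed sample sessions (not captured traffic).
INFECTED_SESSION = [
    "NICK [EN][WinXP]4821",
    "USER Virus 0 * :My_Name_iS_PIG_and_Iam_A_GaY4821",
    "JOIN ##Turb0-XXX##",
]
BENIGN_SESSION = [
    "NICK alice",
    "USER alice 0 * :Alice Example",
    "JOIN #python",
]

if __name__ == "__main__":
    for label, session in (("infected", INFECTED_SESSION), ("benign", BENIGN_SESSION)):
        print(label, sorted(match_indicators(session)), is_suspect_session(session))
```

Feed it the client-to-server half of an IRC session (for example from a proxy or IDS reassembly) one line per command; the bot's random number suffix is deliberately left as a wildcard so the signature survives it.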

The files the Trojan brings on the compromised computer have various malicious “capabilities”:

  • micro1.exe can send messages via the Facebook® chat box when the user is connected to the social network, but it is also able to log the chat conversations from popular IM clients such as Pidgin, MSN®, Yahoo® and ICQ®.
  • fsaf24.exe has DDoS capabilities; it also contains the necessary code to allow the piece of malware to spread through memory sticks.
  • afasfa4.exe is able to redirect the search queries performed on Google™ and Bing™ carried through the most important browsers such as Firefox®, Internet Explorer®, and Chrome®.

Particularly interesting is the fact that it uses the same Task Scheduler exploit, technically known as CVE-2010-3338, that the infamous Stuxnet worm pulled to elevate its code and run as administrator on systems protected with UAC.

This article is based on the technical information provided courtesy of Răzvan Benchea, BitDefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
