Websense Security Labs ThreatSeeker: has received reports of new malicious code that utilizes the YouTube
November 2007 by Websense
The attack begins with an email lure written in html that invites users to view a video from YouTube. Upon connecting to the site, users are directed to a page that resembles the real YouTube site. The page then reports that the video cannot load and attempts to dupe users into downloading and installing a flash player.
In what could be a disturbing sign of things to come, the site is hosted on a server that has hosted more than one hundred Phishing sites over the last 4 months. This server is managed by the infamous "Rock Phish" group, which is the largest phishing gang on the Internet and which is responsible for the majority of Phishing URL’s.
Additionally concerning is the potential for Rock Phish to add malicious code to its attack arsenal in conjunction with standard Web forms on bogus sites.
The file is called "install_flash_player.exe," is 1.2 Mb in size, and has an MD5 of "fb38066c348aaf5bf0d6513a2e635490."
The Web site URL (with part of the address stripped out for protection) is: "www5.youtube.com.site670221.X.X/watch/v/install_flash_player.exe"