QUOTE: There’s never a dull moment in the security industry. Just as we heard about the latest IE 0day, one of our field security engineers in the Americas stumbled upon a YouTube link that was hosting malware. The vulnerability is not in YouTube as such, but the ad network seems to be the culprit in this case. We’re working with the Google security team to get to the bottom of this; in the meantime, some quick details about the infection are below.
– Classic drive-by download attack, infects the user by exploiting client software vulnerabilities.
– The ad network was discovered to be hosting the Styx exploit kit. This exploit kit was recently in the news for compromising hasbro.com. Well, the attackers seem to have upped their target this time by somehow getting into YouTube ads.
– The exploit leveraged in this was a Java exploit.
– The Trojan appears to be a Banking Trojan belonging to the Caphaw family.
– The outbound CnC went out to Europe in this infection, where the server is likely to be hosted. It uses a DGA (Domain Generation Algorithm) for CnC; we’re still digging into the various IP addresses leveraged.