Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Malware Distribution Using Fake YouTube Pages

July 26, 2011 - 2 min read
Attackers often create fake YouTube pages in an effort to lure a victim into downloading malicious binaries. During our research, we recently found an example of such a site. When a victim visits the page, a security warning will pop up saying “The application’s digital signature cannot be verified. Do you want to run the application?”. Should a victim accept the prompts, they will download and run a malicious binary on their system. Here is a screenshot of the page:



The page is designed to mimic the YouTube service. If however you inspect the source code of this page, you can identify the malicious binary behind this attack. Here is what the source code looks like:




The webpage includes a Java applet that runs a “YouTube.jar” file, which will then download “ser.exe” from the server. If you visit the homepage of above site, you will also see a separate Java applet being combined with VBScript to download and run the same malicious binary with a slightly different name “serv.exe”, which will later saved as “update.exe”. Here is screenshot of that script:




While the malicious files are currently detected by some antivirus products, the malicious website is not blocked by Google Safe Browsing. It is never advisable to download or run any executable from an untrusted source unfortunately, this relatively simple social engineering technique clearly still works.





form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.