The Latest in IT Security

Fake YouTube infects PCs with SpyEye Bot


The following site is a convincing YouTube replica that really tricks you, as all the video links actually work properly.

But it has a dirty secret: The site pushes a malicious Java drive-by download from: (VirusTotal (7/42) report here).

The applet contains one class (YouTube.class) whose intent is fairly straightforward: to download and run an executable.

The file comes from (VirusTotal (3/42) report here).
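A static triage check for an applet like the one described above, as an added example (not code from the original post): it reads a class file's constant pool and reports whether the class references the network, file-write and process-execution classes a downloader needs. The indicator list and the `make_sample` helper are assumptions made for illustration.

```python
import struct

# Bytes following the tag for each fixed-size constant-pool entry (JVM class file format).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Assumed triage heuristic (not from the post): classes a download-and-run applet needs.
INDICATORS = {
    "network": ("java/net/URL", "java/net/URLConnection"),
    "file_write": ("java/io/FileOutputStream",),
    "exec": ("java/lang/Runtime", "java/lang/ProcessBuilder"),
}

def utf8_constants(data: bytes) -> list[str]:
    """Return every CONSTANT_Utf8 string in a class file's constant pool."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]
    pos, index, out = 10, 1, []
    while index < count:
        if pos >= len(data):
            raise ValueError("truncated constant pool")
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            (length,) = struct.unpack_from(">H", data, pos)
            out.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in FIXED:
            pos += FIXED[tag]
            if tag in (5, 6):  # long and double occupy two pool slots
                index += 1
        else:
            raise ValueError(f"unknown constant tag {tag} at index {index}")
        index += 1
    return out

def triage(data: bytes) -> set[str]:
    """Name the capability groups whose class names appear in the pool."""
    strings = set(utf8_constants(data))
    return {group for group, names in INDICATORS.items()
            if any(name in strings for name in names)}

def make_sample(names: list[str]) -> bytes:
    """Constructed test input: class-file header plus a Utf8-only constant pool."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(n)) + n.encode() for n in names)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, len(names) + 1) + pool
```

A class that reports all three groups deserves a closer look before it is allowed to run; an empty result does not clear a file, since class names can be hidden behind reflection and encoded strings.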

The server’s IP for is, Romania.

I noticed this file is also being pushed from legitimate YouTube video pages (here, there, or here) as either a Bot for video games or to bypass “Sharecash” surveys:

Analysis of this binary is complicated by the fact that it behaves differently when the sample is run in a VM (at least in VirtualBox). In my tests with an XP VM, the machine slows to a crawl and loses Internet connection.

If you run this on a physical machine you will notice the creation of a service:

The name does not appear to be random, but the service is invisible to the OS: you will need special tools to detect its presence, which indicates a typical rootkit infection.

Quickly after, several remote connections are made to

This IP is well known:

There are a couple of domains associated with it:

Registered to a certain Andrei Kudryavcev from Russia.

The hosting company is Offshore hosting LTD with the server being located somewhere in Europe.

Let’s get back to the ASN: 49806. We find a direct connection with SpyEye/Zeus:

Our friend over at has several pages of SpyEye related URLs belonging to AS49806:

The Zeus tracker has also logged this ASN:

That’s it for this case so far. I will keep an eye on this very active ASN to see what’s next to come from there.

Jerome Segura


Steven Burn added up a few more domains on

In fact, there are many more bad domains within the IP range.

  1. ryan May 25, 2011

    I have the same problem PLZ IF U FIND THE WAY TO STOP IT TELL ME!!!! I'm 12 lol and if my dad finds out I'm permanently stuffed
