Yesterday I was looking through the mid-day logs from one of the WebPulse modules, checking out the malware it had flagged. One of these caught my eye: a single log line referring to a setup.exe file coming from a site called youtube-vid.com. The thought occurred to me that we typically only take time to research and write up some of the larger attacks we see, since they tend to be more newsworthy. With all of our (justifiable) pride in how well WebPulse tracks and blocks large malnets dominating many of our recent posts, I thought it might be worthwhile to write about one of the many small attacks that we block each day, which don’t come from the big malnets.
So I did the background research on the attack, and it turned out to be interesting…
First of all, the target site looks like this: a nice mock-up of a real YouTube page:
Note that even though the fake video page says that it was posted back in August, this site only appeared in our logs last week. The date is as fake as the video clip, but a casual visitor would have no way to realize that. And the domain name hints that this site is some sort of “YouTube highlight site”, so that’s believable, too.
Still, before you actually go ahead and download software from some site just because it tells you to, it’s a good idea to do a little extra research first. A whois check shows that this domain was only created a couple of weeks ago (9/30), and not by anyone at YouTube or Google, so yes, that’s suspicious. Further, if a cautious user (or curious researcher!) attempted to visit the root of this site, to check out its home page, here’s what they’d see:
That’s right, there is no site, outside of the fake content in the attack subdirectory. This simple but very revealing test jibes nicely with a more high-powered approach, namely running the setup.exe file through a service like VirusTotal: only 4 out of 43 AV engines there detected it as malicious yesterday (as of today, the hit-count was up to 8).
As I looked at the visitor traffic to this site over the past few days, I was encouraged that only two of the would-be victims were foolish enough to click on the link to request the setup.exe download. (WebPulse blocked both attempts as Suspicious, including the one I’d seen in yesterday’s log.) So this wasn’t a big attack — but I already knew that; it’s why I chose to investigate it and write about it in the first place.
The next step in writing about an attack like this is doing some research in our larger, more detailed logs, which include all traffic, not just the portions that we normally consider the most interesting, so they can usually help flesh out the story behind an attack. In this case, I turned to the logs from the datacenter where the suspicious EXE had been blocked, and dumped all of the traffic to youtube-vid.com yesterday.
There was enough data to see that the would-be victims were coming to youtube-vid.com from facebook.com. That information, coupled with the nature of the “teaser” content in the screenshot above, leads me to surmise that the attack’s bait was in the form of a post to a Facebook user’s wall, purporting to show a link to a vacation video involving girls in bikinis and a celebrity behaving badly. Who could resist clicking on something like that?
Unfortunately, the next phase of research (checking for similar sites) totally ruined my original premise of blogging about a small malware attack with only one event in our logs… As it turned out, this attack wasn’t so little after all. There were a total of 10 sibling sites (see below) used to host the fake YouTube page, with hundreds of requests in our logs over the past week. Further, the final count of users who had taken the bait and tried to download the setup.exe payload was 50, so I guess they came out not looking so good, either. (By contrast, WebPulse flagged all of those EXEs in real-time, so it came out looking very good.)
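The log-triage steps above (pull all traffic to the suspect host, look at where the visitors came from, then widen the search to brand-themed look-alike domains and count payload download attempts) can be scripted. The following is an added example, not WebPulse code: it runs over constructed proxy log lines in an assumed `timestamp client action url referrer` layout, with an assumed allow-list of genuine YouTube hosts.

```python
# Added example: triage constructed proxy logs for brand look-alike domains
# and payload pulls, mirroring the post's manual investigation steps.
from collections import Counter
from urllib.parse import urlparse

LEGIT_HOSTS = {"youtube.com", "www.youtube.com"}  # assumption: real brand hosts
BRAND = "youtube"          # brand string the fake domains trade on
PAYLOAD_NAME = "setup.exe"  # payload file name seen in the post

# Constructed sample lines (not real log data): timestamp client action url referrer
SAMPLE_LOG = """\
2010-10-13T12:01:05 10.0.0.11 OBSERVED http://youtube-vid.com/video/index.html http://www.facebook.com/profile.php
2010-10-13T12:01:09 10.0.0.11 BLOCKED http://youtube-vid.com/video/setup.exe http://youtube-vid.com/video/index.html
2010-10-13T12:02:44 10.0.0.23 OBSERVED http://vid-youtube.com/video/index.html http://www.facebook.com/home.php
2010-10-13T12:03:10 10.0.0.42 OBSERVED http://www.youtube.com/watch?v=abc123 http://www.google.com/
2010-10-13T12:04:51 10.0.0.23 BLOCKED http://vid-youtube.com/video/setup.exe http://vid-youtube.com/video/index.html
2010-10-13T12:05:02 10.0.0.57 OBSERVED http://only-youtube.com/video/index.html -
"""


def is_lookalike(host: str) -> bool:
    """True when a hostname contains the brand name but is not a genuine brand host."""
    host = host.lower()
    if host in LEGIT_HOSTS or host.endswith(".youtube.com"):
        return False
    return BRAND in host


def triage(log_text: str) -> dict:
    """Summarise look-alike traffic: hits per host, payload pulls, referrer hosts."""
    hosts, referrers = Counter(), Counter()
    payload_pulls = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, _action, url, ref = line.split()
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not is_lookalike(host):
            continue  # genuine brand traffic and unrelated hosts are ignored
        hosts[host] += 1
        if parsed.path.endswith("/" + PAYLOAD_NAME):
            payload_pulls += 1  # a would-be victim took the bait
        if ref != "-":
            referrers[urlparse(ref).hostname or ref] += 1
    return {"hosts": dict(hosts), "payload_pulls": payload_pulls,
            "referrers": dict(referrers)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The referrer tally surfaces the Facebook origin the post infers, while the host tally is the seed for hunting sibling domains.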
The moral of this story (besides “don’t click on salacious material on Facebook”) is that when your users go out to play in the Facebook haystack, you can’t rely on its internal protections to find all of the needles. You need another, smarter, layer to keep your users from finding those needles the hard way.
P.S. A few other notes:
Sibling sites used in the attack: youtube-vid.com, myvid-youtube.com, private-youtube.com, profile-youtube.com, vid-youtube.com, only-youtube.com, travel-youtube.com, view-youtube.com, myvideo-youtube.com, link-youtube.com.
The attack payload is polymorphic: I just retrieved a new sample from one of the sites, and VirusTotal only reported 5 hits (www.virustotal.com/file-scan/report.html?id=e7b43cf6506c9efe790f916ce1bd…).