Two security companies have sighted malicious files masquerading as videos on Google's video-sharing site. Secure Computing Corp. this week reported a new "zlob" disguised as a video file on YouTube. A zlob is a Trojan that opens a back door into users' computers.
When users clicked on this particular zlob, it bombarded them with ads. Secure Computing, which markets security software for enterprises and small businesses, said it's likely that the ads would give way to malware.
The bogus video was titled "YouTube - Afterworld Episode 6 - Hibakusha." The snippet of description sounds compelling: "99% of the population is missing. Technology is dead " Afterworld is a made-for-the-Web animated science fiction series that takes place after a mysterious event wipes out modern civilization.
The multimedia site will be fleshed out with archived back episodes, daily journal entries, community blogs, interactive content applications and online games, Sony said.
Secure Computing's warning said that the file did not require users to download an .EXE file in order to run, making it doubly dangerous.
A YouTube spokeswoman, noting that she experienced nothing untoward by clicking the link forwarded by Secure Computing, said security is a top concern at YouTube.
"If we find a party is using our brand or site to encourage the download of a virus from another location, we will take action to investigate and prevent this."
These malicious files may stay up for only a short time, according to Paul Henry of Secure Computing. He said the bad guys go after sites like YouTube because of their high visitor counts.
"If they hit YouTube, maybe it will only be up for a few hours, but in that few hours they'll get enough hits to make it worth their while."
Even with unasked-for pop-ups, he explained, a small percentage of people do click through to porn sites and open accounts. And, in the case of key-loggers, the bank account information and passwords obtained are extremely valuable.
Secure Computing warned that most firewalls aren't capable of blocking code returned from external Web servers, which is the trend for exploits.
David Perry, global director of education at Trend Micro, said Web sites are now the preferred method of launching exploits.
"We've stopped trusting e-mail. You don't open that e-mail that comes from a bank; you're not falling for it any more.
But there's the Web, so what they are doing is they are finding places where they can put up something that looks like a popular Web item but has a backdoor, Trojan, rootkit or one of the various beasties we track."
Last week, Trend Micro, a competitor to Secure Computing, reported on another Trojan masquerading as an Afterworld video. According to the company, TROJ_BANLOAD.CZE downloads a variant that's known for stealing online banking information.
Perry said yesterday's exploit, in which more than 10,000 compromised computers redirected visitors to sites hosting malicious software payloads, is the shape of things to come.
The Afterworld exploits shouldn't harm the brands of Afterworld or Sony, both agreed, just as banks aren't blamed for the constant phishing e-mails in their names. But Web publishers must be diligent in keeping their sites clean, Perry said.
"We're in the dawn of this era, with people still waking up to the fact that it's going to take more policing of their Web sites."