Fake YouTube URLs Downloading Suspicious Executable 

Nov 28, 2007 03:00 AM

Malicious code writers have always used popular Web brand names to spread malicious code through spam vectors, and these days the YouTube brand name is popping up more and more. However, the spoofed URL in this latest scam redirects visitors to dynamic domain names with seemingly unusual top level domains (TLDs), such as .li, .ch, and .es. Last month, spammers used the YouTube brand name in an attempt to spread spam regarding male enhancement pills and get-rich-quick schemes.

The email looks harmless enough, because the “From” header is spoofed to appear as if it is coming from "YouTube Service":

From: "YouTube Service" service@youtube.com
To: [REMOVED]
Bcc: [REMOVED]
Subject: Your friend sent you a video!
Date: Thu, 15 Nov 2007 08:58:31 +1000

Note: The domains used to impersonate the YouTube Web site are giower.li, fineir.ch, and be4koy.com.es. These TLDs are not the usual .com or .net domains. The links force the download of a malicious executable, “install_flash_player.exe,” which is in fact a threat already detected by Symantec.
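As an added example, not part of the original post, the following Python check applies the indicators above to a constructed sample message: a "YouTube Service" display name whose envelope sender (Return-Path) is on another domain, a link whose visible text reads youtube.com while its real host does not, and a link that fetches an .exe. The sample message, its Return-Path and the link layout are constructed for illustration; only the domain names and the file name are taken from the post.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, modelled on the spoofed headers and domains described in the post.
SAMPLE_EML = """\
From: "YouTube Service" <service@youtube.com>
Return-Path: <bounce@giower.li>
Subject: Your friend sent you a video!
Content-Type: text/html

<html><body><p>Your friend sent you a video!</p>
<a href="http://www.youtube.com.giower.li/watch?v=abc">http://www.youtube.com/watch?v=abc</a>
<a href="http://fineir.ch/install_flash_player.exe">Watch the video</a>
</body></html>
"""

BRAND = "youtube.com"  # the brand being impersonated
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_brand_host(host):
    # True only for the brand domain itself or a genuine subdomain of it;
    # "www.youtube.com.giower.li" is neither.
    return host == BRAND or host.endswith("." + BRAND)

def analyse(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. The display name claims the brand, but the envelope sender is elsewhere
    sender = msg["From"].addresses[0]
    _, return_path = parseaddr(str(msg["Return-Path"] or ""))
    env_domain = return_path.rsplit("@", 1)[-1].lower()
    if BRAND.split(".")[0] in sender.display_name.lower() and not is_brand_host(env_domain):
        findings.append(("sender-mismatch", env_domain))
    # 2. Links whose visible text shows the brand while the real target does not
    body = msg.get_body(preferencelist=("html",)).get_content()
    for href, text in ANCHOR_RE.findall(body):
        host = host_of(href)
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if (BRAND in shown.lower() or is_brand_host(host_of(shown))) and not is_brand_host(host):
            findings.append(("lookalike-link", host))
        # 3. Any link that fetches an executable is reported regardless of host
        if urlparse(href).path.lower().endswith(".exe"):
            findings.append(("executable-download", href))
    return findings
```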

There were a number of spoofed URLs included in the spam emails during the campaign. Fortunately, the Web sites associated with the URLs have since been taken down. Below are a few examples of the spoofed URLs:


[Image: examples of the spoofed URLs used in the campaign]
