Security Response

Fake YouTube URLs Downloading Suspicious Executable

Created: 28 Nov 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:44:13 GMT
Jitender Sarda

Malicious code writers have always used popular Web brand names to spread malicious code through spam, and these days the YouTube brand name is popping up more and more. Last month, spammers used the YouTube brand name in an attempt to push male enhancement pills and get-rich-quick schemes. In this latest scam, however, the spoofed YouTube URL redirects visitors to dynamic domain names under top-level domains (TLDs) that are unusual for the brand, such as .li, .ch, and .es, and the payload is malicious code rather than more spam.

The email looks harmless enough because the "From" header is spoofed to appear as if it is coming from "YouTube Service", which helps it pass as a legitimate invitation. The video's description is enticing and seems innocuous, inviting potential victims to open a shared video file; the link behind it is a fake YouTube link. Here is a sample of one of these scam emails:

From: "YouTube Service" service@youtube.com
To: [REMOVED]
Bcc: [REMOVED]
Subject: Your friend sent you a video!
Date: Thu, 15 Nov 2007 08:58:31 +1000

[Image: body of the sample scam email]

Note: The domains used to impersonate the YouTube Web site are giower.li, fineir.ch, and be4koy.com.es, none of them under the usual .com or .net TLDs. The links force the download of a malicious executable, "install_flash_player.exe" (a filename chosen to mimic Adobe's legitimate Flash Player installer), which is in fact a threat already detected by Symantec.

A number of spoofed URLs were included in the spam emails during the campaign. Fortunately, the Web sites behind those URLs have since been taken down. Below are a few examples of the spoofed URLs:

[Image: examples of the spoofed URLs]
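The three tells this post describes (a sender display name that claims the brand, link text that looks like a YouTube URL while the href goes to an unrelated host, and a "video" link that is really an .exe download) can be turned into a simple mail-filter heuristic. The following is an added example written for this page, not Symantec's detection logic. The two sample messages are constructed: the hostnames giower.li and fineir.ch and the filename install_flash_player.exe come from the post, while the URL paths, video ID, recipient address and the list of legitimate YouTube hosts are assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand being impersonated and the hosts a genuine invitation could link to.
# The host list is an assumption for this example, not a vendor-maintained list.
BRAND = "youtube"
LEGIT_HOSTS = {"youtube.com", "www.youtube.com", "youtu.be"}

# Constructed sample in the shape the post describes. The hostnames are the ones
# named in the post; the paths, video ID and recipient are made up for the example.
SAMPLE_EMAIL = """\
From: "YouTube Service" <service@youtube.com>
To: victim@example.test
Subject: Your friend sent you a video!
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Your friend has shared a video with you.</p>
<p><a href="http://giower.li/video/install_flash_player.exe">http://www.youtube.com/watch?v=abc123</a></p>
<p><a href="http://fineir.ch/video/install_flash_player.exe">Watch on YouTube</a></p>
<p><a href="http://www.youtube.com/help">YouTube Help</a></p>
</body></html>
"""

# Constructed benign message for comparison: every link really goes to the brand.
BENIGN_EMAIL = """\
From: "YouTube Service" <service@youtube.com>
To: victim@example.test
Subject: Your friend sent you a video!
Content-Type: text/html; charset=us-ascii

<html><body>
<p><a href="http://www.youtube.com/watch?v=abc123">http://www.youtube.com/watch?v=abc123</a></p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' when it has none (mailto:, etc.)."""
    return (urlparse(url).hostname or "").lower()


def analyze_message(raw):
    """Return a list of (reason, evidence) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    body = msg.get_body(preferencelist=("html",))
    parser = _LinkExtractor()
    parser.feed(body.get_content() if body is not None else "")

    off_brand = False
    for href, text in parser.links:
        host = host_of(href)
        if not host or host in LEGIT_HOSTS:
            continue  # no host, or the link really goes to the brand
        off_brand = True
        # Visible text is itself a brand URL, but the target host is not the brand.
        text_host = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if text_host in LEGIT_HOSTS:
            findings.append(("link-text-mismatch", href))
        elif BRAND in text.lower():
            findings.append(("brand-in-text", href))
        # A "video" link whose target is an executable is the forced download.
        if urlparse(href).path.lower().endswith(".exe"):
            findings.append(("executable-download", href))

    # Sender display name claims the brand while the body links off-brand.
    sender = msg["From"]
    if sender is not None and sender.addresses:
        addr = sender.addresses[0]
        if BRAND in (addr.display_name or "").lower() and off_brand:
            findings.append(("sender-brand-claim", addr.addr_spec))
    return findings


def is_suspicious(raw):
    """True when any of the heuristics above fired."""
    return bool(analyze_message(raw))


if __name__ == "__main__":
    for reason, evidence in analyze_message(SAMPLE_EMAIL):
        print(f"{reason:22} {evidence}")
```

The sender check deliberately does not try to prove the From header is forged (that needs SPF/DKIM results, which a 2007-era message rarely carried); it only fires when a brand-claiming display name is paired with links that leave the brand, which is exactly the combination the post describes. Run on the constructed sample it reports both .exe targets, the text/href mismatch on the giower.li link, the "Watch on YouTube" lure pointing at fineir.ch, and the sender claim, while the benign message produces no findings.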