In a previous blog, you may have read about rogues using a fake YouTube page to entice users into downloading and installing a rogue security trojan. We are now showing you the ‘real deal’. We discovered a page (there are probably more) within the real YouTube.com (fig. 1) website trying to benefit from its user database by redirecting them, by means of social engineering (i.e. viewing an episode of a popular cartoon series) to another page (fig. 2). The malicious page pushes a fake video codec to install a copy of the trojan “Win32/Winwebsec”.
Figure 1 - Malicious YouTube post
Figure 2 - Fake video codec install request
Below, you can see a dialogue window that suggest that your computer is vulnerable, unstable and infected, and instructs you to buy the fake (rogue) security trojan to correct the ‘found’ (yet non-existent) malware. The UI displays a ‘credible’ interface with ‘controls’ commonly found in security applications such as “System Scan”, “Update” and “Settings”. After a ‘scan’, the rogue will commonly display a list of ‘discovered’ malware as in the example shown below.
Figure 3 - Winwebsec Fake Detections
To compliment the simulated scan, the rogue creates fake error messages as well to provide more convincing ‘evidence’ that your computer is compromised as in the examples shown below. Note the typo in the error message window title bar.
Figures 4 & 5 - WinWebsec generated error messages
Of course, after you realize you’ve been fooled by the rogue, you will want to uninstall it. When you attempt to remove Winwebsec, you’ll discover that it doesn’t allow you to easily accomplish this and a <sarcasm> helpful FAQ </sarcasm> provides some insight that you can download another piece of software (fig. 6), which could represent another way for attackers to compromise your machine:
Figure 6 - ‘FAQ’
This file is also detected by our products as “Win32/Winwebsec”.
Marian Radu, MMPC Dublin
PS: There is no security issue or vulnerability in YouTube.com. This is just a case of a user abusing a free service.