14 DAY TRIAL // Security researchers from Romanian antivirus vendor BitDefender warn of scams that make use of fake YouTube pages to install trojans via a malicious Java applet.
The scammers appear to have put significant effort into making the pages look as close as possible to the real YouTube website.
When visitors land on these rogue sites, a Java applet is launched automatically and they are prompted to run it.
The dialog appears because the applet is unsigned and since Java is rarely used for mainstream Web services, users unfamiliar with it might be tempted to hit Run in order to see the video they've been promised.
That would obviously be a very bad idea, because the applet makes use of the OpenConnection Java method to download and executes a trojan.
The malware has botnet capabilities and connects to an IRC server from where it receives commands. It is mainly used as a distribution platform for additional threats.
Among those seen by BitDefender is a trojan which can use the Facebook accounts of its victims to send spam and record conversations from the most popular IM clients.
There is also a worm with DDoS capabilities which can spread via removable USB drives and a click fraud trojan that hijacks searches performed in Firefox, Internet Explorer and Chrome on Google or Bing.
An interesting aspect of the main IRC trojan is that it leverages the same Windows Task Scheduler privilege escalation vulnerability (CVE-2010-3338) exploited by the Stuxnet worm to bypass UAC.
Last year was marked by an explosion of Java-related threats. Vulnerabilities in outdated versions of the software are regularly exploited in drive-by download attacks, while OpenConnection-based Java trojans are so common that in December they were the second most detected threat by antivirus vendor Kaspersky Lab.
While the Java Runtime Environment (JRE) is required by a significant number of desktop applications, with the widespread adoption of AJAX, the technology is not so commonly used on the Web anymore.
People who hardly ever use Java-based Web services should uninstall the Java plug-in from their browsers in order to remove this attack vector entirely.