Panda Security discovered a tool that can be used by almost anybody to spread malware

Sep 12, 2008 14:47 GMT

Monitoring the underground hacking forums, the analysts at Panda Security have come across a malware spreading tool that can be used even by individuals with little programming knowledge. The tool provides a simple interface for creating a YouTube look-alike website which can be used to spread any malicious file.

The program, which Panda Security named YTFakeCreator, is classified as a “virus constructor”. According to Panda's glossary, a virus constructor is a malicious application which can be used to create new viruses through an interface without requiring any programming skill.

The fake YouTube page that gets created displays a warning bar stating that a media plug-in is required in order to play the video. If this bar is clicked, the malware is served for download instead of a real plug-in. After the malicious executable is downloaded, the website redirects to an error page which claims that the user has to be at least 18 years old in order to view the content. The error is similar to the real one YouTube uses when possibly offensive content is accessed. This is intended to keep users from becoming suspicious and to make them give up on viewing the video.

YTFakeCreator's graphical interface is in Spanish and has several options to customize the fake YouTube page that is to be created. The first option allows the person using it to specify the location of the malware program they wish to trick the users into downloading. This can be a URL. The second option makes it possible to change the text that appears on the warning bar which is used to push the malware application to the user. Right next to it, the interval after which the user is redirected to the error page can be modified.

In the next section, things like the page title, “YouTube – Page title”, can also be changed along with information about the video clip itself. This means the video title and description, as well as the username of the person who is supposed to have posted it. The tool tries to make it look as real as possible, since details like the registration date of the user and the total number of submitted videos can also be modified. Moreover, it allows for a comment to be created, as well as specifying the username of the person who posted the comment.

Finally, “advanced options” allow editing of the source code itself for the generated Index.html and Error.html pages. When finished, the tool notifies the user that the two pages have been created and instructs the wannabe-hackers to upload them online and then serve the URL of index.html to their victims.

The Panda Security analysis notes that “YTFakeCreator does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.”.

Photo Gallery (5 Images): Hacking tool; Fake YouTube error page; YTFakeCreator interface; +2 more