New Storm Leverages YouTube
This new tactic uses YouTube links to get users to click and download malicious code. The link sent via email looks like a properly formatted YouTube URL, but actually points to a compromised web server. To avoid DNS, the link goes to a numerical IP address instead of a hostname, which would also be easier to take down.
This is another example of the pull-based malware we have been talking about more and more: the user has to visit a web site (either by clicking a link or by following instructions to go to a particular web site) in order to get infected, as opposed to having the malware "pushed" to them via an email attachment.
This method of infection also forced the AV vendors to start building URL-based blacklists into their products, so that malicious web sites can be proactively identified by the AV engine based on the web site address and not necessarily on the hosted content. This is a good move on their part, especially considering the increase (and expected continued prevalence) in server-side polymorphic viruses.
