Over the past several months, we’ve seen several alarming stories of trojans being loaded from YouTube videos, like this one that came out today:
Within the past week, cybercriminals have hidden Trojan horses in fake video postings on the wildly popular YouTube site, according to Paul Henry, vice president of technologies with Secure Computing. While YouTube techies were quick to pull down both postings, Henry said in an interview Wednesday that the two incidents could sound the bell for a new means of attack.
It’s worth noting that it is highly unlikely that these are actually YouTube videos.
Videos submitted to YouTube are converted to Adobe Flash Video (.flv), a format based on Flash. We have not seen any instances of this format being hacked in a manner to spawn the Zlob fake codec (which is the one mentioned in this article).
The Zlob codec, on the other hand, is typically installed using added functionality in Windows Media Player. You click the movie, and up comes a dialog that tells you that you need a “codec” to view the video. This codec, of course, is bad news.
So what likely happened here is that someone saw some advertisement or comment spam for a video on YouTube — not a YouTube video itself.
It’s worth noting that deception and social engineering around YouTube has been seen. But it’s not the YouTube videos themselves.