YouTube ads spread banking malware

NikK Posts: 903 Forum Champion

"Security researchers at Bromium have discovered that hackers were spreading malware onto computers while unsuspecting users were watching YouTube videos.

The drive-by-download attack was distributed via adverts shown on the YouTube website, and used an exploit kit to infect Windows PCs with a version of the Caphaw banking Trojan.

According to a blog post by Bromium, the attack relied upon the exploitation of a Java vulnerability (CVE-2013-2460, patched by Oracle in mid-2013)."



You really can't be safe anywhere! But what you can do is get rid of Java. It's by far the most vulnerable software, or to quote Mikko Hypponen "The battle at hand right now is with Java and Oracle. It seems that Oracle hasn't gotten their act together yet. And maybe don't even have to: users are voting with their feets and Java is already disappearing from the web"


So regarding this I've questioned F-Secure why their free tool HEALTH CHECK is built with Java. Their answer:

"F-Secure is in the middle of a process of replacing Java-based HealthCheck with a new technology and improved functionality." Smiley Very Happy Great!


Note: Java is not the same as JavaScript


  • Ukko
    Ukko Posts: 3,619 Superuser

    It's not a surprise about "ADs" (Advertisements) / "Google" (youtube) / "Malware/Malicious things / Exploits / etc." in one case.


    Google already long time not care about advertisements-point in any services...totally. It's just surprise for me - that just now... someone create "result" of research about it. But did that just about youtube-part... and about exploit with Java.


    More worst - also have not so "hard" steps for virusmakers and another bad guys to use same case (google, advertisements, exploits).

    And of course... just because JavaScript and Java  - different; JavaScript have another background for malicious-actions; Just time...




    Also here can be next note:


    When some programm will be give alert about something wrong during surfing with Google/Youtube.......  it's practically will be understanding as "false positive" - and it's bad.

    and in community some weeks ago was some letters about blocking youtube, google and not just by F-Secure (also by MBAM); It's not mean.... that it's "one situation" - just because it was really false-positive probably, but it's not mean - that it's must be always and "strange". Just because.. probably during blocking Google/Youtube by F-Secure... it was false-positive about some kind of trojan-javascript....  and probably it was false positive description for jscript-trojan.


  • NikK
    NikK Posts: 903 Forum Champion

    I came across a VirusTotal analysis of a Caphaw Banking Trojan example. Earlier yesterday only 4 AVs detected it. A couple of hours later it was 11/50.

    F-Secure is NOT among those who detect it. (as of analysis 24 Feb)



    The above link is to the "latest" analysis, so the results may change at any time. 

  • Ukko
    Ukko Posts: 3,619 Superuser

    About that sample.....


    Currently that probably not detected by F-Secure in signature-based analysis yet.

    But also it's not matter... that F-Secure not checking situation about it.


    Also that kind of malware will be detected by F-Secure as "Trojan-GenericKD" or something like that.


    Just because it's not one file... it's a lot of.


    All of that "examples" not possible to detect in first time or ever.


    Certainly know.. that have examples (same detection name and etc.), which already two days or more without detection more than three companies by Virustotal;

    And also certainly know about same examples, which already known by most of companies (more than thirty) already after some weeks or more quickly - after some days.


    It's mean - that examples can be with a lot of detection... just if that sample start be popular with malicious actions.

    Before - it's hard.




    But of course here can be not good things too... such as - for example, with alternative browser (which not supported by F-Secure) you can to visit malicious webpage... where download one of same files.


    That file will be not detection by signature-traditional-base. Simply - nothing.


    Not try it it (yet), but probably most likely variant in that situation will be:


    I prefer use DeepGuard with "turn on - alerts about trying to network connection" - and probably during launch that sample... DeepGuard must be alert about that with detection name by Gemini or same behavior-descriptions;

    Maybe for that not need any settings about network connection and enough "default settings" - but not try it yet.


    It's mean - by signature-based hard to create descriptions for two thousands examples (for example) of same malware (it's will be, but not so fast - just because by hand; And probably it's will be generic-description for trojan-type; Such as Trojan.GenericKD);


    If "example/sample" is popular - it start be more fast in "database" and detected by signature-based (include virustotal information);


    If not - just pro-active must to help. During launch... during trying to network connection or another malicious actions. It's must be - but don't know how it in fact. Maybe I will try do check it...


    Also..... firstly it's must be blocked by IP/URL before any downloaded files. During try to visit malicios page with that samples - need to block that. It's can be not blocked too.


    If it's another way to "download" in system.... already playing points:

     - popular-status of malicious file;

     - good work of pro-active.



    Sorry about a lot of text. Just.... in casual situation.... maybe you do not meet "sample" from currently analisys in VirusTotal.... or meet that sample... already when F-Secure detect it. It's close to true.




This discussion has been closed.
Pricing & Product Info