Caphaw Trojan Found in Youtube Ads

Last Friday, under the shadow of two critical zero-day exploits for Internet Explorer and Adobe Flash, researchers at Bromium Labs discovered malware being served by an advertising network connected to Youtube.  Specific details are still unknown and the threat has yet to be completely mitigated.  As of Friday, Google Security had been made aware of the issue and is investigating it together with Bromium.

What is Known

The malware being served is the Caphaw banking Trojan.  Emsisoft detects Trojans from this family as Trojan.Win32.Caphaw.

The attackers are infecting Youtube users through third-party ads displayed on Youtube, using the drive-by download technique: the exploit runs when the page carrying the ad is loaded, so the victim does not have to click anything.

Further investigation has revealed that the ad network serving the Caphaw malware is also hosting the Styx exploit kit.  An exploit kit is a ready-made toolkit that criminals can buy and place on malicious web pages to automatically attack common vulnerabilities on unpatched computers.  The Styx exploit kit targets Java vulnerabilities in particular.  Research indicates that in this attack Styx is being used to exploit CVE-2013-2460, a Java vulnerability that Oracle fixed in its June 2013 Java update, so machines running a current Java version, or with the Java browser plugin disabled, are not exposed to this particular exploit.

Research has also indicated that infected machines connect to a command-and-control (C&C) server in Europe.  As yet, this server's specific location remains unknown.
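For readers who run a web proxy, the infection chain described above (ad-network request, then a Java archive fetched from the exploit kit's landing page, then a first contact with a previously unseen host that may be the C&C server) can be hunted for in proxy logs.  The following Python script is an added example written for this article; it is not code from the original post or from Bromium's analysis, and every hostname, IP address, log line and the ad-network list in it is constructed for the example.  The log format (timestamp, client, method, URL, referrer, content type) is an assumed, simplified one.

```python
"""Hunt web-proxy logs for a drive-by-download chain:
ad-network request -> Java archive (JAR) download -> first contact with a
host the client has never talked to before, each step within a time window.
All data below is constructed for this example.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log. Fields: timestamp client method url referrer content_type
SAMPLE_LOG = """\
2014-02-21T10:00:01 10.0.0.5 GET http://www.youtube.com/watch?v=abc - text/html
2014-02-21T10:00:02 10.0.0.5 GET http://ads.example-adnet.test/serve?id=9 http://www.youtube.com/watch?v=abc text/html
2014-02-21T10:00:03 10.0.0.5 GET http://cdn.example-landing.test/index.php http://ads.example-adnet.test/serve?id=9 text/html
2014-02-21T10:00:04 10.0.0.5 GET http://cdn.example-landing.test/app.jar http://cdn.example-landing.test/index.php application/java-archive
2014-02-21T10:00:09 10.0.0.5 POST http://203.0.113.7/gate.php - application/octet-stream
2014-02-21T10:01:00 10.0.0.9 GET http://www.youtube.com/watch?v=xyz - text/html
2014-02-21T10:01:01 10.0.0.9 GET http://ads.example-adnet.test/serve?id=3 http://www.youtube.com/watch?v=xyz text/html
2014-02-21T10:01:02 10.0.0.9 GET http://www.youtube.com/api/stats http://www.youtube.com/watch?v=xyz application/json
"""

# Hypothetical ad-network hostnames; in practice feed in your own list.
AD_NETWORKS = {"ads.example-adnet.test"}
JAR_TYPES = {"application/java-archive", "application/x-java-archive"}
WINDOW = timedelta(minutes=5)  # maximum gap between consecutive steps of the chain


def parse_log(text):
    """Parse the whitespace-separated log into dicts, sorted by time."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referrer, ctype = line.split(maxsplit=5)
        entries.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "client": client,
            "method": method,
            "url": url,
            "host": urlparse(url).hostname or "",
            "referrer": None if referrer == "-" else referrer,
            "ctype": ctype,
        })
    return sorted(entries, key=lambda e: (e["time"], e["client"]))


def is_jar(entry):
    """A Java archive, by declared content type or by URL path."""
    path = urlparse(entry["url"]).path.lower()
    return entry["ctype"] in JAR_TYPES or path.endswith(".jar")


def find_driveby_chains(entries, ad_networks=AD_NETWORKS, window=WINDOW):
    """Return one hit per client that shows the full ad -> JAR -> new-host chain.

    A new host reached without a preceding JAR download is ordinary browsing
    and is deliberately not flagged.
    """
    hits = []
    state = {}  # client -> {"seen": hosts contacted so far, "ad": entry, "jar": entry}
    for e in entries:
        st = state.setdefault(e["client"], {"seen": set(), "ad": None, "jar": None})
        ad, jar = st["ad"], st["jar"]
        if jar and e["time"] - jar["time"] <= window and e["host"] not in st["seen"]:
            # First contact with a never-before-seen host shortly after the JAR: report it.
            hits.append({"client": e["client"], "ad_request": ad["url"],
                         "jar": jar["url"], "first_contact": e["url"]})
            st["ad"] = st["jar"] = None
        elif ad and is_jar(e) and e["time"] - ad["time"] <= window:
            st["jar"] = e
        if e["host"] in ad_networks:
            # A fresh ad-network request starts a new candidate chain.
            st["ad"] = e
            st["jar"] = None
        st["seen"].add(e["host"])
    return hits


if __name__ == "__main__":
    for hit in find_driveby_chains(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']}: {hit['ad_request']} -> {hit['jar']} -> {hit['first_contact']}")
```

On the constructed log this reports client 10.0.0.5, whose JAR download from the landing page is followed five seconds later by a POST to an address it had never contacted; client 10.0.0.9, which loaded an ad and then kept talking to Youtube, is not reported.  The "never seen before" test is only as good as the log history you give it, so run it over a long enough window that normal CDN and update hosts are already in each client's seen set.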

Am I at Risk?

Anyone running Emsisoft is automatically protected from Caphaw.  Users not running comprehensive anti-virus software who have recently viewed or clicked on a Youtube ad may be infected, particularly if the Java browser plugin on their PC is enabled and out of date.

The Caphaw Trojan gives attackers remote control of your PC.  As a banking Trojan, its main purpose is to steal online banking credentials, but with such control attackers may also directly access your files, monitor your Internet usage, or use your PC for any number of other malicious activities.

If you recently viewed or clicked on a Youtube ad, Emsisoft recommends an immediate scan with Emsisoft Anti-Malware.  The software will detect and remove Caphaw and protect your PC from future attacks.

More Details on this Threat

Bromium published an initial analysis of the attack in a blog post on Friday.  The research firm is currently working with Google Security to investigate the attack in greater detail, and further updates are expected.

Targeting a high-profile website such as Youtube is a watering hole tactic.  Youtube receives an enormous number of visitors per day, so an attack like this one reaches far more potential victims than an attack on a small site.  People often assume they are safest on such websites, because their security is generally much tighter and the odds of being singled out among so many other users seem slim, but this is a misconception: in this case the malicious content came from a third-party ad network, not from Youtube's own servers, and from an attacker's perspective poisoning just one giant watering hole is more profitable and takes less time than poisoning a hundred smaller ones.

This recent attack is an important reminder.  No website is 100% secure, and Internet advertising, malicious or not, exists to make money.  So be careful where you click, and keep browser plugins such as Java patched or disabled.

Here’s to a Malware-Free Week Ahead!

  • LodeHere

    With AdMuncher installed I never even see any YouTube ads. Also running my browsers by default in the virtual space (sandbox) of Sandboxie helps. But the developer of Sandboxie strongly recommends using a good AV anyway, as a few times a year someone manages to get through. He always fixes it, he says, but I'm glad to have Emsisoft Anti-Malware as a last solid defense. Just in case… ; )

  • Warren Gacsi

    Excellent. Thank you for the heads-up.

  • emsisoft_steve

    Glad we could help!


  • danyelle

    I'm sure this is a dumb question if you're computer savvy, but these types of viruses, they don't affect iPhones, do they?

    • emsisoft_steve

      Hi Danyelle,
      This particular malware does not affect the iPhone, and in general most malware does not target Apple products.

  • emsisoft_steve

    Hi Bobby,
    Emsisoft Anti-Malware is a complete antivirus solution and will protect your PC on its own. We have spent considerable time building it in a way that makes it compatible with almost all other antivirus programs, though. You could run Emsisoft and McAfee at the same time if you liked.
