Last Friday – under the shadow of two critical zero-day exploits against Internet Explorer and Adobe Flash – researchers at Bromium Labs discovered malware being served through an advertising network connected to YouTube. Specific details are still unknown and the threat has not yet been fully mitigated. As of Friday, Google Security had been made aware of the issue and is investigating it together with Bromium.
What is Known
The malware being served is Caphaw (also known as Shylock), a banking Trojan. Emsisoft detects Trojans from this family as Trojan.Win32.Caphaw.
The attackers are infecting YouTube users through third-party ads shown on YouTube, using the drive-by download technique: the malicious ad silently loads exploit code when it is displayed, so a visitor does not have to click on it to be infected.
Further investigation has revealed that the ad network serving the Caphaw malware is also hosting the Styx exploit kit. An exploit kit is a ready-made toolkit that criminals can buy and place on malicious web pages; it probes each visitor's browser and plugins and automatically fires exploits for common vulnerabilities found on unpatched computers. The Styx exploit kit targets Java vulnerabilities in particular. Research indicates that in this attack Styx is being used to exploit CVE-2013-2460, a Java vulnerability that Oracle patched in June 2013 (Java 7 Update 25), so a fully patched Java installation, or a disabled Java browser plugin, blocks this particular exploit.
Research has also indicated that infected machines connect to a command-and-control (C&C) server in Europe. As yet, the server's specific location remains unknown.
Am I at Risk?
Anyone running Emsisoft is automatically protected from Caphaw. Users not running comprehensive anti-virus software who have recently visited YouTube on a PC with an outdated Java plugin may be infected; because this is a drive-by download, simply having the malicious ad displayed is enough, and no click on the ad is required.
The Caphaw Trojan allows attackers remote control of your PC. With such control, attackers may directly access your files, monitor your Internet usage (including online banking sessions, which is what this family is built to target), or use your PC for any number of malicious activities.
If you have recently visited YouTube, Emsisoft recommends an immediate scan with Emsisoft Anti-Malware. The software will detect and remove Caphaw, and protect your PC from future attacks. Updating Java to the current release, or disabling the Java plugin in your browser if you do not need it, closes the hole this exploit kit relies on.
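Because the Styx stage of this attack depends on an unpatched Java runtime, the quickest "am I exposed?" check is to compare the installed Java version against the release that fixed CVE-2013-2460. The script below is an added example written for this article, not code from Emsisoft or Bromium. It assumes the Oracle fix levels from the June 2013 Critical Patch Update (Java 7 Update 25 carries the fix; public Java 6 updates ended in April 2013, before the fix shipped, so any public Java 6 or older install is treated as exposed) and it reads the version from the `java` command on the PATH, which may differ from the plugin your browser actually loads.

```python
import re
import shutil
import subprocess

# Assumption (June 2013 Oracle CPU): Java 7 Update 25 is the first Java 7 build
# that fixes CVE-2013-2460. Anything in the 1.7 line below update 25 is exposed.
FIXED_JAVA7_UPDATE = 25

# `java -version` prints a banner such as:  java version "1.7.0_21"
_BANNER_RE = re.compile(r'version\s+"([^"]+)"')
# Legacy form 1.7.0_21, or the newer 9.0.1 / 11.0.2 form (no update suffix).
_NUM_RE = re.compile(r'(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, minor, patch, update) from a `java -version` banner or a
    bare version string such as '1.7.0_21'; None if no version is present."""
    m = _BANNER_RE.search(text)
    core = m.group(1) if m else text.strip()
    n = _NUM_RE.match(core)
    if not n:
        return None
    return tuple(int(g or 0) for g in n.groups())


def exposed_to_cve_2013_2460(version):
    """True if this Java version predates the fix, False if it carries it,
    None if the version is unknown (no Java found or banner not parsable)."""
    if version is None:
        return None
    major, minor, _patch, update = version
    line = (major, minor)
    if line < (1, 7):
        # Java 6 and older: public updates ended before the fix shipped,
        # so a public install cannot be on a fixed build. Treat as exposed.
        return True
    if line == (1, 7):
        return update < FIXED_JAVA7_UPDATE
    # Java 8 and later were released after the fix.
    return False


def check_local_java():
    """Run `java -version` for the JRE on the PATH and return the parsed
    version tuple, or None when no java binary is available."""
    if shutil.which("java") is None:
        return None
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    # Java writes its version banner to stderr, not stdout.
    return parse_java_version(proc.stderr or proc.stdout)


if __name__ == "__main__":
    found = check_local_java()
    verdict = exposed_to_cve_2013_2460(found)
    if verdict is None:
        print("No Java runtime found on PATH (or banner not recognised); "
              "check the browser plugin manually.")
    elif verdict:
        print("Java %d.%d.%d_%d is EXPOSED to CVE-2013-2460: update or disable "
              "the browser plugin." % found)
    else:
        print("Java %d.%d.%d_%d carries the fix for CVE-2013-2460." % found)
```

The verdict applies to the command-line runtime only; a browser may load a different, older Java plugin, so also confirm the plugin version in the browser's add-on list, or disable the plugin outright if you do not need it.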
More Details on this Threat
Bromium published an initial analysis of the attack in a blog post on Friday. The company is currently working with Google Security to investigate the attack in greater detail. Updates are sure to follow.
Serving malicious ads on a high-profile website such as YouTube (malvertising) works on the same principle as a watering hole attack: poison one place that a huge number of people visit rather than many small ones. YouTube receives a vast number of visitors every day, so attacks like this one have a greater chance of infecting more users. People often think that they are safest when visiting such websites, as security is generally much tighter and the odds of being singled out among so many other users seem slim, but this is a misconception: the site itself was not breached, the ad network delivering content to it was. From an attacker's perspective, poisoning just one giant waterhole can be much more profitable and take much less time than poisoning one hundred smaller ones.
This recent attack acts as an important reminder. No website is 100% secure, and even a trusted site can hand you content from a third party it does not control. Whether malicious or not, Internet advertising exists to make money, and a malicious ad does not need to be clicked to do its work. So keep your browser and plugins patched, and be careful where you click.
Here’s to a Malware-Free Week Ahead!