
Trojans on youtube

Slickone

Diamond Member
I got a Trojan today while watching a video on youtube. I didn't think that was possible, but this article confirms it.

Zone Alarm popped up with:
18838979.exe is trying to access the trusted zone
127.0.0.1 port 2070
This is this program's first attempt.

And I then had 18838979.exe in my c:\ root with the date and time of exactly when I accessed youtube. Trendmicro says it's a TROJ_DLOADER.EMF

You can see it at the bottom of this pic of my cookies folder.
That IP address is in Alberta Canada. Wonder what ZAO is?
Whois of that IP showed:

Generated by www.DNSstuff.com
Location: Canada [City: Gwynne, Alberta]

NOTE: More information appears to be available at NET-206-22-29-0-1.

Automatic Data Processing ADP5 (NET-206-22-0-0-1)
206.22.0.0 - 206.22.255.255
SUPERIOR GARAGE C115248 (NET-206-22-29-0-1)
206.22.29.0 - 206.22.29.255


Will we always be safe if using a good software firewall like ZA?
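The check a responder would run on the situation described in the post above is a timeline correlation: take the firewall's outbound-connection alert, find every file created on disk within a minute or two of it, and see whether the alerting process is itself one of those freshly dropped files (and what else landed alongside it, such as cookies naming the sites that were open). The script below is an added example and not part of the original post; its alert lines and file inventory are constructed for illustration, the "time | program | destination | note" layout is a simplified stand-in rather than ZoneAlarm's real log format, and the paths and timestamps are assumptions chosen to mirror the OP's description.

```python
"""Correlate a host-firewall egress alert with files created around the same time.

Added example (not from the forum thread). All input is constructed; the alert
layout is a simplified stand-in, not ZoneAlarm's actual log format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed alert lines: time | program | destination | note
ALERT_LOG = """\
2006-11-14 21:03:12 | 18838979.exe | 127.0.0.1:2070 | first attempt
2006-11-14 18:40:05 | firefox.exe | 208.65.153.251:80 | allowed
"""

# Constructed file inventory: (path, creation time). Timestamps are assumptions.
FILE_INVENTORY = [
    (r"C:\18838979.exe", "2006-11-14 21:03:10"),
    (r"C:\Documents and Settings\user\Cookies\user@youtube[1].txt", "2006-11-14 21:03:09"),
    (r"C:\Documents and Settings\user\Cookies\user@ads.example[1].txt", "2006-11-14 21:03:11"),
    (r"C:\WINDOWS\system32\notepad.exe", "2004-08-04 12:00:00"),
    (r"C:\Program Files\Firefox\firefox.exe", "2006-10-24 09:15:00"),
]

EXEC_EXT = (".exe", ".dll", ".scr", ".com")


@dataclass
class Alert:
    when: datetime
    program: str
    dest: str
    note: str


@dataclass
class Finding:
    program: str          # process named in the firewall alert
    dropped: list         # executables created inside the time window
    context: list         # non-executables created in the window (cookies etc.)
    self_match: bool      # the alerting process is itself one of the dropped files
    loopback: bool        # destination was 127.x (local proxy / second stage)


def parse_alerts(text):
    """Parse the simplified pipe-separated alert lines; skip malformed ones."""
    alerts = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue
        alerts.append(Alert(datetime.strptime(parts[0], FMT), parts[1], parts[2], parts[3]))
    return alerts


def created_in_window(alert, inventory, window):
    """Return (path, created) pairs whose creation time is within +/- window of the alert."""
    lo, hi = alert.when - window, alert.when + window
    hits = []
    for path, created in inventory:
        t = datetime.strptime(created, FMT)
        if lo <= t <= hi:
            hits.append((path, t))
    return hits


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(alert_text, inventory, window=timedelta(minutes=2)):
    """One Finding per alert that coincides with at least one new executable."""
    findings = []
    for a in parse_alerts(alert_text):
        hits = created_in_window(a, inventory, window)
        execs = [p for p, _ in hits if p.lower().endswith(EXEC_EXT)]
        ctx = [p for p, _ in hits if not p.lower().endswith(EXEC_EXT)]
        if not execs:
            continue  # long-installed program phoning home: not a drop-by-visit pattern
        findings.append(Finding(
            program=a.program,
            dropped=execs,
            context=ctx,
            self_match=any(basename(p) == a.program.lower() for p in execs),
            loopback=a.dest.split(":", 1)[0].startswith("127."),
        ))
    return findings


if __name__ == "__main__":
    for f in triage(ALERT_LOG, FILE_INVENTORY):
        print(f"{f.program}: dropped={f.dropped} self_match={f.self_match} loopback={f.loopback}")
        for c in f.context:
            print("  context:", c)
```

With the constructed data the firefox.exe alert produces nothing (its binary was installed weeks earlier), while the 18838979.exe alert lines up with an executable of the same name created two seconds before the alert in the root of C:, flanked by cookies for youtube and an ad host. That is the pattern of a file dropped by the page that was open, as opposed to an already-resident program waking up; the cookie names tell you which third-party content to pull and inspect next.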
 
Actually, the article says:

Security firms are reporting increased instances of booby-trapped Windows codecs - file compressors - required to play some video formats.

Wouldn't this mean you would have to download and install the codec to be infected? Youtube doesn't automatically download codecs to your computer as far as I know.

-KeithP
 
Originally posted by: KeithP
Actually, the article says:

Security firms are reporting increased instances of booby-trapped Windows codecs - file compressors - required to play some video formats.

Wouldn't this mean you would have to download and install the codec to be infected? Youtube doesn't automatically download codecs to your computer as far as I know.

-KeithP
Maybe not, but it did give me a trojan.

 
Would you mind PM'ing me the URL for that YouTube page so I can look into it?

Incidentally, yeah, there's a shiny new exploit afoot involving RealPlayer (ugh) videos. Read more about it at McAfee's blog. One more example of why j00 should be using a Limited account for Web, IM and email. Don't hand over your weapon to strangers with live ammo in it, soldier :evil:

Oh and
Will we always be safe if using a good software firewall like ZA?
No. Try F-Secure's online scanner to get a second opinion, I bet your TrendMicro is only detecting the second-stage part of it. And run your system through Windows Update and install the latest versions of all browsers and media players that you use. If you have Sun Java installed, uninstall all old versions and install Java Runtime Environment (JRE) 5.0 Update 9.

Fully enable DEP like in this pic too.
 
Originally posted by: Slickone
Originally posted by: KeithP
Actually, the article says:

Security firms are reporting increased instances of booby-trapped Windows codecs - file compressors - required to play some video formats.

Wouldn't this mean you would have to download and install the codec to be infected? Youtube doesn't automatically download codecs to your computer as far as I know.

-KeithP
Maybe not, but it did give me a trojan.


It's very unlikely Youtube gave you that trojan, it just activated the trojan that was already on your PC
 
I dunno ... while I was installing my OS and updating my apps [and before I installed AntiVir] a visiting friend accessed 2 sites ... his email [without clicking any links] and YouTube ... my rig was infected within 2 minutes. :Q

a reinstall fixed that
:Q

 
Originally posted by: Slickone
Will we always be safe if using a good software firewall like ZA?
Well obviously not, as this experience would seem to confirm. 😉

There is nothing a firewall can do when a program like your browser requests a malicious file from the internet and then succumbs to its attacks.
 
Looking again at the OP's screenshot, we do see a RealMedia advertising banner among the items. So I'd venture a guess that this is a case of the Real video exploit I mentioned in my last post. If it is the same one, it will try to infect other Real media files on the system, so it would be smart to run an up-to-date virus scanner at least once a day (after updating virus signatures) for the next few days.
 
All of YouTube's stuff is flash based and all of the videos are flv (flash video) which requires no codecs, so unless someone found a way to upload a trojaned flash video to youtube or to insert an exploit into the user comments I can't believe this was YouTube's fault.
 
Oh for some vigilante justice to take these SOB leechers out of business... :|
 
Originally posted by: kamper
Originally posted by: Slickone
Will we always be safe if using a good software firewall like ZA?
Well obviously not, as this experience would seem to confirm. 😉

There is nothing a firewall can do when a program like your browser requests a malicious file from the internet and then succumbs to its attacks.
Obviously. What I meant was because of ZA, the trojan didn't do its job. And because of ZA, I knew it was there and had the chance to delete that exe.
 
Originally posted by: Nothinman
All of YouTube's stuff is flash based and all of the videos are flv (flash video) which requires no codecs, so unless someone found a way to upload a trojaned flash video to youtube or to insert an exploit into the user comments I can't believe this was YouTube's fault.
Trust me. Something did, on youtube's page. As mentioned above, maybe an ad.
 
Originally posted by: mechBgon
Would you mind PM'ing me the URL for that YouTube page so I can look into it?

Incidentally, yeah, there's a shiny new exploit afoot involving RealPlayer (ugh) videos. Read more about it at McAfee's blog. One more example of why j00 should be using a Limited account for Web, IM and email. Don't hand over your weapon to strangers with live ammo in it, soldier :evil:

Oh and
Will we always be safe if using a good software firewall like ZA?
No. Try F-Secure's online scanner to get a second opinion, I bet your TrendMicro is only detecting the second-stage part of it. And run your system through Windows Update and install the latest versions of all browsers and media players that you use. If you have Sun Java installed, uninstall all old versions and install Java Runtime Environment (JRE) 5.0 Update 9.

Fully enable DEP like in this pic too.
I'll run F-Secure's when I get home. Already had that version of JRE since Trendmicro made me install it first (I had 4.x). I'll see if I can remember the URL.
Thanks.
 
Originally posted by: Slickone
Originally posted by: Nothinman
All of YouTube's stuff is flash based and all of the videos are flv (flash video) which requires no codecs, so unless someone found a way to upload a trojaned flash video to youtube or to insert an exploit into the user comments I can't believe this was YouTube's fault.
Trust me. Something did, on youtube's page. As mentioned above, maybe an ad.

Trust no-one. Seriously, the majority of virii out there require user intervention to contract. My guess is that your codec pack was infected when you installed it.
 
Trust me. Something did, on youtube's page. As mentioned above, maybe an ad.

Trust you? You have no idea how you got it but you're sure it was youtube although you don't know what part of youtube, right.
 
Originally posted by: SunnyD
Originally posted by: Slickone
Originally posted by: Nothinman
All of YouTube's stuff is flash based and all of the videos are flv (flash video) which requires no codecs, so unless someone found a way to upload a trojaned flash video to youtube or to insert an exploit into the user comments I can't believe this was YouTube's fault.
Trust me. Something did, on youtube's page. As mentioned above, maybe an ad.

Trust no-one. Seriously, the majority of virii out there require user intervention to contract. My guess is that your codec pack was infected when you installed it.
I haven't installed a codec pack in probably a couple years. And I don't download anything except from trusted/known/popular places millions of other people do too.
 
Originally posted by: Nothinman
Trust me. Something did, on youtube's page. As mentioned above, maybe an ad.

Trust you? You have no idea how you got it but you're sure it was youtube although you don't know what part of youtube, right.
Yes.

You don't believe I know what I'm talking about. I don't believe you know what you're talking about. It's all good.
 
You don't believe I know what I'm talking about. I don't believe you know what you're talking about. It's all good.

You're the one with the burden of proof since you're blaming youtube for infecting your machine.
 