Adware Stalking User Content Sites

By Matthew Hines  |  Posted 2009-03-08 Print this article Print

Adware distributors have been tapping into the viral nature of Web 2.0 sites to fool users into downloading and even distributing their content for some time, but the activity has been ramping up in recent days, with one particular campaign taking off, according to researchers at PandaLabs.

According to the badware-tracking experts, infections of the "VideoPlay" adware program have leapt over the last month in particular, growing by 400 percent in Feb. alone, compared to Jan. '09.

The advertising program's primary delivery methods of late include the and YouTube user content portals, PandaLabs said, highlighting the success that attackers are enjoying in sucking-in visitors to such domains via the use of links to infected video files or drive-by sites.

PandaLabs researchers said that VideoPlay is designed to download a worm attack that attempts to steal email accounts and passwords for sale and subsequent use in committing cybercrimes.

"The main reason attributed to this dramatic increase is because of the use of popular Web 2.0 sites such as or YouTube to distribute this malware," the researchers maintain.

As with previous badware threats that attempt to dupe YouTube users into navigating their way to malware sites, the current VideoPlay campaign uses the comments sections on legitimate videos posted to the site to market itself to potential victims.

When users who click on the involved links reach the URLs advertised in the comments sections, they are asked to download a codec in order to watch additional video files, which of course delivers the adware attack.

PandaLabs experts noted the fact that many consumers retain a false sense of security regarding the user content sites they visit, based largely on the legitimate trust relationships that they've already develop with other users of these domains.

"This is another example of how cyber-crooks are using the most popular Web pages and social engineering to distribute malware massively," Luis Corrons, technical director of PandaLabs, said in an advisory. "Users should remember that even though they may be visiting trusted Web sites, they should always be on their guard, and in particular, watch out for sensationalist headlines, as these are typically used to trick users and infect the computers."

And importantly, just because you can largely trust videos posted on YouTube doesn't mean that you can trust other URLs linked to from the site.

On a related note, researchers recently gained a rare window into the mind of a successful adware creator, as a former employee of Direct Revenue, the notorious adware house targeted for its business practices in 2006 by Eliot Spitzer, talked about his salad days launching the unwanted programs in an interview with the Philosecurity blog.

In the interview, the reformed adware writer, Matt Knox, detailed a number of the tactics that he and his colleagues used for years to spread their programs as widely across the Web as possible.

Some of the highlights from the interview include the fact that Direct Revenue's team:

-Would frequently create programs that would erase its competitors' adware. -Used free screensavers infected with adware as a hugely successful model. -Primarily delivered its goods by exploiting Windows vulns. -Considered IE the biggest target for attacks. -Relied on innovation compared to rivals and filters as its most important asset. -Never targeted UNIX users with adware.

For the entire conversation, read here.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel