YouTube hijacked for Storm worm spam

Spammers are exploiting YouTube's "Invite your Friends" facility to send spam containing a Storm Trojan from the video sharing site.

Bradley Anstis, director of product management at security firm Marshal, said that YouTube users can invite their friends to view videos that they are looking at or have posted. Using the facility gives them the opportunity to e-mail any address from their account -- a feature the spammers are now exploiting.

The YouTube scam is targeting Xbox owners, urging recipients to collect a prize version of the popular game Halo 3. Anstis said clicking on the link to "winhalo3" leads to a file containing a Storm Trojan.

To date, Marshal has tracked around 150,000 of the spam e-mails thought to have originated from YouTube accounts.

The e-mails are exploiting a vulnerability in the sign-up process, according to Marshal, which reported in August a Trojan designed to generate large numbers of Hotmail and Gmail accounts. A similar vulnerability is being exploited in the case of YouTube, said Anstis, adding that spammers have used Intelligent Character Recognition (ICR) software to circumvent the verification system commonly known as Captcha. The Captcha system -- where a user must read and re-enter a selection of blurred or unevenly spaced text and numbers into a box before being issued a new account -- is used make it harder for software programs, rather than genuine users, to sign up for services

"There are ways of subverting those sort of systems," he said. "Service providers need to look at how to prevent that from happening."

The YouTube Help Centre also advises users to exclude the service@youtube.com e-mail address from spam filtering lists -- a fact Anstis said spammers are likely aware of.

Security vendor Sophos has also reported the YouTube spam problem. Senior technology consultant for the company, Graham Cluley, said this case differs to the technique commonly associated with the Storm worm, which typically targets personal PCs for the job of sending spam.

According to Cluley, the YouTube spamming marks a departure for the junk e-mailers -- instead of using botnets to distribute spam, they can use a familiar Web site to pass on messages.

Marshal's Anstis said this scam could herald the rise of outsourced bot-herding whereby the botnet controller pays a third party to acquire further bots.

"Now, you can rent time on a botnet network and have a tech support department. If I'm spammer, I would just rent time on a botnet which includes tech support from the botnet owner and a massive resource pool with huge amounts of bandwidth. This may be a third business -- selling services to the Trojan operators to help expand their networks. For example, if I own a Trojan network, I pay you 20 cents per bot you get me," he noted.