
Storm worm spammers exploit Halo 3 buzz

Liam Tung, ZDNet Asia

Published: 10 Oct 2007 08:44 BST


Spammers are exploiting YouTube's "invite your friends" facility to send spam containing a Storm Trojan from the video-sharing site.

Bradley Anstis, director of product management at security firm Marshal, said that YouTube users can invite their friends to view videos that they are looking at or have posted. Using the facility gives them the opportunity to email any address from their account — a feature the spammers are now exploiting.

The scam is using YouTube to target Xbox owners, urging recipients to collect a prize version of the popular game Halo 3. Anstis said clicking on the link to "winhalo3" leads to a file containing a Storm Trojan.

To date, Marshal has tracked around 150,000 of the spam email messages thought to have originated from YouTube accounts.

The email messages are exploiting a vulnerability in the sign-up process, according to Marshal, which reported in August a Trojan designed to generate large numbers of Hotmail and Gmail accounts. A similar vulnerability is being exploited in the case of YouTube, said Anstis, adding that spammers have used intelligent character recognition (ICR) software to circumvent the verification system commonly known as Captcha. The Captcha system — where a user must read and re-enter a selection of blurred or unevenly spaced letters and numbers into a box before being issued a new account — is used to make it harder for software programs, rather than genuine users, to sign up for services.

"There are ways of subverting those sort of systems," Anstis said. "Service providers need to look at how to prevent that from happening."

The YouTube help centre also advises users to exclude the service@youtube.com email address from spam filtering lists — a fact Anstis said spammers are probably aware of.

Security vendor Sophos has also reported the YouTube spam problem. Senior technology consultant for the company, Graham Cluley, said this case differs from the technique commonly associated with the Storm worm, which typically targets PCs for the job of sending spam.

According to Cluley, the YouTube spamming marks a departure for the junk mailers — instead of using botnets to distribute spam, they can use a familiar website to pass on messages.


Marshal's Anstis said this scam could herald the rise of outsourced bot-herding whereby the botnet controller pays a third party to acquire further bots.

"Now, you can rent time on a botnet network and have a tech support department. If I'm a spammer, I would just rent time on a botnet which includes tech support from the botnet owner and a massive resource pool with huge amounts of bandwidth. This may be a third business — selling services to the Trojan operators to help expand their networks. For example, if I own a Trojan network, I pay you 20 cents per bot you get me," Anstis noted.
