Video sharing sites like Youtube and Google Video have become second nature and trusted by all web 2.0 users. The last two weeks has broken this trust, however, as Google Video have been targeted by blackhat SEO campaign operators. The site has been put to use to spread malware using Google’s own search engine rank algorithms against themselves. Because this method of infiltration is a new development in malware distribution it is very import to understand what it is and how it happened.

The current exploit has targeted over 400,000 search queries. The hijacked videos direct site visitors to adult oriented websites which deliver malware through hidden downloads. The reason why the number of targets phrases is so high is because instead of targeting obvious keywords the scammers have piggybacked their content on legitimate videos. This is where the problem becomes severe; as with all content on video sharing websites the more visitors the higher the placement. The result is a self reinforcing problem; the more viewers, the more malware distributed, the higher the placement in Google.

Because it may not be possible to tell a legitimate video from malware infected clip it is important to understand how the malware gets onto your computer. When the video is clicked the user is redirected to a secondary domain. This website closely resembles Youtube in design so it is important to pay attention to the URL. From here the user is given a popup message that states, “Your Flash Version is too old. Your browser cannot play this file. Click “OK” to download and install update for Flash Video Player”. If the user accepts the malware (AutoTDSS.BNA!worm) is downloaded and must be removed manually.

At the time of writing this Google is aware of the problem and looks to create a solution but the exact timeframe is not known. The thing to keep in mind is that because content on video sharing websites is supplied by normal users there is no guarantee that content will be secure. Google and Youtube have always provided good moderation to their websites but it’s inevitable that things slip through the cracks. The best defense is to be aware of abnormal behavior when you visit such websites. If you do run into suspicious activity contact the site administrator as soon as possible.

– Richard Keene
IT Computer Support of New York
Design and Optimization Department