An interesting spam message spreading a trojan horse was sent on Friday (the 5th). It carried “videos@youtube.com” in the From header (a trivially forged field) and told the recipient that he/she had been mentioned in one of YouTube’s most viewed videos. The message linked to this supposed “video” but was otherwise unimpressive, with lots of typos and spelling mistakes.
The interesting bit was the link itself. It really did begin with “www.youtube.com” and really did lead to YouTube’s “Forgot username” page, so the domain looked legitimate; it was also very long, because it carried the JavaScript payload.
A cross-site scripting (XSS) flaw in that YouTube page allowed the code to execute in the context of the site, i.e. under YouTube’s own origin. Craftily, the attack’s scripts and styles used images to draw a fake dialog that looked like a native Windows “Luna”-themed window. The dialog told the user that an “ActiveX object” had to be downloaded in order to view the video. A user who allowed the download was infected; clicking “Cancel” instead only made the page repeat that the ActiveX download was needed.
Also of interest is that, although an entire frame was loaded on top of YouTube’s page, the attackers did not try to exploit any flaws in the user’s browser; infection depended entirely on the user accepting the download. Given how poorly worded the e-mail was, it is possible that the XSS flaw was found by someone else and that the actual attackers aren’t especially competent; it is known that many Brazilian trojans, for example, are not written by the people who use them but are bought from a third party.
Before first publicizing the attack at Linha Defensiva earlier today, I contacted Google. They fixed the flaw in just 10 hours — a really fast and impressive response, all the more so for a weekend.