Latest Nuwar Spamming Uses YouTube Lure

Monday, August 27, 2007 at 6:00am by Vinoo Thomas

McAfee Avert Labs has observed a new trend in W32/Nuwar spamming over the weekend. The authors of this malware have resorted to spamming HTML formatted emails that pretend to be from a friend sending a link to a video from YouTube. A copy of the spammed email is as follows:

Copy of spammed email

To the average computer user, the link in the email would seem perfectly legitimate, as it appears to point to youtube.com. Hovering the mouse over the URL, however, shows that it points to a numeric IP address. This is achieved by using special HTML anchor tags to obfuscate the malicious URL, so that what the victim sees is usually not what they get. As if forecasting the Nuwar author’s next move, McAfee Avert Labs had recently blogged about the risks of using HTML formatted email.

Users who fall for this bait and click the link are directed to a site containing an image that tags back to YouTube’s logo.

Fake Site

In the background, an embedded, obfuscated JavaScript routine executes and attempts a cocktail of browser and application exploits. If successful, the user’s machine gets infected with a copy of W32/Nuwar. If the exploits fail to run on a fully patched machine, the malware author has used clever wording on the webpage to entice users to manually download and launch the virus via good old social engineering.

With so much thought and creativity going into keeping the W32/Nuwar juggernaut rolling, it will be interesting to see how the field plays out. Remember, for every countermeasure there is a counter-countermeasure. We only lose if we stand still. And what would be the fun in that? ;-)

Comments (2)

  • Chris August 29, 2007 9:05AM

    It’s obvious why this is happening. They’re running OLD software. It’s not even IE 7 in the screenshot.

  • A Smart Mac User August 28, 2007 2:26PM

    Hey, I just got a virus via a spam-emailed link to download a test program (I knew this would happen, but have good anti-virus and use a Mac, and my anti-virus caught the ‘trojan’). I then went to the server’s IP address (it wasn’t an actual website), and this time it had the YouTube thing (which I also clicked and my anti-virus also caught). Both viruses were trojans. Here are the links, if anybody can do anything about it:

    http://{removed}/setup.exe for the first one

    http://{removed}/ for the second one