Malicious videos open dangerous attack vector

[Da_Fuzz]

Administrators should consider restricting access to sites such as YouTube and MySpace because they have the potential to deliver malware that has been embedded inside video files.

Over the past year, a number of serious vulnerabilities have been discovered in the most popular video players. This has coincided with sites such as YouTube, which was recently acquired by Google for US$1.65 billion, becoming increasingly popular. This is a lethal combination, according to security companies.

Both YouTube and MySpace allow their members to upload video files onto a personal homepage, which can then be shared with the general Internet population.

Patrick Peterson, vice president of technology at security firm IronPort Systems, said that unlike more traditional attacks -- where malicious files are attached, or linked to, from spam e-mail messages -- potentially dangerous media files are being passed around by friends and colleagues.

Because the files are from a trusted source, users are more likely to view them.

"[The bad guys] can rely on people going to YouTube and rely on people telling their friends to go to MySpace to get that infection.

"Thing that makes it so dangerous is that your browser is designed to do all sorts of things with active content -- your e-mail program doesn't open up an executable and run it but Internet Explorer will," Peterson told ZDNet Australia.

Last week, antivirus firm McAfee predicted that the increasing popularity of video on the Web will make it a future target for hackers. As people become more reluctant to open e-mail attachments from anonymous sources, hackers will target users who open media files instead, the company said.

The functionality of online video, which includes pop-up ads and URL redirects, will become "ideal tools of destruction for malware writers," claimed McAfee in a statement. "As video-sharing networks on the Web proliferate, the potential capture of a large audience will incite malware writers to exploit these channels for monetary gain."

"In combination, these issues make malicious coders likely to achieve a high degree of effectiveness with media malware," the statement said.

McAfee security analyst Greg Day anticipates that businesses will prefer users not to download video onto work PCs.

"A lot of companies currently have verbal policies [prohibiting video downloads] … we expect more formal enforcement to come into place," said Day.