A new hacking tool circulating on the Internet allows malicious users to create fake YouTube pages designed to deliver malware.
The tool, detected by Trend Micro as HKTL_FAKEYOUT, features a user-friendly Spanish-language console that a hacker could use to create a pair of Web pages that look eerily identical to legitimate YouTube pages.
Figure 1. The tool even allows hackers to create fake video titles, descriptions, and comments.
With a little crafty social engineering, unsuspecting users may be led to the first of the fake pages, INDEX.HTML. Here, users may be disappointed to see that they cannot view their video as they need a new version of Adobe Flash Player or some plugin or codec. A link is handily provided, and clicking the link leads users to the hacker’s file of choice, which could very possibly be something malicious.
Figure 2. The index page displays an error message and asks users to download a plugin.
A second fake page informing users that the video they were trying to view cannot be shown is then displayed. This is to make users think that nothing has really happened, when in fact by downloading the plugin, malware may already be running on their systems.
Fake codecs remain popular masks for malware. The popularity of YouTube also makes it a preferred target for malware users who want to infect more users (see our related blog posts YouTube porn spam, the Nardoni video, and YouTube phishing pages).
HKTL_FAKEYOUT could be very dangerous because it is very accessible to script kiddies who could use it for their malware and hacking operations. Users are advised to always check the URLs of pages they are viewing. Also, product updates should be downloaded from the vendors themselves to ensure that these are legitimate and not malicious.
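The URL check advised above can be combined with the two other traits of the fake index page (a plugin prompt and a link to a downloadable file) into a simple triage heuristic. This is an added example, not code from Trend Micro or from the tool; the host list, lure words, file extensions, reason labels and sample page are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed values for this sketch; none of them come from the article.
YOUTUBE_HOSTS = ("youtube.com",)
LURE_WORDS = ("flash player", "plugin", "codec")
RISKY_EXTENSIONS = (".exe", ".scr", ".msi")

# Constructed sample imitating the INDEX.HTML behaviour described above.
SAMPLE_URL = "http://video-host.example/index.html"
SAMPLE_HTML = (
    "<html><head><title>YouTube - Funny video</title></head><body>"
    "<p>You need a new version of Adobe Flash Player to view this video.</p>"
    "<a href='http://video-host.example/install_flash.exe'>Download</a>"
    "</body></html>"
)


class _PageScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []  # text nodes (title included), hrefs

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

    def handle_data(self, data):
        self.text.append(data)


def is_youtube_host(url):
    """True only for youtube.com itself or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in YOUTUBE_HOSTS)


def assess_page(url, html):
    """Return the reasons a page resembles the fake-YouTube plugin lure."""
    scan = _PageScan()
    scan.feed(html)
    body = " ".join(scan.text).lower()
    checks = [
        ("youtube-branding-off-domain", "youtube" in body and not is_youtube_host(url)),
        ("plugin-or-codec-prompt", any(w in body for w in LURE_WORDS)),
        ("link-to-executable", any(
            urlparse(l).path.lower().endswith(RISKY_EXTENSIONS) for l in scan.links)),
    ]
    return [name for name, hit in checks if hit]
```

Calling `assess_page(SAMPLE_URL, SAMPLE_HTML)` returns all three reasons, while a page served from youtube.com with no plugin prompt or executable link returns an empty list.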
Update as of 7 October 2008, 7:00 AM PST
This YouTube malware tool was recently updated by its author. The tool still has the same functions as the previous version; the only change is to its graphical user interface (GUI):
Figure 1: The new version of the YouTube malware tool
Figure 2: A sample YouTube page generated by the tool
Figure 3: A sample error page, also generated by the tool
The new version, with the file name YouTube Fake Creator v1.2 Fixed.exe, is also detected by Trend Micro as HKTL_FAKEYOUT.