YouTube Malware: Sweet Orange Swallows YouTube


Watch YouTube much? Statistics say you do — according to the video sharing site’s official statistics page, over 1 billion unique users visit and more than six billion hours of video are watched every month. The site is also seeing increased monetization with more than a million registered advertisers, many of which use TrueView in-stream ads. As noted by QZ, the market for ads on YouTube has nowhere to go but up: analysts at Jefferies say it could bring in $7 billion worth of revenue for Google in 2015 and easily top $30 in the next few years. With YouTube now responsible for 40 percent of all online video consumption, there’s a massive amount of headroom.

And there’s a problem. Recently, the site was targeted by ads infected with the “Sweet Orange” exploit kit, and has now sent over 113,000 users in the United States to malware-infected webpages. Here’s what you need to know.

Juicy Target

As noted by security firm Trend Micro, which first discovered this exploit, the vast majority of users affected are from the United States: 95.84 percent, to be exact. And while this kind of “malvertising” is a common way of convincing users to click on legitimate looking links, it’s the first time YouTube has been targeted to such a degree. In fact, attackers were able coordinate their efforts with the release of big-traffic videos, for example “a music video updated by a high-profile record label” that saw over 11 million views. The sheer volume of users targeted and the precision with which such attacks were carried out is cause for enough for concern — but how did malicious actors manage to get their foot in the door?

Foreign Oranges?

The natural assumption here is that the Sweet Orange gang is hiding out in another country, but analysis of the malware’s redirect patterns says otherwise. It starts with modified DNS information, specifically that of a Polish government site. The site itself wasn’t compromised — instead, attackers added their own server-specific subdomains to alter the original DNS. Users who clicked on malicious ads were first taken to a redirect server in the Netherlands, then a second server in the same region and finally back to a server in the United States.

In this case, Sweet Orange relied on two Internet Explorer vulnerabilities: CVE-2013-2551 and CVE-2014-0322, which ultimately led users to pages infected with the KOVTER family of malware, often used in ransomware attacks. A security patch released by Microsoft in 2013 eliminates the relevant vulnerabilities, but Sweet Orange can also target Java and Flash.

Google’s Answer

In an email to Business Insider, Google said “our teams have taken the appropriate actions to resolve this issue,” and noted that “the security of our users is a top priority.” According to a January 2014 blog post by the search giant, they’re always on the hunt for “bad ads” and removed more than 350 million in 2013 — up from 220 million the previous year.

But even accounting for Google’s diligence, these numbers are worrying. Sure, the company is catching more bad ads, but it’s not all thanks to better security practices or threat assessments — as YouTube viewership rises, so too does the interest of malicious attackers. And the best way in? Legitimate-looking ads.

Avoiding the “Bad Ads”

You could stop watching YouTube.

Take a deep breath — while this would solve part of the problem, it’s not really necessary. Instead, start with a secure VPN to prevent ads from determining your location or obtaining any data that might make you more likely to spare a click. Next, update your browser and read any warnings it displays about “suspicious” content. If you’re getting notified, chances are you should stay away. The biggest change to make, though? Don’t click on ads. Just don’t. Enjoy the video, but use the can’t-skip advertising time the same way you do when watching TV: get up, get a snack or check your email, and let the malvertising fall on deaf ears.