Bradley Anstis, director of product management at security firm Marshal, said that spammers are taking advantage of the YouTube function that lets people invite friends to view videos that they have viewed or posted. The function allows someone to e-mail any address from an account.
The scam on Google's video-sharing site is targeting Xbox owners, urging recipients to collect a prize version of the popular game Halo 3. Anstis said clicking on the link to "winhalo3" leads to a file containing a Storm trojan.
To date, Marshal has tracked around 150,000 of the spam e-mail messages thought to have originated from YouTube accounts.
The e-mail messages are exploiting a vulnerability in the sign-up process, according to Marshal, which reported in August a Trojan designed to generate large numbers of Hotmail and Gmail accounts. A similar vulnerability is being exploited in the case of YouTube, said Anstis, adding that spammers have used intelligent character recognition (ICR) software to circumvent the verification system commonly known as Captcha. The Captcha system, in which a person must read and re-enter a selection of blurred or unevenly spaced letters and numbers into a box before being issued a new account--is used to make it harder for software programs, rather than genuine users, to sign up for services.
"There are ways of subverting those sort of systems," Anstis said. "Service providers need to look at how to prevent that from happening."
The YouTube help center also advises people to exclude the firstname.lastname@example.org e-mail address from spam filtering lists--a fact, Anstis, said spammers are likely aware of.
Security vendor Sophos has also reported the YouTube spam problem. Senior technology consultant for the company, Graham Cluley, said this incident differs from the technique commonly associated with the Storm worm, which typically targets PCs for the job of sending spam.
According to Cluley, the YouTube spamming marks a departure for the junk mailers--instead of using botnets to distribute spam, they can use a familiar Web site to pass on messages.
Anstis said this scam could herald the rise of outsourced bot-herding whereby the botnet controller pays a third party to acquire further bots.
"Now, you can rent time on a botnet network and have a tech support department. If I'm spammer, I would just rent time on a botnet which includes tech support from the botnet owner and a massive resource pool with huge amounts of bandwidth. This may be a third business--selling services to the Trojan operators to help expand their networks. For example, if I own a Trojan network, I pay you 20 cents per bot you get me," Anstis noted.