McAfee Avert Labs has observed a new trend in W32/Nuwar spamming over the weekend. The authors of this malware have resorted to spamming HTML-formatted emails that pretend to be from a friend sending a link to a video from YouTube. A copy of the spammed email follows:

[Image: Copy of spammed email]

To the average computer user, the link in the email seems perfectly legitimate because it appears to point to youtube.com, but hovering the mouse over the URL shows that it actually points to a numeric IP address. This is achieved by using special HTML anchor tags to obfuscate the malicious URL, so that what the victim sees is usually not what they get. As if forecasting the Nuwar author’s next move, McAfee Avert Labs had recently blogged about the risks of using HTML-formatted email.

Users who fall for this bait and click the link are directed to a site containing an image that tags back to YouTube’s logo.

[Image: Fake Site]

In the background, an embedded, obfuscated JavaScript routine is executed that attempts a cocktail of browser and application exploits. If successful, the user’s machine gets infected with a copy of W32/Nuwar. If the exploits fail to run on a fully patched machine, the malware author has used clever wording on the webpage to entice users to manually download and launch the virus via good old social engineering.

With so much thought and creativity going into keeping the W32/Nuwar juggernaut rolling, it will be interesting to see how the field plays out. Remember, for every countermeasure, there is a counter-countermeasure. We only lose if we stand still. And what would be the fun in that? ;-)