In the latest instance of a legitimate site being used to spread malware, YouTube is being used to distribute a variant of the Zlob adware.
According to Secure Computing, attackers are using a fake video link on the site to initiate infection with the Trojan, which bombards victims with porn adware, before installing data-stealing code.
To make matters worse, the only defence against such attacks on the popular video-hosting website is the diligence of YouTube's security personnel, who can remove attacks as soon as they find them. However, according to Secure Computing's Paul Henry, this gives the malware distributors a window of opportunity of at least a few hours.
"The fact is, no one expects to find malware hidden in YouTube files. Yet the medium's popularity is highly alluring as a mass distribution vehicle for malicious code. What's alarming is that - from a security perspective - many users and organizations will be blind sided and potentially seriously exposed," he said.
"Hackers look at cost of ownership. On YouTube it [the period of opportunity] is half a day."
The trend to compromise legitimate websites to distribute malware was the latest frontier for criminals, with a string of well-known sites having been hacked in recent times, he said. YouTube's allure was its massive and trusting user base, which cuts across every demographic.
Secure's solution was for companies to invest in 'reputation services' such Secure Computing's own, TrustedSource. Equally, companies might choose just to block access to YouTube.
YouTube-related hacks are nothing new. Last November, one appeared on MySpace that posed as a video from the site, but which turned out to be a similar malware scam to the Zlob hack without actually using the site itself.
More recently, hacks hosted on the site itself have started appearing, or using the promise of a YouTube video as bait.
One researcher even claimed to have uncovered a nest of vulnerabilities on the site, none of which YouTube's owners, Google, had been willing to discuss until he threatened to go public.