Re: "the C&C [command-and-control] server replies with a piece of JavaScript code"
"Are they going to try to push YouTube updates?"
Short answer: of course they will... along with many other chameleon-like variations--at varying degrees of effectiveness/deadliness.
But, getting down to fundamentals...
I keep pushing the view that technology didn't really bring us any new scams. It only changed the delivery methods for scams, made such delivery easier, and therefore increased the rate of delivery. After all, that's what technology does. But, when we hear that there's a "new" scam, all I see is just a new variation of a repackaged scam, delivered by a slicker, faster method.
Once we decided that users should be prompted to allow an update, we effectively created a procedural convention that could be leveraged by fakes.
The fundamental problem is making it impossible to fake an official notification. Basic rule of security: you can make things harder, slow the rate of compromise, and mitigate the risks/costs--but you can't make fakes impossible--just costlier.
And then, if you've bothered to read this far, there's that final unfortunate trade-off. Barriers to fakes usually make things harder on users (think TSA), so we don't build the best barriers in the hopes that users will tolerate and comply with the ones we put in place. It's a bit of a juggle.
Flash is just one of those pervasive things that should have died long ago. Its persistence is simply easily exploited. It's a bit of low-hanging fruit that should