The Malware that hacked Linus Tech Tips

  • Published on May 29, 2023
  • Linus Tech Tips recently was hacked by a redline infostealer pdf/scr file in a malicious sponsor email. I myself have been receiving a ton of such fake sponsor emails and in this video we look at the attack process. Get Crowdsec for free: www.crowdsec.net/?mtm_campaig... (sponsor)
    Buy the best antivirus: thepcsecuritychannel.com/best...
    Join the discussion on Discord: discord.tpsc.tech/
    Get your business endpoints tested by us: tpsc.tech/
    Contact us for business: thepcsecuritychannel.com/contact
  • Science & Technology

Comments • 3 103

  • Magnum Bloodstone
    Magnum Bloodstone 2 months ago +3508

    I've always thought it was a terrible idea for Microsoft to hide file extensions by default. Just asking for trouble.

    • M29
      M29 2 months ago +117

      Facts, that is why I always activate the config to enable that

    • Hendrik
      Hendrik 2 months ago +82

      It's a pain to keep having to turn it on on every single machine I use that is new. I mainly use it to quickly be able to make a backup of files so I can just add .bak to the name or .orig. This only works if file extension names are enabled.

    • CD
      CD 2 months ago +59

      That's not even the bad part of all this. MS is now active in keeping you out of some sections of the OS. You don't even know if MS is collecting these tokens or not or for what reason either. I assure you... they can and do if the right people in authority request it. Nothing on a machine is secure.

    • Dick Cheney
      Dick Cheney 2 months ago +8

      That's how you can spot computer literacy at a glance.

    • Sierra Whisky
      Sierra Whisky 2 months ago +16

      A file name is just what it is. It doesn't tell anything about its content, just as your name doesn't say anything about your personality. Changing a .xls to .jpg doesn't make it an image, just as changing my name to yours doesn't change my personality to become yours.

  • David Frischknecht
    David Frischknecht 2 months ago +474

    The first red flag to me about that so-called PDF is that the extension is visible while the extension for the video file is not. A helpful tip is to configure File Explorer to always show file extensions.

    • Tice Nits
      Tice Nits 2 months ago +52

      That and the fact that the domain was Eastern European. The author of this video wants to act like that's totally common and no big deal but it's not. If g fuel is reaching out to you from the Czech Republic you should damn well know better.

    • M. B.
      M. B. 2 months ago +8

      Or maybe don't use File Explorer in the first place... Use smth that is more intelligently designed like Total Commander

    • David Frischknecht
      David Frischknecht 2 months ago +45

      @M. B. Whatever floats your boat.

    • Bas Biemans
      Bas Biemans 2 months ago +9

      That's the case in this example, if the PDF was 'alone' in a folder you wouldn't look twice at a .pdf

    • Ella Soderstrom
      Ella Soderstrom 2 months ago +9

      The first red flag to me about that so-called PDF is that the extension is visible while the extension for the video file is not. A helpful tip is to configure File Explorer to always show file extensions.

  • Flyboy
    Flyboy 2 months ago +422

    A 770Mb PDF file would be a major red flag. I think the largest genuine PDF file I've ever seen was less than a hundred megabytes and that contained full color images.

    • Hex Rox
      Hex Rox Month ago +31

      The problem with a very fast internet connection is the employee probably didn't get a look at how big the file was and just automatically checked the content after it was done downloading

    • Meneldal
      Meneldal Month ago +37

      @Hex Rox The file is full of 0s, the zip archive would be actually quite small.

    • revoxx
      revoxx Month ago +6

      Even that is small, I would say. I made the yearbook for my class, and that is around 200MB. So I would be careful with blanket statements like that.

    • Dyson
      Dyson Month ago +6

      @revoxx A yearbook is different than an agreement form..
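
The two points raised in this thread (size alone proves little, and a file "full of 0s" shrinks to almost nothing in an archive) can be checked on content rather than on the name. This is an added example, not code from the video or from any commenter; the function names, thresholds and both sample buffers are constructed for illustration.

```python
import zlib

# Well-known leading "magic" bytes of a few formats.
MAGIC = [
    (b"MZ", "pe-executable"),      # Windows EXE / SCR / DLL
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
]
# Name fragments that make a file look like a document (assumed list).
DOCUMENT_HINTS = (".pdf", ".doc", ".xls", ".jpg", ".png")


def sniff(data):
    """Identify content from its first bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def zero_fraction(data):
    """Share of bytes that are 0x00."""
    return data.count(0) / len(data) if data else 0.0


def deflate_ratio(data):
    """Compressed size divided by raw size; padding compresses to ~nothing."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 6)) / len(data)


def content_findings(name, data):
    """Findings based on content; file size by itself is never a finding."""
    findings = []
    lowered = name.lower()
    if sniff(data) == "pe-executable" and any(h in lowered for h in DOCUMENT_HINTS):
        findings.append("content-is-executable")
    if zero_fraction(data) > 0.9:          # assumed threshold
        findings.append("mostly-zero-padding")
    return findings


# Constructed sample: "MZ", filler standing in for code, then 2 MiB of zeros.
SAMPLE = b"MZ" + bytes(range(1, 256)) * 16 + bytes(2 * 1024 * 1024)
# Constructed benign sample: a PDF header followed by dense non-zero data.
BENIGN = b"%PDF-1.7\n" + bytes(range(1, 256)) * 100

if __name__ == "__main__":
    for name, data in (("agreement.pdf.scr", SAMPLE), ("yearbook.pdf", BENIGN)):
        print(name, len(data), sniff(data),
              round(zero_fraction(data), 4),
              round(deflate_ratio(data), 4),
              content_findings(name, data))
```

For files of the size discussed above, read and count in chunks instead of loading the whole file into memory.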

  • David Romig
    David Romig Month ago +25

    LTT does use permissions but they have a lot of users with a variety of permissions. One of the first things Linus did was change 2FA and passwords for the main accounts and then log out all devices logged in, but logging out the attackers didn’t log them out. Then he hopped onto the content manager to start revoking rights, but he didn’t set it up and didn’t want to wake up the one that did so had to learn as he went. But Clip-Share’s content manager started throwing errors and timing out trying to revoke rights for some reason. So he tried logging into some of the users but due to a recent password mitigation, he didn’t have access to some of them yet. Later they found out Google knew which account was compromised but didn’t immediately tell them.
    Got this from the video they made the days of the attack. They sounded good considering they hadn’t slept in 24 to 48 hours at that point.

  • YK
    YK 2 months ago +14

    A better solution might be a warning when attempting to open a file with multiple extensions, rather than just disabling "hide extensions for known file types" in Explorer. This may work for an experienced user who knows what different file extensions are, but for a novice who doesn't know the difference, they're probably going to just ignore the extension anyways. This could be annoying for power users though.

    • Hammer Fist
      Hammer Fist 2 months ago

      The only extension that matters or is actually an extension, is the last one. I fully agree that better file level security is part of the solution, and that begins with not allowing a file to be named .pdf.scr or .pdf.exe.

  • william henry
    william henry Month ago +29

    I'm going through my security + training and this was an awesome breakdown of a real world scenario! I am definitely a subscriber now.

    • Kossi
      Kossi Month ago +1

      Same here, you should check out Professor Messer if you haven't already, he's got a free video series on how to pass 💜

  • Name
    Name 2 months ago +6224

    File name extensions need to be enabled BY DEFAULT. Hiding the file extensions might look cleaner, but it heavily increases the chance of getting tricked into running an executable.

    • B Gill
      B Gill 2 months ago +485

      Yeah, it’s strange Windows hides them by default. Makes no sense.

    • Fusseldieb
      Fusseldieb 2 months ago +311

      The problem is that tech illiterate people rename a file and then accidentally remove the extension. It doesn't highlight the extension by default, but I've seen it happening a couple of times with other ppl.

    • B Gill
      B Gill 2 months ago +451

      @Fusseldieb Windows will warn you though if you try to do this.

    • torsten_dev
      torsten_dev 2 months ago +204

      It's times like this you really appreciate the execute permission bit on Linux.

  • kevbu4
    kevbu4 2 months ago +105

    Thio Joe has recently done a couple of videos about this and similar attacks.
    And for all the people talking about showing file extensions, it turns out there are a few unicode characters that reverse text direction after the character, even the file extension.
    That will keep you on your toes. And Thio Joe discussed that too.

    • Hirendra Prakash - Exoplanet Creator
      Hirendra Prakash - Exoplanet Creator 2 months ago +3

      yes, i saw that video 😁

    • Richard
      Richard 2 months ago +8

      Yes, there's some kind of hack involving right-to-left languages.

    • TechJunkie
      TechJunkie Month ago

      Pretty sure .scr is one of those superhidden extensions, like .lnk and such. In this case, they didn't need to use that special command.

  • André Silva
    André Silva 2 months ago +70

    I always thought that keeping session cookies in plain text on the storage device was a bad idea. The information should be encrypted by the browser.

    • blue internet
      blue internet 2 months ago +7

      or just don't let applications (like screen savers) read any arbitrary data on the disk. especially web browsers

    • CtrlAltDelicious69
      CtrlAltDelicious69 2 months ago +9

      It is not saved in plain text in your browser; the malicious code just bypassed that, it acts like it's your own computer

    • Rohan.S. Jamadagni
      Rohan.S. Jamadagni 2 months ago +2

      Would you be okay entering a password every time you launch the browser?

    • blue internet
      blue internet 2 months ago +4

      @Rohan.S. Jamadagni maybe, but it's not necessary. you can leverage the operating system to encrypt based on the computer's password or protect the address space, or both

  • Ramonatho
    Ramonatho 2 months ago +42

    I don't know if this is common for malware, but one thing I found interesting was all the date and time codes for the different time markers in the hex editor were impossible dates for computers to exist in like 1601.

    • AegisHyperon
      AegisHyperon Month ago

      1601 is the first year of the Gregorian calendar cycle that was active when Windows was designed

    • flubnub
      flubnub Month ago +4

      Completely reasonable interpretation, but those aren't the dates of the data, but rather the actual data being interpreted as dates. So because most or all of the data aren't dates, they naturally appear as nonsense when interpreted as such.
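
Why a hex editor's data inspector keeps showing 1601 can be seen by decoding arbitrary bytes as a Windows FILETIME (a 64-bit little-endian count of 100-nanosecond ticks since 1601-01-01 UTC). This is an added example, not part of the video or the comments; the function names are hypothetical and the byte strings are constructed, the first being a typical start of a PE file's DOS header.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_AS_FILETIME = 116444736000000000   # 1970-01-01 in 100 ns ticks


def filetime_to_datetime(raw):
    """Decode 8 little-endian bytes as a FILETIME.

    Returns None when the value lies beyond what datetime can represent,
    which is what happens for most large random-looking values.
    """
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    ticks = int.from_bytes(raw, "little")
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        return None


def inspect_as_filetime(buf, offsets):
    """Mimic a data inspector: decode the 8 bytes found at each offset."""
    return [(off, filetime_to_datetime(buf[off:off + 8])) for off in offsets]


# Constructed inputs.
DOS_HEADER_START = bytes.fromhex("4d5a900003000000")      # "MZ" + header fields
ZERO_PADDING = bytes(8)                                   # padding bytes
ALL_ONES = b"\xff" * 8                                    # far out of range
# A genuine timestamp for comparison: 2023-05-29 00:00:00 UTC.
REAL_STAMP = (UNIX_EPOCH_AS_FILETIME + 1685318400 * 10_000_000).to_bytes(8, "little")

if __name__ == "__main__":
    buf = DOS_HEADER_START + ZERO_PADDING + ALL_ONES + REAL_STAMP
    for off, value in inspect_as_filetime(buf, [0, 8, 16, 24]):
        print(f"offset {off:2d}: {value}")
```

Small integers and zero padding land within the first minutes of 1601, so a field full of such "dates" indicates the bytes are not timestamps at all.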

  • klaykid117
    klaykid117 2 months ago +35

    I really hope that this is a lesson for all of LTT media to only give very specific people access to the actual channels. These aren't just user accounts This is what their whole business is built off of

    • Amanda Alexandre
      Amanda Alexandre Month ago

      Also, from a different standpoint, Clip-Share could have a better system to manage content. Like a multi-user system with different permissions regarding a channel, like one user does community posts and responds to comments, other can check analytics, and only the superuser can upload/delete videos/stream. Something like that. Many channels are kept by companies at this point I'm surprised YT doesn't have a paid company service that accommodates to them. Surely beats making money by forcing 300 ads per minute down people's throats.

    • Neptune
      Neptune Month ago

      @Amanda Alexandre They do have a system like that. The account that was stolen had access to uploading videos because the marketing/advertisement people at LTT upload the fully sponsored videos, like the partnerships with AMD.

  • Rudy Soliz
    Rudy Soliz 2 months ago +14

    Good video with some cool insight. Linus explained that only certain people have access to the channel, and even those people have limited access to certain things. Would be a good wake-up call for new protocols or software to prevent something like this from happening again.

    • Dzen acs
      Dzen acs Month ago

      New protocol - don't click and open unknown files like you are a 7 year old using email for the first time

  • shorts
    shorts 2 months ago +5900

    Imagine people who send malicious emails to someone named "The pc security channel"

    • Chiru
      Chiru 2 months ago +691

      this is more like a declaration of war

    • ChosenToKill
      ChosenToKill 2 months ago +281

      they're getting cocky :D

    • Tathan
      Tathan 2 months ago +123


    • WloCkuz
      WloCkuz 2 months ago +432

      I mean they did it to a channel called "Linus *Tech Tips* " and it clearly worked so why not!

    • Cedric Son Aquevido
      Cedric Son Aquevido 2 months ago +44

      roll of the dice except its 100 sided

  • King Squirrel
    King Squirrel Month ago +2

    I dunno why, but I was kinda expecting you to run it so we could see the whole process. For example, when they opened it, what would've happened? (locked their pc, etc or would it have looked like a "real" agreement when opened and more of a stealth approach?) The effort some people go to is insane and I wonder how many people actually fell for the crypto videos/sent crypto.
    I think with the rise of AI, this will get harder and harder to notice/detect and some people are already using AI to scam people. I heard about a case where they used AI voice cloning to clone the voice of a person and then called that person's parents pretending to need money for something serious and the parents never for a second thought it was a scam so handed over $5k. I'm not sure if you've looked into AI much, but I think you should definitely take a quick deep dive into it as the stuff is scary now and even if it is "bad", it's the worst it'll ever be and can only get better which is even scarier to think about.
    Also, uploading a crypto video on his YT channel doesn't seem like the smartest move if money was the main goal imo. Wouldn't it have been easier to just use their pc for ransomware or maybe LTT had backups or something. Still, very interesting video.

  • Alexander Miller
    Alexander Miller Month ago +2

    You mentioned that there should not have been so many people who had access to be able to manage the youtube channel, but another thing to consider is that (at least to me it seems this way) most employees at LMG have administrator Windows/Mac accounts, and this type of malware code would have to run with administrative privileges to capture the session information and upload to the attacker. If Linus made it so that only senior employees (Linus and Luke etc) only had administrator access and everyone else had normal user accounts, then I feel that this attack could have been prevented. Please feel free to call me out if any of the information in my comment is incorrect. I do not want to spread misinformation.

  • Woe To The Vanquished
    Woe To The Vanquished 2 months ago +1

    I personally think emails that come from verified marketing should have some form of badge that verifies from the company domain -- similar to an SSL cert / public key verification. else the influencer should just avoid opening attachments entirely.

  • Alex Stump
    Alex Stump 2 months ago +21

    Most of these attacks have the files in a zipped archive and they are encrypted requiring a password to open (this helps bypass antivirus as well). Anybody who goes through the process of entering the password into a zipped archive should not be allowed anywhere near anything tech related, that's an obvious huge red flag that anybody should be aware of. It's not as simple as "just clicking one file", it's a multi step process

    • Omega
      Omega Month ago +3

      I'm sorry alex stump but i did not know putting a password on a zip file helps bypass antivirus, do i now no longer have access to my computer?

  • king james488
    king james488 Month ago +1

    what makes it funnier is linus specifically mentioned this type of exploit in a video... and was like "I might have fallen for this one!"

  • Tigrou7777
    Tigrou7777 2 months ago +2243

    Antivirus software (especially Windows Defender) should automatically flag files named .pdf.src or .pdf.exe (stuff similar), because nobody is going to name their documents that way unless they have malicious intentions.

    • ·
      · 2 months ago +266

      It's baffling to me that AVs don't automatically flag these files or warn the user when the scams have been happening since august last year at least

    • Robert Garrison
      Robert Garrison 2 months ago +60

      EDR solutions like Crowdstrike DO this. This is a matter of the Linus team cheaping out on InfoSec tools.

    • Robert Garrison
      Robert Garrison 2 months ago +20

      @kain euler EDR like CS, CB, or S1 do not care about file size. They monitor every single process/thread/command/execution that's running in realtime, so if it catches something it finds sus (which this absolutely would,) it will catch it, regardless of file size.

    • kain euler
      kain euler 2 months ago +52

      @Robert Garrison I'm talking about windows defender or other basic antivirus.

    • Robert Garrison
      Robert Garrison 2 months ago +25

      @kain euler Ah, yeah no, those can't be trusted in 2023 when it comes to proactive monitoring. Those AV's are solely reactive, and by then the damage has already been done. I see this daily at this point in my line of work.
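
The name-based checks asked for in this thread (and the right-to-left Unicode trick mentioned in the ThioJoe replies) fit in a short filter that a mail gateway or download hook could apply. This is an added example, not how Defender or any EDR product implements it; the function names and extension lists are assumptions, and `apparent_name` is a simplified rendering that handles only one override character in an ASCII name.

```python
import re
import unicodedata

# Extensions Windows runs on double-click (subset, assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".lnk", ".msi"}
# Extensions commonly used as the harmless-looking decoy (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg",
              ".png", ".mp4", ".txt", ".zip"}
# Unicode characters that change text direction when a name is displayed.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e"
                    "\u2066\u2067\u2068\u2069\u200e\u200f")
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE


def apparent_name(name):
    """Approximate what the user sees: text after an RLO is drawn reversed."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name


def check_filename(name):
    """Return findings for a file name; an empty list means nothing flagged."""
    findings = []
    if any(c in BIDI_CONTROLS for c in name):
        findings.append("bidi-control")
    # The stored (logical) order decides the real extension, so drop
    # invisible format characters and the trailing dots/spaces Windows ignores.
    logical = "".join(c for c in name if unicodedata.category(c) != "Cf")
    logical = logical.rstrip(" .")
    if re.search(r"\s{3,}", logical):
        findings.append("whitespace-padding")   # pushes the real ext off-screen
    parts = [p.strip().lower() for p in logical.split(".")]
    real_ext = "." + parts[-1] if len(parts) > 1 else ""
    if real_ext in EXECUTABLE_EXTS:
        findings.append("executable:" + real_ext)
        if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
            findings.append("double-extension")
    return findings


# Constructed sample names.
SAMPLES = [
    "agreement.pdf.scr",
    "agreement\u202efdp.scr",          # displays as agreementrcs.pdf
    "agreement.pdf      .exe",
    "report.v2.pdf",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", repr(apparent_name(s)), check_filename(s))
```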

  • Michael Joaquin
    Michael Joaquin Month ago +1

    Great video! It was my first time watching a video from you and as an IT professional transitioning into the cybersecurity field, this was a very informative video!
    btw, in the scroll history it says "Crowdsack" instead of "CrowSec". Just wanted to let you know. Again great video!

  • Lithium Solar
    Lithium Solar 2 months ago +4

    Great discussion. One big thing that was indirectly touched on here - first thing I do on any new system I install is enable viewing of extensions. This will make it immediately obvious that the file says agreement.pdf.scr. In my opinion, the default behavior that Windows hides extensions making agreement.pdf.scr look like agreement.pdf is just helping the propagation of malware. Every version of Windows seems to make things "easier and easier" by taking away as many details as possible rather than simply educating users on what a file extension is.

  • Pathetic People
    Pathetic People 2 months ago +22

    I used to be annoyed with myself over the fact that I got hacked but then seeing how many other people have fallen victim to hacking makes me feel better tbh

    • Spontaneity
      Spontaneity 2 months ago

      how did you get hacked? and how did you find out

    • Unity Tech Future
      Unity Tech Future Month ago

      @Spontaneity there are multiple ways the two most common ways are people losing a tablet, phone or laptop and someone finds it or someone downloads something like SCR or free stuff that contains the malware.

  • BigFootpl
    BigFootpl 2 months ago +6

    Problem is, that youtube offers almost no tools to limit privileges for people having access to a channel. Companies are sometimes forced to give main login information to people who will moderate chats, manage video descriptions etc.
    Another thing is that malware hijacking session tokens and browser passwords doesn't even need admin privilege so restricting user accounts on PC will not defend against it.

  • BKApe
    BKApe 2 months ago +2

    It should probably be a standard protocol to educate staff dealing with a lot of external sources about standard internet security. Or pretty much just have an isolated virtual machine with detection and monitoring software that is used only for opening emails the first time just as an extra layer of security. Worst-case is that email gets phished and you can just deactivate it.
    It shouldn't take too much to have your security expert teach someone on marketing how to detect when there's at least an unusual activity by looking at the logs.

  • VadeVerum
    VadeVerum 2 months ago +912

    Kudos for defending the employee.. People were so quick to call for him to get fired w/o having an iota of an idea of how oblivious most of them would be to a targeted phishing campaign against them, especially at your employment capacity ( ironically, we become less suspicious and more compliant even in security sectors ) vs your personal email. Cheers

    • IrreverantRex
      IrreverantRex 2 months ago +135

      If you're talking about the fire Colton thing, it's an ancient channel meme, Colton has been "fired" hundreds of times. Colton gets blamed for everything and this time it might actually have been him so the meme came back hard. He won't go anywhere though, dude's been there since day 2.

    • Jacques Faba
      Jacques Faba 2 months ago +27

      I agree, it’s Linus’ fault here for making his employees use Windows

    • Hendrik
      Hendrik 2 months ago +6

      A company I worked for was hacked due to a security flaw that was introduced in a Microsoft Exchange Server update.. when it was brought to light he quickly rolled back but by then it was already too late and got hacked around the time people were looking for chocolate eggs a certain bunny had been littering.

    • Anxious Earth
      Anxious Earth 2 months ago +38

      @IrreverantRex Yeah lol. When I found out, that was my first thought. "Oh well, Colton's getting fired for the 22nd time I guess."
      Especially ironic considering the origin of that meme includes iirc him almost getting the channel banned or something and then getting 'fired'.

    • SomeGuyNamedMelvin
      SomeGuyNamedMelvin 2 months ago +11

      @Jacques Faba He should probably keep people who have access to anything even remotely important to only those who terminally live inside a computer. Having Windows is not an excuse to fall for a phishing attack. The only excuse is incompetence. Not opening an executable through email is like computer literacy 101.

  • Michael
    Michael Month ago +1

    very cool malware honestly whoever made it was quite smart to make it a large file i also noticed avg programs don't scan larger files and good execution with the email and pdf.scr
    honestly might have even caught me off guard if i had a youtube channel

  • Techguy 411
    Techguy 411 2 months ago +1

    Would be nice if you could in a sandbox environment test the sample that bypassed their AV according to them the AV gave a notice but somehow it still was able to do the job my guess it has a way to inject a payload even with an AV and see what AV actually work against this.

  • Arthur Khazbs
    Arthur Khazbs 2 months ago

    Browsers definitely need a way to harden their storage mechanisms. They already allow the users to encrypt stored passwords, but they should also allow to encrypt cookies, local storage and other stored data with a master key/password. And surely, only that exact browser with a verified vendor signature should have the OS's permission to work with its files.

  • Michael Tedeschi
    Michael Tedeschi 2 months ago +3

    Great breakdown of the situation. It blows my mind that things like this still work, but as we see time and time again, session stealing is very much still a lethal and viable technique. Nice breakdown and hopefully this is a reminder for the tech-oriented user to pay close attention to what they open... All it takes is letting your guard down for a quick moment to get caught by these things, and it really can happen to anyone, even the security-minded user.

    • Richard
      Richard 2 months ago

      Why aren't the session tokens encrypted and only readable by the issuing web browser, based on the browser's internal ID?

    • ui_wizard
      ui_wizard 2 months ago +1

      @Richard Encryption doesn't matter when malware runs on _your_ computer. Where would you store the key? If your OS has access, then malware can find a way to gain access as well. Even if a hardware TPM or Secure Enclave was present.
      And aside from encryption being resource intensive to do (and battery hungry), it also would be highly inefficient if your browser is already running, as that data would be in memory, unencrypted, anyway.

    • JebacTych Policjantow
      JebacTych Policjantow Month ago

      it's not "the technique", the attack vector was someone being dumb. anyone with an RCE can do anything on the machine that you can do.

    • JebacTych Policjantow
      JebacTych Policjantow Month ago

      @ui_wizard the key does not have to be locally present nor does it have to be static; it can be a calculated value either based on datetime or another system similar to RSA tokens. there is also no need to "store the key" since you can input it every time, e.g. biometric keys.
      encryption is not resource-heavy, every layer 4+ connection you make has TLS over the top of it. it feels like everyone on here is just making guesses as to how computers work without understanding the stack.
      scouring memory is not a reliable vector of harvesting tokens.

  • Nino Heđi
    Nino Heđi 2 months ago

    When it comes to emails as a way to sneak malware in your system, having a good spam filter can help too, mostly because emails containing potential malware are automatically sent to the spam folder and you don't get notified.

  • SYLperc
    SYLperc 2 months ago +455

    the person whose job it is to respond to these could also use a machine that doesn't have channel credentials used specifically for answering sponsorship emails as an additional layer of protection from something like this happening

    • O-HO gameplay
      O-HO gameplay 2 months ago +79

      exactly. i don't do anything like working with sponsors or anything, but last year in the university we had a homework in java programming (basically a game) and our teachers being lazy, we had to grade each others code (everyone gets 5 random people's code). and i specifically set up a vm in case anyone would put malware into it (you would think "oh, they are not stupid to put malware in it, just think about the backlash" but no. seeing how many programming students fall for free dc nitro scams, i will not take a risk)

    • Bruhmaster
      Bruhmaster 2 months ago +13

      Virtual machine maybe?

    • MAST
      MAST 2 months ago +10

      Maybe that person manages youtube videos, thumbnails, tags, descriptions, tags etc. multiple videos at once. That kinda apps are most needed.
      If it was just about editing videos, then they would have done it on an offline machine.

    • kkg T
      kkg T 2 months ago +2

      Maybe it was Linus himself.

    • ʇɐɔʎɯpǝʞɔıʞ
      ʇɐɔʎɯpǝʞɔıʞ 2 months ago

      @Bruhmaster A Remote Desktop for YT account actions.

  • Gurk Burk
    Gurk Burk 2 months ago

    What would have been (more) interesting to know is what they could have done to stop the attack once they realized what was going on, perhaps nothing to do without the help of google ?

  • hengineer
    hengineer 2 months ago +1

    Linus mentioned he DID have youtube channel management parceled out. but the tool he used to do that made it difficult to tell which workstation it came from.

  • Ganondork
    Ganondork 2 months ago +2

    I'm glad you mentioned the fact that the PDF is usually not sent in the initial email, but rather a follow-up email and the fact that many legit companies use third-party PR firms to reach out for sponsorships. After hearing those two facts, it's no wonder someone who works for a big Clip-Share channel would fall for this, especially if they get dozens if not hundreds of legitimate offers every single day with no discernable difference up front. Having a sponsorship manager with complete and total access to the Clip-Share channel was a serious blunder on LMG's behalf though, and the hack would have been mitigated had that not been the case, so I hope they've learned a lesson from that. Imagine being a solo creator dealing with this though. Answering dozens of emails from potential sponsors while also working on your own content. You wouldn't have a buffer from this kind of attack, unlike LMG would.

  • Bob Joe
    Bob Joe 2 months ago +6

    Linus said their corporate anti-malware program caught it, but it was only a notification. Because no one was constantly monitoring the dashboard, the malware slipped through.

    • fabricio
      fabricio 2 months ago +6

      i Hope More Malware builders test on LTTs Ecosystem.....i hate that guy·....

    • RobloxYoutuber
      RobloxYoutuber Month ago

      not like they can get Remote tools to check for them
      because of one thing
      Being too famous is asking for problems
      he get out of the shower to check his channel
      Not getting dress like an fother does
      If I was an kid I would be outside because of the noise
      from an hacked channel to scar kids as well

  • Jan Bostl
    Jan Bostl Month ago

    One great protection is enable file extensions - you'll be able to see if it's .exe or not ...

  • Paul Stubbs
    Paul Stubbs 2 months ago +592

    The bit that surprised me was that LTT had a PC with both Clip-Share account access and was used to process incoming offers, I would have thought the two should be kept well apart

    • Tomato Brush
      Tomato Brush 2 months ago +53

      Yea running vmware workstation and opening suspicious emails on a vm can go a long way to protecting your PC, definitely a hassle to maintain though.

    • tegneren
      tegneren 2 months ago +76

      They said that sponsored videos are uploaded by the marketing department, so that would be why

    • N Werd
      N Werd 2 months ago +9

      Linus is barely even at the warehouse unless he has to be in the video.

    • John Carter
      John Carter 2 months ago +26

      @tegneren but still that doesn't mean that one system should be used to process both stuff. LTT is a large organization and they can afford to have an isolated system to process outside information, before it enters the main server. Anyways they learned it the hard way!

  • Ghost_Ship_Supreme
    Ghost_Ship_Supreme 2 months ago +9

    Everyone at Linus should have file extensions and hidden files enabled by default for windows explorer

    • PuzzLeet Puzzles
      PuzzLeet Puzzles Month ago

      Why? Did he spend a cent for security training for his employees?
      There is a reason why tech companies are doing security training multiple times per year.

  • Kevin H
    Kevin H 2 months ago +7

    Microsoft need to, as others have said, show file extensions by default however, they also need to block .SCR files by default too as well as Defender being a bit more advanced and able to block and warn about files with double extensions, such as .pdf.exe

  • Adzy
    Adzy 2 months ago +9

    I think browsers should encrypt stored data like session tokens, and ask for a decryption password when launched (which would imply never storing decrypted cookies outside of the RAM)

    • Paul-Stelian Olaru
      Paul-Stelian Olaru 2 months ago +1

      They do something similar to that for passwords, where they will use OS-level security/encryption as appropriate (on Linux and macOS you have KeyChain, Windows also has something similar). It would be nice if cookies are also caught in that.

    • Colin Joyce
      Colin Joyce 2 months ago +3

      Um.. the whole point of session tokens is to not have to put in a password... So the real solution is: "don't choose 'remember me'"

    • Adzy
      Adzy 2 months ago

      @Colin Joyce I don't agree, having to login every time on every website can be tedious, where one prompt when you open your browser asks the user for much less effort.

    • tobelix
      tobelix 2 months ago +2

      The real solution would be to keep your sessions short

    • AOE gaming AEGIS
      AOE gaming AEGIS 2 months ago

      yeah but what if I just want to move my data from one pc to another? i just raw copy-paste files and tadaaa, I don't want encryption bllshit to deal with. Isn't windows fault it doesn't has a alert: u're about to open a .exe or.src file, are U SURE? And this to not be annoying, it would pop up only the first time u run a file. And u can even disable it...

  • Kingklump
    Kingklump 2 months ago

    I remember this happening to the Neebs Gaming channel last year. Fortunately they were able to get their channel back and didn't lose any of their videos. Unfortunately this can literally happen to anybody no matter how careful you are.

  • Yemto
    Yemto 2 months ago +441

    I have always the "File name extensions" enabled, so I don't need to go into properties to see the hidden extension. But with that said, personally, seeing .scr wouldn't be as alarming as .exe

    • Fusseldieb
      Fusseldieb 2 months ago +15

      That's probably why they did it.

    • G YTCommnts
      G YTCommnts 2 months ago +75

      You need to watch a ThioJoe video explaining why file name extensions alone are not bulletproof.
      To summarize, there is a technique that exploits reverse reading languages to show a different extension at the end.
      Windows should stop dumbing some things down and file extensions should be shown by default, and must be the last thing on a filename NO MATTER WHAT.
      But for now, it's not the case and it's ridiculous.

    • Tryanoto Sehat santoso
      Tryanoto Sehat santoso 2 months ago +8

      @MANTISxB but the thing is sometimes they send video files too... so if you are not careful about seeing the size... you will presume the big ZIP file came from the vids

    • BattleMaster
      BattleMaster 2 months ago +4

      Yeah, I hate the fact that showing file name extensions is not the default on Windows. Makes it a lot easier to disguise executables as harmless files.

  • American Ketchup
    American Ketchup 2 months ago

    Thanks once again for the Hex Editor trick! It saved me from having my pc infected by what seemed a setup file for bluestacks.

  • Welshmanshots
    Welshmanshots 2 months ago +1

    The size of that "PDF" already threw me for a loop, considering how many files I manage on a daily basis. 9 times out of 10 I would know if it's sketchy or not. Then again I can understand that some people aren't always focused when reading emails, hell I ignore half of mine.

  • --
    -- 2 months ago +1

    Linus should have made sure all computers were set to show extensions and they should run every file from a 3rd party, regardless of size, through a competent antivirus. This is really not that difficult to do. Antivirus scans take seconds with an ssd. This is basic security for most.

  • Nanogalaxy
    Nanogalaxy 2 months ago

    What if youtubers like Linus can implement a strict protocol that they open sponsorship mails only on a VM? Would that be a solution for this?

  • H8RSAPPRECIATE
    H8RSAPPRECIATE 2 months ago

    I remember Nero Cinema was talking about how dumb an Activision employee was for getting hacked by checking an email and a couple of hours later he gets hacked by the same method.

  • JzJad
    JzJad 2 months ago +401

    An encrypted zip file is a huge red flag alone. Normal zips are okay as most antispam services can check, usually up to a depth of like 128 folders deep.

    • NelielSugiura
      NelielSugiura 2 months ago +6

      I certainly use it to send stuff to myself to bypass such scanners. But that is from me to me, so I know what is going on... but it is a fairly obvious bypass all around because no AV tool out there can decrypt it (yet) to scan.

    • N Werd
      N Werd 2 months ago +2

      That's probably the biggest thing here and 99% of tech channels ignore it, I'm not sure they even know why scammers use the pw/encryption function in the first place.. There's no need to ever require this unless you encounter it the way I do. From piracy and trying to download unsigned cracks etc. But scammers also use them when a game first comes out to try and trick the normies, but those are the types that don't want you to have a pw because there's nothing in it, they want you to do surveys for a non existing password.

    • PowerPC603
      PowerPC603 2 months ago +2

      I agree this is also a giveaway. Any normal company doesn't zip a pdf file so there should be no need to extract it. And even so, a huge zip file to only hold a single pdf file is suspicious. On top of that, even when file extensions are hidden (as the other files didn't show any extension) and this one did show the .pdf extension, you should be aware this won't be the true extension otherwise it was hidden as well so you can be sure there is another extension behind it making the .pdf visible.
      Also, in an email, look for obvious spelling errors like the first one that was shown: "We are sells energy drinks", this is a dead giveaway this was translated instead of typed and should be treated as suspicious.
      So Linus (or his staff) made 4 mistakes that led to this tragedy:
      1. Ignoring obvious spelling mistakes (if he received such a misspelled email)
      2. extracting a huge zip file to get a simple pdf to state an agreement
      3. ignoring the huge filesize for a simple pdf
      4. running it with a visible file extension when extensions are hidden

    • asdf asdf
      asdf asdf 2 months ago +3

      @PowerPC603 That the extension is shown despite extensions being hidden was confusing to me as well. Although, if you spend about 30 sec on this file, you might easily miss that.

    • Tom S.
      Tom S. 2 months ago +2

      Absolutely, a red flag with a fog horn.

  • NiteLite
    NiteLite 2 months ago

    You mentioned that only one person should have access to upload videos etc, but I think large YouTube channels should go one step further. The access should probably not be associated with a regular account that people use as their "daily work driver". There should be a separate account that they need to log into and log out of after they are done managing the account. If you want to go wild, maybe even from a separate machine. Not being permanently logged in on the account that can change things would make this kind of attack more or less impossible.

  • Bryan P.
    Bryan P. Month ago

    You would think by now that AV scanners can be smart enough to see a big file, scan up to a certain point (or maybe just look at the end of the file), and when it catches all that padding to throw a red flag. If it gets to a reasonable point in the file and doesn't see anything suspicious, it can just stop scanning to save resources.

  • Jeffrey Guilmot
    Jeffrey Guilmot 2 months ago

    This vid confirms I'm doing great. On top of the regular AV I always paste suspicious files into virustotal too but I didn't know if it was worth anything. Seeing a tech Clip-Sharer use it validates my behavior yay

  • penitent2401
    penitent2401 2 months ago

    One good thing to do is set up different departments that don't have a direct data connection to each other. For example, the marketing department doesn't have access to finance department computers and archives and in Linus' case, the production or publishing department would be the only one with youtube channel access. All other departments can just have their own channel with no videos or information on them, only for viewing and some communications.

  • danwithjesus
    danwithjesus 2 months ago

    You know..i'm gonna subscribe to this channel because i know what happened to LTT and because the channel is very useful these days in a digital hackable world...Thank you for sharing.

  • DerLungYT
    DerLungYT 2 months ago +203

    I think the „show file extensions“ option should be enabled by default in windows explorer because otherwise if you don't look at the properties of the file you would not even notice if a file had a different file extension to what you would expect. Many people have this option disabled because they just never changed it so they could easily fall for such a trap if they don't know that much about computers.

    • Takata Miyagawa
      Takata Miyagawa 2 months ago +39

      I don't know how people function with file extensions off. Sure, there's no guarantee that the contents of the file match the extension, but it seems to be at least an indication of what windows will attempt to do with the file if you open it.

    • Rusl1Rusl
      Rusl1Rusl 2 months ago +6

      Nowadays hackers use special characters to reverse the filename to make it look like a legit file even with „show file extensions“ on

    • PowerPC603
      PowerPC603 2 months ago +15

      Even if file extensions are disabled, you should be able to see there is something wrong. All other files don't have the extension visible and this one did show the .pdf extension, so there should be another extension behind it, making the .pdf visible.

    • Nara Ken delos Santos
      Nara Ken delos Santos 2 months ago +5

      Nobody looks at the details of the file before clicking nowadays, I guess? I have all my downloads in detail view showing the file type. I've been freaking using this account as old as youtube and I've never been hacked.

    • Joke Bambi
      Joke Bambi 2 months ago +1

      @Nara Ken delos Santos since 2006?

  • Andreas Mustola
    Andreas Mustola 2 months ago +2

    Could an antivirus counter the virus after he clicked on the pdf file? Or is suspicion and common sense still the best protection?

  • JeyJonsan
    JeyJonsan 2 months ago

    I actually didn't know you can manipulate the letters in the end of files. Hmmm something new to learn today! Thank you!

  • Xellaz
    Xellaz 2 months ago +1

    That's what I was wondering about if the PDF file LTT received is really a PDF file ending with a .PDF extension or not. 'Coz I've read even legit PDF files from a hacker can compromise your system depending on what PDF reader software you used to open it. 🤔

  • stay positive
    stay positive 2 months ago

    I keep forgetting that the majority of users have the file name extensions hidden.
    Thank you for the well explained video, it's great for sharing!

  • LuciferStarr
    LuciferStarr 2 months ago

    My biggest surprise here is that anyone involved with a tech channel would have "Show/Filename Extensions" set to the default. It's one of the first things I change.

  • Hollywood Camera Work
    Hollywood Camera Work 2 months ago +153

    Microsoft should really stop this "Hide extension for known file types" thing. That Windows feature is the main attack vector, because it makes an executable look like an innocent file.

    • Guitarzen
      Guitarzen 2 months ago +1

      They should really stop being a company and putting out that virus, windows.

    • PizzaMi
      PizzaMi 2 months ago +7

      maybe the reason microsoft created that feature is because for people like us, who know the meaning of extensions, the hide thing is useless, but people who don't know will mostly rename their files wrong (like delete the extension)
      but i agree with you, they need to update the system
      like,..they can just show the extension but make it not editable when renaming the file

    • Richard
      Richard 2 months ago +3

      It's optional, you can turn it off, and it's there because that's how Apple does it. Maybe Microsoft should prohibit changing a file extension by renaming the file, and only allow it in the Properties dialogue. And also, Windows should prevent multiple file extensions when any but the last is an executable file type. So something like ".pdf.old" is permitted, but ".pdf.exe" is prohibited.

    • Hollywood Camera Work
      Hollywood Camera Work 2 months ago +4

      @Richard Of course you can turn it off, but it's on for 99.999% of Windows users. It's the default setting from hell. And no, Mac doesn't do this. Mac has 4-character file types and creator that can't be downloaded from the internet. The risk doesn't exist in the same way on Mac. And Mac notarizes executables. Not even a comparison.

  • Victor
    Victor 2 months ago

    I wasn't familiar with your channel. Good thing it was on my Clip-Share recommendations, your content looks amazing. Keep it up!

  • Noir got blues
    Noir got blues 2 months ago

    Thank you for teaching us these things.

  • asdf asdf
    asdf asdf 2 months ago

    So 2 things that kinda surprised me about this video: a) file extensions are not shown by default. That's turned on on my computer and not only does that help with identifying such files but also it can help in day-to-day-business as well, being able to see if a picture is PNG or JPEG or whatever else at a glance.
    b) not using at least the windows antivirus security thingy. I do a windows defender scan on every single file i download from the net, just because it's a habit of mine and usually takes less than 10 sec to do so (and i don't download quite as many files as the employee might). Not sure if windows defender would've found that trojan because i guess that's the AV they're gonna try to fool most, but as soon as one right-clicks the file for the context menu (for scanning) one has the chance to see 770 MB file size on the bottom; one should get suspicious at that point. I know very few PDFs that are that large and they're thousands of pages or tons of pictures, so there's really no need for an offer to be that large.
    I feel like all the warning signs are there for this case if you use proper precautions...

  • Exerosis
    Exerosis 2 months ago

    The worst part about not checking those big files is, I actually wouldn't mind if it did that. The thing that slows down my workflow (as a developer) is my AV getting in the way of compilation. Checking thousands of tiny little files. Please check EVERYTHING I download, and honestly don't check anything else thank you.

  • TechnoGlowStick
    TechnoGlowStick Month ago

    Wow, I haven't seen screen savers in forever! I forgot about those things. That's pretty sneaky. 🙁

  • IrreverantRex
    IrreverantRex 2 months ago +64

    I feel like at this point, proper security protocols would be to have a separate machine that exists exclusively to open emails and doesn't have access to anything except the email account.

    • John DoDo Doe
      John DoDo Doe 2 months ago +2

      Except that many attackers want control of your recovery e-mail only (in that phase).

    • Bog Monster
      Bog Monster 2 months ago +5

      @John DoDo Doe you can have emails forwarded to an unattached proxy email for this purpose, using something like POP so they're deleted off the first address as soon as they're sent to the second one, then you'd have to intentionally send it BACK to the first email for them to have access to that one

    • Takata Miyagawa
      Takata Miyagawa 2 months ago +3

      They're running a youtube channel, not a military base.

    • Luka
      Luka 2 months ago +22

      @Takata Miyagawa If your youtube channel is your livelihood, you may as well go the extra mile to protect it well, because if you lose it, you basically lose everything. At least in case of Linus Tech Tips and bigger channels, it's possible to recover this even after a hack happens, but it takes a lot of effort regardless and taking extra security measures to prevent this kind of thing is very worthwhile.

  • myDecisi0n
    myDecisi0n 2 months ago +1

    I don't really get, why browsers don't change these security vulnerabilities by creating a sandbox where cookies are stored in. This way all user data for a specific page can only be accessed by that specific page and no other application. This could even further be improved if the device you are browsing from has a secure chip installed like most Macs do

  • A.N.O.
    A.N.O. 2 months ago

    Had quite a few mails claiming to be from MSI and asking for sponsorships, coming from the same mail provider as the ones you're showing in the beginning. Huge red flag, as well as the statement that the "catalogue" I was supposed to check for products would only work on windows machines. Stay safe everyone. If a deal sounds too good to be true, it probably is.

  • BOX
    BOX 2 months ago +1

    It seems like it would be so trivial for chrome/edge/firefox to encrypt any session tokens and cookies on disk, and obfuscate the ones in memory a little.

  • Unity Tech Future
    Unity Tech Future Month ago

    it's always better to have a laptop or pc fully offline to open such things to stay safe :)

  • Macusercom
    Macusercom 2 months ago +1

    Only using VirusTotal instead of using an AV program is like running a background check on someone who's entering your house but actually not locking any doors or having any kind of alarm

    • NBLT
      NBLT Month ago

      I mean, for your "casual" "Home Gamer who's a Reddit user" they don't really care because "muh Performance" and sometimes even "muh Privacy" (While using Pirated/"Cracked" Softwares) and "A waste of money, Windows Defender is bloatware blah blah". Which is fair, it's their own Devices in their own Network so whatever floats their boat.
      But in the Companies space and a Tech Company at that, i don't know why they didn't deploy an Antivirus for the whole building? Which is very weird.
      I doubt i'd be "Zero-day Exploit" but.

  • Eddie Legs
    Eddie Legs 2 months ago +170

    I understand the dangers true scr files also start up just like exe files.
    But the fact that Clip-Share doesn't have the security in place when they don't ask you to log in again when you change the password or the channel name is baffling to me.
    Or delete a lot of files... crazy

    • Alouicious Wrex
      Alouicious Wrex 2 months ago +17

      I would assume they could tie the session token to the current IP address, and if the session token is suddenly used by a different IP they cancel all sessions and request signing in again.

    • Evan Dark
      Evan Dark 2 months ago +27

      @Alouicious Wrex That would not work with smartphones that go in and out of Wifi range, and use mobilenet when there is no WiFi. The best you could do is time and location. That's why banks invalidate sessions (log you out) after 5-10 minutes of inactivity. Most websites log you out on a device after a week or so. But youtube/google never does it, since if you are not logged in it's harder to mine your data.
      The worst part is that (when done right) stealing the environment essentially makes this indistinguishable from the original browser, making it a "trusted device".

    • Alouicious Wrex
      Alouicious Wrex 2 months ago +2

      @Evan Dark Fair point, I hadn't considered mobile devices

    • Eddie Legs
      Eddie Legs 2 months ago +1

      @Evan Dark or MAC address for mobile devices

  • Loren M. Lang
    Loren M. Lang Month ago

    Actually, I'd clarify that. It's not just like an EXE, an SCR file is a full-fledged EXE by a different extension just to make it obvious that it's intended to be a screensaver and not just any old program, but it is built just like any other EXE and then renamed to SCR as the last step.

  • Jordan Drake
    Jordan Drake 2 months ago +6

    I agree that limiting admin access will help prevent a takeover like this, however, I also agree with Linus that Clip-Share could do more. One thing that I predict will be a must for any platform, especially business platforms, will be Zero Trust tools and features. Had Clip-Share and LTT implemented Zero Trust into their environment, this sort of attack would be near impossible without physical access to their network and their devices. But from what I can tell, Clip-Share doesn't have any method for account owners to implement or integrate with a ZTN solution or even limit what IP addresses can perform administrator functions in a content creator's account.

  • CoderzF1
    CoderzF1 2 months ago

    wow.... this is one of the reasons i have my file extensions showing. also, if i suspect it's suspicious, i will open it in a hex editor or a plain text viewer. usually the first few characters are a dead giveaway.

  • Speed Racer
    Speed Racer 2 months ago +2

    It’s wild how stuff like this never gets attention until it affects a channel of 10mil+

  • AI-Mindstream
    AI-Mindstream 2 months ago +2

    I wrote a little CMD / BAT Script for Windows that blocks the execution of potentially harmful SCR files, while allowing built-in screensavers to run, and applies a warning icon. Also you can unblock SCR files and restore the default icon. It does this by modifying Windows registry values. Keep your system safe from malicious SCR files!
    Keep in mind that while this script is a helpful addition to your security measures, it may not provide 100% protection against all types of threats. However, it can certainly be a useful tool to help safeguard your Windows system.
    @echo off
    rem Run from an elevated prompt: every key written below lives under HKLM or HKCR.
    :menu
    echo SCR Files Security Tool
    echo 1. Block SCR files and apply warning icon
    echo 2. Unblock SCR files and restore default icon
    echo 3. Exit
    set /p choice="Choose an option (1, 2 or 3): "
    if "%choice%"=="1" goto :block
    if "%choice%"=="2" goto :unblock
    if "%choice%"=="3" goto :end
    rem Any other input shows the menu again.
    goto :menu
    :block
    rem Write the Software Restriction Policies ("Safer") values, then override the .scr icon.
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v "PolicyScope" /t REG_DWORD /d "0" /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v "TransparentEnabled" /t REG_DWORD /d "1" /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths" /v "BlockSCR" /t REG_SZ /d "*.scr" /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths" /v "AllowSystem32SCR" /t REG_SZ /d "%SystemRoot%\System32\*.scr" /f
    reg add "HKCR\SystemFileAssociations\.scr\DefaultIcon" /ve /t REG_SZ /d "%SystemRoot%\System32\shell32.dll,-154" /f
    echo Execution of SCR files has been blocked except for built-in Windows screensavers. Warning icon has been applied.
    goto :pause
    :unblock
    rem Remove the two path values added by option 1 and put the icon back.
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths" /v "BlockSCR" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths" /v "AllowSystem32SCR" /f
    reg add "HKCR\SystemFileAssociations\.scr\DefaultIcon" /ve /t REG_SZ /d "%SystemRoot%\System32\shell32.dll,-210" /f
    echo Execution of SCR files has been unblocked. Default icon has been restored.
    goto :pause
    :pause
    rem Wait for a key press so the result can be read, then return to the menu.
    pause
    goto :menu
    :end

  • Balaji Raman
    Balaji Raman 2 months ago

    Excellent analysis. It just goes to show if you allow even a small amount of complacency, you will get hurt...

  • Snorpi
    Snorpi 2 months ago +140

    100% this all ramps down to the fact that even if you're a manager on the channel you can't create community posts. You can upload videos, delete videos, whatever you want. You can't make community posts. You have to be logged in from the "main" account. It's the worst.

    • Fathin
      Fathin 2 months ago +4

      weirdly it can be delegated via API which means if you have the capacity you can "relay" the intent with custom local tool/ web service

    • wadimek11
      wadimek11 2 months ago

      They could use clean virtual machine or server for posting only

    • dontaskiwasbored2008
      dontaskiwasbored2008 2 months ago +3

      That is 100% not at all what this ramps down to lmao.

    • Mini Meatwad
      Mini Meatwad 2 months ago +2

      @dontaskiwasbored2008 True, but cool API fact.

    • helloitismetomato
      helloitismetomato 2 months ago +10

      Clip-Share Studio is just *incredibly* poorly designed. It's an absolute disgrace, especially since it took them absolutely forever to create and they had a very lengthy (multi year!) feedback period that they literally did not do anything with. In Clip-Share Studio you either have too little access or way too much access.
      If you're an editor you can't even edit a playlist (because that can only be done in the main site, and they simply didn't bother to implement it in Studio!)
      As someone who's been a professional in this space for half my life it's actually OFFENSIVE to me how poorly designed it is. They literally just didn't bother doing it anywhere close to properly. Everything about it fucking sucks ass from the UI to the core functionality.

  • Nextor Hdex
    Nextor Hdex 2 months ago

    Little tip, use the "details" view of the files, it tells you more information about the files that live in your downloads folder. Like the size precisely.

  • Dave Keyes
    Dave Keyes 2 months ago

    When you brought the file up in your hex editor, I knew immediately the file was an executable due to the MZ signature in the header.
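
    The checks commenters describe in this thread (MZ signature in the header, a document extension in front of an executable one, the right-to-left override trick, a file that is mostly padding) can be scripted for attachment triage. The following is an added example, not code from the video or from any commenter; the extension lists, the 50% threshold and the assumption that the padding is a trailing run of zero bytes are choices made for this sketch, and the sample files are constructed.

```python
import os
import tempfile

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: reverses how the rest of a name is displayed
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
MAGIC = ((b"MZ", "windows-executable"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"))


def sniff_type(header):
    """Classify a file by its first bytes, ignoring whatever the name claims."""
    for magic, kind in MAGIC:
        if header.startswith(magic):
            return kind
    return "unknown"


def trailing_zero_fraction(path, chunk=1 << 20):
    """Fraction of the file taken up by a trailing run of 0x00 bytes.

    Reads backwards in chunks and stops at the first non-zero byte, so a
    770 MB padded file costs roughly one pass over the padding only.
    """
    size = os.path.getsize(path)
    if size == 0:
        return 0.0
    zeros, pos = 0, size
    with open(path, "rb") as fh:
        while pos > 0:
            step = min(chunk, pos)
            pos -= step
            fh.seek(pos)
            block = fh.read(step)
            stripped = block.rstrip(b"\x00")
            zeros += len(block) - len(stripped)
            if stripped:  # reached real content
                break
    return zeros / size


def triage(path, pad_threshold=0.5):
    """Return a list of findings for one downloaded file (empty list = nothing flagged)."""
    name = os.path.basename(path)
    findings = []
    if RTLO in name:
        findings.append("rtlo-in-name")
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    if ext in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS:
        findings.append("double-extension")
    with open(path, "rb") as fh:
        kind = sniff_type(fh.read(8))
    if kind == "windows-executable":
        findings.append("executable-content")
    if trailing_zero_fraction(path) >= pad_threshold:
        findings.append("zero-padding")
    return findings


def build_samples(directory):
    """Write three constructed sample files and return their paths by label."""
    samples = {
        "padded": ("contract.pdf.scr", b"MZ" + b"\x90" * 100 + b"\x00" * 1000),
        "clean": ("report.pdf", b"%PDF-1.7\n%%EOF\n"),
        "rtlo": ("invoice" + RTLO + "fdp.scr", b"MZ" + b"\x90" * 100),
    }
    paths = {}
    for label, (name, data) in samples.items():
        paths[label] = os.path.join(directory, name)
        with open(paths[label], "wb") as fh:
            fh.write(data)
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for label, path in build_samples(tmp).items():
            print(label, triage(path))
```

    The header check only reads bytes and never executes the file, which is why it is safe to run on an attachment before anything else touches it.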

  • Craig FromTheLand
    Craig FromTheLand 2 months ago

    This is one of those things where if you have a non-tech user then you should absolutely have training and AVs set up. For us that work with tech it's really nonsense to say this could happen to you. No one in their right mind that has any bit of IT experience is extracting a zip file from a random email or even a semi-notable email source. Attachments of any kind in an email are a red flag, even if it's from a trusted source. In today's world you should just block zip files altogether for a business in the spam filter.

  • Dhaval
    Dhaval 2 months ago

    @The PC Security Channel can you do a video on this specific malware being tested against the current top AV ? Whether they detect it or not :)

  • Sterling
    Sterling 2 months ago

    Good video. I think it would've been neat if you added a section to these types of videos where you do some sort of sandboxing of the file, to show what it's actually doing. I'm sure you've heard of it, but Any Run is an example of an interactive open sandbox solution to do this in, another is Hybrid Analysis though it doesn't provide interactivity it still shows screenshots and breaks down the activities it performs. It would be neat to get an idea of the scheduled task creations, additional sub process executions, network traffic to threat actor domains and IPs, etc.

  • NuDimon
    NuDimon 2 months ago +96

    Good thing for them they got it resolved quickly and got support through their other business ventures to alleviate the lack of adsense when the channel was down. But they definitely have been a bit too lax on their security. Apparently their security software solution was set to less secure settings due to too many false positives. They really did get to feel how having their policies leaning more towards convenience is a bad idea.
    That being said, how youtube does not require 2FA for sweeping changes to a channel is downright mind boggling. If you change the channel name and change the status of the majority of your video catalogue there should be some alarm bells ringing no?

    • Miguel Ángel Prosper
      Miguel Ángel Prosper 2 months ago +14

      While I agree, there are also issues with having security settings too strict, as they might lead to users circumventing them so they can do their job. Now instead of some security, you have none. So, since they said they couldn't handle the amount of false positives they settled for that. Was it the best idea? No, but they did what they thought was right. It seems that looking forward they should look into how to better handle the false positives or alternative software suites.
      That being said, as you also said, Google not reauthenticating users attempting to do massive changes on the channel seems like a big mistake on their part.

    • Sazey
      Sazey 2 months ago +14

      The fact that Google will allow login from a cookie and then change password + 2FA *without* confirmation from either is downright neglectful.

    • Pandaptable
      Pandaptable 2 months ago

      @Sazey you clearly do NOT understand how logging in from a cookie works. It's not that google "lets" them. It's that you're essentially just copying how they logged in, and it's the same session in essence.

    • Rez Whap
      Rez Whap 2 months ago +9

      @Pandaptable So confidently incorrect. They could force a reauthentication even with a valid session. Many services do for important changes.

    • HOAS
      HOAS 2 months ago

      You sound too invested in them personally.
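
    The replies above argue over whether a service can demand re-authentication from a session that is otherwise valid. The following added example (not Google's or YouTube's implementation, and not code from any commenter) shows one way a server can do it: ordinary requests ride on the cookie, while sensitive actions require a password check within the last few minutes. The action names, the 5-minute window and the account data are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical action names; anything listed here needs a recent password check.
SENSITIVE_ACTIONS = {"change_password", "change_2fa", "rename_channel", "bulk_delete_videos"}
REAUTH_WINDOW_SECONDS = 300  # assumed policy: 5 minutes


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the scenario below is deterministic
        self._users = {}             # user -> (salt, password hash)
        self._sessions = {}          # token -> {"user": ..., "last_auth": ...}

    def add_user(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, hash_password(password, salt))

    def _check_password(self, user, password):
        record = self._users.get(user)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(hash_password(password, salt), expected)

    def login(self, user, password):
        if not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_auth": self._clock()}
        return token

    def reauthenticate(self, token, password):
        """Step-up check: holding the token is not enough, the password is needed."""
        session = self._sessions.get(token)
        if session is None or not self._check_password(session["user"], password):
            return False
        session["last_auth"] = self._clock()
        return True

    def authorize(self, token, action):
        session = self._sessions.get(token)
        if session is None:
            return "deny"
        if action not in SENSITIVE_ACTIONS:
            return "allow"
        age = self._clock() - session["last_auth"]
        return "allow" if age <= REAUTH_WINDOW_SECONDS else "reauth_required"

    def revoke_all(self, user):
        """Incident response: kill every session for the account, copied or not."""
        doomed = [t for t, s in self._sessions.items() if s["user"] == user]
        for token in doomed:
            del self._sessions[token]
        return len(doomed)


def run_scenario():
    """Constructed timeline: owner logs in, the cookie is replayed an hour later."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    store.add_user("channel-owner", "correct horse battery staple")
    token = store.login("channel-owner", "correct horse battery staple")
    now[0] += 3600  # the copied token is presented from another machine
    return {
        "view": store.authorize(token, "view_analytics"),
        "rename": store.authorize(token, "rename_channel"),
        "reauth_wrong": store.reauthenticate(token, "guess"),
        "rename_after_wrong": store.authorize(token, "rename_channel"),
        "reauth_owner": store.reauthenticate(token, "correct horse battery staple"),
        "rename_after_owner": store.authorize(token, "rename_channel"),
        "revoked": store.revoke_all("channel-owner"),
        "after_revoke": store.authorize(token, "view_analytics"),
    }


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```

    A token copied within the window right after a fresh password check would still pass, so the window length is a trade-off between friction and exposure.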

  • TimeHunter
    TimeHunter 2 months ago

    On that list of antivirus programs that showed which ones detected it, I’m glad the one I use recognised it as a virus!

  • Phil Ryles
    Phil Ryles 2 months ago

    This was a really good one...keep up the great work.

  • KrustyDustieTV
    KrustyDustieTV Month ago +2

    Funny thing is, if their internet speed wasn’t so awesome, they might have spotted how large the file actually was.

    • Peace Jon
      Peace Jon Month ago +1

      True that at 10Gb/sec you even won't notice. 😂😂😂

    • mgjk
      mgjk Month ago

      All those zeros will compress to nothing in the zip.

  • FireOccator
    FireOccator 2 months ago

    This is why you keep the filename extensions on and scan every single file that you download.

  • ThePortuguesePlayer
    ThePortuguesePlayer 2 months ago +1

    If it's a scr file, then it would mean this attack would not work on a PC that is not a Windows one, correct? So, yet another security measure could be just using a different OS to do that type of work on, like one of the UNIX based ones.

  • Snickerdoodle
    Snickerdoodle 2 months ago +83

    I'm going to be honest, if a channel is advising you to "just use virustotal instead of an antivirus" I'd immediately look for their history as a cyber criminal lmao

    • Jordi
      Jordi 2 months ago

      Yes, It may help criminals more than users..

    • AOE gaming AEGIS
      AOE gaming AEGIS 2 months ago +1

      never use antivirus, just move linux, lol

    • vonKarma1186
      vonKarma1186 2 months ago +4

      @AOE gaming AEGIS (will only be effective until linux marketshare increases to the point it'll be worth making linux malware, even then i'd still be careful with downloaded files on linux, by lowering your guard you increase your risk of getting hacked by a lot which is why i still triple check downloaded files as a linux user myself)

    • Attila Asztalos
      Attila Asztalos 2 months ago

      Totally DO use an antivirus if you want to throw 95% of your machine's performance away 100% of the time vs. that one time when you should have had the common sense to realize whatever you just downloaded should at least be checked by virustotal.

  • MrTechGuy
    MrTechGuy 2 months ago

    I don’t understand why it hasn’t become standard practice to just block zip files at an organization level? We did this over five years ago and the amount of attempted malware has dropped significantly.😊

  • Path Finder
    Path Finder 2 months ago +7

    I'm surprised LTT didn't have a system like Zscaler to block file extensions that should never be downloaded from the internet

    • Private Joker
      Private Joker Month ago +1

      yeah as a security guy, this is hilarious to me lmao

    • Thawne
      Thawne Month ago

      @Private Joker what do you mean by security guy

    • Private Joker
      Private Joker Month ago

      @Thawne I work in IT security

    • Thawne
      Thawne Month ago

      @Private Joker did you go to university

    • Private Joker
      Private Joker Month ago

      @Thawne yes, i got a degree in computer engineering... many people from USA say getting a degree is not worth it, but it's because a degree is too expensive there.. if it's not too expensive in your country, it's worth it

  • ast5515
    ast5515 2 months ago

    A few comments mention turning on file extensions to avoid this. It won't help.
    The extensions will still be hidden if the file name is long enough, only to be revealed when you click on the file. At that point you are probably double clicking it if you aren't actively searching for malware. It's an easy mistake to make.
    And here is my solution: Total Commander. I have 3 ways it could have prevented this attack:
    1. Extensions are shown by default without having to click on the thing and they are not hidden by longer file names.
    2. The file size is shown by default without having to click on the thing. What the hell is a 700 Mb PDF?
    3. The file icons are small and you won't look at it and automatically say it's a pdf based on the icon. It makes you consciously look at the extension because you won't know what it is just by looking at it.
    Bonus: A download manager such as IDM.
    The default setting creates a few folders in your downloads folder, such as documents, programs, videos, etc. If the pdf I downloaded didn't end up in the documents folder, something must be wrong. Perhaps it isn't a document at all...
    Total Commander is superior to Windows Explorer in every single way and it makes your everyday life much easier. Might as well choose convenience every day and not fall for an attack once every 5 years. There is no catch.
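
The checks listed in the comment above (read the real extension however long the name is, and compare the file size with the claimed type), written out as an added example that is not part of the original comment. The extension lists, the thresholds and the helper names are assumptions made for this sketch, and the sample listing is constructed.

```python
import os

# Assumed lists and thresholds for this example; tune them for your environment.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_DOC_BYTES = 100 * 1024 * 1024  # assumed ceiling for a plausible document
MAX_VISIBLE_CHARS = 40             # assumed width before a file list truncates the name


def inspect_download(name, size_bytes):
    """Return a list of finding codes for one downloaded file (hypothetical helper)."""
    findings = []
    # Windows drops trailing spaces and dots, so the real extension sits before them.
    stem, ext = os.path.splitext(name.rstrip(" ."))
    ext = ext.lower()
    # Extension the name pretends to have, once padding before the real one is removed.
    inner = os.path.splitext(stem.rstrip(" _.\u00a0"))[1].lower()

    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        if inner in DOCUMENT_EXTS:
            findings.append("double-extension")
        if len(name) > MAX_VISIBLE_CHARS:
            findings.append("extension-hidden-by-length")
    claimed = ext if ext in DOCUMENT_EXTS else inner
    if claimed in DOCUMENT_EXTS and size_bytes > MAX_DOC_BYTES:
        findings.append("implausible-size")
    return findings


def scan(listing):
    """Map each flagged file name to its findings; clean files are left out."""
    report = {}
    for name, size in listing:
        found = inspect_download(name, size)
        if found:
            report[name] = found
    return report


# Constructed sample listing (name, size in bytes); not taken from the incident.
PADDED = "Sponsorship_offer.pdf" + " " * 40 + ".scr"
SAMPLE = [
    (PADDED, 700 * 1024 * 1024),
    ("invoice.pdf", 200_000),
    ("setup.exe", 5_000_000),
    ("brochure.pdf", 700 * 1024 * 1024),
]

if __name__ == "__main__":
    for name, found in scan(SAMPLE).items():
        print(f"{name!r}: {', '.join(found)}")
```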

  • NelielSugiura
    NelielSugiura 2 months ago +5

    This reminds me of the time when my friend found an exploit in everyone's favourite media player, VLC, and added code to the end that, when played in VLC, broke things because the tool executed scripts within the video (he could have done anything, including modify the registry to never pass login, but it merely scrambled the subtitles). Video played fine in MPC and other players. The only reason he did it is because his messages to VLC devs went unanswered.
    The same, I suspect, basically would happen here (getting MS to enable file extensions by default or YT having more security). Sometimes, these big companies think they have all the answers and do not pay attention to outside reports. Despite all the smaller channels Linus mentioned as having similarly been hit and YT had yet to do anything there, are they going to pay attention now and fix things? I would not hold my breath. :(

  • coldfya
    coldfya 2 months ago

    That's why you always look at files in the explorer in the "details" view setting and make sure extensions are on.

  • AaronShenghao
    AaronShenghao 2 months ago +63

    In the WAN show, Luke said their anti-malware solution did catch the file. But it was only a notification, and the malware was still run before it could be stopped. (e.g. it was not quarantined in time)

    • phir
      phir 2 months ago

      Should've immediately logged out

    • Awaken
      Awaken 2 months ago

      Let's not blame Windows in the most gratuitous way. If it feels malware, the OS starts to scream and puts the harmful file in quarantine mode. In order to make it work you have to go into the security panel and give the proper rights, which the employer probably did

    • flameshana9
      flameshana9 2 months ago +10

      How can a malware detection not lock the file? I have Windows scanning my darn games every single day making me wait for it and yet an actual virus gets to run freely?

    • Shaun Young
      Shaun Young Month ago

      @flameshana9 I suspect in this case it was identified as suspicious and generated a message but didn't have enough confidence that it was malware to lock it down.
      You can decide what actions an AV takes on a file given the risk level determined. And they basically said that the number of false positives they would get at the level of security which would have locked down this file would be too large to manage without seriously harming their business (probably far more than the hijacking and one day of outage did).
      And, yes, every single business (and person) makes the decision to accept some degree of risk in various formats to facilitate operational efficiency. The question is how you balance the two.

  • Peter D Morrison
    Peter D Morrison 2 months ago +1

    Blame email apps. They should block certain file types such as .SCR unless you have admin privileges and explicitly allow the download.

  • Hackcult
    Hackcult 2 months ago

    Wow. I learned a shit ton just from this one video. Thanks. ❤

  • dont-want-no-wrench
    dont-want-no-wrench 2 months ago +5

    this kind of thing must explain a number of obviously hacked youtube channels i've come across

    • vakho30
      vakho30 Month ago

      At first I thought that those channels sold their souls to devils for quite a lot of grand, but then I realized that most of them might have been hacked like Linus.