The Malware that hacked Linus Tech Tips
- Published on May 29, 2023
- Linus Tech Tips was recently hacked by a RedLine infostealer delivered as a .pdf.scr file in a malicious sponsor email. I myself have been receiving a ton of such fake sponsor emails, and in this video we look at the attack process. Get Crowdsec for free: www.crowdsec.net/?mtm_campaig... (sponsor)
Buy the best antivirus: thepcsecuritychannel.com/best...
Join the discussion on Discord: discord.tpsc.tech/
Get your business endpoints tested by us: tpsc.tech/
Contact us for business: thepcsecuritychannel.com/contact
- Science & Technology
Comments • 3 103
I've always thought it was a terrible idea for Microsoft to hide file extensions by default. Just asking for trouble.
Facts, that is why I always turn on the setting to enable that.
It's a pain to keep having to turn it on on every single new machine I use. I mainly use it to be able to quickly make a backup of files, so I can just add .bak or .orig to the name. This only works if file name extensions are enabled.
That's not even the bad part of all this. MS is now active in keeping you out of some sections of the OS. You don't even know if MS is collecting these tokens or not or for what reason either. I assure you... they can and do if the right people in authority request it. Nothing on a machine is secure.
That's how you can spot computer literacy at a glance.
A file name is just what it is. It doesn't tell anything about its content, just as your name doesn't say anything about your personality. Changing a .xls to .jpg doesn't make it an image, just as changing my name to yours doesn't change my personality to become yours.
The first red flag to me about that so-called PDF is that the extension is visible while the extension for the video file is not. A helpful tip is to configure File Explorer to always show file extensions.
That and the fact that the domain was Eastern European. The author of this video wants to act like that's totally common and no big deal but it's not. If g fuel is reaching out to you from the Czech Republic you should damn well know better.
Or maybe don't use File Explorer in the first place... Use something that is more intelligently designed, like Total Commander.
@M. B. Whatever floats your boat.
That's the case in this example, if the PDF was 'alone' in a folder you wouldn't look twice at a .pdf
A 770 MB PDF file would be a major red flag. I think the largest genuine PDF file I've ever seen was less than a hundred megabytes, and that contained full-color images.
The problem with a very fast internet connection is that the employee probably didn't get a look at how big the file was and just automatically checked the content after it was done downloading.
@Hex Rox The file is full of 0s, the zip archive would be actually quite small.
Even that is small, I would say. I made the yearbook for my class, and that is around 200MB. So I would be careful with blanket statements like that.
@revoxx A yearbook is different than an agreement form..
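The thread above is really about two checks that can be automated: does the content match what the name claims, and how much of the file is inert filler. Below is an added example (not the video's code, not LMG's tooling) that identifies a file by its leading bytes and measures the run of trailing zero bytes. The `Agreement.pdf.scr` input is constructed: a minimal MZ/PE header followed by megabytes of zeros, which is the padding pattern the comments describe; the small PDF is constructed too.

```python
import os
import struct

# Leading-byte signatures for the formats this thread is about
SIGNATURES = {"pdf": b"%PDF-", "zip": b"PK\x03\x04"}
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".msi", ".dll"}
DOC_LIKE_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".mp4", ".zip"}
# What a given extension claims the content is
EXT_TO_TYPE = {".pdf": "pdf", ".zip": "zip",
               **{e: "pe" for e in (".exe", ".scr", ".pif", ".dll")}}


def detect_type(data: bytes) -> str:
    """Identify the real format from the bytes, never from the name."""
    if data.startswith(b"MZ") and len(data) >= 0x40:
        # DOS header field e_lfanew (offset 0x3C) points at the "PE\0\0" signature
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-dos"
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def trailing_zero_fraction(data: bytes) -> float:
    """Share of the file taken up by one run of 0x00 bytes at the very end."""
    if not data:
        return 0.0
    return (len(data) - len(data.rstrip(b"\x00"))) / len(data)


def inspect_file(name: str, data: bytes) -> dict:
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    inner = os.path.splitext(stem)[1].lower()   # the ".pdf" in "Agreement.pdf.scr"
    kind = detect_type(data)
    pad = trailing_zero_fraction(data)
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if inner in DOC_LIKE_EXTS:
        reasons.append("double extension")
    if inner in EXT_TO_TYPE and EXT_TO_TYPE[inner] != kind:
        reasons.append(f"looks like {inner} but content is {kind}")
    if EXT_TO_TYPE.get(ext) not in (None, kind):
        reasons.append(f"content is {kind}, extension {ext} claims {EXT_TO_TYPE[ext]}")
    if pad > 0.9 and len(data) > 1_000_000:
        reasons.append(f"{pad:.1%} of the file is zero padding (size-limit evasion pattern)")
    return {"name": name, "size": len(data), "type": kind, "padding": pad, "reasons": reasons}


def fake_pe(pad_bytes: int) -> bytes:
    """Constructed sample: the smallest MZ/PE header shape detect_type() accepts,
    followed by pad_bytes of zeros. It is not a runnable program."""
    hdr = bytearray(0x84)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)   # e_lfanew -> 0x80
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr) + b"\x00" * pad_bytes


# Constructed benign comparison
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    for n, d in (("Agreement.pdf.scr", fake_pe(4 * 1024 * 1024)), ("invoice.pdf", SAMPLE_PDF)):
        r = inspect_file(n, d)
        print(f"{n}: type={r['type']} size={r['size']} padding={r['padding']:.2%} reasons={r['reasons']}")
```

The padding heuristic is deliberately crude (a single trailing run of zeros); real samples sometimes pad with random bytes or pad in the middle of the file, so a scanner that only looks at the first few hundred kilobytes would treat entropy of the tail and the PE section table as further signals.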
LTT does use permissions, but they have a lot of users with a variety of permissions. One of the first things Linus did was change 2FA and passwords for the main accounts and then log out all logged-in devices, but logging out the attackers didn't log them out. Then he hopped onto the content manager to start revoking rights, but he didn't set it up and didn't want to wake up the one who did, so he had to learn as he went. But YouTube's content manager started throwing errors and timing out trying to revoke rights for some reason. So he tried logging into some of the users, but due to a recent password mitigation he didn't have access to some of them yet. Later they found out Google knew which account was compromised but didn't immediately tell them.
Got this from the video they made the day of the attack. They sounded good considering they hadn't slept in 24 to 48 hours at that point.
A better solution might be a warning when attempting to open a file with multiple extensions, rather than just disabling "hide extensions for known file types" in Explorer. This may work for an experienced user who knows what different file extensions are, but for a novice who doesn't know the difference, they're probably going to just ignore the extension anyways. This could be annoying for power users though.
The only extension that matters or is actually an extension, is the last one. I fully agree that better file level security is part of the solution, and that begins with not allowing a file to be named .pdf.scr or .pdf.exe.
I'm going through my Security+ training and this was an awesome breakdown of a real-world scenario! I am definitely a subscriber now.
Same here, you should check out Professor Messer if you haven't already; he's got a free video series on how to pass 💜
File name extensions need to be enabled BY DEFAULT. Hiding the file extensions might look cleaner, but it heavily increases the chance of getting tricked into running an executable.
Yeah, it’s strange Windows hides them by default. Makes no sense.
The problem is that tech-illiterate people rename a file and then accidentally remove the extension. It doesn't highlight the extension by default, but I've seen it happen a couple of times with other people.
@Fusseldieb Windows will warn you though if you try to do this.
It's times like this you really appreciate the execute permission bit on Linux.
Thio Joe has recently done a couple of videos about this and similar attacks.
And for all the people talking about showing file extensions, it turns out there are a few unicode characters that reverse text direction after the character, even the file extension.
That will keep you on your toes. And Thio Joe discussed that too.
yes, i saw that video 😁
Yes, there's some kind of hack involving right-to-left languages.
Pretty sure .scr is one of those superhidden extensions, like .lnk and such. In this case, they didn't need to use that special command.
I always thought that keeping session cookies in plain text on the storage device was a bad idea. The information should be encrypted by the browser.
or just don't let applications (like screen savers) read any arbitrary data on the disk. especially web browsers
It is not saved in plain text in your browser; the malicious code just bypassed that. It acts like it's your own computer.
Would you be okay entering a password every time you launch the browser?
@Rohan.S. Jamadagni maybe, but it's not necessary. you can leverage the operating system to encrypt based on the computer's password or protect the address space, or both
I don't know if this is common for malware, but one thing I found interesting was that all the date and time codes for the different time markers in the hex editor were impossible dates for computers to exist in, like 1601.
1601 is the first year of the Gregorian calendar cycle that was active when Windows was designed
Completely reasonable interpretation, but those aren't the dates of the data, but rather the actual data being interpreted as dates. So because most or all of the data aren't dates, they naturally appear as nonsense when interpreted as such.
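To make the last reply concrete: the inspector pane of a hex editor reads whatever eight bytes are under the cursor as a Windows FILETIME, which counts 100-nanosecond ticks from 1601-01-01 UTC. Zeros, small integers and ASCII therefore decode to the year 1601 or to no calendar date at all, while a genuine timestamp lands in a narrow modern window. The decoder below is an added example, not code from the video; the byte samples at the bottom are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME counts 100 ns intervals
SAMPLE_TIMESTAMP = datetime(2023, 3, 20, 15, 0, tzinfo=timezone.utc)   # constructed


def filetime_to_datetime(raw: bytes) -> Optional[datetime]:
    """Read 8 little-endian bytes as a FILETIME, as a hex editor's inspector does.
    Returns None when the value does not fit a calendar date at all."""
    ticks = struct.unpack("<Q", raw)[0]
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except (OverflowError, ValueError):
        return None


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse conversion, used here to build a known-good sample."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def plausible_timestamp(raw: bytes, lo: int = 1990, hi: int = 2040) -> bool:
    """Carving heuristic: a genuine timestamp inside a modern binary sits in a narrow window;
    zeros, small integers and ASCII decode to 1601 or to no date at all."""
    dt = filetime_to_datetime(raw)
    return dt is not None and lo <= dt.year <= hi


if __name__ == "__main__":
    samples = {
        "eight zero bytes":        b"\x00" * 8,
        "'PE\\0\\0' + zeros":      b"PE\x00\x00\x00\x00\x00\x00",        # 0x4550 ticks
        "32-bit field 0x80 + pad": b"\x80\x00\x00\x00\x00\x00\x00\x00",
        "ASCII 'Agreemen'":        b"Agreemen",
        "real timestamp":          datetime_to_filetime(SAMPLE_TIMESTAMP),
    }
    for label, raw in samples.items():
        print(f"{label:25} {raw.hex()} -> {filetime_to_datetime(raw)}  plausible={plausible_timestamp(raw)}")
```

Note that the PE header itself stores its build time as a 32-bit Unix timestamp (seconds since 1970), not a FILETIME, so the only 1601-based fields you would expect in a plain executable are inside resources or appended data; everything else that decodes to 1601 is just non-date bytes.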
I really hope that this is a lesson for all of LTT media to only give very specific people access to the actual channels. These aren't just user accounts This is what their whole business is built off of
Also, from a different standpoint, YouTube could have a better system to manage content. Like a multi-user system with different permissions regarding a channel, where one user does community posts and responds to comments, another can check analytics, and only the superuser can upload/delete videos/stream. Something like that. Many channels are run by companies at this point; I'm surprised YT doesn't have a paid company service that accommodates them. Surely beats making money by forcing 300 ads per minute down people's throats.
@Amanda Alexandre They do have a system like that. The account that was stolen had access to uploading videos because the marketing/advertisement people at LTT upload the fully sponsored videos, like the partnerships with AMD.
Good video with some cool insight. Linus explained that only certain people have access to the channel, and even those people have limited access to certain things. Would be a good wake-up call for new protocols or software to prevent something like this from happening again.
New protocol - don't click and open unknown files like you're a 7-year-old using email for the first time
Imagine people who send malicious emails to someone named "The pc security channel"
this is more like a declaration of war
they're getting cocky :D
I mean they did it to a channel called "Linus *Tech Tips* " and it clearly worked so why not!
roll of the dice, except it's 100-sided
I dunno why, but I was kinda expecting you to run it so we could see the whole process. For example, when they opened it, what would've happened? (locked their pc, etc or would it have looked like a "real" agreement when opened and more of a stealth approach?) The effort some people go to is insane and I wonder how many people actually fell for the crypto videos/sent crypto.
I think with the rise of AI, this will get harder and harder to notice/detect, and some people are already using AI to scam people. I heard about a case where they used AI voice cloning to clone the voice of a person and then called that person's parents pretending to need money for something serious, and the parents never for a second thought it was a scam, so they handed over $5k. I'm not sure if you've looked into AI much, but I think you should definitely take a quick deep dive into it as the stuff is scary now, and even if it is "bad", it's the worst it'll ever be and can only get better, which is even scarier to think about.
Also, uploading a crypto video on his YT channel doesn't seem like the smartest move if money was the main goal imo. Wouldn't it have been easier to just use their pc for ransomware or maybe LTT had backups or something. Still, very interesting video.
You mentioned that there should not have been so many people who had access to be able to manage the youtube channel, but another thing to consider is that (at least to me it seems this way) most employees at LMG have administrator Windows/Mac accounts, and this type of malware code would have to run with administrative privileges to capture the session information and upload to the attacker. If Linus made it so that only senior employees (Linus and Luke etc) only had administrator access and everyone else had normal user accounts, then I feel that this attack could have been prevented. Please feel free to call me out if any of the information in my comment is incorrect. I do not want to spread misinformation.
I personally think emails that come from verified marketing should have some form of badge that verifies from the company domain -- similar to an SSL cert / public key verification. else the influencer should just avoid opening attachments entirely.
Most of these attacks have the files in a zipped archive and they are encrypted, requiring a password to open (this helps bypass antivirus as well). Anybody who goes through the process of entering the password into a zipped archive should not be allowed anywhere near anything tech related; that's an obvious huge red flag that anybody should be aware of. It's not as simple as "just clicking one file", it's a multi-step process
I'm sorry Alex Stump, but I did not know putting a password on a zip file helps bypass antivirus. Do I now no longer have access to my computer?
what makes it funnier is linus specifically mentioned this type of exploit in a video... and was like "I might have fallen for this one!"
Antivirus software (especially Windows Defender) should automatically flag files named .pdf.scr or .pdf.exe (and similar), because nobody is going to name their documents that way unless they have malicious intentions.
It's baffling to me that AVs don't automatically flag these files or warn the user when the scams have been happening since august last year at least
EDR solutions like Crowdstrike DO this. This is a matter of the Linus team cheaping out on InfoSec tools.
@kain euler EDRs like CS, CB, or S1 do not care about file size. They monitor every single process/thread/command/execution that's running in real time, so if it catches something it finds sus (which this absolutely would), it will catch it, regardless of file size.
@Robert Garrison I'm talking about windows defender or other basic antivirus.
@kain euler Ah, yeah no, those can't be trusted in 2023 when it comes to proactive monitoring. Those AVs are solely reactive, and by then the damage has already been done. I see this daily at this point in my line of work.
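What "monitor every process in real time" looks like as an actual rule, for the delivery path discussed in this thread: an archiver extracts to a temp directory, a document-looking executable is launched from there by an interactive parent, and the new process then talks to the internet within seconds. The code below is an added example, not a rule from CrowdStrike, Carbon Black, SentinelOne or the video; the events are constructed Sysmon-style JSON lines (EventID 1 = ProcessCreate, 3 = NetworkConnect) with made-up GUIDs, user name and IP.

```python
import json
import ntpath
from datetime import datetime

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".mp4"}
# Parents that mean a person opened the file, as opposed to an installer or service
INTERACTIVE_PARENTS = {"explorer.exe", "winrar.exe", "7zfm.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\desktop\\", "\\documents\\")
CORRELATION_WINDOW_S = 300

# Constructed Sysmon-style events (EventID 1 = ProcessCreate, 3 = NetworkConnect).
SAMPLE_EVENTS = r"""
{"EventID":1,"UtcTime":"2023-03-23 14:02:11","ProcessGuid":"{a1}","Image":"C:\\Program Files\\WinRAR\\WinRAR.exe","ParentImage":"C:\\Windows\\explorer.exe","User":"LMG\\marketing"}
{"EventID":1,"UtcTime":"2023-03-23 14:02:40","ProcessGuid":"{b2}","Image":"C:\\Users\\marketing\\AppData\\Local\\Temp\\Rar$EXa0.123\\Agreement.pdf.scr","ParentImage":"C:\\Program Files\\WinRAR\\WinRAR.exe","User":"LMG\\marketing"}
{"EventID":3,"UtcTime":"2023-03-23 14:02:43","ProcessGuid":"{b2}","Image":"C:\\Users\\marketing\\AppData\\Local\\Temp\\Rar$EXa0.123\\Agreement.pdf.scr","DestinationIp":"203.0.113.10","DestinationPort":443}
{"EventID":1,"UtcTime":"2023-03-23 14:05:00","ProcessGuid":"{c3}","Image":"C:\\Users\\marketing\\Downloads\\vlc-3.0.18-win64.exe","ParentImage":"C:\\Windows\\explorer.exe","User":"LMG\\marketing"}
{"EventID":1,"UtcTime":"2023-03-23 14:06:00","ProcessGuid":"{d4}","Image":"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe","ParentImage":"C:\\Windows\\explorer.exe","User":"LMG\\marketing"}
"""


def score_process(ev: dict) -> list:
    """Reasons a ProcessCreate event looks like a document-disguised executable."""
    image = ev["Image"].lower()
    base = ntpath.basename(image)
    stem, final = ntpath.splitext(base)
    inner = ntpath.splitext(stem)[1]
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    reasons = []
    if final in EXEC_EXTS and inner in DOC_EXTS:
        reasons.append(f"double extension {inner}{final} (document masquerade)")
    if final in {".scr", ".pif"} and parent in INTERACTIVE_PARENTS:
        reasons.append(f"{final} file launched interactively by {parent}")
    if final in EXEC_EXTS and any(p in image for p in USER_WRITABLE):
        reasons.append("executable run from a user-writable path")
    if "\\rar$" in image or "\\temp\\7z" in image:
        reasons.append("executed straight out of an archiver's temp extraction directory")
    return reasons


def detect(log_text: str) -> list:
    """Run the rule over JSON lines and correlate network activity from flagged processes."""
    flagged = {}        # ProcessGuid -> alert dict
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1:
            reasons = score_process(ev)
            if reasons:
                alert = {"guid": guid, "image": ev["Image"], "user": ev.get("User"),
                         "severity": "high" if len(reasons) >= 2 else "medium",
                         "reasons": reasons, "first_seen": ts}
                flagged[guid] = alert
                alerts.append(alert)
        elif ev["EventID"] == 3 and guid in flagged:
            alert = flagged[guid]
            age = (ts - alert["first_seen"]).total_seconds()
            if age <= CORRELATION_WINDOW_S:
                alert["severity"] = "critical"
                alert["reasons"].append(
                    f"outbound {ev['DestinationIp']}:{ev['DestinationPort']} {int(age)}s after start")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["image"])
        for r in a["reasons"]:
            print("   -", r)
```

The installer downloaded to `Downloads` still produces a medium alert, which is the noise an EDR tunes with allow-lists and signer checks; the point of the correlation step is that the lure process reaches "critical" on its own behaviour, not on a file-size or signature check, which is why size padding does nothing against it.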
Great video! It was my first time watching a video from you and as an IT professional transitioning into the cybersecurity field, this was a very informative video!
btw, in the scroll history it says "Crowdsack" instead of "CrowSec". Just wanted to let you know. Again great video!
Great discussion. One big thing that was indirectly touched on here - the first thing I do on any new system I install is enable viewing of extensions. This will make it immediately obvious that the file says agreement.pdf.scr. In my opinion, the default behavior where Windows hides extensions, making agreement.pdf.scr look like agreement.pdf, is just helping the propagation of malware. Every version of Windows seems to make things "easier and easier" by taking away as many details as possible rather than simply educating users on what a file extension is.
I used to be annoyed with myself over the fact that I got hacked but then seeing how many other people have fallen victim to hacking makes me feel better tbh
how did you get hacked? and how did you find out
@Spontaneity there are multiple ways the two most common ways are people losing a tablet, phone or laptop and someone finds it or someone downloads something like SCR or free stuff that contains the malware.
Problem is, that youtube offers almost no tools to limit privileges for people having access to a channel. Companies are sometimes forced to give main login information to people who will moderate chats, manage video descriptions etc.
Another thing is that malware hijacking session tokens and browser passwords doesn't even need admin privileges, so restricting user accounts on the PC will not defend against it.
It should probably be a standard protocol to educate staff dealing with a lot of external sources about standard internet security. Or pretty much just have an isolated virtual machine with detection and monitoring software that is used only for opening emails the first time just as an extra layer of security. Worst-case is that email gets phished and you can just deactivate it.
It shouldn't take too much to have your security expert teach someone in marketing how to detect when there's at least unusual activity by looking at the logs.
Kudos for defending the employee. People were so quick to call for him to get fired without having an iota of an idea of how oblivious most of them would be to a targeted phishing campaign against them, especially in your employment capacity (ironically, we become less suspicious and more compliant even in security sectors) vs your personal email. Cheers
If you're talking about the fire Colton thing, it's an ancient channel meme, Colton has been "fired" hundreds of times. Colton gets blamed for everything and this time it might actually have been him so the meme came back hard. He won't go anywhere though, dudes been there since day 2.
I agree, it’s Linus’ fault here for making his employees use Windows
A company I worked for was hacked due to a security flaw that was introduced in a Microsoft Exchange Server update.. when it was brought to light he quickly rolled back but by then it was already too late and got hacked around the time people were looking for chocolate eggs a certain bunny had been littering.
@IrreverantRex Yeah lol. When I found out, that was my first thought. "Oh well, Colton's getting fired for the 22nd time I guess."
Especially ironic considering the origin of that meme includes iirc him almost getting the channel banned or something and then getting 'fired'.
@Jacques Faba He should probably keep access to anything even remotely important to only those who terminally live inside a computer. Having Windows is not an excuse to fall for a phishing attack. The only excuse is incompetence. Not opening an executable from email is computer literacy 101.
Very cool malware, honestly. Whoever made it was quite smart to make it a large file; I also noticed AV programs don't scan larger files. And good execution with the email and pdf.scr.
honestly might have even caught me off guard if i had a youtube channel
Would be nice if you could test the sample in a sandbox environment. It bypassed their AV; according to them the AV gave a notice, but somehow it was still able to do the job. My guess is it has a way to inject a payload even with an AV present. And see which AVs actually work against this.
Browsers definitely need a way to harden their storage mechanisms. They already allow the users to encrypt stored passwords, but they should also allow to encrypt cookies, local storage and other stored data with a master key/password. And surely, only that exact browser with a verified vendor signature should have the OS's permission to work with its files.
Great breakdown of the situation. It blows my mind that things like this still work, but as we see time and time again, session stealing is very much still a lethal and viable technique. Nice breakdown, and hopefully this is a reminder for the tech-oriented user to pay close attention to what they open... All it takes is letting your guard down for a quick moment to get caught by these things, and it really can happen to anyone, even the security-minded user.
Why aren't the session tokens encrypted and only readable by the issuing web browser, based on the browser's internal ID?
@Richard Encryption doesn't matter when malware runs on _your_ computer. Where would you store the key? If your OS has access, then malware can find a way to gain access as well. Even if a hardware TPM or Secure Enclave was present.
And aside from encryption being resource intensive to do (and battery hungry), it also would be highly inefficient if your browser is already running, as that data would be in memory, unencrypted, anyway.
it's not "the technique", the attack vector was someone being dumb. anyone with an RCE can do anything on the machine that you can do.
@ui_wizard the key does not have to be locally present nor does it have to be static; it can be a calculated value either based on datetime or another system similar to RSA tokens. there is also no need to "store the key" since you can input it every time, e.g. biometric keys.
encryption is not resource-heavy, every layer 4+ connection you make has TLS over the top of it. it feels like everyone on here is just making guesses as to how computers work without understanding the stack.
Scouring memory is not a reliable vector for harvesting tokens.
When it comes to emails as a way to sneak malware into your system, having a good spam filter can help too, mostly because emails containing potential malware are automatically sent to the spam folder and you don't get notified.
the person who's job it is to respond to these could also use a machine that doesnt have channel credentials used specifically for answering sponsorship emails as an additional layer of protection from something like this happening
Exactly. I don't do anything like working with sponsors, but last year at university we had a homework assignment in Java programming (basically a game), and our teachers being lazy, we had to grade each other's code (everyone gets 5 random people's code). And I specifically set up a VM in case anyone would put malware into it (you would think "oh, they are not stupid enough to put malware in it, just think about the backlash", but no. Seeing how many programming students fall for free Discord Nitro scams, I will not take the risk).
Virtual machine maybe?
Maybe that person manages YouTube videos, thumbnails, tags, descriptions etc. for multiple videos at once. That kind of app is most needed.
If it was just about editing videos, then they would have done it on an offline machine.
Maybe it was Linus himself.
@Bruhmaster A Remote Desktop for YT account actions.
What would have been (more) interesting to know is what they could have done to stop the attack once they realized what was going on, perhaps nothing to do without the help of google ?
Linus mentioned he DID have youtube channel management parceled out. but the tool he used to do that made it difficult to tell which workstation it came from.
I'm glad you mentioned the fact that the PDF is usually not sent in the initial email, but rather in a follow-up email, and the fact that many legit companies use third-party PR firms to reach out for sponsorships. After hearing those two facts, it's no wonder someone who works for a big YouTube channel would fall for this, especially if they get dozens if not hundreds of legitimate offers every single day with no discernible difference up front. Having a sponsorship manager with complete and total access to the YouTube channel was a serious blunder on LMG's behalf though, and the hack would have been mitigated had that not been the case, so I hope they've learned a lesson from that. Imagine being a solo creator dealing with this though. Answering dozens of emails from potential sponsors while also working on your own content. You wouldn't have a buffer from this kind of attack, unlike LMG would.
step 1: explore & gain trust
Linus said their corporate anti-malware program caught it, but it was only a notification. Because no one was constantly monitoring the dashboard, the malware slipped through.
I hope more malware builders test on LTT's ecosystem... I hate that guy...
Not like they can get remote tools to check for them
because of one thing
Being too famous is asking for problems
He got out of the shower to check his channel
Not getting dressed like a father does
If I was a kid I would be outside because of the noise
From a hacked channel to scaring kids as well
One great protection is enable file extensions - you'll be able to see if it's .exe or not ...
The bit that surprised me was that LTT had a PC that had both YouTube account access and was used to process incoming offers. I would have thought the two should be kept well apart.
Yeah, running VMware Workstation and opening suspicious emails in a VM can go a long way to protecting your PC, definitely a hassle to maintain though.
They said that sponsored videos are uploaded by the marketing department, so that would be why
Linus is barely even at the warehouse unless he has to be in the video.
@tegneren but still that doesn't mean that one system should be used to process both stuff. LTT is a large organization and they can afford to have an isolated system to process outside information, before it enters the main server. Anyways they learned it the hardway!
Everyone at Linus should have file extensions and hidden files enabled by default for windows explorer
Why? Did he spend a cent on security training for his employees?
There is a reason why tech companies do security training multiple times per year.
Microsoft need to, as others have said, show file extensions by default however, they also need to block .SCR files by default too as well as Defender being a bit more advanced and able to block and warn about files with double extensions, such as .pdf.exe
I think browsers should encrypt stored data like session tokens, and ask for a decryption password when launched (which would imply never storing decrypted cookies outside of the RAM)
They do something similar to that for passwords, where they will use OS-level security/encryption as appropriate (on Linux and macOS you have Keychain, Windows also has something similar). It would be nice if cookies were also covered by that.
Um.. the whole point of session tokens is to not have to put in a password... So the real solution is: "don't choose 'remember me'"
@Colin Joyce I don't agree, having to login every time on every website can be tedious, where one prompt when you open your browser asks the user for much less effort.
The real solution would be to keep your sessions short
Yeah, but what if I just want to move my data from one PC to another? I just raw copy-paste files and tada, I don't want encryption BS to deal with. Isn't it Windows' fault that it doesn't have an alert: you're about to open a .exe or .scr file, are you SURE? And to not be annoying, it would pop up only the first time you run a file. And you can even disable it...
I remember this happening to the Neebs Gaming channel last year. Fortunately they were able to get their channel back and didn't lose any of their videos. Unfortunately this can literally happen to anybody, no matter how careful you are.
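The thread above argues about what the browser should do with a cookie that any process running as the user can copy. The other half of the problem lives on the server that issued it, and that is where "log out all devices" and "keep your sessions short" actually get implemented. Below is an added example (not YouTube's or the video's code) of a session store with three controls: an absolute lifetime, binding the token to the client context it was issued in, and a per-user "session epoch" that invalidates every outstanding token at once. Users, IPs and user-agent strings are constructed; binding to IP is shown because it is the simplest signal, not because it is what Google does.

```python
import hashlib
import secrets


class SessionStore:
    def __init__(self, max_age_s: int = 8 * 3600, idle_s: int = 30 * 60):
        self.max_age_s = max_age_s
        self.idle_s = idle_s
        self._sessions = {}     # token -> session record
        self._epoch = {}        # user -> counter bumped by revoke_all()

    @staticmethod
    def _context(user_agent: str, ip: str) -> str:
        # Coarse binding: a cookie replayed from the attacker's box will not match.
        return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()

    def issue(self, user: str, user_agent: str, ip: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user, "ctx": self._context(user_agent, ip),
            "issued": now, "last": now, "epoch": self._epoch.get(user, 0),
        }
        return token

    def validate(self, token: str, user_agent: str, ip: str, now: int):
        """Returns (user, 'ok') or (None, reason). Dead sessions are dropped on sight."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown"
        if now - s["issued"] > self.max_age_s:
            del self._sessions[token]
            return None, "expired"
        if now - s["last"] > self.idle_s:
            del self._sessions[token]
            return None, "idle"
        if s["epoch"] != self._epoch.get(s["user"], 0):
            del self._sessions[token]
            return None, "revoked"
        if s["ctx"] != self._context(user_agent, ip):
            # Don't silently reject: this is the signal that a cookie left the machine.
            return None, "context-mismatch"
        s["last"] = now
        return s["user"], "ok"

    def revoke_all(self, user: str) -> None:
        """'Log out all devices': every token issued before this call now fails."""
        self._epoch[user] = self._epoch.get(user, 0) + 1


def scenario() -> dict:
    """Constructed walk-through: victim logs in, cookie is stolen, owner revokes."""
    store = SessionStore()
    t0 = 1_679_580_000                          # arbitrary epoch seconds
    ua_victim, ip_victim = "Chrome/111 Windows", "198.51.100.7"
    ua_attacker, ip_attacker = "Chrome/111 Windows", "203.0.113.10"   # same UA string, different network
    tok = store.issue("marketing@lmg", ua_victim, ip_victim, t0)
    results = {}
    results["victim"] = store.validate(tok, ua_victim, ip_victim, t0 + 60)[1]
    results["stolen_replay"] = store.validate(tok, ua_attacker, ip_attacker, t0 + 120)[1]
    store.revoke_all("marketing@lmg")
    results["after_revoke"] = store.validate(tok, ua_victim, ip_victim, t0 + 180)[1]
    tok2 = store.issue("marketing@lmg", ua_victim, ip_victim, t0 + 200)
    results["new_login"] = store.validate(tok2, ua_victim, ip_victim, t0 + 9 * 3600)[1]
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step:14} -> {outcome}")
```

Binding to the client IP breaks for mobile users and for offices behind changing NAT, so production systems usually bind to softer signals or treat a mismatch as a trigger for re-authentication rather than a hard failure. The epoch counter is the part worth copying: it makes "log out all devices" a single write rather than a hunt for every issued token.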
I have always the "File name extensions" enabled, so I don't need to go into properties to see the hidden extension. But with that said, personally, seeing .scr wouldn't be as alarming as .exe
That's probably why they did it.
You need to watch a ThioJoe video explaining why showing file name extensions alone is not bulletproof.
To summarize, there is a technique that exploits reverse reading languages to show a different extension at the end.
Windows should stop dumbing some things down, and file extensions should be shown by default, and must be the last thing in a filename NO MATTER WHAT.
But for now, it's not the case and it's ridiculous.
@MANTISxB But the thing is, sometimes they send a video file too... so if you are not careful about checking the size, you will presume the big ZIP file came from the video.
Yeah, I hate the fact that showing file name extensions is not the default on Windows. Makes it a lot easier to disguise executables as harmless files.
Thanks once again for the Hex Editor trick! It saved me from having my pc infected by what seemed a setup file for bluestacks.
The size of that "PDF" already threw me for a loop; considering how many files I manage on a daily basis, 9 times out of 10 I would know if it's sketchy or not. Then again, I can understand that some people aren't always focused when reading emails, hell I ignore half of mine.
Linus should have made sure all computers were set to show extensions, and they should run every file from a 3rd party, regardless of size, through a competent antivirus. This is really not that difficult to do. Antivirus scans take seconds with an SSD. This is basic security for most.
What if youtubers like Linus can implement a strict protocol that they open sponsorship mails only on a VM? Would that be a solution for this?
I remember Nero Cinema was talking about how dumb an Activision employee was for getting hacked by checking an email, and a couple of hours later he got hacked by the same method.
An encrypted zip file is a huge red flag alone. Normal zips are okay as most antispam services can check, usually up to a depth of like 128 folders deep.
I certainly use it to send stuff to myself to bypass such scanners. But that is from me to me, so I know what is going on... but it is a fairly obvious bypass all around because no AV tool out there can decrypt it (yet) to scan.
That's probably the biggest thing here, and 99% of tech channels ignore it. I'm not sure they even know why scammers use the password/encryption function in the first place. There's no need to ever require this unless you encounter it the way I do: from piracy and trying to download unsigned cracks etc. But scammers also use them when a game first comes out to try and trick the normies, but those are the types that don't want you to have a password because there's nothing in it; they want you to do surveys for a non-existent password.
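One correction worth making concrete for the three replies above: a password-protected zip hides the file contents from a scanner, but not the listing. Both ZipCrypto and AES-in-zip leave the central directory in the clear, so entry names, uncompressed sizes, compressed sizes and the encryption flag are readable without the password, and that is enough to flag `Agreement.pdf.scr` or a 700 MB "PDF" that deflates to a few kilobytes. The triage function below is an added example, not the video's code. The sample archive is constructed in memory, and its encryption bit is set by patching the central directory by hand (the data stays plaintext; only the listing looks password-protected), because Python's `zipfile` cannot write encrypted archives.

```python
import io
import struct
import zipfile

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk", ".msi"}
FLAG_ENCRYPTED = 0x0001        # bit 0 of the general-purpose flag


def triage_zip(zip_bytes: bytes) -> dict:
    """Judge an archive from its central directory alone; no password needed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
    entries, reasons = [], []
    for zi in infos:
        name = zi.filename
        lower = name.lower()
        final = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
        encrypted = bool(zi.flag_bits & FLAG_ENCRYPTED)
        ratio = zi.file_size / max(zi.compress_size, 1)
        entries.append({"name": name, "encrypted": encrypted, "uncompressed": zi.file_size,
                        "compressed": zi.compress_size, "ratio": round(ratio, 1)})
        if encrypted:
            reasons.append(f"{name}: encrypted entry (defeats content scanning)")
        if final in EXEC_EXTS:
            reasons.append(f"{name}: executable extension {final}")
        if lower.count(".") >= 2 and final in EXEC_EXTS:
            reasons.append(f"{name}: double extension")
        if ratio > 100 and zi.file_size > 1_000_000:
            reasons.append(f"{name}: {ratio:.0f}:1 compression, almost all padding")
    return {"entries": entries, "reasons": reasons, "suspicious": bool(reasons)}


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encryption bit in every central-directory header (constructed sample
    only; the data stays plaintext, but listings treat it as password-protected)."""
    buf = bytearray(zip_bytes)
    eocd = buf.rfind(b"PK\x05\x06")                      # end-of-central-directory record
    n_entries, _cd_size, cd_off = struct.unpack_from("<HII", buf, eocd + 10)
    pos = cd_off
    for _ in range(n_entries):
        assert buf[pos:pos + 4] == b"PK\x01\x02"           # central file header signature
        flags = struct.unpack_from("<H", buf, pos + 8)[0]
        struct.pack_into("<H", buf, pos + 8, flags | FLAG_ENCRYPTED)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(buf)


def build_sample() -> bytes:
    """Constructed lure: one 'Agreement.pdf.scr' that is a stub plus megabytes of zeros."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Agreement.pdf.scr", b"MZ" + b"\x00" * (2 * 1024 * 1024))
    return mark_encrypted(buf.getvalue())


def build_clean() -> bytes:
    """Constructed benign comparison: a small PDF, not encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("lure", build_sample()), ("clean", build_clean())):
        r = triage_zip(data)
        print(label, "suspicious" if r["suspicious"] else "ok")
        for e in r["entries"]:
            print("  ", e)
        for why in r["reasons"]:
            print("   -", why)
```

A mail gateway cannot open the encrypted entry, but it can still quarantine on exactly these fields, and most commercial gateways do; the bypass works against scanners that only look inside extracted content.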
I agree this is also a giveaway. Any normal company doesn't zip a pdf file so there should be no need to extract it. And even so, a huge zip file to only hold a single pdf file is suspicious. On top of that, even when file extensions are hidden (as the other files didn't show any extension) and this one did show the .pdf extension, you should be aware this won't be the true extension otherwise it was hidden as well so you can be sure there is another extension behind it making the .pdf visible.
Also, in an email, look for obvious spelling errors like the first one that was shown: "We are sells energy drinks", this is a dead giveaway this was translated instead of typed and should be treated as suspicious.
So Linus (or his staff) made 4 mistakes that led to this tragedy:
1. Ignoring obvious spelling mistakes (if he received such a misspelled email)
2. extracting a huge zip file to get a simple pdf to state an agreement
3. ignoring the huge filesize for a simple pdf
4. running it with a visible file extension when extensions are hidden
@PowerPC603 That the extension is shown despite extensions being hidden was confusing to me as well. Although, if you spend about 30 sec on this file, you might easily miss that.
Absolutely, a red flag with a fog horn.
You mentioned that only one person should have access to upload videos etc., but I think large YouTube channels should go one step further. The access should probably not be associated with a regular account that people use as their "daily work driver". There should be a separate account that they need to log into and log out of after they are done managing the account. If you want to go wild, maybe even from a separate machine. Not being permanently logged in on the account that can change things would make this kind of attack more or less impossible.
You would think by now that AV scanners can be smart enough to see a big file, scan up to a certain point (or maybe just look at the end of the file), and when it catches all that padding to throw a red flag. If it gets to a reasonable point in the file and doesn't see anything suspicious, it can just stop scanning to save resources.
This vid confirms I'm doing great. On top of the regular AV I always paste suspicious files into VirusTotal too, but I didn't know if it was worth anything. Seeing a tech YouTuber use it validates my behavior, yay
One good thing to do is set up different departments that don't have a direct data connection to each other. For example, the marketing department doesn't have access to finance department computers and archives, and in Linus's case, the production or publishing department would be the only one with YouTube channel access. All other departments can just have their own channel with no videos or information on it, only for viewing and some communications.
You know..i'm gonna subscribe to this channel because i know what happened to LTT and because the channel is very useful these days in a digital hackable world...Thank you for sharing.
I think the "show file extensions" option should be enabled by default in Windows Explorer, because otherwise, if you don't look at the properties of the file, you would not even notice if a file had a different file extension from what you would expect. Many people have this option disabled because they just never changed it, so they could easily fall for such a trap if they don't know that much about computers.
I don't know how people function with file extensions off. Sure, there's no guarantee that the contents of the file match the extension, but it seems to be at least an indication of what windows will attempt to do with the file if you open it.
Nowadays hackers use special characters to reverse the filename to make it look like a legit file even with "show file extensions" on
Even if file extensions are disabled, you should be able to see there is something wrong. All other files don't have the extension visible and this one did show the .pdf extension, so there should be another extension behind it, making the .pdf visible.
Doesn't anyone look at the details of the file before clicking nowadays, I guess? I have all my downloads in detail view showing the file type. I've been freaking using this account, as old as YouTube, and I've never been hacked.
@Nara Ken delos Santos since 2006?
Could an antivirus counter the virus after he clicked on the pdf file? Or is suspicion and common sense still the best protection?
I actually didn't know you can manipulate the letters at the end of files. Hmmm, something new to learn today! Thank you!
That's what I was wondering about if the PDF file LTT received is really a PDF file ending with a .PDF extension or not. 'Coz I've read even legit PDF files from a hacker can compromise your system depending on what PDF reader software you used to open it. 🤔
I keep forgetting that the majority of users have the file name extensions hidden.
Thank you for the well explained video, it's great for sharing!
My biggest surprise here is that anyone involved with a tech channel would have "Show/Filename Extensions" set to the default. It's one of the first things I change.
Microsoft should really stop this "Hide extension for known file types" thing. That Windows feature is the main attack vector, because it makes an executable look like an innocent file.
They should really stop being a company and putting out that virus, windows.
Maybe the reason Microsoft created that feature is that for people like us, who know the meaning of an extension, the hiding is useless, but people who don't know will mostly rename their file wrong (like deleting the extension).
But I agree with you, they need to update the system,
like they could just show the extension but make it not editable when renaming the file.
It's optional, you can turn it off, and it's there because that's how Apple does it. Maybe Microsoft should prohibit changing a file extension by renaming the file, and only allow it in the Properties dialogue. And also, Windows should prevent multiple file extensions when any but the last is an executable file type. So something like ".pdf.old" is permitted, but ".pdf.exe" is prohibited.
@Richard Of course you can turn it off, but it's on for 99.999% of Windows users. It's the default setting from hell. And no, Mac doesn't do this. Mac has 4-character file types and creator that can't be downloaded from the internet. The risk doesn't exist in the same way on Mac. And Mac notarizes executables. Not even a comparison.
I wasn't familiar with your channel. Good thing it was on my Clip-Share recommendations, your content looks amazing. Keep it up!
Thank you for teaching us these things.
So 2 things that kinda surprised me about this video: a) file extensions are not shown by default. That's turned on on my computer and not only does that help with identifying such files but it can also help in day-to-day business, being able to see if a picture is PNG or JPEG or whatever else at a glance.
b) not using at least the windows antivirus security thingy. I do a windows defender scan on every single file i download from the net, just because it's a habit of mine and usually takes less than 10 sec to do so (and i don't download quite as many files as the employee might). Not sure if windows defender would've found that trojan because i guess that's the AV they're gonna try to fool most, but as soon as one right-clicks the file for the context menu (for scanning) one has the chance to see 770 MB file size on the bottom; one should get suspicious at that point. I know very few PDFs that are that large and they're thousands of pages or tons of pictures, so there's really no need for an offer to be that large.
I feel like all the warning signs are there for this case if you use proper precautions...
The worst part about not checking those big files is. I actually wouldn't mind if it did that, the thing that slows down my workflow (as a developer) is my AV getting in the way of compilation. Checking thousands of tiny little files. Please check EVERYTHING I download, and honestly don't check anything else thank you.
Wow, I haven't seen screen savers in forever! I forgot about those things. That's pretty sneaky. 🙁
I feel like at this point, proper security protocols would be to have a separate machine that exists exclusively to open emails and doesn't have access to anything except the email account.
Except that many attackers want control of your recovery e-mail only (in that phase).
@John DoDo Doe you can have emails forwarded to an unattached proxy email for this purpose, using something like POP so they're deleted off the first address as soon as they're sent to the second one, then you'd have to intentionally send it BACK to the first email for them to have access to that one
They're running a youtube channel, not a military base.
@Takata Miyagawa If your YouTube channel is your livelihood, you may as well go the extra mile to protect it well, because if you lose it, you basically lose everything. At least in the case of Linus Tech Tips and bigger channels, it's possible to recover this even after a hack happens, but it takes a lot of effort regardless, and taking extra security measures to prevent this kind of thing is very worthwhile.
I don't really get why browsers don't fix these security vulnerabilities by creating a sandbox where cookies are stored. This way all user data for a specific page can only be accessed by that specific page and no other application. This could even further be improved if the device you are browsing from has a secure chip installed like most Macs do.
Had quite a few mails claiming to be from MSI and asking for sponsorships, coming from the same mail provider as the ones you're showing in the beginning. Huge red flag, as well as the statement that the "catalogue" I was supposed to check for products would only work on Windows machines. Stay safe everyone. If a deal sounds too good to be true, it probably is.
It seems like it would be so trivial for chrome/edge/firefox to encrypt any session tokens and cookies on disk, and obfuscate the ones in memory a little.
It's always better to have a laptop or PC fully offline to open such things to stay safe :)
Only using VirusTotal instead of using an AV program is like running a background check on someone who's entering your house but actually not locking any doors or having any kind of alarm
I mean, for your "casual" "home gamer who's a Reddit user" they don't really care because "muh performance" and sometimes even "muh privacy" (while using pirated/"cracked" software) and "a waste of money, Windows Defender is bloatware blah blah". Which is fair, it's their own devices on their own network so whatever floats their boat.
But in the company space, and a tech company at that, I don't know why they didn't deploy an antivirus for the whole building? Which is very weird.
I doubt it'd be a "zero-day exploit" but.
I understand the dangers; true, SCR files also start up just like EXE files.
But the fact that Clip-Share doesn't have the security in place when they don't ask you to log in again when you change the password or the channel name is baffling to me.
Or delete a lot of files... crazy
I would assume they could tie the session token to the current IP address, and if the session token is suddenly used by a different IP they cancel all sessions and request signing in again.
@Alouicious Wrex That would not work with smartphones that go in and out of Wifi range, and use mobilenet when there is no WiFi. The best you could do is time and location. That's why banks invalidate sessions (log you out) after 5-10 minutes of inactivity. Most websites log you out on a device after a week or so. But youtube/google never does it, since if you are not logged in it's harder to mine your data.
The worst part is that (when done right) stealing the environment essentially makes this indistinguishable from the original browser, making it a "trusted device".
@Evan Dark Fair point, I hadn't considered mobile devices
@Evan Dark or MAC address for mobile devices
Actually, I'd clarify that. It's not just like an EXE, an SCR file is a full-fledged EXE by a different extension just to make it obvious that it's intended to be a screensaver and not just any old program, but it is built just like any other EXE and then renamed to SCR as the last step.
I agree that limiting admin access will help prevent a takeover like this, however, I also agree with Linus that Clip-Share could do more. One thing that I predict will be a must for any platform, especially business platforms, will be Zero Trust tools and features. Had Clip-Share and LTT implemented Zero Trust into their environment, this sort of attack would be near impossible without physical access to their network and their devices. But from what I can tell, Clip-Share doesn't have any method for account owners to implement or integrate with a ZTN solution or even limit what IP addresses can perform administrator functions in content creators account.
Wow.... this is one of the reasons I have my file extensions showing. Also, if I suspect it's suspicious, I will open it in a hex editor or a plain text viewer. Usually the first few characters are a dead giveaway.
It’s wild how stuff like this never gets attention until it affects a channel of 10mil+
I wrote a little CMD/BAT script for Windows that blocks the execution of potentially harmful SCR files, while allowing built-in screensavers to run, and applies a warning icon. You can also unblock SCR files and restore the default icon. It does this by modifying Windows registry values. Keep your system safe from malicious SCR files!
Keep in mind that while this script is a helpful addition to your security measures, it may not provide 100% protection against all types of threats. However, it can certainly be a useful tool to help safeguard your Windows system.
@echo off
:: Needs an elevated prompt: the SRP keys live under HKLM. Path rules are GUID-named subkeys
:: under <level>\Paths with ItemData/SaferFlags values; level 0 = Disallowed, 262144 = Unrestricted.
net session >nul 2>&1 || (echo Run this script as Administrator.& exit /b 1)
set "SRP=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
set "BLOCK=%SRP%\0\Paths\{5c1e0b2a-7d4f-4f7b-9a9e-0c3d2e1f4a5b}"
set "ALLOW=%SRP%\262144\Paths\{8f2d3c4b-6a5e-4d1c-b7a8-9e0f1a2b3c4d}"
set "ICON=HKCR\SystemFileAssociations\.scr\DefaultIcon"
:menu
echo SCR Files Security Tool
echo 1. Block SCR files and apply warning icon
echo 2. Unblock SCR files and restore default icon
echo 3. Exit
set /p choice="Choose an option (1, 2 or 3): "
if "%choice%"=="1" goto :block
if "%choice%"=="2" goto :unblock
if "%choice%"=="3" goto :end
goto :menu
:block
:: PolicyScope 0 = applies to administrators too; TransparentEnabled 1 = all executables except DLLs.
reg add "%SRP%" /v "PolicyScope" /t REG_DWORD /d 0 /f
reg add "%SRP%" /v "TransparentEnabled" /t REG_DWORD /d 1 /f
reg add "%SRP%" /v "DefaultLevel" /t REG_DWORD /d 262144 /f
reg add "%BLOCK%" /v "ItemData" /t REG_EXPAND_SZ /d "*.scr" /f
reg add "%BLOCK%" /v "SaferFlags" /t REG_DWORD /d 0 /f
reg add "%ALLOW%" /v "ItemData" /t REG_EXPAND_SZ /d "%SystemRoot%\System32\*.scr" /f
reg add "%ALLOW%" /v "SaferFlags" /t REG_DWORD /d 0 /f
reg add "%ICON%" /ve /t REG_SZ /d "%SystemRoot%\System32\shell32.dll,-154" /f
echo Execution of SCR files has been blocked except for built-in Windows screensavers. Warning icon has been applied.
goto :end
:unblock
reg delete "%BLOCK%" /f
reg delete "%ALLOW%" /f
reg delete "%ICON%" /f
echo Execution of SCR files has been unblocked. Default icon has been restored.
:end
Excellent analysis. It just goes to show if you allow even a small amount of complacency, you will get hurt...
100% this all ramps down to the fact that even if you're a manager on the channel you can't create community posts. You can upload videos, delete videos, whatever you want. You can't make community posts. You have to be logged in from the "main" account. It's the worst.
weirdly it can be delegated via API which means if you have the capacity you can "relay" the intent with custom local tool/ web service
They could use a clean virtual machine or server for posting only
That is 100% not at all what this ramps down to lmao.
@dontaskiwasbored2008 True, but cool API fact.
Clip-Share Studio is just *incredibly* poorly designed. It's an absolute disgrace, especially since it took them absolutely forever to create and they had a very lengthy (multi year!) feedback period that they literally did not do anything with. In Clip-Share Studio you either have too little access or way too much access.
If you're an editor you can't even edit a playlist (because that can only be done in the main site, and they simply didn't bother to implement it in Studio!)
As someone who's been a professional in this space for half my life it's actually OFFENSIVE to me how poorly designed it is. They literally just didn't bother doing it anywhere close to properly. Everything about it fucking sucks ass from the UI to the core functionality.
Little tip, use the "details" view of the files, it tells you more information about the files that live in your downloads folder. Like the size precisely.
When you brought the file into your hex editor, I knew immediately the file was an executable due to the MZ signature in the header.
This is one of those things where if you have a non-tech user then you should absolutely have training and AVs set up. For us that work with tech it's really nonsense to say this could happen to you. No one in their right mind that has any bit of IT experience is extracting a zip file from a random email or even a semi-notable email source. Attachments of any kind in an email are a red flag, even if they're from a trusted source. In today's world you should just block zip files altogether for a business in the spam filter.
@The PC Security Channel can you do a video on this specific malware being tested against the current top AV ? Whether they detect it or not :)
Good video. I think it would've been neat if you added a section to these types of videos where you do some sort of sandboxing of the file, to show what it's actually doing. I'm sure you've heard of it, but Any Run is an example of an interactive open sandbox solution to do this in, another is Hybrid Analysis though it doesn't provide interactivity it still shows screenshots and breaks down the activities it performs. It would be neat to get an idea of the scheduled task creations, additional sub process executions, network traffic to threat actor domains and IPs, etc.
Good thing for them they got it resolved quickly and got support through their other business ventures to alleviate the lack of AdSense while the channel was down. But they definitely have been a bit too lax on their security. Apparently their security software solution was set to a less secure setting due to too many false positives. They really did get to feel how having their policies lean more towards convenience is a bad idea.
That being said, how youtube does not require 2FA for sweeping changes to a channel is down right mind boggling. If you change the channel name and change the status of the majority of your video catalogue there should be some alarm bells ringing no?
While I agree, there are also issues with having security settings too strict, as they might lead to users circumventing them so they can do their job. Now instead of some security, you have none. So, since they said they couldn't handle the amount of false positives, they settled for that. Was it the best idea? No, but they did what they thought was right. It seems that looking forward they should look into how to handle the false positives better, or alternative software suites.
That being said, as you also said, Google not reauthenticating users attempting to make massive changes on the channel seems like a big mistake on their part.
The fact the Google will allow login from a cookie and then change password + 2FA *without* confirmation from either is downright neglectful.
@Sazey you clearly do NOT understand how logging in from a cookie works. It's not that google "lets" them. It's that you're essentially just copying how they logged in, and it's the same session in essence.
@Pandaptable So confidently incorrect. They could force a reauthentication even with a valid session. Many services do for important changes.
You sound too invested in them personally.
On that list of antivirus programs that showed which ones detected it, I’m glad the one I use recognised it as a virus!
This was a really good one...keep up the great work.
Funny thing is, if their internet speed wasn’t so awesome, they might have spotted how large the file actually was.
True that at 10 Gb/sec you won't even notice. 😂😂😂
All those zeros will compress to nothing in the zip.
This is why you keep the filename extensions on and scan every single file that you download.
If it's a scr file, then it would mean this attack would not work on a PC that is not a Windows one, correct? So, yet another security measure could be just using a different OS to do that type of work on, like one of the UNIX based ones.
I'm going to be honest, if a channel is advising you to "just use virustotal instead of an antivirus" I'd immediately look for their history as a cyber criminal lmao
Yes, It may help criminals more than users..
never use antivirus, just move linux, lol
@AOE gaming AEGIS (will only be effective until linux marketshare increases to the point it'll be worth making linux malware, even then i'd still be careful with downloaded files on linux, by lowering your guard you increase your risk of getting hacked by a lot which is why i still triple check downloaded files as a linux user myself)
Totally DO use an antivirus if you want to throw 95% of your machine's performance away 100% of the time vs. that one time when you should have had the common sense to realize whatever you just downloaded should at least be checked by virustotal.
I don’t understand why it hasn’t become standard practice to just block zip files at an organization level? We did this over five years ago and the amount of attempted malware has dropped significantly.😊
I'm surprised LTT didn't have a system like Zscaler to block file extension that should never be downloaded from the internet
yeah as a security guy, this is hilarious to me lmao
@Private Joker what do you mean by security guy
@Thawne I work in IT security
@Private Joker did you go to university
@Thawne yes, i got a degree in computer engineering... many people from USA say getting a degree is not worth it, but its because a degree is too expensive there.. if it's not too expensive in your country, it's worth it
A few comments mention turning on file extensions to avoid this. It won't help.
The extensions will still be hidden if the file name is long enough, only to be revealed when you click on the file. At that point you are probably double-clicking it if you aren't actively searching for malware. It's an easy mistake to make.
And here is my solution: Total Commander. I have 3 ways it could have prevented this attack:
1. Extensions are shown by default without having to click on the thing and they are not hidden by longer file names.
2. The file size is shown by default without having to click on the thing. What the hell is a 700 MB PDF?
3. The file icons are small and you won't look at it and automatically say it's a pdf based on the icon. It makes you consciously look at the extension because you won't know what it is just by looking at it.
Bonus: A download manager such as IDM.
The default setting creates a few folders in your downloads folder, such as documents, programs, videos, etc. If the pdf I downloaded didn't end up in the documents folder, something must be wrong. Perhaps it isn't a document at all...
Total Commander is superior to Windows Explorer in every single way and it makes your everyday life much easier. Might as well choose convenience every day and not fall for an attack once every 5 years. There is no catch.
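The checks that several comments above describe by hand (the MZ signature in a hex editor, the double extension that Explorer hides behind a long name, the reversed-filename trick with special characters, and the 700 MB "PDF" that is mostly padding and compresses to nothing inside the zip) combined into one triage script. This is an added example, not code from the video or from any commenter; the extension lists, thresholds, member names and sample bytes are assumptions constructed for the demonstration.

```python
import io
import struct
import zipfile

# Extensions Windows runs on double-click (assumed list, not exhaustive).
EXEC_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
             "wsf", "hta", "msi", "lnk", "ps1"}
# Extensions used to make a name look harmless in front of the real one.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg",
            "png", "mp4", "zip"}
# Unicode bidi controls that visually reorder a name (RLO U+202E is the classic).
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
PAD_MIN_SIZE = 1 << 20   # assumed: only judge padding on files of 1 MiB or more
PAD_RATIO = 0.5          # assumed: flag when over half the file is trailing zeros
READ_CAP = 64 << 20      # assumed: do not inflate zip members larger than this

def check_name(name):
    """Findings from the file name alone: bidi tricks and hidden double extensions."""
    findings = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if any(ch in BIDI_CONTROLS for ch in base):
        findings.append("bidi override character in name (displayed name is reordered)")
    exts = base.lower().split(".")[1:]
    if exts and exts[-1] in EXEC_EXTS:
        if len(exts) >= 2 and exts[-2] in DOC_EXTS:
            findings.append(f"double extension .{exts[-2]}.{exts[-1]} "
                            f"(shows as .{exts[-2]} with extensions hidden)")
        else:
            findings.append(f"executable extension .{exts[-1]}")
    return findings

def is_pe(data):
    """True if data has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def trailing_zero_ratio(data):
    """Fraction of the file that is trailing zero bytes (the padding used to inflate size)."""
    if not data:
        return 0.0
    return 1.0 - len(data.rstrip(b"\0")) / len(data)

def check_content(name, data):
    """Findings from the bytes: magic bytes versus claimed type, and size inflation."""
    findings = []
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if is_pe(data):
        if ext in DOC_EXTS:
            findings.append(f"MZ/PE executable disguised as .{ext}")
        elif ext not in EXEC_EXTS:
            findings.append("MZ/PE executable with a non-executable extension")
    elif ext == "pdf" and not data.startswith(b"%PDF"):
        findings.append("claims .pdf but lacks a %PDF header")
    if len(data) >= PAD_MIN_SIZE:
        ratio = trailing_zero_ratio(data)
        if ratio > PAD_RATIO:
            findings.append(f"{len(data)} bytes, {ratio:.0%} trailing zero padding")
    return findings

def triage_zip(zip_bytes):
    """Run both checks on every member of an in-memory zip; returns {member: [findings]}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = check_name(info.filename)
            # Zero padding compresses to almost nothing: a tiny archive holding a huge member is a tell.
            if info.file_size >= PAD_MIN_SIZE and info.compress_size * 50 < info.file_size:
                findings.append(f"compression ratio {info.file_size // max(info.compress_size, 1)}:1")
            if info.file_size <= READ_CAP:
                findings += check_content(info.filename, zf.read(info))
            else:
                findings.append("member too large to inspect in memory")
            results[info.filename] = findings
    return results

def fake_padded_pe(total_size):
    """Constructed sample: a bare MZ/PE header followed by zero padding (not a runnable program)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    return bytes(header) + b"PE\0\0" + b"\0" * (total_size - 0x44)

def build_sample_zip():
    """Constructed archive mimicking a fake sponsorship offer (names and contents are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Sponsorship Offer.pdf.scr", fake_padded_pe(2 << 20))
        zf.writestr("Invoice\u202efdp.scr", fake_padded_pe(8192))  # renders as Invoicercs.pdf
        zf.writestr("Terms.pdf", b"%PDF-1.4\n% constructed minimal sample\n%%EOF\n")
    return buf.getvalue()

if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_zip()).items():
        print(repr(member), "->", findings or "no findings")
```

Run it as-is to see the constructed archive flagged; for a real download, pass the zip's bytes to triage_zip, or a single file's name and bytes to check_name and check_content. The MZ check only identifies Windows executables: a malicious PDF that really does start with %PDF, the case raised in another comment, passes these checks and needs a PDF-aware tool or a sandbox.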
This reminds me of the time when my friend found an exploit in everyone's favourite media player, VLC, and added code to the end that, when played in VLC, broke things because the tool executed scripts within the video (he could have done anything, including modify the registry to never pass login, but it merely scrambled the subtitles). Video played fine in MPC and other players. The only reason he did it is because his messages to VLC devs went unanswered.
The same, I suspect, would basically happen here (getting MS to enable file extensions by default or YT having more security). Sometimes these big companies think they have all the answers and do not pay attention to outside reports. Despite all the smaller channels Linus mentioned as having similarly been hit, and YT having yet to do anything there, are they going to pay attention now and fix things? I would not hold my breath. :(
That's why you always look at files in the explorer in the "details" view setting and make sure extensions are on.
In the WAN show, Luke said their anti-malware solution did catch the file. But it was only a notification, and the malware was still run before it could be stopped (e.g. it was not quarantined in time).
Should've immediately logged out
Let's not blame Windows in the most gratuitous way; if it detects malware the OS starts to scream and puts the harmful file in quarantine mode. In order to make it work you have to go into the security panel and give it the proper rights, which the employer probably did.
How can a malware detection not lock the file? I have Windows scanning my darn games every single day making me wait for it and yet an actual virus gets to run freely?
@flameshana9 I suspect in this case it was identified as suspicious and generated a message but didn't have enough confidence that it was malware to lock it down.
You can decide what actions an AV takes on a file given the risk level determined. And they basically said that the number of false positives they would get at the level of security which would have locked down this file would be too large to manage without seriously harming their business (probably far more than the hijacking and one day of outage did).
And, yes, every single business (and person) makes the decision to accept some degree of risk in various formats to facilitate operational efficiency. The question is how you balance the two.
Blame email apps. They should block certain file types such as .SCR unless you have admin privileges and explicitly allow the download.
Wow. I learned a shit ton just from this one video. Thanks. ❤
This kind of thing must explain a number of obviously hacked YouTube channels I've come across
At first I've thought that those channels sold their souls to devils for quite a lot of grands but then I realized that most of them might have been hacked like Linus.