The Malware that hacked Linus Tech Tips

I've always thought it was a terrible idea for Microsoft to hide file extensions by default. Just asking for trouble.

The first red flag to me about that so-called PDF is that the extension is visible while the extension for the video file is not. A helpful tip is to configure File Explorer to always show file extensions.

A 770Mb PDF file would be a major red flag. I think the largest genuine PDF file I've ever seen was less than a hundred megabytes and that contained full color images.

LTT does use permissions but they have a lot of users with a variety of permissions. One of the first things Linus did was change 2FA and passwords for the main accounts and then log out all devices logged in, but logging out the attackers didn’t log them out. Then he hopped onto the content manager to start revoking rights, but he didn’t set it up and didn’t want to wake up the one that did so had to learn as he went. But Clip-Share’s content manager started throwing errors and timing out trying to revoke rights for some reasons. So he tried logging into some of the users but do to a recent password mitigation, he didn’t have access to some of them yet. Later they found out Google knew which account was compromised but didn’t immediately tell them.
Got this from the video they made the days of the attack. They sounded good considering they hadn’t slept in 24 to 48 hours at that point,

A better solution might be a warning when attempting to open a file with multiple extensions, rather than just disabling "hide extensions for known file types" in Explorer. This may work for an experienced user who knows what different file extensions are, but for a novice who doesn't know the difference, they're probably going to just ignore the extension anyways. This could be annoying for power users though.

Im going through my security + training and this was an awesome breakdown of a real world scenario! I am definitely a subscriber now.

File name extensions needs to be enabled BY DEFAULT. Hiding the file extensions might look cleaner, but it heavily increases the chance of getting tricked into running an executable.

Thio Joe has recently done a couple of videos about this and similar attacks.
And for all the people talking about showing file extensions, it turns out there are a few unicode characters that reverse text direction after the character, even the file extension.
That will keep you on your toes. And Thio Joe discussed that too.

I always thought that keeping session cookies in plain text on the storage device was a bad idea. The information should be encrypted by the browser.

I don't know if this is common for malware, but one thing I found interesting was all the date and time codes for the different time markers in the hex editor were impossible dates for computers to exist in like 1601.

I really hope that this is a lesson for all of LTT media to only give very specific people access to the actual channels. These aren't just user accounts This is what their whole business is built off of

Good video with some cool insight. Linus explained that only certain people have access to the channel, and even those people have limited access to certain things. Would be a good wake-up call for new protocols or software to prevent something like this from happening again.

Imagine people who send malicious emails to someone named "The pc security channel"

I dunno why, but I was kinda expecting you to run it so we could see the whole process. For example, when they opened it, what would've happened? (locked their pc, etc or would it have looked like a "real" agreement when opened and more of a stealth approach?) The effort some people go to is insane and I wonder how many people actually fell for the crypto videos/sent crypto.
I think with the rise of AI, this will get harder and harder to notice/detect and some people are already using AI to scam people. I heard about a case where they used AI voice cloning to clone the voice of a person and then called that persons parents pretending to need money for something serious and the parents never for a second thought it was a scam so handed over $5k. I'm not sure if you've looked into AI much, but I think you should definitely take a quick deep dive into it as the stuff is scary now and even if it is "bad", it's the worst it'll ever be and can only get better which is even scarier to thin about.
Also, uploading a crypto video on his YT channel doesn't seem like the smartest move if money was the main goal imo. Wouldn't it have been easier to just use their pc for ransomware or maybe LTT had backups or something. Still, very interesting video.

You mentioned that there should not have been so many people who had access to be able to manage the youtube channel, but another thing to consider is that (at least to me it seems this way) most employees at LMG have administrator Windows/Mac accounts, and this type of malware code would have to run with administrative privileges to capture the session information and upload to the attacker. If Linus made it so that only senior employees (Linus and Luke etc) only had administrator access and everyone else had normal user accounts, then I feel that this attack could have been prevented. Please feel free to call me out if any of the information in my comment is incorrect. I do not want to spread misinformation.

I personally think emails that come from verified marketing should have some form of badge that verifies from the company domain -- similar to an SSL cert / public key verification. else the influencer should just avoid opening attachments entirely.

Most of these attacks have the files in a zipped archive and they are encrypted requiring a password to open (this helps bypass antivirus as well). Anybody who goes through the process of entering the password into a zipped archive should not be allowed anywhere near anything tech related, thats an obvious huge red flag that anybody should be aware of. Its not as simple as "just clicking one file" its a multi step process

what makes it funnier is linus specifically mentioned this type of exploit in a video... and was like "I might have fallen for this one!"

Antivirus software (especially Windows Defender) should automatically flag files named .pdf.src or .pdf.exe (stuff similar), because nobody is going to name their documents that way unless they have malicious intentions.

Great video! It was my first time watching a video from you and as an IT professional transitioning into the cybersecurity field, this was a very informative video!
btw, in the scroll history it says "Crowdsack" instead of "CrowSec". Just wanted to let you know. Again great video!

Great discussion. One big thing that was indirectly touched on here - first thing I do on any new system I install is enable viewing of extensions. This will make it immediately obvious that the file says agreement.pdf.scr. In my opinion, the default behavior that Windows hides extensions making agreement.pdf.scr look like agreement.pdf is just helping the propogation of malware. Every version of Windows seems to make things "easier and easier" by taking away as many details as possible rather than simply educating users on what a file extension is.

I used to be annoyed with myself over the fact that I got hacked but then seeing how many other people have fallen victim to hacking makes me feel better tbh

Problem is, that youtube offers almost no tools to limit privileges for people having access to a channel. Companies are sometimes forced to give main login information to people who will moderate chats, manage video descriptions etc.
Another thing is that malware hijacking session tokens and browser passwords doesn't even need admin privelage so restricting user accounts on PC will not defend aginst it.

It should probably be a standard protocol to educate staff dealing with a lot of external sources about standard internet security. Or pretty much just have an isolated virtual machine with detection and monitoring software that is used only for opening emails the first time just as an extra layer of security. Worst-case is that email gets phished and you can just deactivate it.
It shouldn't take too much to have your security expert teach someone on marketing how to detect when there's atleast an unusual activity by looking at the logs.

Kudos for defending the employee.. People were so quick to call for him to get fired w/o have an iota of an idea of how oblivious most of them would be to a targeted phishing campaign against them, especially at your employment capacity ( ironically, we become less suspicious and more compliant even in security sectors ) vs your personal email. Cheers

very cool malware honestly whoever made it was quite smart to make it a large file i also noticed avg programs don't scan larger files and good execution with the email and pdf.scr
honestly might have even caught me off guard if i had a youtube channel

Would be nice if you could in a sandbox environment test the sample that bypassed their AV according to them the AV gave a notice but somehow it still was able to do the job my guess it has a way to inject a payload even with an AV and see what AV actually work against this.

Browsers definitely need a way to harden their storage mechanisms. They already allow the users to encrypt stored passwords, but they should also allow to encrypt cookies, local storage and other stored data with a master key/password. And surely, only that exact browser with a verified vendor signature should have the OS's permission to work with its files.

Great breakdown of the situation. It blows my mind that things like this still work, but it as we see time and time again it: session stealing is very much still a lethal and viable technique. Nice breakdown and hopefully this is a reminder for the tech-oriented user to pay close attention to what they open... All it takes is letting your guard down for a quick moment to get caught by these things, and it really can happen to anyone, even the security-minded user.

When it comes to emails as a way to sneak malware in your system having good spam filter can help too mostly because emails containing potental malware are automaticaly sent to spam folder and you don't get notified.

the person who's job it is to respond to these could also use a machine that doesnt have channel credentials used specifically for answering sponsorship emails as an additional layer of protection from something like this happening

What would have been (more) interesting to know is what they could have done to stop the attack once they realized what was going on, perhaps nothing to do without the help of google ?

Linus mentioned he DID have youtube channel management parceled out. but the tool he used to do that made it difficult to tell which workstation it came from.

I'm glad you mentioned the fact that the PDF is usually not sent in the initial email, but rather a follow-up email and the fact that many legit companies use third-party PR firms to reach out for sponsorships. After hearing those two facts, it's no wonder someone who works for a big Clip-Share channel would fall for this, especially if they get dozens if not hundreds of legitimate offers every single day with no discernable difference up front. Having a sponsorship manager with complete and total access to the Clip-Share channel was a serious blunder on LMG's behalf though, and the hack would have been mitigated had that not been the case, so I hope they've learned a lesson from that. Imagine being a solo creator dealing with this though. Answering dozens of emails from potential sponsors while also working on your own content. You wouldn't have a buffer from this kind of attack, unlike LMG would.

Linus said their corporate anti-malware program caught it, but it was only a notification. Because no one was constantly monitoring the dashboard, the malware slipped through.

One great protection is enable file extensions - you'll be able to see if it's .exe or not ...

The bit that suprised me was that LTT had a PC with both Clip-Share account access and was used to process incomming offers, I would have thought the two should be kept well apart

Everyone at Linus should have file extensions and hidden files enabled by default for windows explorer

Microsoft need to, as others have said, show file extensions by default however, they also need to block .SCR files by default too as well as Defender being a bit more advanced and able to block and warn about files with double extensions, such as .pdf.exe

I think browsers should encrypt stored data like session tokens, and ask for a decryption password when launched (which would imply never storing decrypted cookies outside of the RAM)

I remember this happening to the Neebs Gaming channel last year. Fortunately they were able to get their channel back and didn't loose any of their videos. Unfortunately this can literally happen to anybody no matter how careful you are.

I have always the "File name extensions" enabled, so I don't need to go into properties to see the hidden extension. But with that said, personally, seeing .scr wouldn't be as alarming as .exe

Thanks once again for the Hex Editor trick! It saved me from having my pc infected by what seemed a setup file for bluestacks.

The size of that "PDF" already threw me for a loop, considering how many files I manage on a daily basis 9 times out 10 I would know if it's sketchy or not then again i can understand that some people arent always focused when reading emails, hell i ignore half of mine.

Linus should have made sure all computers were set to show extention and they should run every file from a 3rd party, regardless of size, through a competent antivirus. This is really not that difficult to do. Antivirus scans take seconds with an ssd. This is basic security for most.

What if youtubers like Linus can implement a strict protocol that they open sponsorship mails only on a VM? Would that be a solution for this?

I remember Nero Cinema was talking about how dumb a Activision employee was for getting hacked by checking a email and a couple of hours later he gets hacked by the same method.

An encrypted zip file is a huge red flag alone. Normal zips are okay as most antispam services can check, usually up to a depth of like 128 folders deep.

You mentioned that only one person should have access to upload videos etc, but I think large youtube channels should go one step further. The access should probably not be associated with a regular account that people use as their "daily work driver". There should be a separate account that they need to log into and log out off after they are done managing the account. If you want to go wild, maybe even from a separate machine. Not being premanently logged in on the account that can change things would make this kind of attack more or less impossible.

You would think by now that AV scanners can be smart enough to see a big file, scan up to a certain point (or maybe just look at the end of the file), and when it catches all that padding to throw a red flag. If it gets to a reasonable point in the file and doesn't see anything suspicious, it can just stop scanning to save resources.

This vid confirms I'm doing great. On top of the regular AV I always paste suspicious files into virustotal too but I didn't know if it was worth anything. Seeing a tech Clip-Sharer use it validates my behavior yay

One good thing to do is set up different departments that don't has direct data connection to each other. For example, marketing department don't have access to finance department computers and archives and in Linus case, production or publishing department would be the only one with youtube channel access. All other departments can just have their own channel with no videos or information on them, only for viewing and some communications.

You know..i'm gonna subscribe to this channel because i know what happened to LTT and because the channel is very useful these days in a digital hackable world...Thank you for sharing.

I think the „show file extentions“ option should be enabled by default in windows explorer because otherwise if you don‘t look at the properties of the file you would not even notice if a file had a different file extention to what you would expect. Many people have this option disabled because they just never changed it so they could easily fall for such a trap if they don‘t know that much about computers.

Could an antivirus counter the virus after he clicked on the pdf file? Or is suspicion and common sense still the best protection?

I actually didn't know you can manipulate the letters in the end of files. Hmmm something new to learn today! Thank you!

That's what I was wondering about if the PDF file LTT received is really a PDF file ending with a .PDF extension or not. 'Coz I've read even legit PDF files from a hacker can compromise your system depending on what PDF reader software you used to open it. 🤔

I keep forgetting that the majority of users have the file name extensions hidden.
Thank you for the well explained video, it's great for sharing!

My biggest surprise here is that anyone involved with a tech channel would have "Show/Filename Extensions" set to the default. It's one of the first things I change.

Microsoft should really stop this "Hide extension for known file types" thing. That Windows feature is the main attack vector, because it make an executable look like an innocent file.

I wasn't familiar with your channel. Good thing it was on my Clip-Share recommendations, your content looks amazing. Keep it up!

Thank you for teaching us this things.

So 2 things that kinda surprised me about this video: a) file extensions are not shown by default. That's turned on on my computer and not only does that help with identifying such files but also it can help in day-to-day-business as well, being able to see if a picture is PNG or JPEG or whatever else at a glance.
b) not using at least the windows antivirus security thingy. I do a windows defender scan on every single file i download from the net, just because it's a habit of mine and usually takes less than 10 sec to do so (and i don't download quite as many files as the employee might). Not sure if windows defender would've found that trojan because i guess that's the AV they're gonna try to fool most, but as soon as one right-clicks the file for the context menu (for scanning) one has the chance to see 770 MB file size on the bottom; one should get suspicious at that point. I know very few PDFs that are that large and they're thousands of pages or tons of pictures, so there's really no need for an offer to be that large.
I feel like all the warning signs are there for this case if you use proper precautions...

The worst part about not checking those big files is. I actually wouldn't mind if it did that, the thing that slows down my workflow (as a developer) is my AV getting in the way of compilation. Checking thousands of tiny little files. Please check EVERYTHING I download, and honestly don't check anything else thank you.

Wow, I haven't seen screen savers in forever! I forgot about those things. That's pretty sneaky. 🙁

I feel like at this point, proper security protocols would be to have a separate machine that exists exclusively to open emails and doesn't have access to anything except the email account.

I don't really get, why browsers don't change these security vulnerabilities by creating a sandbox where cookies are stored in. This way all user data for a specific page can only be accessed by that specific page and no other application. This could even further be improved if the device you are browsing from has a secure chip installed like most Macs do

Had quite a few mails claiming to be from MSI and asking for sponsorships, coming are from the same Mail provider as the ones you're showing in the beginning. Huge red flag, as well as the statement, that the "catalogue" I was supposed to check for products, would only work on windows machines. Stay safe everyone. If a deal sounds too good to be true, it probably is.

It seems like it would be so trivial for chrome/edge/firefox to encrypt any session tokens and cookies on disk, and obfuscate the ones in memory a little.

its always better to have a laptop or pc fully offline to open such things to stay safe :)

Only using VirusTotal instead of using an AV program is like running a background check on someone who's entering your house but actually not locking any doors or having any kind of alarm

I understand the dangers true scr files also start up just like exe files.
But the fact that Clip-Share doesn't have the security in place when they don't ask you to log in again when you change the password or the channel name is baffling to me.
Or delete lot off files... crazy

Actually, I'd clarify that. It's not just like an EXE, an SCR file is a full-fledged EXE by a different extension just to make it obvious that it's intended to be a screensaver and not just any old program, but it is built just like any other EXE and then renamed to SCR as the last step.

I agree that limiting admin access will help prevent a takeover like this, however, I also agree with Linus that Clip-Share could do more. One thing that I predict will be a must for any platform, especially business platforms, will be Zero Trust tools and features. Had Clip-Share and LTT implemented Zero Trust into their environment, this sort of attack would be near impossible without physical access to their network and their devices. But from what I can tell, Clip-Share doesn't have any method for account owners to implement or integrate with a ZTN solution or even limit what IP addresses can perform administrator functions in content creators account.

wow.... this is one of the reasons i have my file extensions showing. also, if i suspect its suspicious, i will open in a hex editor or a plain text viewer. usually the first few characters are a dead give away.

It’s wild how stuff like this never gets attention until it affects a channel of 10mil+

I wrote a little CMD / BAT SCript for Windows that blocks the execution of potentially harmful SCR files, while allowing built-in screensavers to run, and applies a warning icon. Also you can unblock SCR files and restore the default icon. It does this by modifying Windows registry values. Keep your system safe from malicious SCR files!
Keep in mind that while this script is a helpful addition to your security measures, it may not provide 100% protection against all types of threats. However, it can certainly be a useful tool to help safeguard your Windows system.
@echo off
setlocal
:menu
cls
echo SCR Files Security Tool
echo 1. Block SCR files and apply warning icon
echo 2. Unblock SCR files and restore default icon
echo 3. Exit
echo.
set /p choice="Choose an option (1, 2 or 3): "
if "%choice%"=="1" goto :block
if "%choice%"=="2" goto :unblock
if "%choice%"=="3" goto :end
:block
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v "PolicyScope" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v "TransparentEnabled" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths" /v "BlockSCR" /t REG_SZ /d "*.scr" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths" /v "AllowSystem32SCR" /t REG_SZ /d "%SystemRoot%\System32*.scr" /f
reg add "HKCR\SystemFileAssociations.scr\DefaultIcon" /ve /t REG_SZ /d "%SystemRoot%\System32\shell32.dll,-154" /f
echo Execution of SCR files has been blocked except for built-in Windows screensavers. Warning icon has been applied.
goto :pause
:unblock
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths" /v "BlockSCR" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths" /v "AllowSystem32SCR" /f
reg add "HKCR\SystemFileAssociations.scr\DefaultIcon" /ve /t REG_SZ /d "%SystemRoot%\System32\shell32.dll,-210" /f
echo Execution of SCR files has been unblocked. Default icon has been restored.
goto :pause
:pause
echo.
pause
goto :menu
:end
endlocal

Excellent analysis. It just goes to show if you allow even a small amount of complacency, you will get hurt...

100% this all ramps down to the fact that even if you're a manager on the channel you can't create community posts. You can upload videos, delete videos, whatever you want. You can't make community posts. You have to be logged in from the "main" account. It's the worst.

Little tip, use the "details" view of the files, it tells you more information about the files that live in your downloads folder. Like the size precisely.

When you brought the file in your hex editor, I knew immediately the file was an executable due to the Mz signature in the header.

This is one of those things where if you have a non-tech user than you should absolutely have training and AVs setup. For us that work with tech it's really nonsense to say this could happen to you. No-one in their right mind that has any bit of IT experience is extracting a zip file from a random email or even a semi-notable email source. Attachments of any kind in an email is a red flag, even if it's from a trusted source. In todays world you should just block zip files all together for a business in the spam filter.

@The PC Security Channel can you do a video on this specific malware being tested against the current top AV ? Whether they detect it or not :)

Good video. I think it would've been neat if you added a section to these types of videos where you do some sort of sandboxing of the file, to show what it's actually doing. I'm sure you've heard of it, but Any Run is an example of an interactive open sandbox solution to do this in, another is Hybrid Analysis though it doesn't provide interactivity it still shows screenshots and breaks down the activities it performs. It would be neat to get an idea of the scheduled task creations, additional sub process executions, network traffic to threat actor domains and IPs, etc.

Good thing for them they got it resolved quickly and got support trough their other business ventures to alleviate the lack of adsense when the channel was down. But they definitely have been a bit too lax on their security. Apparently their security software solution was set to a less secure settings due to too many false positives. They really did get to feel how having their policies leaning more towards convenience is a bad idea.
That being said, how youtube does not require 2FA for sweeping changes to a channel is down right mind boggling. If you change the channel name and change the status of the majority of your video catalogue there should be some alarm bells ringing no?

On that list of antivirus programs that showed which ones detected it, I’m glad the one I use recognised it as a virus!

This was a really good one...keep up the great work.

Funny thing is, if their internet speed wasn’t so awesome, they might have spotted how large the file actually was.

This is why you keep the filename extensions on and scan every single file that you download.

If it's a scr file, then it would mean this attack would not work on a PC that is not a Windows one, correct? So, yet another security measure could be just using a different OS to do that type of work on, like one of the UNIX based ones.

I'm going to be honest, if a channel is advising you to "just use virustotal instead of an antivirus" I'd immediately look for their history as a cyber criminal lmao

I don’t understand why it hasn’t become standard practice to just block zip files at an organization level? We did this over five years ago and the amount of attempted malware has dropped significantly.😊

I'm surprised LTT didn't have a system like Zscaler to block file extension that should never be downloaded from the internet

A few comments mention turning on file extensions to avoid this. It won't help.
The extensions will still be hidden in the file name is long enough, only to be revealed when you click on the file. At that point you are probably double clicking it if you aren't actively searching for malware. It's an easy mistake to make.
And here is my solution: Total Commander. I have 3 ways it could have prevented this attack:
1. Extensions are shown by default without having to click on the thing and they are not hidden by longer file names.
2. The file size is shown by default without having to click on the thing. What the hell is a 700 Mb PDF?
3. The file icons are small and you won't look at it and automatically say it's a pdf based on the icon. It makes you consciously look at the extension because you won't know what it is just by looking at it.
Bonus: A download manager such as IDM.
The default setting creates a few folders in your downloads folder, such as documents, programs, videos, etc. If the pdf I downloaded didn't end up in the documents folder, something must be wrong. Perhaps it isn't a document at all...
Total Commander is superior to Windows Explorer in every single way and it makes your everyday life much easier. Might as well choose convenience every day and not fall for an attack once every 5 years. There is no catch.

This reminds me of the time when my friend found an exploit in everyone's favourite media player, VLC, and added code to the end that, when played in VLC, broke things because the tool executed scripts within the video (he could have done anything, including modify the registry to never pass login, but it merely scrambled the subtitles). Video played fine in MPC and other players. The only reason he did it is because his messages to VLC devs went unanswered.
The same, I suspect, basically would happen here (getting MS to enable file extensions by default or YT having more security). Sometimes, these big companies think they have all the answers and do not pay attention to outside reports. Despite all the smaller channels Linus mentioned as having been similarly been hit and YT had yet to do anything there, are they going to pay attention now and fix things? I would not hold my breath. :(

That's why you always look at files in the explorer in the "details" view setting and make sure extensions are on.

In the WAN show, Luke said their anti-malware solution did caught the file. But it was only a notification, and the malware was still ran before it can be stopped. (e.g. it was not quarantined in time)

Blame email apps. They should block certain file types such as .SCR unless you have admin privileges and explicitly allow the download.

Wow. I learned a shit ton just from this one video. Thanks. ❤

this kind of thing must explain a number of obviously hacked youtube channels i've come across