The Malware that hacked Linus Tech Tips
Vložit
- čas přidán 22. 05. 2024
- Linus Tech Tips recently was hacked by a redline infostealer pdf/scr file in a malicious sponsor email. I myself have been receiving a ton of such fake sponsor emails and in this video we look at the attack process. Get Crowdsec for free: www.crowdsec.net/?mtm_campaig... (sponsor)
Buy the best antivirus: thepcsecuritychannel.com/best...
Join the discussion on Discord: discord.tpsc.tech/
Get your business endpoints tested by us: tpsc.tech/
Contact us for business: thepcsecuritychannel.com/contact - Věda a technologie
Imagine people who send malicious emails to someone named "The pc security channel"
this is more like a declaration of war
they're getting cocky :D
Automated
I mean they did it to a channel called "Linus *Tech Tips* " and it clearly worked so why not!
roll of the dice except its 100 sided
File name extensions needs to be enabled BY DEFAULT. Hiding the file extensions might look cleaner, but it heavily increases the chance of getting tricked into running an executable.
Yeah, it’s strange Windows hides them by default. Makes no sense.
The problem is that tech iliterate people rename a file and then accidentally remove the extension. It doesn't highlight the extension by default, but I've seen it happening a couple of times with other ppl.
@@fusseldieb Windows will warn you though if you try to do this.
It's times like this you really appreciate the execute permission bit on Linux.
There is a solution even for that, the right-to-left writing system. A file named for instance filename.exe.pdf can be actually a .exe if the character announcing the r-to-l is before "exe". I'll try finding the clip with this. I daily drive linux and don't care a lot about these; but on Windows I could have seen myself being fooled by this (not the .scr, as I made a few programs and even screesavers when I was in highschool, many years ago).
LE: found it on ThioJoe's channel - czcams.com/video/nIcRK4V_Zvc/video.html
The first red flag to me about that so-called PDF is that the extension is visible while the extension for the video file is not. A helpful tip is to configure File Explorer to always show file extensions.
That and the fact that the domain was Eastern European. The author of this video wants to act like that's totally common and no big deal but it's not. If g fuel is reaching out to you from the Czech Republic you should damn well know better.
Or maybe dont use File Explorer in the First place... Use smth that is more intelligently designed like total Commander
@@khoroshoorange Whatever floats your boat.
That's the case in this example, if the PDF was 'alone' in a folder you wouldn't look twice at a .pdf
The first red flag to me about that so-called PDF is that the extension is visible while the extension for the video file is not. A helpful tip is to configure File Explorer to always show file extensions.
Im going through my security + training and this was an awesome breakdown of a real world scenario! I am definitely a subscriber now.
Same here, you should check out Professor Messer if you havent already, hes got a free video series on how to pass 💜
I've always thought it was a terrible idea for Microsoft to hide file extensions by default. Just asking for trouble.
Facts, that is why I always activate the config to enable that
It's a pain to keep having to turn it on on every single machine I use that is new. I meaninly use it quickly be able to make back up of files so I can just aad .bak to the name or .orig. this onely works if File extension names are enabled.
That's not even the bad part of all this. MS is now active in keeping you out of some sections of the OS. You don't even know if MS is collecting these tokens or not or for what reason either. I assure you... they can and do if the right people in authority request it. Nothing on a machine is secure.
That's how you can spot computer literacy at a glance.
A file name is just what it is. It doesn't tell anything about its content, just as your name doesn't say anything about your personality. Changing a .xls to .jpg doesn't make it an image, just as changing my name to yours doesn't change my personality to become yours.
Antivirus software (especially Windows Defender) should automatically flag files named .pdf.src or .pdf.exe (stuff similar), because nobody is going to name their documents that way unless they have malicious intentions.
It's baffling to me that AVs don't automatically flag these files or warn the user when the scams have been happening since august last year at least
EDR solutions like Crowdstrike DO this. This is a matter of the Linus team cheaping out on InfoSec tools.
@@kaineuler EDR like CS, CB, or S1 do not care about file size. They monitor every single process/thread/command/execution that's running in realtime, so if it catches something it finds sus (which this absolutely would,) it will catch it, regardless of file size.
@@robertgarrison1738 I'm talking about windows defender or other basic antivirus.
@@kaineuler Ah, yeah no, those can't be trusted in 2023 when it comes to proactive monitoring. Those AV's are solely reactive, and by then the damage has already been done. I see this daily at this point in my line of work.
LTT does use permissions but they have a lot of users with a variety of permissions. One of the first things Linus did was change 2FA and passwords for the main accounts and then log out all devices logged in, but logging out the attackers didn’t log them out. Then he hopped onto the content manager to start revoking rights, but he didn’t set it up and didn’t want to wake up the one that did so had to learn as he went. But CZcams’s content manager started throwing errors and timing out trying to revoke rights for some reasons. So he tried logging into some of the users but do to a recent password mitigation, he didn’t have access to some of them yet. Later they found out Google knew which account was compromised but didn’t immediately tell them.
Got this from the video they made the days of the attack. They sounded good considering they hadn’t slept in 24 to 48 hours at that point,
Great video! It was my first time watching a video from you and as an IT professional transitioning into the cybersecurity field, this was a very informative video!
btw, in the scroll history it says "Crowdsack" instead of "CrowSec". Just wanted to let you know. Again great video!
Kudos for defending the employee.. People were so quick to call for him to get fired w/o have an iota of an idea of how oblivious most of them would be to a targeted phishing campaign against them, especially at your employment capacity ( ironically, we become less suspicious and more compliant even in security sectors ) vs your personal email. Cheers
If you're talking about the fire Colton thing, it's an ancient channel meme, Colton has been "fired" hundreds of times. Colton gets blamed for everything and this time it might actually have been him so the meme came back hard. He won't go anywhere though, dudes been there since day 2.
I agree, it’s Linus’ fault here for making his employees use Windows
A company I worked for was hacked due to a security flaw that was introduced in a Microsoft Exchange Server update.. when it was brought to light he quickly rolled back but by then it was already too late and got hacked around the time people were looking for chocolate eggs a certain bunny had been littering.
@@SEMIA123 Yeah lol. When I found out, that was my first thought. "Oh well, Colton's getting fired for the 22nd time I guess."
Especially ironic considering the origin of that meme includes iirc him almost getting the channel banned or something and then getting 'fired'.
@@jacquesfaba55 He should probably keep people who have access to anything even remotely import to only those who terminally live inside a computer. Having Windows is not an excuse to fall for a phishing attack. The only excuse is incompetence. Not opening an executable through email is like computer literacy 101.
I have always the "File name extensions" enabled, so I don't need to go into properties to see the hidden extension. But with that said, personally, seeing .scr wouldn't be as alarming as .exe
That's probably why they did it.
You need to watch a ThioJoe video explaining why file name extensions only it's not bullet proof.
To summarize, there is a technique that exploits reverse reading languages to show a different extension at the end.
Windows should stop dumbing some things and file extensions should be showed by default, and must be the last thing on a filename NO MATTER WHAT.
But for now, it's not the case and it's ridiculous.
n00b
@@MANTISxB but the thing is sometime they send video file too... so if you are not carefull seeing the size... you will presume the big file ZIP is came from the vids
Yeah, I hate the fact that showing file name extensions is not the default on Windows. Makes it a lot easier to disguise executables as harmless files.
A better solution might be a warning when attempting to open a file with multiple extensions, rather than just disabling "hide extensions for known file types" in Explorer. This may work for an experienced user who knows what different file extensions are, but for a novice who doesn't know the difference, they're probably going to just ignore the extension anyways. This could be annoying for power users though.
The only extension that matters or is actually an extension, is the last one. I fully agree that better file level security is part of the solution, and that begins with not allowing a file to be named .pdf.scr or .pdf.exe.
Why would anyone who's not a complete noob use Explorer as a file manager at all, let alone with hidden extensions?
"You are attempting to open an application file with the file extension [.ext] in front of it. Are you sure you want to open this application?"
[info of application, name, publisher etc]
Great discussion. One big thing that was indirectly touched on here - first thing I do on any new system I install is enable viewing of extensions. This will make it immediately obvious that the file says agreement.pdf.scr. In my opinion, the default behavior that Windows hides extensions making agreement.pdf.scr look like agreement.pdf is just helping the propogation of malware. Every version of Windows seems to make things "easier and easier" by taking away as many details as possible rather than simply educating users on what a file extension is.
An encrypted zip file is a huge red flag alone. Normal zips are okay as most antispam services can check, usually up to a depth of like 128 folders deep.
I certainly use it to send stuff to myself to bypass such scanners. But that is from me to me, so I know what is going on... but it is a fairly obvious bypass all around because no AV tool out there can decrypt it (yet) to scan.
Thats probably the biggest thing here and 99% of tech channels ignore it, im not sure they even know why scammers use the pw/encryption function in the first place.. Theres no need to ever require this unless you encounter it the way I do. From piracy and trying to download unsigned cracks etc. But scammers also use them when a game first comes out to try and trick the normies, but those are the types that dont want yu to have a pw because theres nothing in it, they want you to do surverys for a non existing password.
I agree this is also a giveaway. Any normal company doesn't zip a pdf file so there should be no need to extract it. And even so, a huge zip file to only hold a single pdf file is suspicious. On top of that, even when file extensions are hidden (as the other files didn't show any extension) and this one did show the .pdf extension, you should be aware this won't be the true extension otherwise it was hidden as well so you can be sure there is another extension behind it making the .pdf visible.
Also, in an email, look for obvious spelling errors like the first one that was shown: "We are sells energy drinks", this is a dead giveaway this was translated instead of typed and should be treated as suspicious.
So Linus (or his staff) made 4 mistakes that led to this tragedy:
1. Ignoring obvious spelling mistakes (if he received such a misspelled email)
2. extracting a huge zip file to get a simple pdf to state an agreement
3. ignoring the huge filesize for a simple pdf
4. running it with a visible file extension when extensions are hidden
@@powerpc6037 That the extension is shown despite extensions being hidden was confusing to me as well. Although, if you spend about 30 sec on this file, you might easily miss that.
Absolutely, a red flag with a fog horn.
the person who's job it is to respond to these could also use a machine that doesnt have channel credentials used specifically for answering sponsorship emails as an additional layer of protection from something like this happening
exactly. i dont dont do anything like working with sponsors or anything, but last year in the university we had a homework in java programming (basically a game) and our teachers being lazy, we had to grade each others code (everyone gets 5 random people's code). and i specifically set up a vm in case anyone would put malware into it (you would think "oh, they are not stupid to put malware in it, just think about the backlash" but no. seeing how many programming students fall for free dc nitro scams, i will not take a risk)
Maybe that person manage youtube videos, thumbnails, tags, descriptions, tags etc. multiple videos at ones. That kinda apps are most needed.
If it was just about editing videos, then they would have done it on an offline machine.
Maybe it was Linus himself.
@@Preetzole A Remote Desktop for YT account actions.
@@kkgt6591 I don't think Linus do those kind of things, I think he is only directing, managing now and prolly he employs PR, marketing, social scientist something, which prolly knows better what works.
Good video. I think it would've been neat if you added a section to these types of videos where you do some sort of sandboxing of the file, to show what it's actually doing. I'm sure you've heard of it, but Any Run is an example of an interactive open sandbox solution to do this in, another is Hybrid Analysis though it doesn't provide interactivity it still shows screenshots and breaks down the activities it performs. It would be neat to get an idea of the scheduled task creations, additional sub process executions, network traffic to threat actor domains and IPs, etc.
I don't know if this is common for malware, but one thing I found interesting was all the date and time codes for the different time markers in the hex editor were impossible dates for computers to exist in like 1601.
1601 is the first year of the Gregorian calendar cycle that was active when Windows was designed
Completely reasonable interpretation, but those aren't the dates of the data, but rather the actual data being interpreted as dates. So because most or all of the data aren't dates, they naturally appear as nonsense when interpreted as such.
Microsoft should really stop this "Hide extension for known file types" thing. That Windows feature is the main attack vector, because it make an executable look like an innocent file.
maybe the reason microsoft create that fituer because for people like us, who know the meaning of extension the hide thing is useless, but for people who doesnt know, mostly they will rename their file wrong (like delete the extension)
but i agree with you, they need to update the system
like,..they can just show the extension but not editable when rename the file
Agreed
It's optional, you can turn it off, and it's there because that's how Apple does it. Maybe Microsoft should prohibit changing a file extension by renaming the file, and only allow it in the Properties dialogue. And also, Windows should prevent multiple file extensions when any but the last is an executable file type. So something like ".pdf.old" is permitted, but ".pdf.exe" is prohibited.
@@richarda3659 Of course you can turn it off, but it's on for 99.999% of Windows users. It's the default setting from hell. And no, Mac doesn't do this. Mac has 4-character file types and creator that can't be downloaded from the internet. The risk doesn't exist in the same way on Mac. And Mac notarizes executables. Not even a comparison.
@@richarda3659Well Apple isnt exactly a role model in anything anymore
I think the „show file extentions“ option should be enabled by default in windows explorer because otherwise if you don‘t look at the properties of the file you would not even notice if a file had a different file extention to what you would expect. Many people have this option disabled because they just never changed it so they could easily fall for such a trap if they don‘t know that much about computers.
I don't know how people function with file extensions off. Sure, there's no guarantee that the contents of the file match the extension, but it seems to be at least an indication of what windows will attempt to do with the file if you open it.
Nowdays hackers use special characters to reverse filename to make it look like a legit file even with „show file extentions“ on
Even if file extensions are disabled, you should be able to see there is something wrong. All other files don't have the extension visible and this one did show the .pdf extension, so there should be another extension behind it, making the .pdf visible.
anyone doesn't look at the details of the file before clicking nowadays, I guess? I have all my download as in detail view showing off the file type. I've been freaking using this account as old as youtube and i'd never been hacked.
@@greatveemon2 since 2006?
This video is so fantastic, I gasped a few times when you showed the properties and HEX... Good job!
Subbed for the quality of this video and the info in it.
The bit that suprised me was that LTT had a PC with both CZcams account access and was used to process incomming offers, I would have thought the two should be kept well apart
Yea running vmware workstation and opening suspicious emails on a vm can go a long way to protecting your PC, definitely a hassle to maintain though.
They said that sponsored videos are uploaded by the marketing department, so that would be why
Linus is barely even at the warehouse unless he has to be in the video.
@tegneren but still that doesn't mean that one system should be used to process both stuff. LTT is a large organization and they can afford to have an isolated system to process outside information, before it enters the main server. Anyways they learned it the hardway!
This guy (LTT)is an Amateur and Arrogant Rich Boy...nothing than a Microsoft Employee that did a anti-linux rally and then his Secure Windows was Bombed till the ground....
A 770Mb PDF file would be a major red flag. I think the largest genuine PDF file I've ever seen was less than a hundred megabytes and that contained full color images.
No i have seen 400mb pdfs. You obviously a noob.
The problem with a very fast internet connection is the employee probably didn't get a look how big the file and just automatically check the content after it's done downloading
@@HexRox The file is full of 0s, the zip archive would be actually quite small.
Even that is small, I would say. I made the yearbook for my class, and that is around 200MB. So I would be careful with blanket statements like that.
@@dismiggo A yearbook is different than an agreement form..
I watched a few other videos on this topic but idk why your explanation just sticks better in my brain lol
Thank you for letting me know about the screen saver file extension and how they can run as an application. I didn't know that.
I understand the dangers true scr files also start up just like exe files.
But the fact that CZcams doesn't have the security in place when they don't ask you to log in again when you change the password or the channel name is baffling to me.
Or delete lot off files... crazy
I would assume they could tie the session token to the current IP address, and if the session token is suddenly used by a different IP they cancel all sessions and request signing in again.
@@alouiciouswrex7141That IP check would frequently get overboard when home ISPs and online proxies frequently change peoples public IPs. Same thing happens when facebook sends out an alert after every log in with an updated browser.
@@alouiciouswrex7141 That would not work with smartphones that go in and out of Wifi range, and use mobilenet when there is no WiFi. The best you could do is time and location. That's why banks invalidate sessions (log you out) after 5-10 minutes of inactivity. Most websites log you out on a device after a week or so. But youtube/google never does it, since if you are not logged in it's harder to mine your data.
The worst part is that (when done right) stealing the environment essentially makes this indistinguishable from the original browser, making it a "trusted device".
@@EvanOfTheDarkness Fair point, I hadn't considered mobile devices
@@EvanOfTheDarkness or mac adres for mobiel devices
In the WAN show, Luke said their anti-malware solution did caught the file. But it was only a notification, and the malware was still ran before it can be stopped. (e.g. it was not quarantined in time)
Should've immediately logged out
let's don't blame windows in the most gratuitous way, if feels a malware the OS starts to scream and puts the harmful file in carantine mode, in order to make it work you have to get in security panel and to give the proper rights - which probably the employer did
How can a malware detection not lock the file? I have Windows scanning my darn games every single day making me wait for it and yet an actual virus gets to run freely?
How can a malware detection not lock the file? I have Windows scanning my darn games every single day making me wait for it and yet an actual virus gets to run freely?
@@flameshana9 I suspect in this case it was identified as suspicious and generated a message but didn't have enough confidence that it was malware to lock it down.
You can decide what actions an AV takes on a file given the risk level determined. And they basically said that the number of false positives they would get at the level of security which would have locked down this file would be too large to manage without seriously harming their business (probably far more than the hijacking and one day of outage did).
And, yes, every single business (and person) makes the decision to accept some degree of risk in various formats to facilitate operational efficiency. The question is how you balance the two.
best video in this regard- can you make a video about these session tokens?
Great coverage,thanks for sharing,you explain it very well and this is what people need
Thio Joe has recently done a couple of videos about this and similar attacks.
And for all the people talking about showing file extensions, it turns out there are a few unicode characters that reverse text direction after the character, even the file extension.
That will keep you on your toes. And Thio Joe discussed that too.
yes, i saw that video 😁
Yes, there's some kind of hack involving right-to-left languages.
Interesting. It's U+202E
Pretty sure .scr is one of those superhidden extensions, like .lnk and such. In this case, they didn't need to use that special command.
I was patiently waiting for your take on what happened, well delivered!
I'm glad you mentioned the fact that the PDF is usually not sent in the initial email, but rather a follow-up email and the fact that many legit companies use third-party PR firms to reach out for sponsorships. After hearing those two facts, it's no wonder someone who works for a big CZcams channel would fall for this, especially if they get dozens if not hundreds of legitimate offers every single day with no discernable difference up front. Having a sponsorship manager with complete and total access to the CZcams channel was a serious blunder on LMG's behalf though, and the hack would have been mitigated had that not been the case, so I hope they've learned a lesson from that. Imagine being a solo creator dealing with this though. Answering dozens of emails from potential sponsors while also working on your own content. You wouldn't have a buffer from this kind of attack, unlike LMG would.
step 1: explore & gain trust
Channel notification on now , i want to be updated with all these stuffs :D
Good thing for them they got it resolved quickly and got support trough their other business ventures to alleviate the lack of adsense when the channel was down. But they definitely have been a bit too lax on their security. Apparently their security software solution was set to a less secure settings due to too many false positives. They really did get to feel how having their policies leaning more towards convenience is a bad idea.
That being said, how youtube does not require 2FA for sweeping changes to a channel is down right mind boggling. If you change the channel name and change the status of the majority of your video catalogue there should be some alarm bells ringing no?
While I agree, there are also issues with having security settings too strict, as they might leed to users circunventing them so they can do their job. Now insted of some security, you have none. So, since they said they couldn't handle the amount of false positive they settle for that. Was it the best idea? No, but they did what they thought was right. It seems that looking forward they should look into how to handle better the false positives or alternatives software suites.
That beeing said, as you also said, Google not reauthenticating users attempting to do massive changes on the channel seems like a big mistake on their part.
The fact the Google will allow login from a cookie and then change password + 2FA *without* confirmation from either is downright neglectful.
@@mechwarrior83 you clearly do NOT understand how logging in from a cookie works. It's not that google "lets" them. It's that you're essentially just copying how they logged in, and it's the same session in essence.
@@Pandaptable So confidently incorrect. They could force a reauthentication even with a valid session. Many services do for important changes.
You sound too invested in them personally.
I feel like at this point, proper security protocols would be to have a separate machine that exists exclusively to open emails and doesn't have access to anything except the email account.
Except that many attackers want control of your recovery e-mail only (in that phase).
@@johndododoe1411 you can have emails forwarded to an unattached proxy email for this purpose, using something like POP so they're deleted off the first address as soon as they're sent to the second one, then you'd have to intentionally send it BACK to the first email for them to have access to that one
They're running a youtube channel, not a military base.
@@takatamiyagawa5688 If your youtube channel is your livelyhood, you may as well go the extra mile to protect it well, because if you lose it, you basically lose everything. At least in case of Linus Tech Tips and bigger channels, it's possible to recover this even after a hack happens, but it takes a lot of effort regardless and taking extra security measures to prevent this kind of thing is very worthwhile.
mental outlaw has been saying for months and months if not years to go buy a shitty chrome book and use that to answer the business email.. Whats even worse is a lot of these losers use their personal email to get business emails, which has secured future fuckery. They SHOULD have a email solely for sponsorship offers, and you should only use that email on that latop. Unless you can have a braincapacity above a 5 year old and just not click them. Greed is what makes people fall fr this shit. Being content doesnt leave you with shady business.
very cool malware honestly whoever made it was quite smart to make it a large file i also noticed avg programs don't scan larger files and good execution with the email and pdf.scr
honestly might have even caught me off guard if i had a youtube channel
Great video. Would it make any difference if you were to open these files if they're being send through google drive for example? Like the quick view in Gmail? Or would that also be enough to activate it?
100% this all ramps down to the fact that even if you're a manager on the channel you can't create community posts. You can upload videos, delete videos, whatever you want. You can't make community posts. You have to be logged in from the "main" account. It's the worst.
weirdly it can be delegated via API which means if you have the capacity you can "relay" the intent with custom local tool/ web service
They could use clean virtual machine or server for posting only
That is 100% not at all what this ramps down to lmao.
@@dontaskiwasbored2008 True, but cool API fact.
CZcams Studio is just *incredibly* poorly designed. It's an absolute disgrace, especially since it took them absolutely forever to create and they had a very lengthy (multi year!) feedback period that they literally did not do anything with. In CZcams Studio you either have too little access or way too much access.
If you're an editor you can't even edit a playlist (because that can only be done in the main site, and they simply didn't bother to implement in in Studio!)
As someone who's been a professional in this space for half my life it's actually OFFENSIVE to me how poorly designed it is. They literally just didn't bother doing it anywhere close to properly. Everything about it fucking sucks ass from the UI to the core functionality.
First "trick" that my friend taught me on my first PC was how to see extensions and how to see hidden files.
It's the first thing I do after reinstalling windows.
Your friend is a true friend.
@@jinxterx Yeah he is a true friend for sure.
And this feature saved me several times.
I worked for a state company, and they actually had put in place such severe restrictions that did not allow anyone without privilege to open any file except those permitted such as .pdf and word docs.
Ontop of it all, the computers were thin clients connected to large array of servers, their sessions were all temporary VM's that would delete its instance after each use, all your files were stored on cloud essentially connected to your user account and constantly scanned, it was the most ridicules security setup I ever seen in my entire life, they also had automated software that scanned files developed in house to check if the files they received on email were proper or not, all happened in the background, I cannot say what state company it was you can probably already tell that stuff like this, is not just any ordinary mom and pops office job.
But in hindsight, its not that much work to setup something similar for a small business with virtual machines and auto scanners checking files beforehand or loading files isolated from the system.
The funniest thing from that job is how the tech got so tired of trying to fight the spam emails, they designed a DDOS program that would just automatically target the IP source of these spam mails and dedicate a small server just to run that script day and night, it worked but when the boss found out, man he was not happy knowing there was a server using 5kW of power everyday just to reverse uno email spammers LOL, I think they replaced that with an AI which was good enough to detect most of them and filter it out, that was right at the end when I left I never got to look at it because it would be handy to have something like that running in my basement.
Little tip, use the "details" view of the files, it tells you more information about the files that live in your downloads folder. Like the size precisely.
Good information. Was kinda hoping for a bit of code breakdown, but this is my first time visiting the channel, so I'm not sure how deep you go. Either way, Thank you for putting such good info and good recommendations out there.
There are more in depth videos on the channel. :)
I always thought that keeping session cookies in plain text on the storage device was a bad idea. The information should be encrypted by the browser.
or just don't let applications (like screen savers) read any arbitrary data on the disk. especially web browsers
@@bluemeriadoc BUt you could still read it with regular executable programs.
Would you be okay entering a password every time you launch the browser?
@@rohanjamadagni maybe, but it's not necessary. you can leverage the operating system to encrypt based on the computer's password or protect the address space, or both
@@bluemeriadoc encryption only works when theres a password attached to it. If the browser can launch without needing a password, the hacker can just steal all the app data of the browser and launch it in their system regardless of what the os does. Windows doesn't have strict permission checking for files and even if it did if the program got admin access, it's basically useless. The only way to fix this is to have your whole browser password authenticated, kind of like how password managers are as browser extensions. From a website pov, you should have implemented uuid checking or some hashed hardware Id checking in the cookie, again this should be implemented by browsers as it would be a security risk to allow websites to detect a hw id. Overall, I'd say from a developer perspective these kinds of attacks are really difficult to mitigate without making the ux of the user worse.
When it comes to emails as a way to sneak malware in your system having good spam filter can help too mostly because emails containing potental malware are automaticaly sent to spam folder and you don't get notified.
isn't there an automated process in any antimalware for deletimg the empty space in files?
At my company, we've been using a 'viewer' to 'checkout' files and virtually view them. Picture it as a way to look at documents in a secured environment using a remote external viewer. Validated sites been using this almost 25 years now. If things are isolated and viewed indirectly, that would probably halt the brakes on a lot of problems.
There are also samples that seem to use actual code instead of empty spaces. It appears that these samples consist of a bunch of randomly generated functions that will be called upon launch. However, if you remove them to reduce file size, the program will become corrupted and you won't be able to run it.
Good video with some cool insight. Linus explained that only certain people have access to the channel, and even those people have limited access to certain things. Would be a good wake-up call for new protocols or software to prevent something like this from happening again.
New protocol - dont click and open unknown files like you are 7 year old first time using email
apart from file-extensions being displayed I _always_ have the preview window open. If I don't see a matching preview to the file I have, when I know it is capable of displaying a preview, this file gets analyzed or deleted outright.
And I did actually develop the habit of crossreferencing the file size. A picture of 500x500 wihch is several mb in size goes in the trash.
Most malware is targeted at Windows, sandboxing public parts of interacting with the world in virtual machine could prevent that
im not a security specialist, but i spend most of my time on Linux primarily for the lack of tracking but also i generally dont have to worry about any windows based attacks. If i worked for a big YT channel I would certainly use linux for emails and almost anything else that didn't require windows. and if i DID have to use windows, id open a fresh VM just for internet and emails and never log into anything important.
Im actually surprised these content creators even use windows, I assumed they all used Macs, since they pretty much all use iphones as well.
Well, a bunch of amateurs will amateur.
This is one of the reasons why I'm on Linux 100% since 2007, and never went back to windows, not even for work.
The size of that "PDF" already threw me for a loop, considering how many files I manage on a daily basis 9 times out 10 I would know if it's sketchy or not then again i can understand that some people arent always focused when reading emails, hell i ignore half of mine.
Thanks for the explainations!
Sounds like it's time to sandbox certain functions and create a VM to open attachments and possibly get an antivirus that will scan large files. Also, I don't think it's hard to create a script to do some rudimentary analysis of files to display size, possible padding, extension, etc to alert to a Trojan horse file.
Microsoft need to, as others have said, show file extensions by default however, they also need to block .SCR files by default too as well as Defender being a bit more advanced and able to block and warn about files with double extensions, such as .pdf.exe
To add , thank you even I did not know for this way of attacking. I mean didn't know or paid attention to fact that antimalware , antivirus software skips on large files. So to me this information is very nice , thank you .
the problem is that you should always, ALWAYS make the file extensions visible.
in fact this kind of thing is easy to detect. windows can have some sort of a warning for this sort of file names added. so it saves a lot of users from running executables by mistake.
how do you activate it?
@@Gargantura depends on the version of the windows but a quick google search will give you the answer.
i usually do it by control panel and folder options. then there should be a checkbox somewhere to make em visible.
@@darthnegativehunter8659 aight thanks
Don't know if it was mentioned here but they did say their antivirus detected the malware but it wasn't fully set up to high enough level to deal with it yet as they were in the process of setting up a bunch of systems too I think
@@asksearchknock that's kind of super out of context though and not what he said. Obviously it makes sense in certain situations. And while it's probably blasphemy to say this on a malware channel I think he's probably right for most average people.
Im learning a lot, thanks for all this videos 👍🏼
Like how to monetize someone else's misery?
Excellent, super interesting video, thanks for the upload. Subbed.
Can I ask you a question? - do you think today/tomorrow's continuing march to abstract away much of what programming used to be is a significant cause for concern, particularly today's almost complete loss of assembly programming skills, and affecting the field of security? This, in context with the fact that every program and language used today, and for years to come, is ultimately converted to machine code.
I'd imagine that any country who's government sponsors the training of assembly language experts in the security field, can increasingly use these skills to cause some serious problems.
I'm speaking from the point of view of someone who used to program games in the 1980's-90's in assembly, when it was a very popular language. Yes, it's CPU specific, but if the majority are using a handful of generic CPU types then the potential is there.
You would think by now that AV scanners can be smart enough to see a big file, scan up to a certain point (or maybe just look at the end of the file), and when it catches all that padding to throw a red flag. If it gets to a reasonable point in the file and doesn't see anything suspicious, it can just stop scanning to save resources.
Sadly Linus got caught here by ignoring his cyber security expert Luke. On the WAN Show Luke pointed it out that he told Linus the EXACT account and method of the hack but Linus responding "I'm focusing" and ignored the entire message. Luke then had to reach out to Linus's wife to get access to accounts (as he didn't have permissions to do what was needed, which is an issue). He offered to RDP into Linus's PC to do it but Linus was too focused combating the attack vector he thought it was (SMS/Password) to listen.
Yeah, Linus talking about his being woken in the middle of the night and ADHD, plus the severe crisis is understandable, but it still shows a SEVERE flaw in their disaster management preparedness and lack of processes. Linus himself seems to need training in how to manage a crisis and delegate better. I took a whole class in my tech master's on crisis MGMT and we workshopped stuff having to perform as a team in front of our class to fix a problem live. Cool stuff and teaches you to communicate and calm down first THEN tackle the issue so you are being the most effective.
@@jmckey Google is more faulty for it
@@engineeingnerd for sure, Google HAS to change how they secure logins and manage cookie sessions but there HAS to be process changes in the meantime at LTT to prevent something like this happening again.
A Arrogant Adult imature Freak like Linus,ever hated and refused Linux,and now he got what he deserves beeing an annoying windows fanboy
Well, yeah... Linus is an amateur and a shill, not an IT Tech by any assessment worth a piss.
Hardly surprising they got hit like this.
Good video. And lots of great suggestions in the comments. Love to see it. And no one blaming "noobs" or non-tech savvy people. And you make it easy to understand. Love this.
If it's a scr file, then it would mean this attack would not work on a PC that is not a Windows one, correct? So, yet another security measure could be just using a different OS to do that type of work on, like one of the UNIX based ones.
This is a good video thank you for the information and keep up the good work
Okay that zero padding thing is outright negligence on the part of malware scanners.
Yes and no. You could probably come up with ways to determine a file as being potentially unsafe by looking at random bytes in a file to determine whether it contained zero padding or not. But that would likely also issue a ton of false positives. And zero padding is not the only way to circumvent it. It could just be a bunch of random data as well-it's now much harder to determine what the file is.
There are anti-malware that does this kind of analysis already, when you run a full scan or manually select a file for a scan. But while in the background, you don't want it to do a full scan and take up all your resources and potentially battery.
So it's both a user error and a problem of detection. If you are uncertain about a file, manually scan it with your anti-malware software at least.
Agree. Doesn't take much effort for a virus scanner to pass through the file with a trimmer to validate 99% of it being empty space. But of course, if they were to do that then the hackers would just start padding files with random noise, defeating trimming it .
Great breakdown of the situation. It blows my mind that things like this still work, but it as we see time and time again it: session stealing is very much still a lethal and viable technique. Nice breakdown and hopefully this is a reminder for the tech-oriented user to pay close attention to what they open... All it takes is letting your guard down for a quick moment to get caught by these things, and it really can happen to anyone, even the security-minded user.
Why aren't the session tokens encrypted and only readable by the issuing web browser, based on the browser's internal ID?
@@richarda3659 Encryption doesn't matter when malware runs on _your_ computer. Where would you store the key? If your OS has access, then malware can find a way to gain access as well. Even if a hardware TPM or Secure Enclave was present.
And aside from encryption being resource intensive to do (and battery hungry), it also would be highly ineffecient if your browser is already running, as that data would be in memory, unencrypted, anyway.
it's not "the technique", the attack vector was someone being dumb. anyone with an RCE can do anything on the machine that you can do.
@@dealloc the key does not have to be locally present nor does it have to be static; it can be a calculated value either based on datetime or another system similar to RSA tokens. there is also no need to "store the key" since you can input it every time, e.g. biometric keys.
encryption is not resource-heavy, every layer 4+ connection you make has TLS over the top of it. it feels like everyone on here is just making guesses as to how computers work without understanding the stack.
scowering memory is not a reliable vector of harvesting tokens.
There was a virus at our school that uses scr. It got everywhere. If you plug a usb into a computer, it would copy itself to it, then set all your folders to hidden + system, then create lnk files to match the name, set the link target to the malware on the stick, add an autorun.inf file to the stick.
Hidden and system meant you wouldn't see the real folders unless you turned on both show hidden files and show system files. Show system files was a bit hidden and it warns you not to do that. A clear giveaway that your usb was infected was that all your folders turned into shortcuts that had that little arrow thing in the corner. I removed the virus from a lot of computers and fixed the usbs of who ever lended me their flash drives.
Why does windows still have extensions turned off by default? Its ridiculous.
This is why it is important for me that the 'Type' column is always present whenever I view files through the 'Details' view. You can immediately identify what kind of file you are looking at before you would try to open it.
Also obvious if you always show the real extensions for all files. It should be the default in Windows, but it is not.
I always have extensions enabled on files by default now. First because I had trouble quickly finding the right file for my text based game (txt for lore, stats, etc, and bat for the MSDOS that it was programmed in). I then disabled it until I had a stressful 2 hours of trying to outpace malware by lagging the hell out of my current machine to delay its copying of the virus to other sectors. Took a lot of effort to do and after killing the automated script, I had to spend about 3 hours manually clearing the programs that were meant to reproduce itself. Eventually ran a 17 hour deep scan of my system to find another folder of the files and decided I'd leave extensions on so I dont double click another sus exe file.
6:03, even if you don't have the remember me box checked, requests are sent with a unique session token that changes on every re-authentication, which if stolen, will work (for about a day or so)
Thank you for this video! It really helped me understand what happened. Now I'm reviewing some of my own security protocols.
I'm actually more surprised that malware detection suites aren't robust enough to detect these types of attacks. A surface level check of RTL/LTR manipulation of the filename to hide the extension would catch this as a suspicious file. There aren't any legitimate use cases to use this hack in the real world, so it's pretty safe to say anything hiding the extension like this is likely to be malicious. Similarly, checking a file for padding is fairly easy to do, and doesn't require a lot of resources realistically to do so. Shrinking the file for an in-depth scan is also possible using sparsification, but thats a but more resource intensive - and only works on zero padded files directly.
Filetype manipulation can be accidental.
Some foreign languages are RTL, so yes there are legitimate use cases for the character appearing in a file name
@@o00nemesis00o but not in the extension, and that's pretty easy to check for.
@@LordSStorm windows warns users when changing the extension, and in this case the user could undo the mistake or make the logical conclusion that the file is or is not suspicious.
Easy fix from Google/CZcams, would be to detect that the IP address changed when the hackers enter the authentification cookies, and thus, ask for the 2FA again each time such location difference is detected.
That's why you always look at files in the explorer in the "details" view setting and make sure extensions are on.
I'm going to be honest, if a channel is advising you to "just use virustotal instead of an antivirus" I'd immediately look for their history as a cyber criminal lmao
Yes, It may help criminals more than users..
never use antivirus, just move linux, lol
@@vonKarma1186🤓
Totally DO use an antivirus if you want to throw 95% of your machine's performance away 100% of the time vs. that one time when you should have had the common sense to realize whatever you just downloaded should at least be checked by virustotal.
And I have just seen a channel that teaches people: "The first thing you should do when getting a computer is to shut down windows update and defender permanently. This is very important. Now do as I show you..."
For PDF's there luckily exists an FOSS tool called Dangerzone which cleans the PDF up inside a sandbox (basically acting like a virtual printer, converting the pdf to pure pixel data and then making that into an clean PDF) which can be handy for when you **have** to open up a PDF (contracts for example) but can't trust the source.
Thats cool
Or just open in Chrome
@@phir9255 While chrome does open PDF's in a sandbox which _should_ be secure that still doesn't solve all the other problems like "You opened an executable instead of a PDF".
@@cook_it True, people should enable visible extensions
@@phir9255 Absolutely.
But even then if there are other exploits like a sandbox escape in chrome you still get into problems.
With dedicated software like Dangerzone you would first need a exploit on LibreOffice or GraphicsMagick, then if you're on windows an VM escape from Docker Desktop or for Linux a container escape exploit, which is harder than a sandbox escape but still potentially possible.
tl:dr
Security is hard and mistakes can always happen. Never rely on a single software to keep you safe.
This is why I click show in folder rather than blindly running anything from browser download display and also display file extensions. Guessing the was no AV installed on the PC which is crazy considering it was a tech channel. Up through Win 98 screen savers were a common attack vector but less common now so less would be aware of that extension.
i am suprised how it is not just common practice to check the Win Explorere Setting to not hide the actual filetype extenseion.
Or at least how a .PDF is not a red flag if you do not see them regularly.
So either you have file extension names disabled then the .pdf extension should sound alarms in your head, or you do have them enabled then it will show as ".pdf.scr" which is also a red flag.
This crap is out of control, i get emails from amazon, walmart, Netflix, etc, all sketchy as hell.
Great diagnosis and analysis of the issue, but it would be great if you have described the remedy. I have many questions here, hope you could address them in other videos or in comment:
- How could you prevent malicious emails from harming your system from the beginning? Is opening emails in a sandbox (virtual machine) considered the ultimate solution for separating harmful content from the environment? how practical can this be especially in a working environment with many users?
- What is the best anti-virus? especially the ones that detects Maleware after falling to the hacking trap.
- in short: is there an ultimate solution??
In latest WAN show, Luke said the attack was flagged by their AV. But since they did not set it to highest level, the attack was not shown/seen. So curious about these too.
I believe he did - it's isolating the functions so the machine/person opening the emails doesn't have access to the higher privileges needed to attack. One thing he didn't mention is never use your machine when logged in as a local administrator. Only use those accounts when doing maintenance. I remember reading sometime back that most attacks will fail if the user only has "user" privileges. But people resist anything that gets in the way of doing what they want to do.
Also if you have a password manager as a browser extension is that bad would the session to that extension be easily compromised?
For me checking fine extensions, the answer is yes, I check them all the time, and they are visible by default on all the computers I own or manage
Imagine it was named: "LinusWare"
They totally should sell new underwear with that branding on it.
I think the easy fix for this would be for Microsoft to:
1. Enable file name extensions by default
2. Make the process for executing a file different from the one for opening it. Something like on Linux, where you need to explicitly choose "Execute" when you double-click a file in order to run it, or it just opens as a text file.
Such a shame it's 2023 and Windows is still so insecure.
In my Linux I can run by double click just fine.
Microshit even requires execute permission on every document you open with doubleclick, thus forcing insecure security settings .
@@FlorinArjocu Huh? Strange. Maybe it depends on the desktop environment. On Linux with KDE (and I think on Gnome too) the default behavior is to just open a file when you double-click it and never execute it unless specified.
@@EricchiYukia Don't remeber exactly, I think I do check the "execute" checkbox, but I think that is not always the case. In the end it depends on the permissions to the file, if it has the +X or not. I am on Gnome (Ubuntu).
@@FlorinArjocuYes, that too! Files downloaded from the internet always have the "executable" flag disabled on Linux, and that was made exactly to prevent incidents like the LTT one.
Since I got my first computer on 2002.
I have always enabled the show the extension feature.
I have never like not knowing what I’m opening.
Wouldn't it be possible to flag padded files like the PDF as suspicious, if they have unusually low entropy? To speed up this calculation, one could sample chunks from the entire range of the file, instead of scanning the whole file, and either calculate the overall entropy of these chunks or calculate an "entropy map", where files containing large low-entropy regions are marked as suspicious.
Sure, everything is possible. But the malware guys are very creative and they will find a way around. Your method will fail if there is one random byte in every chunk.
@@fred5459 True, it really is a never-ending struggle. I'm not sure why you think a single random byte in every chunk would make my method fail, but please elaborate.
@@mashroom_ Instead of zeros they could use megabytes of random data. Then your entropy idea would fail.
@@Hyxtryx You're right, but I would argue that this would make the file too difficult to compress and would hence exceed the maximum email attachment size.
@@mashroom_ Good point, I didn't think of that.
Just realised, another red flag is when you see a .PDF extension while you have show extensions disabled.
The sort of person that has file extensions disabled probably isn't paying attention to the end of the file's name,
@@takatamiyagawa5688 And wouldn't think anything of it, even if they did notice it. It's also possible that the person has extensions enabled on their home computer, but disabled on their "LTT work" computer, and missed it because of that. Or maybe it was a new install and somebody forgot to change the setting.
Show files extension - it's basically one of the first quality of life settings that I turn on, whenever I install Windows, or on any PC that I use, for that matter. It's been a habit for me since I can remember, probably year 2000. I'm also proud to say I have no idea how an antivirus looks anymore, I haven't used one in over 20 years and I never bonked my PC.
its annoying but when the firewall is set to interactive and it asks for every piece of code for network allowance this can be averted, as if its cant communicate its mostly harmless
I think browsers should encrypt stored data like session tokens, and ask for a decryption password when launched (which would imply never storing decrypted cookies outside of the RAM)
They do something similar to that for passwords, where they will use OS-level security/encryption as appropriate (on Linux and macOS you have KeyChain, Windows also has something similar). It would be nice if cookies are also caught in that.
Um.. the whole point of session tokens is to not have to put in a password... So the real solution is: "don't choose 'remember me'"
@@FrumpyJones I don't agree, having to login every time on every website can be tedious, where one prompt when you open your browser asks the user for much less effort.
The real solution would be to keep your sessions short
yeah but what if I just want to move my data from one pc to another? i just raw copy-paste files and tadaaa, I don't want encryption bllshit to deal with. Isn't windows fault it doesn't has a alert: u're about to open a .exe or.src file, are U SURE? And this to not be annoying, it would pop up only the first time u run a file. And u can even disable it...
I have a few questions, let's skip the part where we need to be careful. But doesn't Windows warn about unsigned exe/scr files? Doesn't it ask if I really want to run that file?
If I accidentally run a file like that, how can I prevent my data from being compromised? Could it be blocked? For example, I use Malwarebytes Windows Firewall Control program and set it up so that everything that goes out prompts me. Does this help? What other additional methods can we use?
Windows and its file signing can be bypassed for years already by just using a official signing tool on any regular executable and moving the bytes to the malware executable.
@@kuromiLayfe Then the signature wouldn't match the file.
@@Hyxtryx all the signature check does is see if the amount of bytes match that sig data and if they are in the correct spot… guess what is correct when those bytes gets moved or copied to a malware version of a executable ( exactly the same method as shown in this video to mask malware code by bloating the filesize to bypass online scanners)
It seems like it would be so trivial for chrome/edge/firefox to encrypt any session tokens and cookies on disk, and obfuscate the ones in memory a little.
Thank you for teaching us this things.
This is why I always have the "show file name extentions" checkbox checked on my windows explorer. You can never be too careful.
Have you watched ThioJoe's video that attackers can now fool that?
@@RobertSalas I saw it when he posted the video, and had never heard about that before. Had you? That was a very obscure thing. But now that you and others keep mentioning it, you can bet it's going to get used. It needs to stop getting mentioned. I know, that's security through obscurity, but that obscurity had been working quite well.
This reminds me of the time when my friend found an exploit in everyone's favourite media player, VLC, and added code to the end that, when played in VLC, broke things because the tool executed scripts within the video (he could have done anything, including modify the registry to never pass login, but it merely scrambled the subtitles). Video played fine in MPC and other players. The only reason he did it is because his messages to VLC devs went unanswered.
The same, I suspect, basically would happen here (getting MS to enable file extensions by default or YT having more security). Sometimes, these big companies think they have all the answers and do not pay attention to outside reports. Despite all the smaller channels Linus mentioned as having been similarly been hit and YT had yet to do anything there, are they going to pay attention now and fix things? I would not hold my breath. :(
No, because hiding file extensions has made this possible for decades, MS cannot possibly be ignorant of it, and they just won't do anything because... hell if I know why.
Browsers definitely need a way to harden their storage mechanisms. They already allow the users to encrypt stored passwords, but they should also allow to encrypt cookies, local storage and other stored data with a master key/password. And surely, only that exact browser with a verified vendor signature should have the OS's permission to work with its files.
Couldn't Windows come up with a way to tag any file that is executable? Maybe put a red outline around the icon?
It’s reckless for AV to *skip large files without notifying the user*
And how some of them demand to scan things that don't need to be scanned like movies and files that were already scanned a few days ago.
Yeah it's madness. What I don't understand is why AV engines don't just analyse the hex data of the file, just like Leo did here? In this case, they don't even need to use a lot of system resources to perform a full scan on the file, if they see a lot of empty space in the file they could simply block and alert on this suspicious property alone...
But maybe I'm missing some reason that this can't/shouldn't be done. Maybe there's some legitimate reasons for significant empty space that I'm not seeing?
@@itsmikedev I would say that checking for empty space means you need to read the whole file which takes resources, but that’s not true. They could read small chunks of it and flag if one of those bits is all empty space.
@J B yeah I wondered the same, surely taking small samples of bytes at a time and checking those would reduce the load.
Right off the bat, I noticed there are spelling mistakes on these emails. I’m surprised this wasn’t mentioned.
Linus and his workers are blinded by money.
Unfortunately Im not a native english speaker and I can’t notice some grammar mistakes :c
@@xr.spedtech kinda makes sense, considering how much sponsors they include
@@xr.spedtech I really hate ignorant comments like this regarding anyone
There are plenty of people not living in native English countries. We are much more tolerant to there mistakes as we grow up with our languages.