The Malware that hacked Linus Tech Tips 

File name extensions needs to be enabled BY DEFAULT. Hiding the file extensions might look cleaner, but it heavily increases the chance of getting tricked into running an executable.

Imagine people who send malicious emails to someone named "The pc security channel"

The first red flag to me about that so-called PDF is that the extension is visible while the extension for the video file is not. A helpful tip is to configure File Explorer to always show file extensions.

LTT does use permissions but they have a lot of users with a variety of permissions. One of the first things Linus did was change 2FA and passwords for the main accounts and then log out all devices logged in, but logging out the attackers didn’t log them out. Then he hopped onto the content manager to start revoking rights, but he didn’t set it up and didn’t want to wake up the one that did so had to learn as he went. But RU-vid’s content manager started throwing errors and timing out trying to revoke rights for some reasons. So he tried logging into some of the users but do to a recent password mitigation, he didn’t have access to some of them yet. Later they found out Google knew which account was compromised but didn’t immediately tell them. Got this from the video they made the days of the attack. They sounded good considering they hadn’t slept in 24 to 48 hours at that point,

I've always thought it was a terrible idea for Microsoft to hide file extensions by default. Just asking for trouble.

Antivirus software (especially Windows Defender) should automatically flag files named .pdf.src or .pdf.exe (stuff similar), because nobody is going to name their documents that way unless they have malicious intentions.

Im going through my security + training and this was an awesome breakdown of a real world scenario! I am definitely a subscriber now.

Great discussion. One big thing that was indirectly touched on here - first thing I do on any new system I install is enable viewing of extensions. This will make it immediately obvious that the file says agreement.pdf.scr. In my opinion, the default behavior that Windows hides extensions making agreement.pdf.scr look like agreement.pdf is just helping the propogation of malware. Every version of Windows seems to make things "easier and easier" by taking away as many details as possible rather than simply educating users on what a file extension is.

Kudos for defending the employee.. People were so quick to call for him to get fired w/o have an iota of an idea of how oblivious most of them would be to a targeted phishing campaign against them, especially at your employment capacity ( ironically, we become less suspicious and more compliant even in security sectors ) vs your personal email. Cheers

An encrypted zip file is a huge red flag alone. Normal zips are okay as most antispam services can check, usually up to a depth of like 128 folders deep.

Great video! It was my first time watching a video from you and as an IT professional transitioning into the cybersecurity field, this was a very informative video! btw, in the scroll history it says "Crowdsack" instead of "CrowSec". Just wanted to let you know. Again great video!

Great video. Would it make any difference if you were to open these files if they're being send through google drive for example? Like the quick view in Gmail? Or would that also be enough to activate it?

Microsoft should really stop this "Hide extension for known file types" thing. That Windows feature is the main attack vector, because it make an executable look like an innocent file.

I have always the "File name extensions" enabled, so I don't need to go into properties to see the hidden extension. But with that said, personally, seeing .scr wouldn't be as alarming as .exe

Good video. I think it would've been neat if you added a section to these types of videos where you do some sort of sandboxing of the file, to show what it's actually doing. I'm sure you've heard of it, but Any Run is an example of an interactive open sandbox solution to do this in, another is Hybrid Analysis though it doesn't provide interactivity it still shows screenshots and breaks down the activities it performs. It would be neat to get an idea of the scheduled task creations, additional sub process executions, network traffic to threat actor domains and IPs, etc.

I don't know if this is common for malware, but one thing I found interesting was all the date and time codes for the different time markers in the hex editor were impossible dates for computers to exist in like 1601.

I think the „show file extentions“ option should be enabled by default in windows explorer because otherwise if you don‘t look at the properties of the file you would not even notice if a file had a different file extention to what you would expect. Many people have this option disabled because they just never changed it so they could easily fall for such a trap if they don‘t know that much about computers.

the person who's job it is to respond to these could also use a machine that doesnt have channel credentials used specifically for answering sponsorship emails as an additional layer of protection from something like this happening

I'm glad you mentioned the fact that the PDF is usually not sent in the initial email, but rather a follow-up email and the fact that many legit companies use third-party PR firms to reach out for sponsorships. After hearing those two facts, it's no wonder someone who works for a big RU-vid channel would fall for this, especially if they get dozens if not hundreds of legitimate offers every single day with no discernable difference up front. Having a sponsorship manager with complete and total access to the RU-vid channel was a serious blunder on LMG's behalf though, and the hack would have been mitigated had that not been the case, so I hope they've learned a lesson from that. Imagine being a solo creator dealing with this though. Answering dozens of emails from potential sponsors while also working on your own content. You wouldn't have a buffer from this kind of attack, unlike LMG would.

This video is so fantastic, I gasped a few times when you showed the properties and HEX... Good job!

The bit that suprised me was that LTT had a PC with both RU-vid account access and was used to process incomming offers, I would have thought the two should be kept well apart

A 770Mb PDF file would be a major red flag. I think the largest genuine PDF file I've ever seen was less than a hundred megabytes and that contained full color images.

A better solution might be a warning when attempting to open a file with multiple extensions, rather than just disabling "hide extensions for known file types" in Explorer. This may work for an experienced user who knows what different file extensions are, but for a novice who doesn't know the difference, they're probably going to just ignore the extension anyways. This could be annoying for power users though.

best video in this regard- can you make a video about these session tokens?

Thio Joe has recently done a couple of videos about this and similar attacks. And for all the people talking about showing file extensions, it turns out there are a few unicode characters that reverse text direction after the character, even the file extension. That will keep you on your toes. And Thio Joe discussed that too.

In the WAN show, Luke said their anti-malware solution did caught the file. But it was only a notification, and the malware was still ran before it can be stopped. (e.g. it was not quarantined in time)

Thank you for letting me know about the screen saver file extension and how they can run as an application. I didn't know that.

I worked for a state company, and they actually had put in place such severe restrictions that did not allow anyone without privilege to open any file except those permitted such as .pdf and word docs. Ontop of it all, the computers were thin clients connected to large array of servers, their sessions were all temporary VM's that would delete its instance after each use, all your files were stored on cloud essentially connected to your user account and constantly scanned, it was the most ridicules security setup I ever seen in my entire life, they also had automated software that scanned files developed in house to check if the files they received on email were proper or not, all happened in the background, I cannot say what state company it was you can probably already tell that stuff like this, is not just any ordinary mom and pops office job. But in hindsight, its not that much work to setup something similar for a small business with virtual machines and auto scanners checking files beforehand or loading files isolated from the system. The funniest thing from that job is how the tech got so tired of trying to fight the spam emails, they designed a DDOS program that would just automatically target the IP source of these spam mails and dedicate a small server just to run that script day and night, it worked but when the boss found out, man he was not happy knowing there was a server using 5kW of power everyday just to reverse uno email spammers LOL, I think they replaced that with an AI which was good enough to detect most of them and filter it out, that was right at the end when I left I never got to look at it because it would be handy to have something like that running in my basement.

I understand the dangers true scr files also start up just like exe files. But the fact that RU-vid doesn't have the security in place when they don't ask you to log in again when you change the password or the channel name is baffling to me. Or delete lot off files... crazy

I was patiently waiting for your take on what happened, well delivered!

I watched a few other videos on this topic but idk why your explanation just sticks better in my brain lol

Subbed for the quality of this video and the info in it.

100% this all ramps down to the fact that even if you're a manager on the channel you can't create community posts. You can upload videos, delete videos, whatever you want. You can't make community posts. You have to be logged in from the "main" account. It's the worst.

I feel like at this point, proper security protocols would be to have a separate machine that exists exclusively to open emails and doesn't have access to anything except the email account.

very cool malware honestly whoever made it was quite smart to make it a large file i also noticed avg programs don't scan larger files and good execution with the email and pdf.scr honestly might have even caught me off guard if i had a youtube channel

The large file size is also a massive red flag. No pdf should be that large 770 mb ???

Good thing for them they got it resolved quickly and got support trough their other business ventures to alleviate the lack of adsense when the channel was down. But they definitely have been a bit too lax on their security. Apparently their security software solution was set to a less secure settings due to too many false positives. They really did get to feel how having their policies leaning more towards convenience is a bad idea. That being said, how youtube does not require 2FA for sweeping changes to a channel is down right mind boggling. If you change the channel name and change the status of the majority of your video catalogue there should be some alarm bells ringing no?

First "trick" that my friend taught me on my first PC was how to see extensions and how to see hidden files. It's the first thing I do after reinstalling windows.

Little tip, use the "details" view of the files, it tells you more information about the files that live in your downloads folder. Like the size precisely.

If it's a scr file, then it would mean this attack would not work on a PC that is not a Windows one, correct? So, yet another security measure could be just using a different OS to do that type of work on, like one of the UNIX based ones.

Good information. Was kinda hoping for a bit of code breakdown, but this is my first time visiting the channel, so I'm not sure how deep you go. Either way, Thank you for putting such good info and good recommendations out there.

Most malware is targeted at Windows, sandboxing public parts of interacting with the world in virtual machine could prevent that

Channel notification on now , i want to be updated with all these stuffs :D

Great coverage,thanks for sharing,you explain it very well and this is what people need

im not a security specialist, but i spend most of my time on Linux primarily for the lack of tracking but also i generally dont have to worry about any windows based attacks. If i worked for a big YT channel I would certainly use linux for emails and almost anything else that didn't require windows. and if i DID have to use windows, id open a fresh VM just for internet and emails and never log into anything important. Im actually surprised these content creators even use windows, I assumed they all used Macs, since they pretty much all use iphones as well.

There are also samples that seem to use actual code instead of empty spaces. It appears that these samples consist of a bunch of randomly generated functions that will be called upon launch. However, if you remove them to reduce file size, the program will become corrupted and you won't be able to run it.

Good video with some cool insight. Linus explained that only certain people have access to the channel, and even those people have limited access to certain things. Would be a good wake-up call for new protocols or software to prevent something like this from happening again.

You didn't mention that basically all compression algorithms will reduce the padding to about 2 bytes - that's why it ships perfectly fine via email, and probably why it explodes so quickly also. You would obviously notice if the zipped PDF you received is taking like 10 minutes to extract.

At my company, we've been using a 'viewer' to 'checkout' files and virtually view them. Picture it as a way to look at documents in a secured environment using a remote external viewer. Validated sites been using this almost 25 years now. If things are isolated and viewed indirectly, that would probably halt the brakes on a lot of problems.

I always thought that keeping session cookies in plain text on the storage device was a bad idea. The information should be encrypted by the browser.

When it comes to emails as a way to sneak malware in your system having good spam filter can help too mostly because emails containing potental malware are automaticaly sent to spam folder and you don't get notified.

Excellent, super interesting video, thanks for the upload. Subbed. Can I ask you a question? - do you think today/tomorrow's continuing march to abstract away much of what programming used to be is a significant cause for concern, particularly today's almost complete loss of assembly programming skills, and affecting the field of security? This, in context with the fact that every program and language used today, and for years to come, is ultimately converted to machine code. I'd imagine that any country who's government sponsors the training of assembly language experts in the security field, can increasingly use these skills to cause some serious problems. I'm speaking from the point of view of someone who used to program games in the 1980's-90's in assembly, when it was a very popular language. Yes, it's CPU specific, but if the majority are using a handful of generic CPU types then the potential is there.

Sounds like it's time to sandbox certain functions and create a VM to open attachments and possibly get an antivirus that will scan large files. Also, I don't think it's hard to create a script to do some rudimentary analysis of files to display size, possible padding, extension, etc to alert to a Trojan horse file.

Don't know if it was mentioned here but they did say their antivirus detected the malware but it wasn't fully set up to high enough level to deal with it yet as they were in the process of setting up a bunch of systems too I think

So, if you receive this email, just clicking on the attachment in gmail would allow that malware to do its work? Or would the file have to be saved to your computer then opened to be affected by the malware?

isn't there an automated process in any antimalware for deletimg the empty space in files?

Microsoft need to, as others have said, show file extensions by default however, they also need to block .SCR files by default too as well as Defender being a bit more advanced and able to block and warn about files with double extensions, such as .pdf.exe

Just realised, another red flag is when you see a .PDF extension while you have show extensions disabled.

The size of that "PDF" already threw me for a loop, considering how many files I manage on a daily basis 9 times out 10 I would know if it's sketchy or not then again i can understand that some people arent always focused when reading emails, hell i ignore half of mine.

the problem is that you should always, ALWAYS make the file extensions visible. in fact this kind of thing is easy to detect. windows can have some sort of a warning for this sort of file names added. so it saves a lot of users from running executables by mistake.

This crap is out of control, i get emails from amazon, walmart, Netflix, etc, all sketchy as hell.

Okay that zero padding thing is outright negligence on the part of malware scanners.

There was a virus at our school that uses scr. It got everywhere. If you plug a usb into a computer, it would copy itself to it, then set all your folders to hidden + system, then create lnk files to match the name, set the link target to the malware on the stick, add an autorun.inf file to the stick. Hidden and system meant you wouldn't see the real folders unless you turned on both show hidden files and show system files. Show system files was a bit hidden and it warns you not to do that. A clear giveaway that your usb was infected was that all your folders turned into shortcuts that had that little arrow thing in the corner. I removed the virus from a lot of computers and fixed the usbs of who ever lended me their flash drives.

Am I to understand that this vulnerability would not be applicable if one were to log out after every session/not select the myriad "Remember me on this device" options? I'm aware that is more hassle than a lot of people would want to go to these days, but it would illustrate another example of why availing yourself of those options is not a particularly secure choice in the long run.

Sadly Linus got caught here by ignoring his cyber security expert Luke. On the WAN Show Luke pointed it out that he told Linus the EXACT account and method of the hack but Linus responding "I'm focusing" and ignored the entire message. Luke then had to reach out to Linus's wife to get access to accounts (as he didn't have permissions to do what was needed, which is an issue). He offered to RDP into Linus's PC to do it but Linus was too focused combating the attack vector he thought it was (SMS/Password) to listen.

Imagine it was named: "LinusWare"

i am suprised how it is not just common practice to check the Win Explorere Setting to not hide the actual filetype extenseion. Or at least how a .PDF is not a red flag if you do not see them regularly. So either you have file extension names disabled then the .pdf extension should sound alarms in your head, or you do have them enabled then it will show as ".pdf.scr" which is also a red flag.

Are you building software on a unstable production floor or design a new products on a unstable production floor that comes from outside forces that sell to you

Why does windows still have extensions turned off by default? Its ridiculous.

Im learning a lot, thanks for all this videos 👍🏼

apart from file-extensions being displayed I _always_ have the preview window open. If I don't see a matching preview to the file I have, when I know it is capable of displaying a preview, this file gets analyzed or deleted outright. And I did actually develop the habit of crossreferencing the file size. A picture of 500x500 wihch is several mb in size goes in the trash.

Easy fix from Google/RU-vid, would be to detect that the IP address changed when the hackers enter the authentification cookies, and thus, ask for the 2FA again each time such location difference is detected.

This is why it is important for me that the 'Type' column is always present whenever I view files through the 'Details' view. You can immediately identify what kind of file you are looking at before you would try to open it.

What if they open their email attatchments in a Virtual machine? Wouldn't that be the wisest option?

6:03, even if you don't have the remember me box checked, requests are sent with a unique session token that changes on every re-authentication, which if stolen, will work (for about a day or so)

Do you recommend a anti-virus Programm and if yes which one? I always thought the windows anti-virus is good enough

I'm actually more surprised that malware detection suites aren't robust enough to detect these types of attacks. A surface level check of RTL/LTR manipulation of the filename to hide the extension would catch this as a suspicious file. There aren't any legitimate use cases to use this hack in the real world, so it's pretty safe to say anything hiding the extension like this is likely to be malicious. Similarly, checking a file for padding is fairly easy to do, and doesn't require a lot of resources realistically to do so. Shrinking the file for an in-depth scan is also possible using sparsification, but thats a but more resource intensive - and only works on zero padded files directly.

I have a few questions, let's skip the part where we need to be careful. But doesn't Windows warn about unsigned exe/scr files? Doesn't it ask if I really want to run that file? If I accidentally run a file like that, how can I prevent my data from being compromised? Could it be blocked? For example, I use Malwarebytes Windows Firewall Control program and set it up so that everything that goes out prompts me. Does this help? What other additional methods can we use?

Would this have been caught by a contextual scan prior to opening the file?

Not a tech nerd and our firm only has two pc´s which allow emails to be received by unknown senders, these are not connected to the rest of the grid and function mainly to create new contacts. Once the contacts have been verified ... other stuff happens, somebody explained to me but I didn´t understand much of it, something to do with a third computer which functions as a transition hub. I am not allowed to receive any emails at work, can´t browse either. Pretty much all I can do is use the software meant for my job, as far as I understood the system has redundant layers of protection, if one gets broken/infected ... the other just continues normally. I think there are 10 PCs in total ... so not a huge firm.

All those bytes being zero means the compression can have it result in a normal looking size when zipped, right? You didn’t mention that.

This is why you always show file extensions.

Linus should have made sure all computers were set to show extention and they should run every file from a 3rd party, regardless of size, through a competent antivirus. This is really not that difficult to do. Antivirus scans take seconds with an ssd. This is basic security for most.

With such an important site, his backups can be used to restore the content he had on RU-vid. He just needs to rebuild from backups his new site. Some lost time, but no list content with the backups he has.

Great diagnosis and analysis of the issue, but it would be great if you have described the remedy. I have many questions here, hope you could address them in other videos or in comment: - How could you prevent malicious emails from harming your system from the beginning? Is opening emails in a sandbox (virtual machine) considered the ultimate solution for separating harmful content from the environment? how practical can this be especially in a working environment with many users? - What is the best anti-virus? especially the ones that detects Maleware after falling to the hacking trap. - in short: is there an ultimate solution??

I think the easy fix for this would be for Microsoft to: 1. Enable file name extensions by default 2. Make the process for executing a file different from the one for opening it. Something like on Linux, where you need to explicitly choose "Execute" when you double-click a file in order to run it, or it just opens as a text file. Such a shame it's 2023 and Windows is still so insecure.

Also if you have a password manager as a browser extension is that bad would the session to that extension be easily compromised?

You mentioned that there should not have been so many people who had access to be able to manage the youtube channel, but another thing to consider is that (at least to me it seems this way) most employees at LMG have administrator Windows/Mac accounts, and this type of malware code would have to run with administrative privileges to capture the session information and upload to the attacker. If Linus made it so that only senior employees (Linus and Luke etc) only had administrator access and everyone else had normal user accounts, then I feel that this attack could have been prevented. Please feel free to call me out if any of the information in my comment is incorrect. I do not want to spread misinformation.

Great breakdown of the situation. It blows my mind that things like this still work, but it as we see time and time again it: session stealing is very much still a lethal and viable technique. Nice breakdown and hopefully this is a reminder for the tech-oriented user to pay close attention to what they open... All it takes is letting your guard down for a quick moment to get caught by these things, and it really can happen to anyone, even the security-minded user.

This reminds me of the time when my friend found an exploit in everyone's favourite media player, VLC, and added code to the end that, when played in VLC, broke things because the tool executed scripts within the video (he could have done anything, including modify the registry to never pass login, but it merely scrambled the subtitles). Video played fine in MPC and other players. The only reason he did it is because his messages to VLC devs went unanswered. The same, I suspect, basically would happen here (getting MS to enable file extensions by default or YT having more security). Sometimes, these big companies think they have all the answers and do not pay attention to outside reports. Despite all the smaller channels Linus mentioned as having been similarly been hit and YT had yet to do anything there, are they going to pay attention now and fix things? I would not hold my breath. :(

Show files extension - it's basically one of the first quality of life settings that I turn on, whenever I install Windows, or on any PC that I use, for that matter. It's been a habit for me since I can remember, probably year 2000. I'm also proud to say I have no idea how an antivirus looks anymore, I haven't used one in over 20 years and I never bonked my PC.

So 2 things that kinda surprised me about this video: a) file extensions are not shown by default. That's turned on on my computer and not only does that help with identifying such files but also it can help in day-to-day-business as well, being able to see if a picture is PNG or JPEG or whatever else at a glance. b) not using at least the windows antivirus security thingy. I do a windows defender scan on every single file i download from the net, just because it's a habit of mine and usually takes less than 10 sec to do so (and i don't download quite as many files as the employee might). Not sure if windows defender would've found that trojan because i guess that's the AV they're gonna try to fool most, but as soon as one right-clicks the file for the context menu (for scanning) one has the chance to see 770 MB file size on the bottom; one should get suspicious at that point. I know very few PDFs that are that large and they're thousands of pages or tons of pictures, so there's really no need for an offer to be that large. I feel like all the warning signs are there for this case if you use proper precautions...

I thought anti viruses could detect if the file’s been pumped, or just detect the abnormal amount of zeros

this kind of thing must explain a number of obviously hacked youtube channels i've come across

The thing also is, it's pretty hard for a pdf file to have a large size unless it's a 100 page filled with high resolution images. A business inquiry or similar types of documents hardly go over 10mb

To add , thank you even I did not know for this way of attacking. I mean didn't know or paid attention to fact that antimalware , antivirus software skips on large files. So to me this information is very nice , thank you .

Wouldn't it be possible to flag padded files like the PDF as suspicious, if they have unusually low entropy? To speed up this calculation, one could sample chunks from the entire range of the file, instead of scanning the whole file, and either calculate the overall entropy of these chunks or calculate an "entropy map", where files containing large low-entropy regions are marked as suspicious.

You don't have to have file extensions disable to pull off this exploit. You can use RTL encoding to make it where the extension doesn't appear at the end. How many people are going to look for the letters rcs anywhere in the filename?

You would think by now that AV scanners can be smart enough to see a big file, scan up to a certain point (or maybe just look at the end of the file), and when it catches all that padding to throw a red flag. If it gets to a reasonable point in the file and doesn't see anything suspicious, it can just stop scanning to save resources.

For PDF's there luckily exists an FOSS tool called Dangerzone which cleans the PDF up inside a sandbox (basically acting like a virtual printer, converting the pdf to pure pixel data and then making that into an clean PDF) which can be handy for when you **have** to open up a PDF (contracts for example) but can't trust the source.