The Malware that hacked Linus Tech Tips 

Imagine people who send malicious emails to someone named "The pc security channel"

File name extensions needs to be enabled BY DEFAULT. Hiding the file extensions might look cleaner, but it heavily increases the chance of getting tricked into running an executable.

The first red flag to me about that so-called PDF is that the extension is visible while the extension for the video file is not. A helpful tip is to configure File Explorer to always show file extensions.

Im going through my security + training and this was an awesome breakdown of a real world scenario! I am definitely a subscriber now.

I've always thought it was a terrible idea for Microsoft to hide file extensions by default. Just asking for trouble.

Antivirus software (especially Windows Defender) should automatically flag files named .pdf.src or .pdf.exe (stuff similar), because nobody is going to name their documents that way unless they have malicious intentions.

Great discussion. One big thing that was indirectly touched on here - first thing I do on any new system I install is enable viewing of extensions. This will make it immediately obvious that the file says agreement.pdf.scr. In my opinion, the default behavior that Windows hides extensions making agreement.pdf.scr look like agreement.pdf is just helping the propogation of malware. Every version of Windows seems to make things "easier and easier" by taking away as many details as possible rather than simply educating users on what a file extension is.

LTT does use permissions but they have a lot of users with a variety of permissions. One of the first things Linus did was change 2FA and passwords for the main accounts and then log out all devices logged in, but logging out the attackers didn’t log them out. Then he hopped onto the content manager to start revoking rights, but he didn’t set it up and didn’t want to wake up the one that did so had to learn as he went. But RU-vid’s content manager started throwing errors and timing out trying to revoke rights for some reasons. So he tried logging into some of the users but do to a recent password mitigation, he didn’t have access to some of them yet. Later they found out Google knew which account was compromised but didn’t immediately tell them. Got this from the video they made the days of the attack. They sounded good considering they hadn’t slept in 24 to 48 hours at that point,

Kudos for defending the employee.. People were so quick to call for him to get fired w/o have an iota of an idea of how oblivious most of them would be to a targeted phishing campaign against them, especially at your employment capacity ( ironically, we become less suspicious and more compliant even in security sectors ) vs your personal email. Cheers

An encrypted zip file is a huge red flag alone. Normal zips are okay as most antispam services can check, usually up to a depth of like 128 folders deep.

Great video. Would it make any difference if you were to open these files if they're being send through google drive for example? Like the quick view in Gmail? Or would that also be enough to activate it?

Good video. I think it would've been neat if you added a section to these types of videos where you do some sort of sandboxing of the file, to show what it's actually doing. I'm sure you've heard of it, but Any Run is an example of an interactive open sandbox solution to do this in, another is Hybrid Analysis though it doesn't provide interactivity it still shows screenshots and breaks down the activities it performs. It would be neat to get an idea of the scheduled task creations, additional sub process executions, network traffic to threat actor domains and IPs, etc.

I think the „show file extentions“ option should be enabled by default in windows explorer because otherwise if you don‘t look at the properties of the file you would not even notice if a file had a different file extention to what you would expect. Many people have this option disabled because they just never changed it so they could easily fall for such a trap if they don‘t know that much about computers.

I have always the "File name extensions" enabled, so I don't need to go into properties to see the hidden extension. But with that said, personally, seeing .scr wouldn't be as alarming as .exe

This video is so fantastic, I gasped a few times when you showed the properties and HEX... Good job!

Great video! It was my first time watching a video from you and as an IT professional transitioning into the cybersecurity field, this was a very informative video! btw, in the scroll history it says "Crowdsack" instead of "CrowSec". Just wanted to let you know. Again great video!

Microsoft should really stop this "Hide extension for known file types" thing. That Windows feature is the main attack vector, because it make an executable look like an innocent file.

the person who's job it is to respond to these could also use a machine that doesnt have channel credentials used specifically for answering sponsorship emails as an additional layer of protection from something like this happening

I don't know if this is common for malware, but one thing I found interesting was all the date and time codes for the different time markers in the hex editor were impossible dates for computers to exist in like 1601.

I'm glad you mentioned the fact that the PDF is usually not sent in the initial email, but rather a follow-up email and the fact that many legit companies use third-party PR firms to reach out for sponsorships. After hearing those two facts, it's no wonder someone who works for a big RU-vid channel would fall for this, especially if they get dozens if not hundreds of legitimate offers every single day with no discernable difference up front. Having a sponsorship manager with complete and total access to the RU-vid channel was a serious blunder on LMG's behalf though, and the hack would have been mitigated had that not been the case, so I hope they've learned a lesson from that. Imagine being a solo creator dealing with this though. Answering dozens of emails from potential sponsors while also working on your own content. You wouldn't have a buffer from this kind of attack, unlike LMG would.

A 770Mb PDF file would be a major red flag. I think the largest genuine PDF file I've ever seen was less than a hundred megabytes and that contained full color images.

The bit that suprised me was that LTT had a PC with both RU-vid account access and was used to process incomming offers, I would have thought the two should be kept well apart

Channel notification on now , i want to be updated with all these stuffs :D

Thank you for letting me know about the screen saver file extension and how they can run as an application. I didn't know that.

I was patiently waiting for your take on what happened, well delivered!

In the WAN show, Luke said their anti-malware solution did caught the file. But it was only a notification, and the malware was still ran before it can be stopped. (e.g. it was not quarantined in time)

Subbed for the quality of this video and the info in it.

I watched a few other videos on this topic but idk why your explanation just sticks better in my brain lol

Thio Joe has recently done a couple of videos about this and similar attacks. And for all the people talking about showing file extensions, it turns out there are a few unicode characters that reverse text direction after the character, even the file extension. That will keep you on your toes. And Thio Joe discussed that too.

I understand the dangers true scr files also start up just like exe files. But the fact that RU-vid doesn't have the security in place when they don't ask you to log in again when you change the password or the channel name is baffling to me. Or delete lot off files... crazy

Great coverage,thanks for sharing,you explain it very well and this is what people need

best video in this regard- can you make a video about these session tokens?

First "trick" that my friend taught me on my first PC was how to see extensions and how to see hidden files. It's the first thing I do after reinstalling windows.

I feel like at this point, proper security protocols would be to have a separate machine that exists exclusively to open emails and doesn't have access to anything except the email account.

A better solution might be a warning when attempting to open a file with multiple extensions, rather than just disabling "hide extensions for known file types" in Explorer. This may work for an experienced user who knows what different file extensions are, but for a novice who doesn't know the difference, they're probably going to just ignore the extension anyways. This could be annoying for power users though.

very cool malware honestly whoever made it was quite smart to make it a large file i also noticed avg programs don't scan larger files and good execution with the email and pdf.scr honestly might have even caught me off guard if i had a youtube channel

100% this all ramps down to the fact that even if you're a manager on the channel you can't create community posts. You can upload videos, delete videos, whatever you want. You can't make community posts. You have to be logged in from the "main" account. It's the worst.

Good thing for them they got it resolved quickly and got support trough their other business ventures to alleviate the lack of adsense when the channel was down. But they definitely have been a bit too lax on their security. Apparently their security software solution was set to a less secure settings due to too many false positives. They really did get to feel how having their policies leaning more towards convenience is a bad idea. That being said, how youtube does not require 2FA for sweeping changes to a channel is down right mind boggling. If you change the channel name and change the status of the majority of your video catalogue there should be some alarm bells ringing no?

I don't care how legitimate your email is; if your domain is slightly off I will ignore it.

Little tip, use the "details" view of the files, it tells you more information about the files that live in your downloads folder. Like the size precisely.

im not a security specialist, but i spend most of my time on Linux primarily for the lack of tracking but also i generally dont have to worry about any windows based attacks. If i worked for a big YT channel I would certainly use linux for emails and almost anything else that didn't require windows. and if i DID have to use windows, id open a fresh VM just for internet and emails and never log into anything important. Im actually surprised these content creators even use windows, I assumed they all used Macs, since they pretty much all use iphones as well.

Good information. Was kinda hoping for a bit of code breakdown, but this is my first time visiting the channel, so I'm not sure how deep you go. Either way, Thank you for putting such good info and good recommendations out there.

Good video with some cool insight. Linus explained that only certain people have access to the channel, and even those people have limited access to certain things. Would be a good wake-up call for new protocols or software to prevent something like this from happening again.

When it comes to emails as a way to sneak malware in your system having good spam filter can help too mostly because emails containing potental malware are automaticaly sent to spam folder and you don't get notified.

I always thought that keeping session cookies in plain text on the storage device was a bad idea. The information should be encrypted by the browser.

There are also samples that seem to use actual code instead of empty spaces. It appears that these samples consist of a bunch of randomly generated functions that will be called upon launch. However, if you remove them to reduce file size, the program will become corrupted and you won't be able to run it.

I worked for a state company, and they actually had put in place such severe restrictions that did not allow anyone without privilege to open any file except those permitted such as .pdf and word docs. Ontop of it all, the computers were thin clients connected to large array of servers, their sessions were all temporary VM's that would delete its instance after each use, all your files were stored on cloud essentially connected to your user account and constantly scanned, it was the most ridicules security setup I ever seen in my entire life, they also had automated software that scanned files developed in house to check if the files they received on email were proper or not, all happened in the background, I cannot say what state company it was you can probably already tell that stuff like this, is not just any ordinary mom and pops office job. But in hindsight, its not that much work to setup something similar for a small business with virtual machines and auto scanners checking files beforehand or loading files isolated from the system. The funniest thing from that job is how the tech got so tired of trying to fight the spam emails, they designed a DDOS program that would just automatically target the IP source of these spam mails and dedicate a small server just to run that script day and night, it worked but when the boss found out, man he was not happy knowing there was a server using 5kW of power everyday just to reverse uno email spammers LOL, I think they replaced that with an AI which was good enough to detect most of them and filter it out, that was right at the end when I left I never got to look at it because it would be handy to have something like that running in my basement.

Thanks for the explainations!

At my company, we've been using a 'viewer' to 'checkout' files and virtually view them. Picture it as a way to look at documents in a secured environment using a remote external viewer. Validated sites been using this almost 25 years now. If things are isolated and viewed indirectly, that would probably halt the brakes on a lot of problems.

Most malware is targeted at Windows, sandboxing public parts of interacting with the world in virtual machine could prevent that

The size of that "PDF" already threw me for a loop, considering how many files I manage on a daily basis 9 times out 10 I would know if it's sketchy or not then again i can understand that some people arent always focused when reading emails, hell i ignore half of mine.

To add , thank you even I did not know for this way of attacking. I mean didn't know or paid attention to fact that antimalware , antivirus software skips on large files. So to me this information is very nice , thank you .

Imagine it was named: "LinusWare"

Just realised, another red flag is when you see a .PDF extension while you have show extensions disabled.

That's why you always look at files in the explorer in the "details" view setting and make sure extensions are on.

It's also happening on Twitter DM's. I almost fell for it since they were uploading it onto google drive.

Sounds like it's time to sandbox certain functions and create a VM to open attachments and possibly get an antivirus that will scan large files. Also, I don't think it's hard to create a script to do some rudimentary analysis of files to display size, possible padding, extension, etc to alert to a Trojan horse file.

Don't know if it was mentioned here but they did say their antivirus detected the malware but it wasn't fully set up to high enough level to deal with it yet as they were in the process of setting up a bunch of systems too I think

I always assumed everyone displayed file extensions. I'm also surprised he uses email on a admin account.

Your videos are security education. Fully fledged bytes of security education that are dispersed, unorganized by topic. Just glad you exist bro

I'm going to be honest, if a channel is advising you to "just use virustotal instead of an antivirus" I'd immediately look for their history as a cyber criminal lmao

Okay that zero padding thing is outright negligence on the part of malware scanners.

this kind of thing must explain a number of obviously hacked youtube channels i've come across

surely this could be prevented if google server would check if request and session token is sent from a new ip address, or a different geo-ip location? then the token should be invalidated and the user asked to login again, this would defeat the attack. or put some device id into the cookie and have the server verify it matches the http request?

Im learning a lot, thanks for all this videos 👍🏼

Microsoft need to, as others have said, show file extensions by default however, they also need to block .SCR files by default too as well as Defender being a bit more advanced and able to block and warn about files with double extensions, such as .pdf.exe

For me checking fine extensions, the answer is yes, I check them all the time, and they are visible by default on all the computers I own or manage

Thanks for the explanation. Can't wait to use this example in class.

This is why you always show file extensions.

Great breakdown of the situation. It blows my mind that things like this still work, but it as we see time and time again it: session stealing is very much still a lethal and viable technique. Nice breakdown and hopefully this is a reminder for the tech-oriented user to pay close attention to what they open... All it takes is letting your guard down for a quick moment to get caught by these things, and it really can happen to anyone, even the security-minded user.

The large file size is also a massive red flag. No pdf should be that large 770 mb ???

I get anxiety attacks if I don't enable detailed view in file explorer.

I think the easy fix for this would be for Microsoft to: 1. Enable file name extensions by default 2. Make the process for executing a file different from the one for opening it. Something like on Linux, where you need to explicitly choose "Execute" when you double-click a file in order to run it, or it just opens as a text file. Such a shame it's 2023 and Windows is still so insecure.

Sadly Linus got caught here by ignoring his cyber security expert Luke. On the WAN Show Luke pointed it out that he told Linus the EXACT account and method of the hack but Linus responding "I'm focusing" and ignored the entire message. Luke then had to reach out to Linus's wife to get access to accounts (as he didn't have permissions to do what was needed, which is an issue). He offered to RDP into Linus's PC to do it but Linus was too focused combating the attack vector he thought it was (SMS/Password) to listen.

having the file extension on windows explorer enabled as well as "ask where to save a downloaded file" i your browser can be quite the combo

This is a good video thank you for the information and keep up the good work

This crap is out of control, i get emails from amazon, walmart, Netflix, etc, all sketchy as hell.

This is why it is important for me that the 'Type' column is always present whenever I view files through the 'Details' view. You can immediately identify what kind of file you are looking at before you would try to open it.

Subbed: excellent content!

Also if you have a password manager as a browser extension is that bad would the session to that extension be easily compromised?

Great diagnosis and analysis of the issue, but it would be great if you have described the remedy. I have many questions here, hope you could address them in other videos or in comment: - How could you prevent malicious emails from harming your system from the beginning? Is opening emails in a sandbox (virtual machine) considered the ultimate solution for separating harmful content from the environment? how practical can this be especially in a working environment with many users? - What is the best anti-virus? especially the ones that detects Maleware after falling to the hacking trap. - in short: is there an ultimate solution??

Linus said their corporate anti-malware program caught it, but it was only a notification. Because no one was constantly monitoring the dashboard, the malware slipped through.

We need more videos like this where it shows you the types of threats and how to identify them 👍

How can you detect malware and hacked processes when you run netstat or tcp view to check the network mapping? and thus remove the problem file?

Right off the bat, I noticed there are spelling mistakes on these emails. I’m surprised this wasn’t mentioned.

Why does windows still have extensions turned off by default? Its ridiculous.

I always have file extensions enabled, and if I didn't for some reason I'd notice the inconsistency with it showing .pdf while every other file doesn't show an extension

apart from file-extensions being displayed I _always_ have the preview window open. If I don't see a matching preview to the file I have, when I know it is capable of displaying a preview, this file gets analyzed or deleted outright. And I did actually develop the habit of crossreferencing the file size. A picture of 500x500 wihch is several mb in size goes in the trash.

Good video. And lots of great suggestions in the comments. Love to see it. And no one blaming "noobs" or non-tech savvy people. And you make it easy to understand. Love this.

I'm actually more surprised that malware detection suites aren't robust enough to detect these types of attacks. A surface level check of RTL/LTR manipulation of the filename to hide the extension would catch this as a suspicious file. There aren't any legitimate use cases to use this hack in the real world, so it's pretty safe to say anything hiding the extension like this is likely to be malicious. Similarly, checking a file for padding is fairly easy to do, and doesn't require a lot of resources realistically to do so. Shrinking the file for an in-depth scan is also possible using sparsification, but thats a but more resource intensive - and only works on zero padded files directly.

Since I got my first computer on 2002. I have always enabled the show the extension feature. I have never like not knowing what I’m opening.

what anti virus software do you recommend

No way Linus really collabed with Elon Musk also 1st cool

This is why it's time to buy a Mac or install Linux

Thanks for this great video, so if already clicked to execute the src file.. the question is... How to cleanly get rid of it? Thanks.

Is there a way to see the malware process running in the background as a windows process ?

What if they open their email attatchments in a Virtual machine? Wouldn't that be the wisest option?

I, as a youtuber, also receive this type of email, the first time I went with caution, because usually Contracts can be seen directly in the browser, you don't need to download a zip file with a password to be able to sign. Not to mention that when you download the file it has 14mb and when you extract it it shows these 770mb empty

Curious to know if Nod32 is able to pick up the original unaltered file or if adding all the filler makes it undetectable.

Thank you for the information.