Malware Threat Warning! Scam via Online Video!

Categories: Personal, Politics, Video
Tags: No Tags
Comments: 2 Comments
Published on: December 14, 2009

This is not a prank! I just stumbled across this when videos by the YouTube user Kaleigh421112Trang suddenly showed up in my subscriptions (based on keywords) for my CirqueDuSoleilGuru account.

I deliberately did not hyperlink the URLs below, to prevent any accidental harm to readers. You can copy and paste the URLs into your browser's address bar, at your own risk, if you know what you are doing. Don’t say that I did not warn you!

The user account in question was only created on 12/13/2009.

By now this user has already uploaded 190 virtually identical videos that don’t show much, except a message that the video cannot be watched on YouTube due to the length limitation, "see description for link to full video", etc. Here is a screen shot of it.

[Screenshot: YouTubeScam01]

E.g. Circus Circus Part 1/13 Online*:  http://www.youtube.com/watch?v=l5kYgqUX0rE

*This video was actually already taken down by YouTube, maybe because I flagged it as spam from an established YouTube account with almost 2000 subscribers. But most of the other videos are still up as I am writing this. For example this one: http://www.youtube.com/watch?v=hJj-PkdLqac (which I also reported, so it is probably being removed shortly as well)

[Screenshot: YouTubeScam05]

The videos that are still up all include a short description and an obscured link, with a tracking code appended, via the redirection service TinyURL.com. In the example video that I mentioned before and already reported to YouTube, the URL was: http://tinyurl.com/ycksuwy&499420166

Here Comes The Scammy Part

That URL redirects to: http://www.onlinemoviedb.info/watch.php?vid=Dreaming_in_Circus

The page states that a plug-in must be downloaded to watch the video. It includes multiple links where you are supposed to download the needed plug-in from, such as this one (Warning! Do not Download and Execute)!

http://preview.licenseacquisition.org/48/1056428137.51143/vlc-1.0.1-win32.exe

The referred-to EXE “vlcsetup.exe” is 328,984 bytes in size. The file name implies that the plug-in is related to the free VideoLAN VLC media player, which it is not.

[Screenshot: YouTubeScam02]

I downloaded the executable without starting it. I then scanned it with McAfee VirusScan, which did not detect anything yet. So I uploaded it to VirusTotal.com, an online on-demand virus and malware scanner, which scans files using over 50 different engines such as McAfee, F-Secure, BitDefender, Kaspersky, Panda, PC Tools, Sophos, Trend Micro and others.

I obviously wasn’t the first one to check the file, because a report was already available*, which gives it a 37% probability of being infected. The file is probably new, and I bet the probability will increase as I write this (as does the number of virtually identical videos uploaded to YouTube for the same purpose).

Here is the link to the report from VirusTotal.com.

* VirusTotal.com knows that it is the same file somebody else already submitted, but not based on the file size and file name, because those could be faked easily. It uses so-called checksums that are generated from the entire content of the file. The checksums for this file are, for example:

MD5   : bead2d46d08ff080ac4a6d0908922230
SHA1  : 0697fe4257419efc39921c9da71c8339cde3f463
SHA256: 6e62e219e38c90562a59851b72f2929000b599a6ddd0f2482c7b1acda0a8ce9d
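To make the checksum point concrete, here is a small added example (my own illustration, not code from the post or from VirusTotal) that computes the same three digests over a file's bytes and compares them against the hashes listed above. The file content is a constructed placeholder, not the real vlcsetup.exe, and the one-byte variant shows why size and name prove nothing while any change to the content changes every checksum.

```python
import hashlib

# Constructed stand-in for a downloaded file; NOT the real vlcsetup.exe.
SAMPLE_FILE = b"MZ\x90\x00" + b"constructed sample content " * 8

# Checksums quoted in the post's VirusTotal report for vlcsetup.exe.
KNOWN_BAD = {
    "md5": "bead2d46d08ff080ac4a6d0908922230",
    "sha1": "0697fe4257419efc39921c9da71c8339cde3f463",
    "sha256": "6e62e219e38c90562a59851b72f2929000b599a6ddd0f2482c7b1acda0a8ce9d",
}


def checksums(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the complete file content, as hex strings."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_known_bad(data: bytes, known_bad: dict = KNOWN_BAD) -> bool:
    """True if any digest of the data equals a known-bad digest."""
    sums = checksums(data)
    return any(sums[alg] == digest for alg, digest in known_bad.items())


def flip_one_byte(data: bytes, offset: int = -1) -> bytes:
    """Copy of data with a single byte changed: same size, same name, new checksums."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    original = checksums(SAMPLE_FILE)
    variant = checksums(flip_one_byte(SAMPLE_FILE))
    print("matches known-bad list:", matches_known_bad(SAMPLE_FILE))
    for alg in original:
        print(f"{alg:6}: {original[alg]}  ->  {variant[alg]}")
```

Hashes over the whole content are what let VirusTotal (or a local blocklist) recognise a resubmitted file; the flip side is that an exact-hash match only ever catches that exact file, so a blocklist of hashes is a useful but narrow defence.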

More Hints and Scale of the Problem

[Screenshot: YouTubeScam04]

Here are more accounts on YouTube, just to name a few (each with hundreds of videos):

http://www.youtube.com/user/Moon230377Arletta
http://www.youtube.com/user/Dirk891479Pasty
http://www.youtube.com/user/Kathy664276Dominica

There are most certainly a lot more, but they should be easy to detect. Look for new users that have a hundred or more videos of 9:58 minutes length and a TinyURL.com link in the video description.

All of those users always have the video listing disabled (nothing shows on the user’s home page).
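The indicators above (account created days ago, a hundred-plus uploads, nearly all of them 9:58 long with a TinyURL.com link in the description, video listing disabled) are easy to turn into a scoring rule. The following is an added example of my own, not code from the post or from YouTube: it runs that rule over constructed account records, with thresholds that are assumptions chosen to match the numbers quoted in the post.

```python
import re
from datetime import date

# Indicators the post describes for the scam accounts; thresholds are assumptions.
TINYURL_RE = re.compile(r"https?://tinyurl\.com/\S+", re.IGNORECASE)
SCAM_LENGTH_S = 9 * 60 + 58        # every scam upload is 9:58 long
MAX_ACCOUNT_AGE_DAYS = 30
BULK_UPLOAD_THRESHOLD = 100
UNIFORMITY = 0.9                   # share of an account's videos that must show a trait


def indicators(account: dict, today: date) -> set:
    """Return the set of scam indicators an account record matches."""
    videos = account["videos"]
    hits = set()
    if (today - account["created"]).days <= MAX_ACCOUNT_AGE_DAYS:
        hits.add("new_account")
    if len(videos) >= BULK_UPLOAD_THRESHOLD:
        hits.add("bulk_uploads")
    if videos:
        same_len = sum(v["duration_s"] == SCAM_LENGTH_S for v in videos) / len(videos)
        shortened = sum(bool(TINYURL_RE.search(v["description"])) for v in videos) / len(videos)
        if same_len >= UNIFORMITY:
            hits.add("uniform_958_length")
        if shortened >= UNIFORMITY:
            hits.add("tinyurl_in_descriptions")
    if not account["listing_enabled"]:
        hits.add("listing_disabled")
    return hits


def is_suspicious(account: dict, today: date, min_hits: int = 4) -> bool:
    """Flag an account when it matches at least min_hits of the five indicators."""
    return len(indicators(account, today)) >= min_hits


def scam_like_videos(n: int) -> list:
    """Constructed sample uploads shaped like the ones described in the post."""
    return [{"duration_s": SCAM_LENGTH_S,
             "description": f"Part {i}/13 online. Full video: http://tinyurl.com/constructed{i}"}
            for i in range(1, n + 1)]


# Constructed sample account records (names and dates are made up).
SAMPLE_ACCOUNTS = [
    {"name": "Example123456Name", "created": date(2009, 12, 13),
     "listing_enabled": False, "videos": scam_like_videos(150)},
    {"name": "LongTimeUploader", "created": date(2006, 5, 1), "listing_enabled": True,
     "videos": [{"duration_s": 60 + 7 * i, "description": f"Home video number {i}"}
                for i in range(120)]},
    {"name": "NewHobbyist", "created": date(2009, 12, 10), "listing_enabled": False,
     "videos": [{"duration_s": 95, "description": "My cat"},
                {"duration_s": SCAM_LENGTH_S, "description": "Holiday"}]},
]


def flagged(accounts: list, today: date = date(2009, 12, 14)) -> list:
    """Names of the accounts that trip the rule."""
    return [a["name"] for a in accounts if is_suspicious(a, today)]


if __name__ == "__main__":
    for a in SAMPLE_ACCOUNTS:
        print(a["name"], sorted(indicators(a, date(2009, 12, 14))))
    print("flagged:", flagged(SAMPLE_ACCOUNTS))
```

Requiring several indicators together is what keeps a new hobbyist account with a hidden listing, or a long-standing channel with many uploads, from being flagged on a single trait.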

The target website itself lists tons of copyrighted movies on its homepage.

Also suspicious: the detail page of every movie has the same comments, to give the impression that people watched the movie, etc.

Here are the fake comments:

Looploop
3rd link worked perfectly and fast mirror. I liked it. Thanks for the upload!

Hotjamz
Yep that was a good one 5/5

Monstersb
didn’t think it was all that,but it was good.7/10.great qualit tho

DazedNConfused
How do I watch this video?

DazedNConfused
Never mind. I just downloaded the plugin and the video worked flawlessly!

This Is Just The Beginning

The uploads are done on a large scale and with sophisticated scripts that dynamically create typical titles with matching descriptions on YouTube. YouTube also has a dupe checker so that identical videos cannot be uploaded by the same account (at least it used to be that way). But changing a single byte is already enough to get around it. That’s probably all these guys did, because the videos appear identical to the human viewer. They also all show the same thumbnail, which should raise suspicion in any YouTube user with some working brain cells left (that is how I got suspicious). The hackers are obviously not sophisticated enough, though, because they did not seem to have taken into account the problem of identical thumbnails appearing not only in the “more videos by …” box but also in the “related videos” box, which is where I got the other user names from. Because the videos are similar in some fashion, YouTube thinks that they are related.

It is very, very hard to produce identical thumbnails for videos that are not identical. In the early days YouTube used frames that could be predicted in advance (and that was used for manipulation by users). This isn’t possible anymore today.

I would not be surprised if similar scams pop up more and more in the future, also on other, smaller social networks and video sharing sites. Those scams will also get more and more sophisticated, and users will be vulnerable until their antivirus/antispyware software is updated to detect those new threats, which will emerge and then disappear again quickly.

The only real protection is up to the users themselves.

NEVER download and install a plug-in from a source you don’t know and trust. Installing a malicious plug-in is like unlocking the door, disabling the alarm and then opening it to invite the burglar in to have a look around and take whatever he likes. Almost all video sharing sites use Flash for video playback. The Flash plug-in should only be downloaded from the Adobe.com web site (and not from anywhere else).

http://www.adobe.com/go/getflashplayer

Some apps might use the Shockwave plug-in, also from Adobe, which can be downloaded and installed via

http://www.adobe.com/go/getshockwave

Although I have not seen it used with online video yet, web applications might also use Java by Sun, which can also be downloaded absolutely free of charge (like the Flash and Shockwave plug-ins) from the web site that Sun created just for this. The URL is: http://www.java.com/download

Be careful, without getting paranoid. Use common sense and caution where appropriate. Unfortunately not everybody on the Internet has the safety and happiness of users in mind.

Be Safe!

Cheers!

Carsten aka Roy/SAC

2 Comments
  1. jung says:

    Randomly came across your site while I was googling to confirm my suspicion about those links –

    Besides the more obvious fraud parts of the video (the repeated comments, etc), a poke at the site code reveals that no video is even attempted to be loaded (the querystring is just a dummy) and the form to submit comments doesn’t even go anywhere.

  2. roy says:

    Recovered comments…

    comparison contrast essay says on August 30, 2010 at 1:53 pm:

    Hey, I’d personally love to say the fact that my partner and i enjoy your way of writing. It’s simple to discover the reason you have a lot of feedback on the web page. in any case great job with your blog.

    and on August 30, 2010 at 3:16 pm

    Hello there, I would love to say the fact that i love your actual writing style. Its simple to realize why you have a lot of views on your weblog. at any rate well-done with your blog.

    Jonathan says on November 10, 2010 at 4:38 pm:

    As a Ubuntu linux user, I feel pretty safe. I suggest you switch.

    Doug says on November 20, 2010 at 1:43 am

    Hi!

    Do you know what that executable file does? I accidentally (and stupidly) ran it when I was trying to download and install the VLC media player. I didn’t realize I was at a fake site until it was too late and I downloaded and ran that file. When VLC did not install, I started to investigate and I realized that I was at a fake VLC site.

    I ran a virus scan but it didn’t find anything. So do you have any idea what running that file might have done? And how to undo it?

    Thanks very much!

    Doug
