WARNING Rootkit virus embedded in video via comment spam

Jul 24, 2012 04:40

Lately, I've had to delete about half a dozen spam comments from various entries on my LJ & at other communities. They've all shared a commonality: a single embed & link to a YouTube video in Portuguese titled "Camarate: A confissao de Farinha Simoes" or in English titled "Dying call from prison. Details about Portugal Premier Minister air-crash ( Read more... )

admin


brooke July 24 2012, 16:14:40 UTC
Hi, I don't even go here, but I stumbled across this entry and have been poking around and doing some careful research. I am by no means a computer expert and I could well be wrong, but it seems to me that the information going around here isn't actually quite accurate... I find it bizarre that even though luma_chan's post is over two weeks old, Google searching gives me nothing at all in regard to this malware apart from her original entry and yours - and super old rootkit viruses. Livejournal spam issues aside, if there truly are users uploading virus-ridden videos to Youtube, it's very unlikely they're surviving for long enough on there to be spread around and clicked on hours later by unsuspecting users. (Not to mention the fact that any exploited security vulnerabilities would have long been sorted out in these two weeks!)

Honestly, based on the date of the original post, my guess is that it's related back to this. It's highly possible that these people have had malware on their systems the entire time and not known it ( ... )


campylobacter July 24 2012, 18:02:55 UTC
My first encounter with embedded video comment spam was about a month or so ago when livejournal left a comment on one of my entries. I was flattered (it notifies you via pingbacks that your entry ranks among Top 25 popular entries), to say the least, but wondered what the heck it had to do with "Portugal Premier Minister air-crash". I *did* play the video -- it seemed legit, and from a legit source -- but bailed after half a minute because it was boring. I'm wondering in hindsight if livejournal's account had been jacked or exploited? I don't know.

Fast-forward to the past few days: I've been receiving the same video embed in Suspicious comments from LJ accounts, and deleted them after reporting & banning them. I assumed that the spammers were looking to increase the view-count on the video, for some inexplicable reason. I Googled, as you did, and found luma_chan's post & thought "Eureka!" Then, "Oh shit, a rootkit can be hidden in a YouTube video ( ... )


sylvir July 25 2012, 02:25:13 UTC
I also watched about 10 seconds of the video and am concerned... So far I haven't gone anywhere that required me to input my password (I, unfortunately, have all my passwords saved due to my laziness), which is good... But I wish there was a way to confirm that there wasn't a rootkit virus embedded in the video so I can rest easy... :X


campylobacter July 25 2012, 17:04:19 UTC
I've been running a search on bing.com (since Google owns YouTube) for "trojan in video", "malware in video file", and "rootkit in YouTube video", but have only turned up 5-6 year old articles about trojans where the user must download & install a special video player (usually a .exe file) in order to view a video (common tactic on porn sites).

So far, I can't find anything about the YouTube video codec being compromised, or embedded YouTube ads being click-jacked. That doesn't mean they're not possible, but I'm still trying to figure out why this sub-species of spambots wants us to watch that video, if not to increase the view count. To what purpose? It's so weird.


sylvir July 25 2012, 17:12:17 UTC
At this point, I would even laugh along with the originator(s) if the purpose was merely to troll LJ. At least then I'd know my bank account and personal information aren't compromised. I ran Spybot last night and then went to bed. I'll see after work if Spybot picked it up, assuming it even can detect it. Otherwise my computer has been running perfectly fine. How about on your end? Anything out of the ordinary since watching the video?


campylobacter July 25 2012, 17:31:10 UTC
I'm running ClamXav & a check against Crisis, but I doubt I'm infected.


campylobacter July 25 2012, 18:49:37 UTC
I've edited the original entry to reflect this conversation. Rootkits do exist, and there's a possibility that the Flash video codec can be exploited, but there's no article or news article I can find in all the AV tech sites that I've visited that indicates current virus-laden videos.

I'm still puzzled as to WHY the botnet is so dedicated & persistent in linking/embedding to those 2 vids. Other than increasing viewcount, what could be the purpose?


fiddlingfrog July 27 2012, 20:14:24 UTC
My guess? Either a) there's a lot of coding being stripped out of the comment so we never see the malicious/SEO stuff, or b) the botnet is running without a target right now, so the only thing it's submitting is the legit-looking fluff that's supposed to be around the spam body.


campylobacter July 28 2012, 22:53:27 UTC
Good points.
If a), then I've visited ALL the bot accounts listed, and the HTML in their embedded video entries has this in the page source:

http://www.youtube.com/watch?v=aMzgVshG6CI
There doesn't appear to be any ( ... )

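As an added example (not from anyone in the thread), here is a defender's-side Python sketch of the two checks the last few comments point at: whether a comment's raw HTML carries markup a sanitizer would strip before any reader sees it, and whether the same video ID is being pushed by many accounts. The sample comments and account names are constructed; only the video ID is the one quoted above.

```python
import re
from collections import defaultdict

# Constructed sample comments (account, raw HTML body); only the video ID is taken
# from the thread, the account names and markup are made up for this example.
SAMPLE_COMMENTS = [
    ("bot_account_1", '<iframe src="http://www.youtube.com/embed/aMzgVshG6CI"></iframe> great video'),
    ("bot_account_2", 'see <a href="http://www.youtube.com/watch?v=aMzgVshG6CI">this</a>'),
    ("bot_account_3", '<object data="http://www.youtube.com/v/aMzgVshG6CI"></object>'
                      '<script src="http://example.invalid/x.js"></script>'),
    ("regular_user", "Nice write-up, thanks."),
]

# YouTube link forms: watch?v=ID, /embed/ID, /v/ID, youtu.be/ID (IDs are 11 chars).
_VIDEO_ID = re.compile(
    r"(?:youtube\.com/(?:watch\?(?:[^\s\"'&>]*&)*v=|embed/|v/)|youtu\.be/)"
    r"([A-Za-z0-9_-]{11})"
)
# Markup a comment sanitizer normally strips before display; if a bot submits it,
# readers only ever see the "fluff" around it.
_STRIPPED_TAGS = {"script", "object", "embed", "form", "style", "meta", "link"}
_TAG = re.compile(r"<\s*([A-Za-z][A-Za-z0-9]*)")
_EVENT_ATTR = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)


def extract_video_ids(html):
    """Return the set of YouTube video IDs linked or embedded in a comment body."""
    return set(_VIDEO_ID.findall(html))


def hidden_markup(html):
    """Return sorted tag names (and 'on*' attributes) that a sanitizer would drop."""
    found = {t.lower() for t in _TAG.findall(html) if t.lower() in _STRIPPED_TAGS}
    if _EVENT_ATTR.search(html):
        found.add("on*-attribute")
    return sorted(found)


def flag_campaigns(comments, min_accounts=2):
    """Group comments by video ID; a video pushed by several accounts is a campaign."""
    accounts_by_video = defaultdict(set)
    for account, html in comments:
        for vid in extract_video_ids(html):
            accounts_by_video[vid].add(account)
    return {v: a for v, a in accounts_by_video.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    for vid, accounts in flag_campaigns(SAMPLE_COMMENTS).items():
        print(f"video {vid} pushed by {len(accounts)} accounts: {sorted(accounts)}")
    for account, html in SAMPLE_COMMENTS:
        if hidden_markup(html):
            print(f"{account}: sanitizer would strip {hidden_markup(html)}")
```

Run against a site's raw (pre-sanitizer) comment submissions rather than the rendered page, since the rendered HTML is exactly where the stripped parts are no longer visible.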