WARNING Rootkit virus embedded in video via comment spam

Jul 24, 2012 04:40

Lately, I've had to delete about half a dozen spam comments from various entries on my LJ & at other communities. They've all shared a commonality: a single embed & link to a YouTube video in Portuguese titled "Camarate: A confissao de Farinha Simoes" or in English titled "Dying call from prison. Details about Portugal Premier Minister air-crash ( Read more... )

campylobacter July 24 2012, 18:02:55 UTC
My first encounter with embedded video comment spam was about a month or so ago when livejournal left a comment on one of my entries. I was flattered (it notifies you via pingbacks that your entry ranks among Top 25 popular entries), to say the least, but wondered what the heck it had to do with "Portugal Premier Minister air-crash". I *did* play the video -- it seemed legit, and from a legit source -- but bailed after half a minute because it was boring. I'm wondering in hindsight if livejournal's account had been jacked or exploited? I don't know.

Fast-forward to the past few days: I've been receiving the same video embed in Suspicious comments from LJ accounts, and deleted them after reporting & banning them. I assumed that the spammers were looking to increase the view-count on the video, for some inexplicable reason. I Googled, as you did, and found luma_chan's post & thought "Eureka!" Then, "Oh shit, a rootkit can be hidden in a YouTube video?"

I, too, have been searching for more information on how a trojan can be part of a video file, but no luck. If indeed a rootkit can be buried inside a video file, HOLY CRAP THIS IS A PROBLEM. I mean, embed it in a Lady Gaga music video & it'll spread like wildfire, right? If this isn't a trojan, but just a viewcount-boosting tactic, it's pretty lame.

In any case, the accounts ARE spambots, and it frustrates me that LiveJournal hasn't deleted the accounts by now.

sylvir July 25 2012, 02:25:13 UTC
I also watched about 10 seconds of the video and am concerned... So far I haven't gone anywhere that required me to input my password (I, unfortunately, have all my passwords saved due to my laziness), which is good... But I wish there was a way to confirm that there wasn't a rootkit virus embedded in the video so I can rest easy... :X

campylobacter July 25 2012, 17:04:19 UTC
I've been running a search on bing.com (since Google owns YouTube) for "trojan in video", "malware in video file", and "rootkit in YouTube video", but have only turned up 5-6 year old articles about trojans where the user must download & install a special video player (usually a .exe file) in order to view a video (common tactic on porn sites).

So far, I can't find anything about the YouTube video codec being compromised, or embedded YouTube ads being click-jacked. That doesn't mean they're not possible, but I'm still trying to figure out why this sub-species of spambots want us to watch that video, if not to increase the view count. To what purpose? It's so weird.

sylvir July 25 2012, 17:12:17 UTC
At this point, I would even laugh along with the originator(s) if the purpose was merely to troll LJ. At least then I'd know my bank account and personal information aren't compromised. I ran Spybot last night and then went to bed. I'll see after work if Spybot picked it up, assuming it even can detect it. Otherwise my computer has been running perfectly fine. How about on your end? Anything out of the ordinary since watching the video?

campylobacter July 25 2012, 17:31:10 UTC
I'm running ClamXav & a check against Crisis, but I doubt I'm infected.
