The Malware that hacked Linus Tech Tips

Comments
Author

File name extensions need to be enabled BY DEFAULT. Hiding the file extensions might look cleaner, but it heavily increases the chance of getting tricked into running an executable.

thepwrtank
Author

Imagine people who send malicious emails to someone named "The pc security channel"

shorts
Author

The first red flag to me about that so-called PDF is that the extension is visible while the extension for the video file is not. A helpful tip is to configure File Explorer to always show file extensions.

davidfrischknecht
Author

I've always thought it was a terrible idea for Microsoft to hide file extensions by default. Just asking for trouble.

Magnum.Bloodstone
Author

Antivirus software (especially Windows Defender) should automatically flag files named .pdf.src or .pdf.exe (stuff similar), because nobody is going to name their documents that way unless they have malicious intentions.

Tigrou
Author

I'm going through my Security+ training and this was an awesome breakdown of a real-world scenario! I am definitely a subscriber now.

redboxthief
Author

Kudos for defending the employee. People were so quick to call for him to get fired w/o having an iota of an idea of how oblivious most of them would be to a targeted phishing campaign against them, especially in your employment capacity (ironically, we become less suspicious and more compliant even in security sectors) vs. your personal email. Cheers

sliceoflife
Author

An encrypted zip file is a huge red flag alone. Normal zips are okay as most antispam services can check, usually up to a depth of like 128 folders deep.

JzJad
Author

LTT does use permissions, but they have a lot of users with a variety of permissions. One of the first things Linus did was change 2FA and passwords for the main accounts and then log out all devices logged in, but logging out the attackers didn't log them out. Then he hopped onto the content manager to start revoking rights, but he didn't set it up and didn't want to wake up the one who did, so he had to learn as he went. But YouTube's content manager started throwing errors and timing out trying to revoke rights for some reason. So he tried logging into some of the users, but due to a recent password mitigation, he didn't have access to some of them yet. Later they found out Google knew which account was compromised but didn't immediately tell them.

Got this from the video they made the day of the attack. They sounded good considering they hadn't slept in 24 to 48 hours at that point.

DavidRomigJr
Author

I think the "show file extensions" option should be enabled by default in Windows Explorer, because otherwise, if you don't look at the properties of the file, you would not even notice if a file had a different file extension from what you would expect. Many people have this option disabled because they just never changed it, so they could easily fall for such a trap if they don't know that much about computers.

DerLung
Author

Microsoft should really stop this "Hide extensions for known file types" thing. That Windows feature is the main attack vector, because it makes an executable look like an innocent file.

HollywoodCameraWork
Author

Great discussion. One big thing that was indirectly touched on here - the first thing I do on any new system I install is enable viewing of extensions. This will make it immediately obvious that the file says agreement.pdf.scr. In my opinion, the default behavior where Windows hides extensions, making agreement.pdf.scr look like agreement.pdf, is just helping the propagation of malware. Every version of Windows seems to make things "easier and easier" by taking away as many details as possible rather than simply educating users on what a file extension is.

LithiumSolar
Author

I always have the "File name extensions" option enabled, so I don't need to go into Properties to see the hidden extension. But with that said, personally, seeing .scr wouldn't be as alarming as .exe.

Yemto
Author

I was patiently waiting for your take on what happened, well delivered!

khaledxo
Author

A better solution might be a warning when attempting to open a file with multiple extensions, rather than just disabling "hide extensions for known file types" in Explorer. This may work for an experienced user who knows what different file extensions are, but for a novice who doesn't know the difference, they're probably going to just ignore the extension anyways. This could be annoying for power users though.

yungkneez
Author

The person whose job it is to respond to these could also use a machine that doesn't have channel credentials, used specifically for answering sponsorship emails, as an additional layer of protection from something like this happening.

SYLperc
Author

Thio Joe has recently done a couple of videos about this and similar attacks.
And for all the people talking about showing file extensions, it turns out there are a few Unicode characters that reverse text direction after the character, even the file extension.
That will keep you on your toes. And Thio Joe discussed that too.

kevbu
Author

I don't know if this is common for malware, but one thing I found interesting was all the date and time codes for the different time markers in the hex editor were impossible dates for computers to exist in like 1601.

Ramonatho
Author

The bit that surprised me was that LTT had a PC with both YouTube account access and was used to process incoming offers. I would have thought the two should be kept well apart.

paulstubbs
Author

In the WAN show, Luke said their anti-malware solution did catch the file. But it was only a notification, and the malware still ran before it could be stopped (e.g. it was not quarantined in time).

AaronShenghao
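The two filename disguises raised in the comments above, the double extension (agreement.pdf.scr shown as agreement.pdf when known extensions are hidden) and the Unicode characters that reverse the displayed tail of a name, as an added defensive check that is not code from the video or from any commenter. `as_displayed` approximates what Explorer shows and `analyze_filename` reports the extension Windows actually acts on; the extension sets and the sample names are constructed for illustration.

```python
# Added example, not code from the video or the commenters. The extension
# sets and the sample names below are constructed for illustration.

# Extensions Windows runs on double-click (constructed subset).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "hta", "msi"}
# Extensions a user expects to open in a viewer (constructed subset).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "mp4"}
# Unicode bidi controls: LRE, RLE, PDF, LRO, RLO and the isolate controls.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def as_displayed(name: str, hide_known_ext: bool = False) -> str:
    """Approximate what a file manager shows: text after U+202E (RLO) is drawn
    reversed up to U+202C or the end of the name (simplified bidi), and with
    hide_known_ext the last known extension is dropped, as Explorer does."""
    out, i = "", 0
    while i < len(name):
        if name[i] == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out += name[i + 1:end][::-1]
            i = end + 1
        else:
            out += "" if name[i] in BIDI_CONTROLS else name[i]
            i += 1
    stem, dot, ext = out.rpartition(".")
    if hide_known_ext and dot and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return stem
    return out


def analyze_filename(name: str) -> dict:
    """Return the real extension and the reasons it looks deceptive (empty = clean)."""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi override character in name")
    # Strip the bidi controls first so the extension Windows acts on is examined.
    parts = "".join(ch for ch in name if ch not in BIDI_CONTROLS).lower().split(".")
    true_ext = parts[-1] if len(parts) > 1 else ""
    if true_ext in EXECUTABLE_EXTS:
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"executable .{true_ext} disguised as .{parts[-2]}")
        else:
            reasons.append(f"executable extension .{true_ext}")
    return {"name": name, "true_extension": true_ext, "reasons": reasons}


if __name__ == "__main__":
    for sample in ("agreement.pdf", "agreement.pdf.scr", "agreement\u202efdp.scr"):
        print(repr(as_displayed(sample, True)), "->", analyze_filename(sample))
```

The display simulation only handles the override and isolate controls, not the full Unicode bidi algorithm, which is enough to show why a visible extension alone is not a reliable signal.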