Thursday, January 17, 2013

About YouTube top comments


Have you seen  the top comments on YouTube recently? Mostly, they're about the videoclip itself, or about other artists that do not live up to the talent of said videoclip ;-) .

Sometimes, however, spam reaches the top comments (whether or not with a lot of upvotes):
Another user is being addressed, "confirming" the site is real








I've seen this kind of Youtube spam unfold into 2 scenarios:
1) The usual survey scams, promising an iPad for example
2) The download of adware or a PUP (Potentially Unwanted Program) to your machine


Let's take a look at both scenarios, we will go more in depth about the second one, as it is the most interesting. This post includes prevention methods, a removal process and a conclusion at the bottom if you want to skip the investigation.



Investigation


1) Survey scam

As seen in above picture, another user is being addressed. This user did not make any comments on the video at all. I'm guessing they use this little trick to 'confirm' someone asked about it and they are 'just helping out'. The comment has several upvotes as well, thanks to the use of bots.

Clicking on the bit.ly link, you are being redirected to another website:
hxxp://alllightsfull.info/prize/prize.html
2/30 - URLvoid Result
2/33 - VirusTotal Result
AllLightsFull.info - Whois Record

Screenshot:
Congratulations! You won a... Survey scam!
















After clicking on Start Now!, you'll get redirected to fill in a survey for a chance in winning an iPad... Which will redirect you to another survey... To another survey.... Until you need to fill in personal details such as your email address. In my case, I had to subscribe to about 20 other instances (read: Brace yourselves, spam is coming) to win the iPad.

 Obviously, you won't win anything and your email address will end up on several spamlists.

 

 2) Adware / Potentially Unwanted Program

In this scenario, you end up on a different website, but with a similar, easy layout:
Download Youtube videos with "YouTubeSaved"



























Some information about the website:  
hxxp://www.youtubesaved.com 
1/30 - URLVoid Result
0/34 - VirusTotal Result 
YoutubeSaved.com - Whois Record

You can download from Download.com/CNET or directly via their website. I'm not sure what's worse: the fact that you can download this beautiful piece of crap via CNET or that it's Norton/VeriSign Secured.

The following file is downloaded:
cid_185425_sono.exe
Result: 3/46
MD5: a3675a8439b09049a76da7f9c93c4a34
VirusTotal Report
Anubis Report
ThreatExpert Report


In the following minutes, I got several new screens to install additional software:
FLV Media Player coming along with WhiteSmoke


FLV Media Player coming along with PriceGong, Freetwittube,...

















Some readers might remember WhiteSmoke from a few years ago, when it came bundled with a rootkit and was particularly annoying as well as hard to remove.

While I was eagerly clicking Next on all of the screens, there were a few connections. In fact, in those 5 minuts of installing FLV Media Player, (and thus also: Yontoo, Relevant Knowledge, Free Ride Games, Moyea, Remote Programs, PriceGong, Conduit and WhiteSmoke) there were about 1140 outbound HTTP requests installing even more adware.

If you're interested in these connections, I have uploaded a Fiddler log to Pastebin:
http://pastebin.com/QxcHca1Z


Interesting to note is that Firefox gave a warning about a particular toolbar:
https://addons.mozilla.org/en/firefox/blocked/i226
From that page:
This add-on is silently side-installed by other software, and doesn't do much more than changing the users' settings, without reverting them on removal.

Actually it does more than that, it redirects your searches (through ad-sponsored networks), changes your homepage, annoys you with pop-ups, .... This does not solely apply to WhiteSmoke.

A total of 63 newly created PE files was found on my machine. Seems like they really wanted me to install as much toolbars and adware as possible. Sometimes, besides being referred to as a PUP or adware, this kind of software is called foistware.

You can find a Pastebin here with all VirusTotal results:http://pastebin.com/87HspUgu



Prevention

Now, how do we prevent these applications from ever entering our system? Here are a few tips:

  • Carefully consider what you are installing. Is this program known at all? What does it do? Do I really need this installed? A simple Google search reveals a lot of answers.
  • Don't click Next, Next, Next or OK to everything or in any of the screens you get. This is a golden rule in general.
  • Read the EULA. No wait, what? Those EULAs are always way too long! That's right, luckily there's a tool available which can assist us in identifying unwanted behaviour. The tools is called EULAlyzer, by the same developer as SpywareBlaster (which also helps prevent these).

    I did a scan on a EULA from PriceGong which uncovered the following results:
    EULA states advertising, your searches being submitted and more










  • Use the extension WOT (Web of Trust) to get a second opinion about website X or Y.
  • If you encounter a link that is shortened (for example bit.ly, t.co, tinyurl, ....) you can use a website as GetLinkInfo or Unshorten to acquire more information on that link. Awesome!



Removal

Of course, it might be too late for some users. They are already seeing pop-ups everywhere, getting amazing deals or are getting redirect in their search engines. Again, you can find some hints:

  • Most of these programs can be easily removed via the Control Panel > Add/Remove Programs. There's also a small guide by Microsoft on how to do that. After uninstallation, these programs will open your browser and offer to reinstall the "product". Just close the browser when that happens.
  • "I removed these programs but am still getting redirected. Why?"
    Probably the Add-On, Extension or Plugin is still installed and active in your browser. Remove or disable this manually by following these steps:
    Removing extensions from Internet Explorer
    Removing extensions from Mozilla Firefox
    Removing extensions from Google Chrome

    Restart your browser afterwards and confirm the changes. It's possible you need to manually reset your homepage as well.

  • "Not everything is gone and I don't see anything in the Add/Remove Programs."
    When this happens, you can use a tool like AdwCleaner. Please keep the following in mind:
    - Close all browsers before executing AdwCleaner
    - Click on Search. A logfile will open. Review this carefully! AdwCleaner is pretty strict in removing adware. Then, you can select delete to delete all the unwanted/malicious entries.
    - More information can be found on the download page of AdwCleaner (see above).
  • After following these steps, use your already installed Antivirus and perform a full scan. When that's finished, you can also use Malwarebytes to perform a Quick Scan and ensure everything is gone. Be sure to select in the Settings tab > Scanner Settings that PUPs are shown in the scan results.
  • If you are having difficulties or are not too sure of following these steps all by yourself, you can always make a post on one of the several forums out there specialized in removing malware and other nonsense from a machine. An example forum where you can get help is BleepingComputer.



Conclusion

After reading this post, I'm sure you can now differentiate the thin line between goodware and foistware, adware, or Potentially Unwanted Programs. With the tips above, you should be able to weapon yourself against this kind of threats.

Some legit programs like Java or Adobe also offer these "toolbars". Don't be fooled! The same above rules should be applied here. Tick off those boxes and read carefully through the installation wizard! Why are these things still around you might ask? There's an interesting article here by Ed Bott:
Why does crapware still exist? Follow the Silicon Valley money trail

You might wonder why your antivirus didn't ring any bells when installing this software. The easy answer is: it is hard to differentiate if this is malicious behaviour, as the users consents and agrees on the EULA - which is basically an agreement to all these unwanted modifications!
The hard and longer answer is something to discuss in a future blogpost.

Conclusion: don't install something when you have no idea what it is or does. Google can be your friend.


5 comments:

  1. usefull post for the users who are less committed to reading the eula...

    ReplyDelete
  2. Thanks, these are very informative and useful tips. I admire the time and effort you put into your well-detailed nice blog. I hope to see more of your write ups. Keep it up!!

    ReplyDelete
  3. A very great article.

    ReplyDelete
  4. Great site. A lot of useful information here. I'm sending it to several friends ans also sharing in delicious. And of course, thanks to your effort!

    ReplyDelete
  5. Thank you! I so appreciate this. You are a life saver.

    ReplyDelete