Malware and Video: The YouTube Connection

Watching online videos is addictive. No, really, there are people who have gone to rehab to get over their video watching addiction. Such people lose sleep, friends, family, and even jobs because video watching is more important than all of these. Experts claim that it is similar to gambling addiction and it can happen to anyone. Be honest. How many times have you gone to YouTube or other video sites to watch a video and then got interested in one of the suggested or related videos? Probably everyone has done this to some extent, but a few people can’t stop at watching just a few videos.

And videos are everywhere. You don’t need to visit some shady drug dealer or go to a casino. Videos are offered by every social media site and are sent to you by your best friends and closest family members. And because everyone is interested in videos, hackers are interested in videos. Hackers realize that videos hold a built-in interest factor, and they will exploit this curiosity in any way that they can.

But can the video itself carry the malware? Not on its own. A video file is data that does nothing until a media player parses and renders it, so it cannot run the way an .exe can. That leaves attackers two routes: craft a malformed file that exploits a flaw in the player's parser, or skip the video altogether and use its appeal as a lure. The lures are what arrive via email, messaging apps, and social media. Here is a look at how both kinds operate.

Using Video Files as Malicious Lures

In the past, files in the .swf, .asf, .wma, .wmv, .mov, and .mkv formats have all been used in attacks. Most of these exploits are old, but the idea behind them is sound and something similar resurfaces from time to time. The idea is to get the victim to download or play what looks like a video. A provocative file name is what makes the attack work. For example, hackers recently launched a spam email campaign whose attachment was a file called TRUMP_SEX_SCANDAL_VIDEO.jar, a Java program rather than a video. They are simply hoping that curiosity triumphs over common sense, which it often does.

In any event, when the victim attempts to open one of these fake video files, one of two things happens. Either the file installs malware directly, as with the purported Trump video, which runs as a Java program the moment it is opened, or the media player is called on to open a file that it cannot play because, despite its video file extension, it is not a video file at all. The failed attempt brings up a fake error dialog like the following.

In both of the above cases, clicking any of the offered buttons sends the victim to a URL that downloads malware.

Email attachments may hide the real extension by wrapping the file in a zip archive. Most email providers block .exe attachments but allow zip files. You download the zip, open it, and find what appears to be a video, say an mp4 file. But that file, despite its apparent extension, may actually be an .exe. Windows hides known file extensions by default, so a file really named video.mp4.exe is displayed as video.mp4. Make sure the “File name extensions” box is checked in the View tab of File Explorer so the full name is visible, and treat any double extension as a red flag.
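Checking the box only helps if you look. As an added example (not code from the original post), the script below does what a careful user would do by hand: it cross-checks an attachment's name against its leading bytes, flags double extensions and the U+202E right-to-left override trick that reverses how a name is displayed, and looks inside a zip attachment in memory without extracting anything to disk. The signature table, extension lists, and the sample zip are constructed for this example; real attachments will need a broader table.

```python
import io
import zipfile

# Magic-byte signatures at a given offset (constructed lookup table for this
# example; ISO media such as .mp4/.mov carries 'ftyp' at offset 4, not 0).
SIGNATURES = [
    (0, b"MZ", "Windows PE executable"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"PK\x03\x04", "ZIP archive"),          # also .jar, .docx, .apk
    (4, b"ftyp", "ISO media (MP4/MOV)"),
    (0, b"\x1aE\xdf\xa3", "Matroska/WebM"),
    (0, b"0&\xb2u", "ASF (WMV/WMA)"),           # first 4 bytes of the ASF header GUID
    (0, b"FWS", "Flash SWF"),
    (0, b"CWS", "Flash SWF (compressed)"),
]
MEDIA_KINDS = {"ISO media (MP4/MOV)", "Matroska/WebM", "ASF (WMV/WMA)",
               "Flash SWF", "Flash SWF (compressed)"}
VIDEO_EXTENSIONS = {"mp4", "mov", "mkv", "webm", "avi", "wmv", "asf", "wma", "swf"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "msi", "jar", "bat", "cmd",
                         "js", "vbs", "lnk", "hta"}


def sniff(data):
    """Identify content by its leading bytes, ignoring the file name entirely."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


def _parts(name):
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base.split(".")


def inspect_name(name):
    """Flag file names built to look like videos once extensions are hidden."""
    findings = []
    if "\u202e" in name:
        findings.append("contains U+202E right-to-left override (extension spoofing)")
    parts = _parts(name)
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS and parts[-2] in VIDEO_EXTENSIONS:
        findings.append(f"double extension: shows as .{parts[-2]} with extensions hidden, really .{parts[-1]}")
    elif len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension .{parts[-1]}")
    return findings


def inspect_attachment(name, data, depth=0):
    """Cross-check name against content; descend into zip attachments in memory
    (never extracted to disk), at most two levels deep."""
    findings = [f"{name}: {f}" for f in inspect_name(name)]
    parts = _parts(name)
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    if kind in ("Windows PE executable", "ELF executable"):
        findings.append(f"{name}: content is {kind}")
    elif ext in VIDEO_EXTENSIONS and kind not in MEDIA_KINDS:
        findings.append(f"{name}: extension .{ext} but content is {kind}")
    if kind == "ZIP archive" and depth < 2:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "META-INF/MANIFEST.MF" in zf.namelist():
                findings.append(f"{name}: Java archive, runs as a program if Java is installed")
            for info in zf.infolist():
                if info.is_dir() or info.file_size > 50_000_000:  # skip dirs and zip-bomb sized entries
                    continue
                findings.extend(inspect_attachment(f"{name}/{info.filename}", zf.read(info), depth + 1))
    return findings


def build_sample_zip():
    """Constructed sample attachment: a zip holding an executable stub named like a video."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("LEAKED_VIDEO.mp4.exe", b"MZ" + b"\x00" * 62)  # fake PE header, constructed
        zf.writestr("readme.txt", b"double-click the video to watch")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_attachment("video.zip", build_sample_zip()):
        print(finding)
    # A genuine mp4 header produces no findings at all.
    print(inspect_attachment("clip.mp4", b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16))
```

Run against the constructed zip it reports the double extension and the PE content inside the archive; against a real mp4 header it reports nothing. The point of the design is that the name and the bytes are judged separately, so neither a hidden extension nor a renamed executable slips through on its own.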

In any event, be careful of messages or emails that ask you to watch a video. See my post on the very successful “It’s you?” Facebook Messenger campaign.

Exploits Using Vulnerabilities in Media Players

A couple of years ago, victims were sent mp4 videos via WhatsApp that were crafted so that the recipient could watch the video while malicious code ran on their device. The flaw was a buffer overflow in the app's mp4 parser: the file carried metadata the parser did not bounds-check, and the overrun let the attacker execute code and gain complete control of the device. A similar vulnerability was found on Android devices last year. It is not clear whether that one was exploited by criminals.
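The bug class behind that attack is a length field trusted without being compared to the data actually present. As an added example (not code from the original post, and not WhatsApp's or Android's parser), the walker below reads the box structure that mp4 files are built from and rejects any box whose declared size does not fit the bytes available, which is the check an overflowable parser omits. The container subset, limits, and the two sample files are constructed for this example.

```python
import struct

MAX_BOXES = 10_000          # cap per nesting level; a parser should never loop unbounded
MAX_DEPTH = 8
# Boxes whose payload is itself a sequence of boxes (a small subset, enough for the example).
CONTAINER_BOXES = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta"}


class MalformedBox(ValueError):
    """Raised instead of ever reading past the buffer."""


def parse_boxes(buf, start=0, end=None, depth=0):
    """Walk the ISO BMFF boxes in buf[start:end] and return (depth, type, payload_len)
    tuples. Every declared size is checked against the bytes actually present before
    it is used; that comparison is what a vulnerable parser skips."""
    if end is None:
        end = len(buf)
    if depth > MAX_DEPTH:
        raise MalformedBox("box nesting too deep")
    boxes = []
    pos = start
    while pos < end:
        if end - pos < 8:
            raise MalformedBox(f"truncated box header at offset {pos}")
        size, btype = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:                      # 64-bit largesize follows the type
            if end - pos < 16:
                raise MalformedBox(f"truncated largesize at offset {pos}")
            size = struct.unpack_from(">Q", buf, pos + 8)[0]
            header = 16
        elif size == 0:                    # box runs to the end of its parent
            size = end - pos
        # The bounds check: size must cover its own header and must not exceed the
        # data we hold. In C the same test must be written so that pos + size cannot
        # wrap around; comparing size against end - pos, as here, avoids that.
        if size < header or size > end - pos:
            raise MalformedBox(f"box {btype!r} at offset {pos} declares {size} bytes, "
                               f"only {end - pos} available")
        boxes.append((depth, btype, size - header))
        if len(boxes) > MAX_BOXES:
            raise MalformedBox("too many boxes")
        if btype in CONTAINER_BOXES:
            boxes.extend(parse_boxes(buf, pos + header, pos + size, depth + 1))
        pos += size
    return boxes


def is_playable(buf):
    """True if the container structure validates. A player that asks this before
    decoding never copies from an attacker-chosen length."""
    try:
        parse_boxes(buf)
        return True
    except MalformedBox:
        return False


def box(btype, payload=b""):
    """Build a box with a correct 32-bit size (used only for the constructed samples)."""
    return struct.pack(">I4s", 8 + len(payload), btype) + payload


def build_sample_mp4():
    """Constructed, minimal but well-formed container: ftyp, moov(mvhd, trak(tkhd)), mdat."""
    return (box(b"ftyp", b"mp42\x00\x00\x00\x00isommp42")
            + box(b"moov", box(b"mvhd", b"\x00" * 100)
                           + box(b"trak", box(b"tkhd", b"\x00" * 84)))
            + box(b"mdat", b"\x01" * 32))


def build_oversized_mp4():
    """Constructed malicious variant: an mdat box whose size field claims far more
    data than the file holds, the pattern a trusting parser copies from."""
    return box(b"ftyp", b"mp42") + struct.pack(">I4s", 0x7FFFFFF0, b"mdat") + b"\x00" * 16


if __name__ == "__main__":
    for depth, btype, length in parse_boxes(build_sample_mp4()):
        print("  " * depth + f"{btype.decode()} payload={length}")
    print("oversized sample playable:", is_playable(build_oversized_mp4()))
```

The well-formed sample walks cleanly; the crafted one is refused at the mdat box because 0x7FFFFFF0 bytes were promised and twelve are present. A size smaller than the eight-byte header is refused for the same reason, since a parser that subtracts the header from it would wrap to a huge copy length.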

More often than not, a booby-trapped video simply won’t play. Hackers use that too: the failed playback becomes the excuse to send the victim to a site offering a fake update or codec to watch the video. And if you really want to watch that video, chances are you’ll install that codec.

A few years ago, researchers showed that a malicious subtitle file could take over a device through the media player. Players treat subtitle files, which are basically text, as trusted data and load them without any fanfare. Antivirus software treats them as harmless, so the victim gets no warning. Most of the players that were vulnerable to this attack vector have since been patched, but it is a vector worth keeping an eye on.
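The defensive lesson is that a subtitle file is untrusted input like any other. As an added example (not code from the original post or from any media player), the strict SRT parser below accepts only the index / timing / text shape the format defines, caps line and cue counts, and strips every tag but a small whitelist before the text reaches a renderer. The limits, the whitelist, and the two sample files are constructed for this example.

```python
import html
import re

TIMING = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}),(\d{3}) --> (\d{2}):(\d{2}):(\d{2}),(\d{3})(?: .*)?$")
TAG = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)[^>]*>")
ALLOWED_TAGS = {"i", "b", "u"}      # the only markup the renderer is allowed to see
MAX_CUES = 5000
MAX_LINE_LEN = 512


class MalformedSubtitle(ValueError):
    pass


def _to_ms(h, m, s, ms):
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)


def sanitize_text(line):
    """Drop every tag outside the whitelist (attributes included) and escape any
    leftover angle brackets or ampersands so nothing reaches the renderer as markup."""
    out, pos = [], 0
    for m in TAG.finditer(line):
        out.append(html.escape(line[pos:m.start()], quote=False))
        name = m.group(2).lower()
        if name in ALLOWED_TAGS:
            out.append(f"<{m.group(1)}{name}>")   # re-emit bare, without attributes
        pos = m.end()
    out.append(html.escape(line[pos:], quote=False))
    return "".join(out)


def parse_srt(text):
    """Strict SRT parser: returns [(start_ms, end_ms, [sanitized lines])] or raises
    MalformedSubtitle. Anything that is not index / timing / text is rejected rather
    than guessed at, and sizes are capped before any text is processed."""
    cues = []
    blocks = re.split(r"\n\s*\n", text.replace("\r\n", "\n").strip())
    for block in blocks:
        lines = block.split("\n")
        if len(lines) < 2 or not lines[0].strip().isdigit():
            raise MalformedSubtitle(f"bad cue header: {lines[0]!r}")
        m = TIMING.match(lines[1].strip())
        if not m:
            raise MalformedSubtitle(f"bad timing line: {lines[1]!r}")
        start, end = _to_ms(*m.groups()[:4]), _to_ms(*m.groups()[4:])
        if end < start:
            raise MalformedSubtitle("cue ends before it starts")
        for line in lines[2:]:
            if len(line) > MAX_LINE_LEN:
                raise MalformedSubtitle("subtitle line too long")
        cues.append((start, end, [sanitize_text(line) for line in lines[2:]]))
        if len(cues) > MAX_CUES:
            raise MalformedSubtitle("too many cues")
    return cues


def is_safe_subtitle(text):
    """True if the file parses under the strict rules; a player should refuse it otherwise."""
    try:
        parse_srt(text)
        return True
    except MalformedSubtitle:
        return False


# Constructed sample: one clean cue and one carrying markup a permissive player might render.
SAMPLE_SRT = """1
00:00:01,000 --> 00:00:03,500
Watch this.

2
00:00:04,000 --> 00:00:06,000
Hello <i>there</i> <font color="red">x</font> <script>bad()</script> a < b
"""

# Constructed malformed sample: the cue ends before it starts.
BAD_SRT = """1
00:00:05,000 --> 00:00:02,000
Ends before it starts
"""

if __name__ == "__main__":
    for start, end, lines in parse_srt(SAMPLE_SRT):
        print(start, end, lines)
    print("malformed sample accepted:", is_safe_subtitle(BAD_SRT))
```

The second cue comes out as `Hello <i>there</i> x bad() a &lt; b`: the italic tag survives, the font and script tags are gone along with their attributes, and the stray `<` is escaped. The malformed file is refused outright instead of being repaired, which is the behaviour you want from a parser fed files it did not author.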

And that brings us to the biggest promoter of videos of all, YouTube, the crack cocaine of video addicts. Here is a platform just waiting to be exploited. To some extent, it already has been, but not in the U.S., at least not as of this writing. A complex piece of malware known as Astaroth uses YouTube as part of its attack architecture. The whole sequence of the attack is too complex to get into here; for those interested, see the Cisco Talos dissection. The relevant part is the end of the chain: the infected machine is pointed at YouTube channels the attackers set up, whose descriptions hide encoded data that the malware decodes to find its command and control (C2) servers. Links to malicious sites can also be hidden in comments.

Probably the most devious use of YouTube is a video that actually plays part of a real movie. The movie then stops and a screen like this appears, telling you to follow a link to keep watching.

If the grammar doesn’t make you suspicious, the redirection to a link should.

The Astaroth malware mentioned above is not yet a problem in the U.S. It may be that its operators are making a conscious effort not to attack devices there for the time being. But the developers of this and related malware are financially motivated, and the U.S. is where the money is, so it is probably just a matter of time. These criminal hackers appear to be located in Brazil, and that country is the malware's main target. It is, however, spreading, as can be seen in this map from Kaspersky.

So it seems pretty clear that video-based exploits, and exploits that route through YouTube, will be the wave of the future. The good news is that many of them can be neutralized by recognizing the common paths they all try to use. In short, don’t trust any video that someone recommends to you, verify that a downloaded “video” really is one before opening it, and never follow links posted in YouTube descriptions or comments. That said, I expect this advice to be ignored. Addiction is hard to beat.

2 thoughts on “Malware and Video: The YouTube Connection”

  1. Interesting. Traditionally it’s only been possible to embed malware in a file if it has an actual executable component – like a macro virus in a spreadsheet or an embedded executable in a PDF. Now they’ve found a way to do that with videos without having to execute them. In any case, I’ll be sure to watch out for stuff like this in the future.

