WARNING Rootkit virus embedded in video via comment spam

Jul 24, 2012 04:40

Lately, I've had to delete about half a dozen spam comments from various entries on my LJ & at other communities. They've all shared a commonality: a single embed & link to a YouTube video in Portuguese titled "Camarate: A confissao de Farinha Simoes" or in English titled "Dying call from prison. Details about Portugal Premier Minister air-crash ( Read more... )

admin

maridee42 July 24 2012, 15:02:24 UTC
I had two guys: veatorecu and jonmeino. nothing's happened to my computer yet, tho.

campylobacter July 24 2012, 15:21:20 UTC
Thanks! I'll add them to the list.

According to luma_chan, it's "the same virus that's stealing people's bank account info and then faking bank statements so that people don't even know about it so pretty scary stuff, and since it's new and nasty otherwise too, virus programs don't help and not sure how even the professionals manage with clearing those..."

I'm not sure if the video spyware virus needs to download completely to lurk in your cache & sneak around keylogging passwords while you have no idea about it, but I'll be looking out for malware removal kits when the anti-virus organizations catch up to this and will let everyone here know when it's available.

Hope your computer is malware-free.

maridee42 July 25 2012, 16:33:26 UTC
I could pretty much tell they were the same person, or bot, or whatever, because they both posted the exact same thing on a post I made months ago. so, you know. applauding their mad sneak skills.

i haven't seen any problems yet? but if i do, i'll let y'all know.


thoughtless July 24 2012, 15:37:33 UTC
I had this happen with 'justiczjatu' and 'analiseacalo' also, if you are wanting to list the people posting the comments.

campylobacter July 24 2012, 15:44:55 UTC
Thanks! I've added them to the list, banned them & reported them. :)


brooke July 24 2012, 16:14:40 UTC
Hi, I don't even go here, but I stumbled across this entry and have been poking around and doing some careful research. I am by no means a computer expert and I could well be wrong but it seems to me that the information going around here isn't actually quite accurate... I find it bizarre that even though luma_chan's post is over two weeks old, Google searching gives me nothing at all in regards to this malware apart from her original entry and yours - and super old rootkit viruses. LiveJournal spam issues aside, if there truly are users uploading virus-ridden videos to YouTube, it's very unlikely they're surviving for long enough on there to be spread around and clicked on hours later by unsuspecting users. (Not to mention the fact that any exploited security vulnerabilities would have long been sorted out in these two weeks!)

Honestly, based on the date of the original post, my guess is that it's related back to this. It's highly possible that these people have had malware on their systems the entire time and not known it ( ... )

campylobacter July 24 2012, 18:02:55 UTC
My first encounter with embedded video comment spam was about a month or so ago when livejournal left a comment on one of my entries. I was flattered (it notifies you via pingbacks that your entry ranks among Top 25 popular entries), to say the least, but wondered what the heck it had to do with "Portugal Premier Minister air-crash". I *did* play the video -- it seemed legit, and from a legit source -- but bailed after half a minute because it was boring. I'm wondering in hindsight if livejournal's account had been jacked or exploited? I don't know.

Fast-forward to the past few days: I've been receiving the same video embed in Suspicious comments from LJ accounts, and deleted them after reporting & banning them. I assumed that the spammers were looking for increasing the view-count on the video, for some inexplicable reason. I Googled, as you did, and found luma_chan's post & thought "Eureka!" Then, "Oh shit, a rootkit can be hidden in a YouTube video ( ... )

sylvir July 25 2012, 02:25:13 UTC
I also watched about 10 seconds of the video and am concerned... So far I haven't gone anywhere that required me to input my password (I, unfortunately, have all my passwords saved due to my laziness), which is good... But I wish there was a way to confirm that there wasn't a rootkit virus embedded in the video so I can rest easy... :X

campylobacter July 25 2012, 17:04:19 UTC
I've been running a search on bing.com (since Google owns YouTube) for "trojan in video", "malware in video file", and "rootkit in YouTube video", but have only turned up 5-6 year old articles about trojans where the user must download & install a special video player (usually a .exe file) in order to view a video (common tactic on porn sites).

So far, I can't find anything about the YouTube video codec being compromised, or embedded YouTube ads being click-jacked. That doesn't mean they're not possible, but I'm still trying to figure out why this sub-species of spambots want us to watch that video, if not to increase the view count. To what purpose? It's so weird.


cyanglow July 24 2012, 17:50:15 UTC
Adding the following names to the list:

golubcavav
owenddhd
milburrujyvy
ngpase

campylobacter July 24 2012, 18:11:06 UTC
Thanks!

The growing list is indeed disturbing. :/

cyanglow July 24 2012, 18:21:18 UTC
No problem. Thanks for making the post! A friend linked me to it earlier.

I've been saving the email notifications of the suspicious comments, since I didn't know where to report them aside from the "Report Suspected Bot" function and banning them individually. The first two came in on July 8, and the other two within the past 48 hours. It's very upsetting that this has been going on for weeks but nothing's even been acknowledged about it by lj.


kawaii_musouka July 24 2012, 19:46:11 UTC
I had meratee05250 and 1310ardfey in the last two days.

campylobacter July 24 2012, 20:04:16 UTC
Thank you. OH GOSH THERE ARE 20 OF THEM NOW.

