Hello. Unfortunately, I fell victim to a similar large-size file. Do you know what I am supposed to do to overcome such a condition? Currently, to remedy this problem, I've used McAfee Stinger + Windows Defender, and both detected some high threats and either removed or quarantined those viruses. Do you think that would be enough? Thanks
You barely explained why no one would notice that the docx file is an exe file, especially if "show file extensions" is enabled (I hate Microsoft for disabling this by default). The attackers did not even bother adding .docx to trick some users.
That's very interesting that they stuffed the file with 0's to inflate the size! A bit clever, but not clever enough to trick you! Also, cool to see you also using a Shure MV7 since I got the silver one on Black Friday!
Yo….. this tells me something. If nothing is ever written in zeros and nothing is ever written with many zeros in a line…….. aren't there ways scanners can use methods to detect the 0's and deem them redundant or whatever? Can't it just immediately see that the 0's are in a line and then just not scan those?
Wow! Great video! My channel was recently hacked because I opened an attachment similar to this one. I posted a video a few days ago explaining how it happened and how I was able to get my Gmail account back the same day. Crazy stuff! I’m way more cautious now.
I suffered from the exact same malware, though instead of an exe, the attacker had used a Chrome extension that had a great reputation and reviews, so it was hard to determine if it was malicious or not. Oddly enough, after 2 months it had remotely installed RedLine stealer along with some other nasties, and it was later kicked off the Chrome store.
Wow... From a Chrome extension that seemed legitimate and had good reviews.. I'm often suspicious of extensions for browsers, Google Office and MS Office products..
Which is why I trust only extensions that have been available for 2+ years, and have plenty of downloads and plenty of reviews. Very easy to get a few hundred fake reviews.
You can take this to a Linux machine and run an audit on the EXE file itself and examine its contents all just the same with a disassembler tool for reading Windows EXE files. It would be a safer environment for scanning them too, or inside of a VM works also. Also I think it's foolish for AVs to have a file size limit for scanning files if you can just bloat the file with zeros to bypass scanning checks.
It's a pain in the ass to develop code to scan large files. The thing is, even malware coders avoid bloating with gibberish data since it is heavier to transport; you can easily write a much smaller file that is easy to transport, does what it has to do quickly, and deletes itself.
Most have such a limit, but it can actually be disabled. That setting is for low-performance hardware: imagine if you removed the limit, a PC with a 1.5 GHz CPU and 4 GB of RAM would become unresponsive and freeze. On high-end flagships you will have different features than on low-resource machines, so most infected machines are those that are not that performant. On high-end hardware you will have hardware AV which will block the execution if the code is not standard behaviour; a rootkit won't even run at boot time due to Secure Boot. DEP is also there, and some motherboards also have a special processor for pre-processing the code, and only valid code is passed to the main CPU. Such a configuration is bulletproof.
Which reminds me... Ever since mods for the indie beat-em-up game Sifu came out, there's been a rash of scam channels taking advantage of people's gullibility by posting videos purporting to offer skin mods for the game, only for the link to be a scam site leading to what may be malware similar to this.
I have a question. Sorry, I'm no expert, but let's just say I have subscribed to decent/top-notch AV software, say Kaspersky, and the noobest of all noob/stupid mind that I have still went for the executable. Would the AV slap my wrist and stop me from running the disguised malware?
Learning from your channel, I used Intezer to analyze a small file with the extension .doc inside a password-protected zip folder; it seems like putting files inside a password-locked zip file is a very popular technique. Intezer reported the file as malicious. 🤣 Question: can Windows-type malware infect an Android device if it's unpacked using an Android device? Yes, it's the doc file, but I did not execute or open it, I just extracted it and submitted it directly to Intezer.
How can I defend myself? Last year I had ransomware; I had to format my entire PC and I lost all my data, so I want to be prepared from now on. What program is recommended?
Thank you for sharing! Quick question... How would they bypass the 2-factor authentication? Even if they force you to log in again, steal passwords and the 2-factor value, when they go and use those credentials they will need to type another 2-factor value, right? That they don't have... 🤔
You log in and it makes a cookie, and then you exploit the cookie by injecting it (if you really want to know and want an example, I'd look up how to log into Discord using a Discord token; it's the exact same thing), because when you inject a cookie the device/account thinks: "oh hey, I know this one, he doesn't need to do 2FA because I trust him :D"
So if I was to scan with Microsoft Defender, it would not flag it as a virus? I'm not experienced in dealing with viruses. I don't download files from strange places, and have never read an email with such a link. I have a "system" and it has protected me very well. But I wanted to know if a manual scan just passes it because of its file size.
Adding a new subset to that system: if my stuff is logged out, like browser sites or wifi, and I didn't do anything to cause it, check cookies, and if not there then wipe, format, and re-flash back 1 week.
Really interesting video. Really really awesome. If I want to investigate these types of malware, do you recommend doing it in a safe environment like Tails OS or a VM in a VM?
I'm not the guy you are asking this to, but unless you are Marcus Hutchins, you should probably get a VM (if you don't plan to run anything, then you could just use your PC, but for the love of god don't run a debugger). By the time you get to something that is going to bypass your VM, you will probably be expert enough to not make the mistake of opening it.
I just tried to download the file myself, but they've changed the 7-Zip password. No chance to extract the file. Maybe I'll try it with a brute-force attack.
Hey, question for you, really great content by the way. I was one of the content creators hacked by basically this same thing. I wiped my computer and I HOPE I got it all lol. Wondering what I can do to make sure I'm safe; I am so paranoid now and it has been a stressful situation. Thanks
@Appu26j I didn't do it on purpose lol. I was one of the content creators that was tricked by the collaboration proposal emails about doing an ad for a game (more than 15k content creators got hit). Normally I ignore spam, but this one seemed legit, as the last one that seemed sketchy was legit and I made a decent amount of money from doing it, so it seemed like it was possibly real .......... Guess it wasn't 🤣
Great content. I see a professional RUclipsr has been compromised; I don't know if it was by this malware or not. My question is, if he had 2FA enabled, does the attacker have the ability to bypass it?
Is it possible for you to show us the code of some malware like this? I'm interested in the deep end of the files and how to actually view the code of files like this.
Given the fact that so many people who are on YT are also not familiar with tech and its related issues, hackers can even get a grip on experienced users.
Wow, I didn't know that antivirus software will just skip large files! Would it work if I just right-click and choose to scan the file with my antivirus software instead of going through all these savvy steps?
"Malware authors *hate* this secret trick!"
Hilarious! Thank you for taking the time to help regular users, Leo.
lol
nah we don't hate these "secret tricks" since we can hide absolutely everything and bypass every single antivirus
they hate a rescue disc more
@RubenDeJong1207 we get to keep your information '-'
@stylite1637 every single antivirus? geez lol. wait.. are you a malware author lol
Imagine trying to hack someone named the pc security channel
and get exposed step by step
Leo: It sounded cool.
It's most likely a bot programmed to send malware to YouTubers' mail.
@Nogardtist yeah, they could easily compile a script that crawls RUclips for channels over a certain subscriber threshold, and set up a pipeline that compiles the malware and emails with the channel name and sends them to the channel's email. Perhaps the initial mail and the reply sent by the channel were the trigger that fires up the pipeline. Obviously they want to minimize the number of specimens sent out instead of spamming them all over the place and risking them being automatically flagged.
@kyouhyung Wouldn't making verified email by the brand or company, with a mark or something, make it easier to filter out these parasites?
Then let's say a newcomer starts their channel: most tutorials or guides are either a waste of time or useless; they don't give all the problems and tips a creator might face, like quality of the videos, or why the algorithm hates small creators (ironically they say most updates are for small creators' safety). There are bigger problems than the dislike ratio, and it's comment bots and fake sponsors, rather than what Google themselves provide with search results; but asking Google or YouTube directly is most likely gonna feel like talking to the void or a bot. Imagine if in YouTube Studio there was an option to directly talk to them instead of relying on other sites for a chance to get a response.
The cheeky scammers be like:
"Hey we found this *PC SECURITY CHANNEL* let's try to fish him in!"
I would like to have the boldness of these people at least once in my life!
@synthlord6575 how is it cringe
This thread is cringe.
@synthlord6575 I’m confused how you’re confused
Lmao
On the other hand, they say a professional cook does not really like to cook at home on his spare night, you sometimes hear. Or in the case of Seinfeld, when he had a girlfriend who was a masseuse, but she refused to give him a neck massage. Meanwhile Kramer did get one, I believe... ruclips.net/video/zLo3kbggWZs/видео.html
A "contract" that has a size of 750MB should always be a red flag.
Regarding the behavioral protection, we have this at work, I'm a developer and it blocks a lot of completely legit tools.
They hope you don't notice because it's packed so small.
Talking about a 700 MB "Word document", is it a good idea to just make a text file of 500 MB that just shatters anyone with a potato PC when opening it, aka spam E, since why not? Notepad did crash on me at 250 MB since my PC isn't the greatest either, but it's funny and I did ruin my friend's PC. Don't worry, nothing is damaged, the CPU is just broken. This reply is really long and probably as long as one paragraph of a Wikipedia page.
Did my RUclips just crash?
@_auser_ at least your reply isn't tons of E's
@HuntingKingYT but it's as big as one Wikipedia paragraph
I did not know about the large file trick to evade detection! Now I understand the real reason to be wary of large downloaded/unknown files.
You mean those GB's of torrent download files? This is why torrent is dead.
@dp6123 Lol
If your sponsor can analyze compressed files, I suggest they change their "file too big" dialog to tell the user to try compressing the file and resubmitting.
I actually got hacked a few days ago, and my McAfee subscription was over, and I was pretty much downloading a Filmora file, and I don't know what happened; my YT and all other accounts got data breached online :/ I deleted that file, but I'm still scared.
@Steveson lol who told you to download cracked
@Steveson Immediately change your Google and other necessary passwords like Facebook, net banking passwords, etc.
Another short trick you can use without a hex editor is to compress the exe by using Windows' built-in NTFS compression. If it's full of zeros, the file size should show Size 700MB or whatever, and then Size on Disk will be something around 100 KB. I'm quite sure that the zip file in that download is also a few 100 KB as well due to compression, and 4 files of more than 700 MB each in a zip which is barely a few KB is also a dead giveaway of something being very wrong. Nice video as always :D
Great tip! Thank you!
The ZIP archive he downloaded was shown as only ~400 KB, which was a pretty clear indicator that the file was bloated w/o any other tricks.
@themasterofdisastr1226 yo bro
VirusTotal still wouldn't take the file in regardless of compression tactics.
Besides that, the original zipped files are still encrypted.
The point isn’t to get the antivirus to find it. The point is to be able to see it's a bloated file, which is a dead giveaway of a virus program. An executable shouldn’t compress very much as it should have lots of important, non-compressing calls.
First rule of security: Don't open EXE files unless they are from a trusted source. If something feels strange or wrong, it's usually something bad. Say no thanks and cancel/X out.
or/and DELETE! 🗑
@RubenDeJong1207 My first rule of security is: unless it came with Windows, don't trust it! And even if it did, still don't!!
First rule of security: don't store your precious data on Windows
first rule of security: just don't
First rule of security: n o
The part where he got rid of the blank spaces which were only there to fill space to make the malware undetectable was mind blowing!
Would be interesting to see what happens when you actually execute it with different AVs (especially windows defender :) )
Try it and tell us! 😉
Windows defender is shit
You sadly are fucked if you solely rely on anything microsoft makes XD
@whocares7078 cringe
Happened to me, you don't want that 😅
@whocares7078 Windows Defender is honestly underrated because most people think that Microsoft software is pure trash.
That's an interesting trick you showed there! I've seen people embedding malware in bmp images and share a screensaver which will load executable from this bmp image, but this just blasting the size with zeroes is totally new. A question though: when you just select the zeroes and simply delete them, wouldn't that render the PE file invalid? Won't moving the offsets cause issues with the loader?
I'm not qualified to answer, but my guess would be because it's essentially dead space, it shouldn't affect the program, which is why he just did a general delete of the zeros and didn't fine-tune it.
@randomdude12370 It must be for the same reason they could add all the zeros just in that place; the program is behaving the same anyway.
The zeros were after the main PE sections, in between let's say the .rsrc section and the overlay (the zeros could also be in the overlay or in their own custom named section), and they don't affect any offsets as no code or data points to that zero section, and the overlay is mostly for display (most RedLine payloads use corrupted certificates from big companies to try to further deceive the user into executing the payload). Any other offset used by the program's internals is calculated at runtime with regard to the image base and the different sections in the PE.
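The three observations made above (NTFS "Size on Disk" versus "Size", an executable that compresses far more than real code should, and zeros sitting after the last section but before the overlay) can be checked with one script. The following is an added example for this thread, not code from the video or the channel: it parses only the PE structures it needs (DOS header, COFF header, section table and the Security data directory), assumes a well-formed PE32 or PE32+ file, and builds a constructed sample in memory so it runs offline. The zlib ratio is the cross-platform stand-in for the NTFS compression trick; stripping the padding is for analysis convenience only, and the one file offset the script fixes up afterwards is the Security directory, since an Authenticode blob that follows the padding is located by absolute file offset.

```python
"""Spot and strip zero-padding that bloats a PE file past an AV size limit.

Added example for this comment thread (not code from the video). It assumes a
well-formed PE32/PE32+ file and parses only what it needs: DOS header, COFF
header, section table and the Security (Authenticode) data directory. The
sample PE it builds is constructed here so the script runs offline.
"""
import re
import struct
import sys
import zlib

PE_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40
ZERO_RUN = re.compile(rb"\x00+")
OVERLAY = b"OVERLAY-CERT"  # stand-in for a certificate blob in the constructed sample


def parse_pe(data: bytes) -> dict:
    """Return where section data ends (everything past it is overlay) and the
    file offset of the Security data directory entry inside the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ data directories
    table = opt + opt_size
    sections_end = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * SECTION_HEADER_SIZE + 16)
        sections_end = max(sections_end, raw_ptr + raw_size)
    return {"sections_end": sections_end, "security_entry": dirs + 4 * 8}


def security_directory(data: bytes) -> tuple[int, int]:
    """(file offset, size) of the Authenticode blob; (0, 0) if unsigned."""
    return struct.unpack_from("<II", data, parse_pe(data)["security_entry"])


def longest_zero_run(data: bytes, start: int = 0) -> tuple[int, int]:
    """(offset, length) of the longest run of 0x00 bytes at or after start."""
    best = (start, 0)
    for m in ZERO_RUN.finditer(data, start):
        if m.end() - m.start() > best[1]:
            best = (m.start(), m.end() - m.start())
    return best


def compression_ratio(data: bytes) -> float:
    """Compressed size over original size: the cross-platform equivalent of
    comparing NTFS "Size on Disk" to "Size". Real code and resources rarely
    drop below a few tenths; megabytes of zeros collapse toward 0."""
    return len(zlib.compress(data)) / len(data)


def report(data: bytes) -> dict:
    info = parse_pe(data)
    off, length = longest_zero_run(data, info["sections_end"])
    return {"size": len(data), "sections_end": info["sections_end"],
            "zero_run_at": off, "zero_run_len": length, "ratio": compression_ratio(data)}


def strip_padding(data: bytes, min_run: int = 1 << 16) -> tuple[bytes, int]:
    """Cut the longest zero run found after the section data and shift the
    Security directory offset if a certificate blob followed the padding.
    Returns (new_bytes, bytes_removed); offsets inside the sections are
    untouched because nothing before the cut moves."""
    info = parse_pe(data)
    off, length = longest_zero_run(data, info["sections_end"])
    if length < min_run:
        return data, 0
    out = bytearray(data[:off] + data[off + length:])
    sec_off, sec_size = struct.unpack_from("<II", out, info["security_entry"])
    if sec_size and sec_off >= off + length:
        struct.pack_into("<I", out, info["security_entry"], sec_off - length)
    return bytes(out), length


def build_sample(padding: int = 1 << 20) -> bytes:
    """Constructed minimal PE32: headers, one 0x200-byte section, `padding`
    zeros, then a short overlay that the Security directory points at."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    hdr[0x40:0x44] = PE_SIGNATURE
    coff = 0x44
    struct.pack_into("<HH", hdr, coff, 0x14C, 1)            # Machine=i386, NumberOfSections=1
    struct.pack_into("<H", hdr, coff + 16, 224)             # SizeOfOptionalHeader (PE32)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 4 * 8, 0x400 + padding, len(OVERLAY))  # Security dir
    sec = opt + 224
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, 0x200, 0x1000, 0x200, 0x200)  # VSize, VA, RawSize, RawPtr
    body = bytes((i * 73 + 41) & 0xFF for i in range(0x200))  # non-zero stand-in for code
    return bytes(hdr) + body + bytes(padding) + OVERLAY


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    r = report(blob)
    print(f"{r['size']} bytes, sections end at {r['sections_end']:#x}, "
          f"longest zero run {r['zero_run_len']} bytes at {r['zero_run_at']:#x}, "
          f"zlib ratio {r['ratio']:.4f}")
    trimmed, removed = strip_padding(blob)
    if removed and len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(trimmed)
        print(f"wrote {sys.argv[2]} with {removed} padding bytes removed")
```

Run it with no arguments to see the constructed sample reported, or `python bloat.py sample.exe trimmed.exe` to report on a real file and write a stripped copy. The stripped copy is for putting a sample under a scanner's size limit; the original should still be the one you hash and archive.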
I'm curious, since when did Antivirus decide not to scan a file based on size? I remember scanners taking HOURS to scan. Why did they shuffle to "oh 10 minute scans are superior, even if we miss the actual virus"?
I was wondering that too
Lots of facecam lately interesting change
I learned more about malware analysis in this video than the entire module on it in my masters in cybersecurity
Is it really that easy to study cyber security?
I fell for one of these once, kind of sad this has become such a popular thing now..
did you actually run the file or no
@jello3064 yes, but it wasn't a contract like here, but instead a game demo
@Aci_yt Any game that comes with no textures or dll files is fake because then it couldn't display anything
@Aci_yt it supposedly was the installer
@Aci_yt wow, they really thought that far ahead. At least you got your channel back.
Something I'm curious about, mainly with that scam in particular. Would the same thing happen with all the versions, regardless of sub count? Do they all have the same code inside, just possibly inflated differently?
Is this threat part of your test suite? If not, do you plan to add it? It would be nice to know how well the big name security products handle it. Would any antivirus software have protected those RUclipsrs?
Straight away subscribed. This is the first video I watched from you and loved it.
What antivirus do you personally use? Of course I've seen your tier list but I'm super curious to know what you use on your machine
Linux probably
@elevul huh???????????
Yes please more of these, even if I'm quite techy it's super good to have these types of videos to send to others! :)
Agree! More!
Hey, I have a quick question on a program that I've been using for a while. It's called Sandboxie, and it's a program that runs other programs in a sandboxed environment. I would like to know if such a program could in theory protect most computers from unknown programs on my real machine, and maybe an opinion from whoever has used it could help me also.
What interface are you using with the MV7?
Have you just started to make these types of videos?
I don't know why but it feels like you have more credibility because of them. I've watched some of your Antivirus A vs Antivirus B type videos in the past and always wondered if it was unbiased or paid by a company content.
Leo, have you done a how-to regarding running a virtual PC? If so I'm not finding a vid. Too many vids out there with the wrong info, missing info, etc. While I have built my own systems for 20 years and know networking well, this eludes me a bit. I've tried it, can't get it to work.
this is your best video, actually showing us the forensics of a malware. WOW
I love how calm you are while dealing with malware
For real, if I get a virus I would probably break down or something, idk, I have bad anxiety lol
He was probably in a VM
@kamilo1175 yeah, most likely; pretty much every person that deals with this stuff uses a VM
@kamilo1175 Indeed, or he's just experienced, or even both.
@orbitalonyx I trust people and download files all the time, and that’s why I get nervous even when I know someone is on a VM. I do creative projects with people, so you just have to hope no one gets hacked or sends anything malicious 🙃
What about free/open source HIDS vs these types of malware? Does it work better than regular AV?
I clicked on a .scr file that came via a fake sponsorship and it seems to be exactly what you are explaining. Do you have any resources or videos you've made about how to make sure you've removed all of the viruses?
I'm curious about how you can just remove data via hex-editing, especially in the middle of the file. My experience, at least with editing game files, has been that this will break things due to the offsets not being correct anymore. Is it just not a problem for analyzing the file and the program will actually not work anymore? I would expect there to be an offset specifying where the actual code starts as well.
Hi sir. Can I ask a question regarding RedLine stealer? Does this malware exfiltrate data from all IM clients that are installed on the PC or just some random IM clients, and does it steal all the data from the desktop and documents folders? Hope to hear from you. Thank you
would you recommend the google usb stick for access and security?
I expect some antivirus software would check for padding with zeros (or similar patterns) right, then analyse the result after this is stripped away?
Gotta have to admit, that file size trick was quite clever.
Thanks for the post Leo. First time giving a post on your channel. One of the best security channels.
Didn't expect your face reveal
I'd like to ask you about this part: 2:10 When I download something, the first thing I do is right-click the file and have my antivirus (Bitdefender) scan it. Does this practice give me good enough protection if the file isn't password protected? Also, are you saying that a file above 700 MB is not automatically scanned by any locally installed antivirus program? Thank you.
I'm pretty sure he was wrong about antivirus software skipping large exe's (or similar).
Wow, this is the oldest trick in the book and it still works.... Changing the icon of an exe to something like Word or a folder. Windows hiding known file extensions by default isn't going to help either. And now we are starting to have people that don't even know what a "drive" and a "file" are...... things are about to get worse from here haha
Zoomers are the new Boomers. We gotta help them so they have basic tech skills and aren't vulnerable.
thats implying the mid 2000's weren't god awful haha
limewire ruined so many pcs
Adding to the IT illiteracy is that people just want to monetize themselves on YT without merit or talent, on "character" alone. And who can blame them, once the Pauls succeeded with this crap. Be vigilant, but if you get screwed over, maybe it's time for a real job.
I had no idea about the size limit. thanks for the heads up.
Have you tried this in a VM and if you close the VM without saving anything, is any bad stuff sticky enough to survive?
Would deleting the file, and doing a system restore to revert back be sufficient in ridding the threat? Im trying to avoid a clean wipe.
Edit: actually, i extracted the contents, saw an .exe but ever ran it though. There's no reason a company offer should supply an exe.
So, if hypothetically my dad opens such a document while Bitdefender Total Security is active, shouldn't that stop it? I get it won't get scanned initially for being 750 MB, but as soon as it launches any decent AV should be able to stop it, right?
Great explanation, thanks. Given the size limitation of virus checkers, how can you check those big applications that you download from genuine companies, just in case they’ve been compromised without knowing?
It would’ve been great if you could have executed the file anyway and showed how the virus checker would’ve handled it.
PUP finders tend to do a better job at this. Most antiviruses now are just bloatware sadly.
Thanks for the video, it really helps with malware analysis for beginners
One thing that is not good is that some people don't enable that checkbox for showing file extensions and when they download such a file, they say "Oh ok this is a normal Word document, isn't it?" and they open it...
Thanks for this video. I was wondering HOW ON EARTH these people got around 2FA recently. Now I know. Great info.
And knowing is half the battle.
How do you check large files that exceed the limit? I don't know how to remove the empty space to make it smaller.
You explained it well.
So I have a question. Avast or Malwarebytes? I prefer Malwarebytes.
Good video, thanks for making it.
Where do you get pestudio from?
So I'm not that tech savvy, and you mentioned maybe Windows Defender wouldn't be strong enough for other things, may not be strong enough to figure out what's wrong with this file. What software do we need to have that would work? Do you have any suggestions? Anything will help, thank you.
Do conventional antivirus software like Kaspersky/Bitdefender with malware protection not detect large files like this? Or is this for typical low-level software only?
Oh, antiviral software does indeed detect this, it's just... if a file is behind a password-protected thingy, no dice.
Thanks brother, that was very informative. I just wanted to know: can someone's YouTube be hacked even if they have a Google key? Meaning you need to mandatorily connect your key (which is a USB) in order to open your YouTube or Gmail or Facebook account.
Yes. If you execute malware they can hijack sessions, spy on you indefinitely, etc. That's how they defeated Linus's hardware keys.
Wasn't there a jump instruction in there, or does the malware just pass through all the NOPs?
Why did you use different online services before and after removing the middle space?
Thanks for the info.
An awesome presentation! How is the 2FA data communicated back to them Leo?
What are some top behavioral detection tools (both free and commercial)?
Hello,
Unfortunately, I fell victim to one similar large-size file. Do you know what I'm supposed to do to overcome such a condition?
Currently, to remedy this problem, I've used McAfee Stinger + Windows Defender, and both detected some high threats and either removed or quarantined those viruses. Do you think that would be enough?
Thanks
You barely explained why no one would notice that the docx file is an exe file, especially if "show file extensions" is enabled (hate Microsoft for disabling this by default). The attackers did not even bother adding docx to trick some users.
It's part Microsoft, part stupid people renaming the file _including_ the extension and complaining about why Office won't load their files.
That's very interesting that they stuffed the file with 0's to inflate the size! A bit clever, but not clever enough to trick you! Also, cool to see you also using a Shure MV7 since I got the silver one on Black Friday!
Isn't there an option on most AVs where they can scan any file regardless of file size?
Yo... this tells me something. If nothing is ever written in zeros and nothing is ever written with many zeros in a line... isn't there a way scanners can use methods to detect the 0's and deem them redundant or whatever? Can't it just immediately see that the 0's are in a line and then just not scan those?
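Two questions in this thread, how to remove the empty space from an inflated file and whether a scanner could spot the runs of zeros and ignore them, come down to the same operation. The script below is an added example, not code from the video or from any commenter: it locates runs of null bytes above an assumed 1 MiB threshold, strips a run that reaches the end of the file, reports the padding ratio, and prints the SHA-256 before and after stripping (the stripped hash is the one worth looking up, since the inflated sample was submitted under the original hash). The sample input is constructed in memory; the threshold, file names and function names are my own choices.

```python
"""Find and strip null-byte padding from an inflated file (added example, not
from the video). Models the trick in the thread: a small executable followed
by hundreds of megabytes of 0x00 so the file exceeds an AV engine's scan-size
limit. The sample input is constructed in memory; no real malware is used.
"""
import hashlib
import random
import re
import sys

MIN_RUN = 1024 * 1024  # assumed threshold: a run of >= 1 MiB of zeros counts as padding


def find_zero_runs(data: bytes, min_run: int = MIN_RUN) -> list[tuple[int, int]]:
    """(offset, length) of every run of 0x00 bytes at least min_run long."""
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(rb"\x00+", data)
            if m.end() - m.start() >= min_run]


def strip_trailing_padding(data: bytes, min_run: int = MIN_RUN) -> tuple[bytes, int]:
    """Drop a zero run that reaches the end of the file (the appended-overlay
    case). Zero runs in the middle are left alone: cutting those would break
    section offsets in a PE, so they are only reported, not removed."""
    runs = find_zero_runs(data, min_run)
    if runs and sum(runs[-1]) == len(data):
        return data[:runs[-1][0]], runs[-1][1]
    return data, 0


def analyze(data: bytes, min_run: int = MIN_RUN) -> dict:
    """Summary a scanner or analyst would want: padding ratio, bytes removed,
    and the hash of the file as submitted versus the hash with padding gone."""
    runs = find_zero_runs(data, min_run)
    stripped, removed = strip_trailing_padding(data, min_run)
    zero_bytes = sum(length for _, length in runs)
    return {
        "size": len(data),
        "zero_runs": runs,
        "padding_ratio": zero_bytes / len(data) if data else 0.0,
        "removed": removed,
        "stripped_size": len(stripped),
        "sha256_original": hashlib.sha256(data).hexdigest(),
        "sha256_stripped": hashlib.sha256(stripped).hexdigest(),
    }


def build_sample(payload_size: int = 4096, pad_size: int = 3 * 1024 * 1024) -> bytes:
    """Constructed stand-in for the 700 MB 'document': a pseudo-random payload
    with no zero bytes (so the only zero run is the padding) plus trailing zeros."""
    rng = random.Random(1)
    payload = b"MZ" + bytes(rng.randrange(1, 256) for _ in range(payload_size - 2))
    return payload + b"\x00" * pad_size


if __name__ == "__main__":
    # usage: python strip_padding.py inflated.bin stripped.bin   (or no args for the sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = build_sample()
    report = analyze(blob)
    for key, value in report.items():
        print(f"{key}: {value}")
    if len(sys.argv) == 3 and report["removed"]:
        with open(sys.argv[2], "wb") as f:
            f.write(strip_trailing_padding(blob)[0])
```

The stripped copy is for scanning and hash lookups only: if the zeros were inside a section rather than appended, removing them changes file offsets and the result may no longer load, which is why the script reports mid-file runs but refuses to cut them. A scanner that applied the same heuristic would still have to bound its work, since a file can be padded with any repeating byte, not just zeros.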
Please tell me if Norton 360 can scan big files when we use a full scan? Yes or no?
This is Cyber Security class in a RUclips video
Thanks for the info digital science guy on the PC Security Channel
(sorry, don't know your name or nickname)
Have fun and be safe.
Wow! Great video! My channel was recently hacked because I opened an attachment similar to this one. I posted a video a few days ago explaining how it happened and how I was able to get my Gmail account back the same day. Crazy stuff! I’m way more cautious now.
Can you get the malware from watching RUclips videos?
How did they increase the size by this amount? Did they edit the payload using a hex editor and add it manually, or use some tool for that?
They typed a lot of 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
I suffered from the exact same malware, though instead of an exe the attacker had used a Chrome extension that had a great reputation and reviews, so it was hard to determine if it was malicious or not. Oddly enough, after 2 months it had remotely installed RedLine Stealer along with some other nasties, and later on got kicked off the Chrome store.
Wow... From a Chrome Extension that seemed legitimate and good reviews..
I'm often suspicious of Extensions for browsers, Google Office and MS Office products..
@@joemama3372 Should also be suspicious about Play Store apps, as Google doesn't do a good job when it comes to auditing.
Which is why I trust only extensions that have been available for 2+ years, and have plenty of downloads and plenty of reviews. Very easy to get a few hundred fake reviews.
You can take this to a Linux machine and run an audit on the EXE file itself and examine its contents all the same with a disassembler tool for reading Windows EXE files. It'd be a safer environment for scanning them too, or inside a VM works also.
Also I think it's foolish for AVs to have a file size limit for scanning files if you can just bloat the file with zeros to bypass scanning checks.
They do it because scanning huge data takes longer and it's vulnerable to zip bombs or people sending huge packets to cause a server outage
It's a pain in the ass to develop code to scan large files. The thing is, even malware coders avoid bloating with gibberish data since it's heavier to transport; you can easily write a way smaller file that's easy to transport, does what it has to do fast, and deletes itself.
Most have such a limit but it can be disabled, actually. That setup is for low-performance hardware: imagine if you removed the limit, a PC with a 1.5 GHz CPU and 4 GB RAM would become unresponsive and freeze. On high-end flagships you'll have different features than on low-resource machines, so most infected machines are those that are not that performant. On high-end hardware you'll have hardware AV which will block the execution if the code is not standard behavior; a rootkit won't even run at boot time due to Secure Boot, DEP is also there, and on some motherboards they also have a special processor for pre-processing the code and only valid code is passed to the main CPU. Such a configuration is bulletproof.
Hi Leo. Why won't an AV scan a file that big automatically?
How can I change this setting in my anti virus?
Currently on Kaspersky cloud free AV.
this is like the lockpicking lawyer getting a package of a lock that says "unpickable".
Which reminds me... Ever since mods for the indie beat-em-up game Sifu came out, there's been a rash of scam channels taking advantage of people's gullibility by posting videos purporting to offer skin mods for the game, only for the link to be a scam site leading to what may be malware similar to this.
I wondered for a long time when you would put a face behind the brilliant work you do, and you did. Thanks a lot for the tip.
I have a question... sorry, I'm no expert... but let's just say I have subscribed to a decent/top-notch AV software, say Kaspersky, and the noobest of all noob/stupid minds that I have still went for the executable. Would the AV slap my wrist and stop me from running the disguised malware?
Learning from your channel, I used Intezer to analyze a small file with the extension .doc inside a password-protected zip folder. It seems like a very popular technique, putting files inside a password-locked zip file. Intezer reported the file as malicious. 🤣 Question: can Windows-type malware infect an Android device if it's unpacked using an Android device? Yes, it's the doc file, but I did not execute or open it, just extracted it and submitted it directly to Intezer.
The ".scr" file, like in 1:53, was used to hack the crypto assets of streamers here in the Philippines.
I always knew something was off with that Pipe Dream screensaver....
That's a screensaver file...
@@nevergonnagiveyouup4189 I didn't know that, I thought they were limited to animations.
Oh gosh does that username have RTL in it or something?
Edit: it only appears weird on mobile
@@AlfiesFuntime why did you write backwards
If you manually add this large file and scan using antivirus will antivirus be able to detect it?
How can I defend myself? Last year I had ransomware, I had to format my entire PC and I lost all my data, so I want to be prepared from now on. What program is recommended?
are you using a filter or is your skin just so smooth?
Thank you for sharing! Quick question... How would they bypass the 2-factor authentication? Even if they force you to log in again, steal passwords and the 2-factor value, when they go and use those credentials they will need to type another 2-factor value, right? That they don't have... 🤔
You log in and it makes a cookie, and when you exploit a cookie by injecting it (if you really want to know and want an example, I'd look up how to log into Discord using a Discord token, it's the exact same), because when you inject a cookie the device/account thinks: "oh hey, I know this one, he doesn't need to do 2FA cuz I trust him :D"
but that trust wouldn't extend to sensitive operations like password changes? So how would they steal the account/lock you out?
@@flyhtz Aren't cookies linked to specific devices? If not, yes, that's quite a big security hole!
@@nickwoodward819 No, it would not, but as soon as they have the cookie they can change the password and email.
@@javiTests They are not, they are linked to browsers, so you can inject them.
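The exchange above, about why a stolen cookie skips 2FA and whether that trust should extend to changing the password, can be made concrete with a small model. The script below is an added example, not code from the video or from any commenter: an in-memory server with one constructed user, a minimal RFC 6238 TOTP so the login really does require a second factor, and three configurations: the naive one the thread describes (whoever presents the session id is trusted for everything), one that demands a fresh TOTP for sensitive actions (step-up), and one that additionally binds the session to the client that created it. The user, secret, client labels and timings are all made up.

```python
"""Toy session model showing why a stolen cookie skips 2FA (added example,
not from the video or the commenters). Everything is constructed in memory:
one user, an in-memory session table, and a minimal RFC 6238 TOTP.
"""
import hashlib
import hmac
import secrets


def totp_code(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) so the model has a real second factor."""
    counter = int(now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = ((mac[off] & 0x7F) << 24 | mac[off + 1] << 16
            | mac[off + 2] << 8 | mac[off + 3]) % 10 ** digits
    return f"{code:0{digits}d}"


class Server:
    """bind_sessions=False, require_step_up=False reproduces the behaviour the
    thread describes: the session id alone proves identity, 2FA is never asked
    again, and the cookie holder can change the password."""

    def __init__(self, bind_sessions=False, require_step_up=False, step_up_window=300):
        self.users = {"alice": {"password": "correct horse", "totp": b"constructed-secret"}}
        self.sessions = {}  # session id -> {"user", "client", "mfa_at"}
        self.bind_sessions = bind_sessions
        self.require_step_up = require_step_up
        self.step_up_window = step_up_window

    def login(self, user, password, code, client, now):
        u = self.users.get(user)
        if not u or not hmac.compare_digest(password, u["password"]):
            return None
        if not hmac.compare_digest(code, totp_code(u["totp"], now)):
            return None
        sid = secrets.token_urlsafe(32)  # this value is what ends up in the cookie
        self.sessions[sid] = {"user": user, "client": client, "mfa_at": now}
        return sid

    def _session(self, sid, client):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.bind_sessions and s["client"] != client:
            return None  # cookie replayed from a client other than the one that logged in
        return s

    def whoami(self, sid, client):
        s = self._session(sid, client)
        return s["user"] if s else None

    def change_password(self, sid, client, new_password, code, now):
        s = self._session(sid, client)
        if s is None:
            return False
        if self.require_step_up and now - s["mfa_at"] > self.step_up_window:
            # Sensitive action: demand a fresh TOTP, which a cookie thief cannot produce.
            if not hmac.compare_digest(code or "", totp_code(self.users[s["user"]]["totp"], now)):
                return False
            s["mfa_at"] = now
        self.users[s["user"]]["password"] = new_password
        return True


def demo():
    """Victim logs in with password + TOTP; a stealer exfiltrates the session id;
    the attacker replays it from their own browser an hour later."""
    now = 1_700_000_000.0
    configs = {
        "naive": Server(),
        "step_up": Server(require_step_up=True),
        "bound": Server(bind_sessions=True, require_step_up=True),
    }
    results = {}
    for name, srv in configs.items():
        secret = srv.users["alice"]["totp"]
        sid = srv.login("alice", "correct horse", totp_code(secret, now), "victim-browser", now)
        later = now + 3600
        results[name] = {
            "attacker_whoami": srv.whoami(sid, "attacker-browser"),
            "attacker_pw_change": srv.change_password(sid, "attacker-browser", "pwned", None, later),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

In the naive configuration the attacker is identified as alice and changes the password without ever touching the second factor, which is the outcome described in the thread. Step-up blocks the password change but not the session itself, so the attacker can still read the account until the session is revoked. Client binding here is a stand-in for whatever the service keys a session to; an infostealer that also copies the browser profile can often satisfy it, which is why re-authentication for sensitive actions and session revocation are the controls to rely on rather than binding alone.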
So if I was to scan with Microsoft Defender, it would not flag it as a virus? I'm not experienced dealing with viruses. I don't download files from strange places, and have never read an email with such a link. I have a "system" and it has protected me very well. But I wanted to know if a manual scan just passes it because of its file size.
Adding a new subset to that system: if my stuff is logged out, like browser sites or wifi, and I didn't do anything to cause it, check cookies, and if nothing's there then wipe, format, and re-flash back 1 week.
really interesting video. Really really awesome.
If I want to investigate these types of malware, do you recommend doing it in a safe environment like Tails OS or a VM in a VM?
I'm not the guy you are asking this to, but unless you are Marcus Hutchins, you should probably get a VM (if you don't plan to run anything, then you could just use your PC, but for the love of god don't run a debugger). By the time you get to something that's going to bypass your VM, you will probably be expert enough not to make the mistake of opening it.
That's why you need second-opinion scanners like HitmanPro.Alert.
I wonder how the executable would perform on VirusTotal after you removed the unnecessary parts.
I just tried to download the file myself, but they've changed the 7-Zip password. No chance to extract the file. Maybe I'll try it with a brute-force attack.
Hi, can you tell me how you downloaded the file?
I want to put it through VirusTotal.
@@paullombardi9506 Just copy the link seen in the video.
@@kastrodyll1724 how was your test? Is it detected?
Does Malwarebytes Premium distinguish whether the file is malware or not?
This is one of the best RUclips videos that I've seen in a long time. Thanks for sharing this.
Hey, question for you,
real great content by the way.
I was one of the content creators hacked by basically this same thing. I wiped my computer and I HOPE I got it all lol.
Wondering what I can do to make sure I'm safe. I am so paranoid now and it has been a stressful situation.
Thanks
@Appu26j I didn't do it on purpose lol
I was one of the content creators that was tricked by the collaboration proposal emails about doing an ad for a game (more than 15k content creators got hit)
Normally I ignore spam, but this one seemed legit, as the last one that seemed sketchy was legit and I made a decent amount of money from doing it, so it seemed like it was possibly real... Guess it wasn't 🤣
Why did they pad it with 0s, and not some other random binary data, say from another exe?
Great content. I see a professional RUclipsr has been compromised, I don't know if it's by this malware or not. My question is, if he had enabled 2FA, does the attacker have the ability to bypass it?
Is it possible for you to show us the code of some malware like this? I'm interested in the deep end of the files and how to actually view the code of files like this.
Based on the train reflection in your mirror you live in Boston, or the UK also has some silver trains with 2 windows per car.
Why the hell did the file poof in the zip when you extracted it? That makes no sense, since on my system it doesn't even do this.
Would there be a way to get rid of this after it affected your system?
Love this kind of content: how to actually analyse, run sandboxes, and what antiviral software to use.
Given the fact that so many people who are on YT are also not familiar with tech and its related issues, hackers can even get a grip on experienced users.
Hackers try to hack The PC Security Channel
Random hacker: "Why do i hear boss music?"
What happens if you right click and analyze it with Kaspersky?
So this is what security research is. I like this a lot.
I got infected by this kind of file and I restarted my PC last week. Am I safe?
Wow, I didn't know that antivirus software will just skip large files! Would it work if I just right-click and choose "scan the file" with my antivirus software instead of going through all these savvy steps?
I think they're the same kind of scan, so you can't tell the antivirus to analyze it as well