From the scammer's point of view, it must be frustrating that one of the first batch of victims just happened to be someone who was able to identify the signs and get the thing listed in public databases.
Imagine working on a virus for hours and days even just for one of your first victims to be him. Reported it to his antivirus developer, even multiple AV devs, made a video about it and showed how to protect yourself from this RAT, but also many others. If I was behind this virus, I'd probably be in depression if I wasn't already xD
@@qkzalswns He doesn't need to. He just needs the virus to run on a few dozen computers, steal some CC info, some crypto wallet keys and voilà, he has good ROI.
@@qkzalswns the person running it probably didn’t work on it at all. Since it has marketing, it’s probably being sold off to people. The scammer is definitely slamming their keyboard over having their money wasted though
Absolutely! @ThioJoe Can you also describe your rules for AppLocker in the description text? I have been scrolling over and over through the video, which is good for the 'view time' of course, but it would be more practical to also have some kind of overview.
"this stuff happens all the time" I haven't run into a virus since around 2005. It's just user error to download and run files without verifying them. It's yet another reason you should code things yourself instead of importing libraries for everything.
An error message about an invalid character on any download should be a HUGE red flag. I would never think to tell people this. Thank you for your service!
The problem is that even if there is no "init.ps1" file the package can be dangerous. And even worse, when you compile it into your own software it can also be spreading with your application. Nowadays analyzers and stuff can also be installed via NuGet package and run alongside Visual Studio. You don't even need to start your app for the code to execute.
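The point made in the comment above, that a package can run code without an init.ps1, can be checked before install by listing what a .nupkg (a ZIP archive) actually contains. This is an added example, not part of the original comments; the sample package, its ID and its file names are constructed for illustration.

```python
import io
import re
import unicodedata
import zipfile

# Package paths that can lead to code running on a developer machine
# before the application itself is ever started.
AUTO_RUN_PATTERNS = [
    (re.compile(r"^tools/(init|install|uninstall)\.ps1$", re.I),
     "PowerShell script that Visual Studio can run"),
    (re.compile(r"^build(Transitive|MultiTargeting)?/.*\.(targets|props)$", re.I),
     "MSBuild file imported during build"),
    (re.compile(r"^analyzers/.*\.dll$", re.I),
     "analyzer assembly loaded by the compiler and IDE"),
]

# The package ID is pulled from the .nuspec with a regex so that no XML
# parser is run over untrusted input.
ID_RE = re.compile(r"<id>\s*([^<]+?)\s*</id>")


def non_ascii_chars(text):
    """Return (index, code point, Unicode name) for every non-ASCII character."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(text)
        if ord(ch) > 127
    ]


def audit_nupkg(data):
    """Inspect a .nupkg given as bytes, without extracting or executing anything."""
    findings = {"id": None, "id_non_ascii": [], "auto_run": []}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            path = name.replace("\\", "/").lstrip("/")
            # The manifest sits at the root of the archive.
            if "/" not in path and path.lower().endswith(".nuspec"):
                manifest = archive.read(name).decode("utf-8", errors="replace")
                match = ID_RE.search(manifest)
                if match:
                    findings["id"] = match.group(1)
            for pattern, reason in AUTO_RUN_PATTERNS:
                if pattern.match(path):
                    findings["auto_run"].append((path, reason))
    if findings["id"]:
        # A look-alike letter from another script shows up here by name.
        findings["id_non_ascii"] = non_ascii_chars(findings["id"])
    return findings


def build_sample_nupkg():
    """Constructed sample: an in-memory package whose ID hides a Cyrillic 'o'."""
    package_id = "Dem\u043e.Package"  # constructed ID, fourth letter is U+043E
    nuspec = (
        '<?xml version="1.0"?><package><metadata>'
        f"<id>{package_id}</id><version>1.0.0</version>"
        "</metadata></package>"
    )
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("Demo.Package.nuspec", nuspec)
        archive.writestr("lib/net6.0/Demo.Package.dll", b"placeholder")
        archive.writestr("tools/init.ps1", b"# placeholder")
        archive.writestr("build/Demo.Package.targets", b"<Project />")
        archive.writestr("analyzers/dotnet/cs/Demo.Analyzer.dll", b"placeholder")
    return buffer.getvalue()


if __name__ == "__main__":
    report = audit_nupkg(build_sample_nupkg())
    print("package id:", report["id"])
    for index, code_point, char_name in report["id_non_ascii"]:
        print(f"  non-ASCII character at index {index}: {code_point} {char_name}")
    for path, reason in report["auto_run"]:
        print(f"  {path}: {reason}")
```

An empty result does not make a package safe, since the library assembly itself runs once your code calls into it; the check only shows which files would execute earlier than that.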
I'm a coder and had a Security+ certification in a prior life - and I'm blown away by how many new things I learned from this video. I've been a big fan of your channel for a while, but - wow - this video is truly outstanding. I know I'll be using it as a how-to reference repeatedly and recommending it to as many people as I can.
The fact that they were able to fake having this many downloads is the scary bit, I would have thought it's legit too. That should definitely be fixed.
I like how Smart App Control was mentioned as "easier for most people" when it requires you to nuke your windows install. I feel like for most people they'd rather figure out how to do the AppLocker stuff.
Plus reinstalling windows is a multi-day job when you have to reinstall all of the open source apps, utilities, chrome extensions etc… It’s something I only do when I upgrade the OS. Also, I found that when I install security suites, file Explorer starts hanging, so I use Windows Defender now. I’m not happy about that, but I am super careful and scan downloads with virustotal.
i think he means for most "light" or "casual" users, people who only browse the web, use social media, emails, gaming etc. much easier to just download a game and a few programs again from a list than to get all of your programs and dependencies and settings, directories etc back how you had them.
lol. Why do people still use Windows by choice in 2023? If you want a secure Windows version, use Windows 8/8.1 RT or Windows Phone. They're not very useful in terms of additional applications, but at least you can't run 99.9999999% of malware on them. Or just don't be pit stew. I stopped using Windows back in 2017. The spyware telemetry doesn't feel like a big deal until you use a metered connection and Win10 uses half a GB of data in 15 minutes without your knowledge or consent.
One thing that really stands out to me about the download numbers at 2:00 is that all four packages have almost exactly the same number of downloads, which for four disparate packages claiming to have downloads in the hundreds of thousands is very suspicious. They couldn't even be bothered to add some randomness to how many fake downloads they botted.
And it would be believable if the numbers were similar for only Discord and Xbox plugins as they are both for gaming. But I am not sure how OpenAI, Discord, Xbox and VRChat would be used almost the exact same number of times like they can all fit in a single project made by everyone who used them. Even if the plugins were all logical to work together, 200k projects using ALL of them? And I am not sure that many people would use the Discord plugin with Xbox and OpenAI.
Well, Nuget is rather sketchy still compared to official Winget (all packages basically screened by Microsoft-related entities). Inbuilt Windows tools even do signature checks for trusted issuers (which you would only expect from most Linux distros or official stores). Though, of course Chocolatey & Nuget have many more packages available.
One insidious variation of these software supply chain attacks is when the bad guys buy out publishers (who are often just lone developers) of established and popular packages and then replace the legitimate package with a malware version. Developers who have used the package for years would have no idea what was going on because as far as they know they're just downloading the latest version of a trusted package.
1. If it ain't broke, don't fix it. 2. Stop using other people's code and write it yourself. A big reason why software now is full of buggy messes is because people just include every library on the planet. The npm left-pad debacle shows just how pointless many of these imports are.
It's crazy how a program as big and reputable as Visual Studio has such a glaring security oversight. Even though I primarily use Linux (arch btw kekw) I'm still looking forward to seeing your App locker setup video! Ty for teaching me something new as always!
8:17 - MZ is a well-known magic number for all executables in Windows, so it tried to make an exe file. You can make a context menu option to add something into AppLocker exceptions with a tiny bit of scripting.
Thanks Joe that was a nice technical video, and in your usual way you spoke clearly for those less technical, whilst giving us techy people info too 10/10 :)
Thank you for the video. I also use Bitdefender on 4 PCs that I only access through Microsoft Desktop Remote (gaming and Stable Diffusion). Your video got me to wake up, do scans, and review the recommendations like "autoplay media", etc. I guess unless you are always active, you are a noob with security. So again, thank you, I really appreciate what you do.
Nice work! A (possibly MORE) valuable test - at least for a lot of folks - might be to see what Windows Defender does with this thing, and stuff like it.
Yes! I was/am under the impression from videos in the past years that paying for security software often makes things _worse_ than what Windows already offers. Is that still true?
@@redyau_ So at home I used to have antivirus, even tried multiple of them. But every single time an AV would find something suspicious and pop up the notification, so would the defender. Last time I reinstalled Windows I haven't even bothered to get or pay for AV. Been using online Defender since and had no problems. And yes, it has stopped multiple malicious .exe files. I also have it set up so that most of my folders aren't accessible without a pop up asking for the permission. So basically no app can download anything into Documents, Music, Videos, Desktop, directly on the C disk, Windows folder or anywhere else except in Downloads. And it also asks for admin permission to run everything all the time except Web browser. Yes, it is kinda annoying to have admin access prompt show up every time I open Photoshop but that way no .exe files can be run without permission.
There is a reason they use plugins. So the initial file sent / downloaded / executed is small in size (say 50KB instead of 15MB) the idea is get the foot in the door, execute the stub file, and the stub file goes to get the full size files and executes them.
As a Win 10 LTSC user for work - Would love to see the video for app locker if it's supported! We've effectively blacklisted Win 11 until it's matured a bit more.
I honestly don't understand how Microsoft manages NuGet so poorly. 1) Why allow Cyrillic characters in the first place? 2) No quality control on the packages? ... This seems to be straight up negligent from Microsoft.
As an IT worker, I'm very thankful for your videos. I gain a lot of education from the channel that I don't anywhere else. Looking forward to seeing the video on App Locker down the line. We do have this implemented at my company, but we're fairly new to it so I'd love to hear more about its potential and how it can be better utilized.
These situations like his aren't something that happens to everyone so seeing it from him means that I've learned something I probably otherwise never would.
Windows: the only mainstream OS to provide no isolation between applications. Once one runs, it has access to everything. Good video and great explanations on how to properly use/configure AppLocker.
Secure OS engineer here! You could say this about all of the major operating systems. MacOS does have the App Sandbox, which is a true capability sandbox, but it doesn't tell the user about how safe they are, and it has some interesting holes around file type groups that have been exploitable in Microsoft office. Linux really has nothing usable in that space - don't install apps you don't completely trust on Linux.
@@capability-snob Linux has AppArmor & SELinux, but both are basically unused so +1 for having nothing usable. I jumped ship to ChromeOS about 9 years ago after reading their security design docs. I'm a malware analysis engineer and CrOS keeps me safe enough. Just frustrating to see folks continue to be attacked by stuff like this and not seeing OS vendors work toward improving the situation. What do you use?
The biggest problem with checking for signed executables is that EV code signing certs are only given to companies. If you're a small indie FOSS developer/group without an incorporated entity you're basically shit outta luck. And with smart app control, given how much data they force you to send to them, is, in my european opinion, not really a good alternative and will not work anyways in many cases. For my PC e.g. it just tells me I have to do a clean install (because... it's not turned on. which I'd venture a guess is the same for everyone who upgraded from an older windows version) which is like... Uh.. No?! I already did that once, and thanks to windows being so horrible when it comes to reinstalling it took me forever to properly set everything up again (having to re-download multiple 100+GB apps again on an 80Mb/s line is PAIN) and I'm still having issues thanks to MS p much ignoring some issues with more advanced security features (which they pushed so hard for on W11) not being able to be turned on or not properly reporting that they are turned on.
Agreed! In our school, all computers are connected to the main school server from which admin is controlling our internet access as well as other stuff like our Google Suite (or however it is called, I believe it is Workspace) for our email and domain management. Something similar to what he has showed in the video is set up there too. Our website access is controlled but also what files can and cannot be run. As we have programming as a school subject, stuff like this happens to us too so we cannot run any .exe or .dll files without admin permission. Our teacher's computer cannot overwrite the rule set by network admin. Teacher can only add new rules with some limitations. So when we make a program, it obviously isn't signed by Microsoft or any big company so in order to run it we need our network admin to approve the program. We suggest adding the folder where any files would be runnable but the school did not agree. I just got an idea that we could ask for such a thing on our teacher's computer. That way he would have the control over which files will be stored in the folder. However, one class made a little program for calculating something school's finance department needed. As they were about to show their program to the principal and Head of IT in front of multiple Computer Science and Programming teachers, the program did not run because it was not signed by a known company and it was only allowed to run on IT Classroom computers. Once again, it was resolved later as it got approved for the whole network, but it was kinda embarrassing for the students who made it. Also, it would be veeery appreciated if Microsoft enabled OneDrive to store our Windows settings like WiFi passwords, lightmode/darkmode and blue light settings, etc., like every phone does, so when I log into my Microsoft account on my new laptop I don't have to set everything up ONE BY ONE setting every single time I switch my laptop. Also the synchronisation of those settings between my laptop and PC would be very nice, thank you Microsoft.
That first batch file is indeed weird. The fact that it starts with MZ indicates that it's really an EXE file, so it's strange that it wouldn't run after being renamed to EXE.
Many other Windows files start with MZ. Libraries, drivers, even some fonts. There could be a DLL intended for sideloading with a popular executable, such as explorer.exe.
Whoa! Thank you very much! I didn't pay serious attention to app locker. I will from now on. Seems like a hassle, but a life saver at the same time. The problem with MS "automated" options without exceptions is if you would like to run something that MS don't want you to. For example, an old version of Office could be blocked for "security reasons" for being "outdated", even if you only would use it locally. I've seen this behaviour in some antiviruses that block certain web sites because of "reasons" (that have nothing to do with security)...
Possibly of even more concern is that 8 hours later some of the more common AVs (Avast, AVG, Trend, Kaspersky, F-Secure) are still not flagging the a file and only doing somewhat better on the first file.
Thanks for this awareness! Being a developer or other kind of technical user you have the advantage of understanding things faster than regular users, but this shows we still need to be aware and careful. Note that this same issue is not just important for the DotNet developers, but also for those who rely on other package managers like those of Node, Python, Ruby or even Rust.
5:34 I think this was a bit misleading.. I wouldn't call it extremely rare. There are plenty of blackmarket shops selling signing services and EV certificates for less than $100. It's uncommon to see in day-to-day malware but in highly-specialized and targeted attacks it's pretty common.
@@schwingedeshaehers Regular malware is distributed frequently, higher distribution is more likely to get noticed/analyzed. Certificates are more likely to get revoked.
Visual Studio itself is quite alarming with all the extensions from all over the place which are readily added. There are dozens of options available for a given capability, and just finding which one is useful is a chore. Verifying validity and non-maliciousness is yet another major chore. A plain, uninfectable editor and a command-line debugger still work just fine.
Honestly it's nice that you share your experience so others don't meet the same fate instead of just being salty about it and posting on social media like other people would do.
IIRC, wasn't the first "virus" actually a screensaver? Pretty sure it was made as a prank, that would turn off someone's screen after a set period of inactivity giving the impression of a fault. Later on it was found that it could help prevent burn in on old CRT so rebranded as a screensaver.
The last time I fell for a scam, I got a spoofed email from a colleague asking for my help. Unfortunately for the scammer, my colleague's office was right next to mine so I just walked over to see what help he needed. That was my reminder I am not immune from falling for a scam.
Thanks so much for this video! I'm a sysadmin and have AppLocker applied to my SMB. I'll be adding your deny rules to my policy, right now we've just been relying on the implicit deny and I've been allowing things by path (yes, I know, hash like you do is much better but I'm applying these policies to over 100 users/computers I can't manually add each new hash every time a Teams update or whatever drops, that's way too much work.) Also, if you didn't know AppLocker has previously only been available via Local Group Policy and Intune CSP unless you had Windows Enterprise. If you wanted to apply it to an organization using Windows Pro, you had to use Intune, the ADMX policies for Group Policy Management on DCs existed but they didn't do anything unless you had Windows 10/11 Enterprise licenses on your workstations. I've noticed recently that my AppLocker policy is being applied via GPO, I was using it just to write the policy and export to an XML file to copy/paste into the Intune AppLocker CSP configuration profile I created. However it seems to be working via GPO now, so apparently Microsoft changed the requirements and it will now work with Windows Pro licenses via Group Policy Management on an AD domain. If you're (I mean @ThioJoe or anyone nerdly enough to have read all that above) you might also be interested in an NDR, NG Firewall (why are Fortigates with SFP+ ports so expensive? I want to run one at home), and SIEM. Stay safe. The Internet is a crazy place these days. Kinda bummed I didn't get to enjoy the days when a sysadmin's primary concern was uptime.
Smart App Control is not on "a fresh install of windows" What is needed is you to allow them to gather optional diagnostic data when you select those options in the OOBE. If you select "only mandatory diagnostic data" the option is already grayed out on a fresh install by default. And yeah there's also the thing about "if you disable it you cannot re enable it"
I normally very dislike the too extreme facial expressions in the thumbnails (even more if produced by the AI), but this one, man, this one fits! It was genius.
I actually had a similar experience myself, once, where my own carelessness would've gotten me infected with malware. The thing that saved me was Comodo Firewall, though I've since stopped using that firewall, the reason being it would prompt you for permission any time an application did anything that had potential to be malicious. Such as dropping an executable file into appdata, running an executable file, and much more, but the prompts were quite annoying on a day to day basis and that was the only time they ever actually did any good.
I had not even thought of package installer/stores/extension managers like NuGet or VSCode extensions as being a good way to distribute malware payloads. Better research any package before you install, to make sure it's really something you can trust and actually coming from the source you think it is.
to make things a bit easier on yourself, could you make a "whitelist folder" where you could just drop a file that failed to run already to bypass applocker? i mean in theory, malware could take advantage of that too, but that'd have to be a pretty targeted attack.
The issue is when you have a trusted app that can download other executables like in this case. You would most likely mark its download folder as trusted. If it downloads a malicious software, it will also be put in the same folder. Now you have an untrusted file in a trusted folder.
@@aeghohloechu5022 this is why in our school in IT Classroom we aren't allowed to run any .exe files. Our teacher has one folder that can run any .exe file so we send our files via network to him and he runs the program in the folder. If it was made as an exam then that's it. But if we made it for use in school like one class that made a program for our school's finance department, then our Web admin has to approve it.
@@qkzalswns a lot of the time you can take advantage of the rundll32 program to execute arbitrary code on locked down devices btw. As applocker doesn't affect DLLs
I just sent this to all devs I know that use VS, n told them to watch at least the first 4 minutes, cuz this is definitely something I could have fallen for.
@Inspirator_AG112 The LTT Twitter got hacked around 6 or 7 years ago. I think that's why Linus has his own personal Twitter, since the intrusion came from SIM jacking his phone number.
The big issue with NuGet and kin is the same as with NPM and other code snippet repositories in that basically anyone can upload files to them. This is quite different from distro-specific repositories where you first need to gain the trust of maintainers to even get permission for uploading. This is why I feel a lot more comfortable getting development libraries from the Arch repos even on Windows (via MSYS2). While I also use MSVS and the package managers, those are subject to a lot more auditing and sanity checks, exactly because of the much higher risk factor.
I use Ubuntu (a Linux based operating system), and I have two programs I make sure to install. ufw is an uncomplicated firewall for Linux distributions that does exactly what it says in the name. Linux doesn't usually come with a firewall depending on which distribution you use, so always make sure you have it installed with sudo ufw enable to both verify installation and enable your firewall if it isn't already. clamav is an antivirus built to work in Linux. Antivirus programs usually don't work in a Linux environment because of the architecture differences from their primary target audience: Windows users. You also don't technically need an av due to the lack of conventional malware for Linux Desktop users. However, it's better to be safe than sorry.
Linux was built for security from the start, if you are bored enough you can look at almost everything running on your system. Windows had another history so they never had it from the start.
That's like saying the Windows Store, App Store, Google Play Store are things to stay away from because sometimes malware makes it onto them. (Then again…)
In some of your videos, like the tips and tricks ones, I know everything that's going on. (Still enjoy watching them, because occasionally there is something new for me!) In this video, I had no idea about almost any of this, beyond how to install NuGet packages...and that's the scary part!
I’m surprised that Microsoft doesn’t vet these extensions. Maybe I shouldn’t be… Why don’t you open the created file in HXD & the batch file in Programmer’s Notepad?
Most of these programming package managers don't sadly because it's all community uploads unlike say Winget or Linux package managers where a few trusted community members/company employees vet the packages and then upload them. pip and node suffer from these issues all the time and when a project gets hacked it can be really bad if some people have their settings to use the latest version of a package instead of a specific version.
@@hostgrady Yeah, but that’s no excuse for MS to not be green-flagging valid extensions & red-flagging invalid ones. They shouldn’t be allowing them to just be posted without oversight.
I’ve been using bit defender for many years already a couple of years ago I got hacked by scammers, taking over my RUclips channel and bit defender did not protect me at the time. It finally detected it the behaviours being inappropriate and blocked it, but not before it was too late. They had already stolen my cookies so they could log into my channel.
You're brave! In terms of risk, I'd consider my development environment at the top. For me, it's a completely separate system with no password manager and no access to commit to code repos. I use Code Server as the IDE for my development environment. That way it is seamless to access from my primary laptop/desktop. The SSH key needed for pushing commits to Github is on a Yubikey, on my primary machine. When I need to push code I ssh to the development environment and use ssh-agent forwarding. The private key never leaves my Yubikey and can only be activated with a physical press.
Thank you for this informative video. I consider myself a poweruser but have never even heard of AppLocker. I enabled it as soon as I finished the video. Looking forward to your video about AppLocker!
@@ThioJoe As always. You'd think the page hosts would start scanning scripts, especially autorun scripts, for commands that download files and automatically sandbox and test what is downloaded from them. Play store has the exact same issue, because they do not test for files downloaded by the game, only the files they host themselves apparently
@@VaiCaDep0893 it's called "don't install/run suspicious apps". If you only get your stuff from the Play Store and other trustworthy sources like F-Droid you shouldn't have any problems.
@@elnkr2603 even Play Store has some sketchy shit published to, I worked at phone technical assist for 6 months and out of countless adware ridden android phones, not one had "unknown install sources" allowed, all of it was downloaded from the play store and then when already installed had many techniques to hide the app from the menu and giving themselves permissions
I've said it many times before and gonna say it again, "needs physical access" is not a thing, as soon as you have it in your system it can run, and you can download it inadvertently from ANYWHERE
Another thing you gotta look out for is VS projects downloaded from the internet running custom build steps. I know VS warns about it, but most ppl are so accustomed to just clicking through the dialog
This is so vindicating. I've had to say no so many times to users wondering "Why can't I just install Spotify myself?", it only takes one bad download and I have so much more work. I have been thinking about scenarios exactly like this with the Cyrillic letters.
Interestingly enough, I was just thinking about this very thing a few days ago as I was going through my Android phone Play Store looking for an OpenAI app. I noticed a very large number of purported AI apps in the store. Many try to imitate (through the logo or name) an official OpenAI app. It looked odd to me, and after a very quick research, I realized that OpenAI doesn't yet have an official Android app. They only offer one for iOS. I ended up not downloading anything to my phone. And my thought was that AI functionality can very easily turn into a vector for scams and even malware. And here you are with one example of the latter!
You wouldn't even run it on a separate test computer to show us ( the viewers ) the possible extent of its damage and if it would be removable after a real infection .
2:04 It's also suspicious how all those packages just happened to be downloaded exactly at around 284k times, as if a script was run for a similar amount of times to repeatedly and artificially raise the download count. Another potential giveaway was the grammar mistakes in the package description such as "A official" instead of "An official/the official"
I've just swapped from Kaspersky to Bitdefender on Windows and Android devices, I've always hated the UI ever since the beginning, but the latest UI is great and I am loving Bitdefender.
Wow I always thought when something looks official and without any grammatical mistakes it's safe. I guess I have to find new ways of detecting viruses myself. I'm glad you're safe and thank you for providing us with this info, it helps a lot.
I don't mind when someone makes a grammatical mistake. I sometimes download from places where there are grammatical places as well. What I do first tho is check rating on website and check if website itself is secure, I have plenty of websites that have proven themselves to me. But even in google play store or official places can sometimes contain a virus as almost everyone can upload whatever they want. @@thenickstrikebetter
This reminds me of 'protestware' where well-known legit repository apps suddenly go rogue with code to do malicious damage to users in target countries etc. (Russia for example)
Big 🅱️ruh moment
yo im seventh
Bruh I’m first not [Dam RUclips refresh]
Just show case your pc instead of using it. Then you'll never get any viruses.😂
yeah massive bruh moment
Certified 🅱️rah moment
@@qkzalswns he was never our first victim lol we got loads
Lol “batch” like they're some food or something…or at least that's the picture I get
It's only paranoia until you're right. And it's never paranoia to begin with because this stuff happens all the time.
Just because you're not paranoid, that doesn't mean they're not out to get you!
@@Twinrehz how abt using pirated software & activating office windows using batch files?
@@jirehla-ab1671 Why do that when you can use LibreOffice for free.
This is a reminder that no one is entirely safe from hacks and scams
K
The moment you think you know everything, You know nothing.
@@crisnmaryfam7344 absolutely
@@KobrokoHere K
@@GodofToast absolutely
you seen thiojoe is kind of sketchy as he got virus attacked🤣🤣🤣
the malicious code can also be injected in the designer if you are using winforms
If it adds winform or wpf controls then displaying them in the designer will execute it .
I think that's what they call supply chain attack.
@@raven4k998 like how nobody is immune to propaganda, nobody is immune to viruses.
Glad it was helpful, thanks! 🙏
Yeah sounds like they also found an SQL exploit
Same. I thought it might have been a false flag after looking at that in the video too lol
I like how Smart App Control was mentioned as "easier for most people" when it requires you to nuke your windows install. I feel like for most people they'd rather figure out how to do the AppLocker stuff.
Plus reinstalling windows is a multi-day job when you have to reinstall all of the open source apps, utilities, chrome extensions etc… It’s something I only do when I upgrade the OS. Also, I found that when I install security suites, file Explorer starts hanging, so I use Windows Defender now. I’m not happy about that, but I am super careful and scan downloads with virustotal.
@@thebritishindian1 some of the apps have portable version, like browsers, it saves a tons of time when I reinstall the windows.
i think he means for most "light" or "casual" users, people who only browse the web, use social media, emails, gaming etc. much easier to just download a game and a few programs again from a list than to get all of your programs and dependencies and settings, directories etc back how you had them.
Microsoft didn't enable this by default because they knew it would inevitably lock people out of a lot of apps, possibly even their own
lol. Why do people still use Windows by choice in 2023? If you want a secure Windows version, use Windows 8/8.1 RT or Windows Phone. They're not very useful in terms of additional applications, but at least you can't run 99.9999999% of malware on them. Or just don't be pit stew.
I stopped using Windows back in 2017. The spyware telemetry doesn't feel like a big deal until you use a metered connection and Win10 uses half a GB of data in 15 minutes without your knowledge or consent.
One thing that really stands out to me about the download numbers at 2:00 is that all four packages have almost exactly the same number of downloads, which for four disparate packages claiming to have downloads in the hundreds of thousands is very suspicious. They couldn't even be bothered to add some randomness to how many fake downloads they botted.
And it would be believable if the numbers were similar for only Discord and Xbox plugins as they are both for gaming. But I am not sure how OpenAI, Discord, Xbox and VRChat would be used almost exact same number of times like they can all fit in a single project made by everyone who used them. Even if the plugins were all logical to work together, 200k projects using ALL of them? And I am not sure that many people would use the Discord plugin with Xbox and OpenAI.
@@qkzalswns Discord isn't for gaming...
such moments make us feel proud that we are so much into tech and security XD
K
if u werent then u wouldnt be installing packages with nuget anyways
Well, Nuget is rather sketchy still compared to official Winget (all packages basically screened by Microsoft-related entities). Inbuilt Windows tools even do signature checks for trusted issuers (which you would only expect from most Linux distros or official stores). Though, of course Chocolatey & Nuget have many more packages available.
Good morning sir
One insidious variation of these software supply chain attacks is when the bad guys buy out publishers (who are often just lone developers) of established and popular packages and then replace the legitimate package with a malware version. Developers who have used the package for years would have no idea what was going on because as far as they know they're just downloading the latest version of a trusted package.
True. It's really an ethical responsibility of the original developer to give advanced notice of such.
1. If it ain't broke, don't fix it.
2. Stop using other people's code and write it yourself. A big reason why software now is full of buggy messes is because people just include every library on the planet. The npm left-pad debacle shows just how pointless many of these imports are.
the internet is a joke
glad you got out of being hacked, thanks for detailing it and making people aware of the fact that even the best of us can make mistakes
Very interesting piece of malware. Thank you for providing details for using App Locker. Keep up with the awesome uploads!
K
i wouldve liked to see windows defender tested against this virus
And Kaspersky
Avast
+1
I want to see Kaspersky too
If you check virustotal, microsoft blocked it
It's crazy how a program as big and reputable as Visual Studio has such a glaring security oversight. Even though I primarily use Linux (arch btw kekw) I'm still looking forward to seeing your App locker setup video! Ty for teaching me something new as always!
8:17 - MZ is well known magic number for all executables in Windows, so it tried to make an exe file
You can make a context menu option to add something into AppLocker exceptions with a tiny bit of scripting
You will still need to find the exact file, and that seems to be the most tedious part, considering you need to go through the event log
By the way Thio, you're my #1 place to get news on tech and stuff. (Your old flat earther rant video was also hilarious lol)
Thanks Joe that was a nice technical video, and in your usual way you spoke clearly for those less technical, whilst giving us techy people info too 10/10 :)
Doubt it would work. From what I saw on TPSC yt channel, it's not that good. Offline it barely detects anything.
Thank you for the video. I also use Bitdefender on 4 PCs that I only access through Microsoft Desktop Remote (gaming and Stable Diffusion). Your video got me to wake up, do scans, and review the recommendations like "autoplay media", etc. I guess unless you are always active, you are a noob with security.
So again, thank you, I really appreciate what you do.
Nice work!
A (possibly MORE) valuable test - at least for a lot of folks - might be to see what Windows Defender does with this thing, and stuff like it.
Yes! I was/am under the impression from videos in the past years that paying for security software often makes things _worse_ than what Windows already offers. Is that still true?
@@redyau_ So at home I used to have antivirus, even tried multiple of them. But every single time an AV would find something suspicious and pop up the notification, so would the defender. Last time I reinstalled Windows I haven't even bothered to get or pay for AV. Been using online Defender since and had no problems. And yes, it has stopped multiple malicious .exe files. I also have it set up so that most of my folders aren't accessible without a pop up asking for the permission. So basically no app can download anything into Documents, Music, Videos, Desktop, directly on the C disk, Windows folder or anywhere else except in Downloads. And it also asks for admin permission to run everything all the time except Web browser. Yes, it is kinda annoying to have admin access prompt show up every time I open Photoshop but that way no .exe files can be run without permission.
There is a reason they use plugins. So the initial file sent / downloaded / executed is small in size (say 50KB instead of 15MB) the idea is get the foot in the door, execute the stub file, and the stub file goes to get the full size files and executes them.
As a Win 10 LTSC user for work - Would love to see the video for app locker if it's supported! We've effectively blacklisted Win 11 until it's matured a bit more.
I think myself fairly capable regarding security, but I learnt a lot here. Thanks, Thio!
I honestly dont understand how microsoft manages nuget so poorly.
1) Why allow cyrillic characters in the first place?
2) No quality control on the packages?
...
This seems to be straight up negligent from microsoft.
What if the library is just straight up in the Cyrillic language?
what do you mean "why"? languages exist bruh
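The two threads above (packages that ship `tools/init.ps1`, analyzers or other code that runs without starting your app, and Cyrillic look-alike characters in package names) can be checked before a package is ever installed. The following is an added example, not code from the video or from any commenter: it opens a `.nupkg` (a zip archive) and reports entries that can run during install, solution load or build, and flags a package id only when it mixes scripts, so an id written entirely in Cyrillic is not flagged. The sample package, its id `Example.Core` and the finding labels are constructed for illustration.

```python
import io
import unicodedata
import xml.etree.ElementTree as ET
import zipfile


def scripts_in(identifier):
    """Return the Unicode scripts (LATIN, CYRILLIC, ...) used by the letters of an id."""
    scripts = set()
    for ch in identifier:
        if ch.isalpha():
            # Unicode character names start with the script, e.g. "CYRILLIC SMALL LETTER O".
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def risky_entry(path):
    """Classify archive entries that can execute without the app itself being run."""
    p = path.replace("\\", "/").lower()
    top = p.split("/", 1)[0]
    if top == "tools" and p.endswith(".ps1"):
        return "auto-run-script"      # init.ps1 / install.ps1 style PowerShell scripts
    if top in ("build", "buildtransitive") and p.endswith((".targets", ".props")):
        return "msbuild-import"       # MSBuild files pulled into the consuming project's build
    if top == "analyzers" and p.endswith(".dll"):
        return "analyzer-assembly"    # loaded by the compiler and the IDE
    return None


def read_package_id(zf):
    """Read <id> from the root-level .nuspec, ignoring whichever XML namespace it uses."""
    for name in zf.namelist():
        if name.lower().endswith(".nuspec") and "/" not in name:
            root = ET.fromstring(zf.read(name))
            for el in root.iter():
                if el.tag.rsplit("}", 1)[-1] == "id":
                    return (el.text or "").strip()
    return None


def audit_nupkg(data):
    """Return a list of (kind, detail) findings for the raw bytes of a .nupkg."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        pkg_id = read_package_id(zf)
        if pkg_id is None:
            findings.append(("missing-id", "no root .nuspec with an <id> element"))
        else:
            scripts = scripts_in(pkg_id)
            if len(scripts) > 1:
                findings.append(("mixed-script-id", ", ".join(sorted(scripts))))
        for name in zf.namelist():
            kind = risky_entry(name)
            if kind:
                findings.append((kind, name))
    return findings


def build_sample_nupkg(pkg_id, files):
    """Build a constructed, in-memory package so the audit can run offline."""
    nuspec = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
        f"<metadata><id>{pkg_id}</id><version>1.0.0</version></metadata></package>"
    ).encode("utf-8")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{pkg_id}.nuspec", nuspec)
        for path in files:
            zf.writestr(path, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the "o" in "Core" is Cyrillic U+043E, not Latin.
    sample = build_sample_nupkg(
        "Example.C\u043ere",
        ["tools/init.ps1", "analyzers/dotnet/cs/Example.Analyzers.dll", "lib/net6.0/Example.dll"],
    )
    for kind, detail in audit_nupkg(sample):
        print(f"{kind}: {detail}")
```

A finding is a prompt to read the file before installing, not a verdict: legitimate packages also ship build targets and analyzers.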
As an IT worker, I'm very thankful for your videos. I gain a lot of education from the channel that I don't anywhere else. Looking forward to seeing the video on App Locker down the line. We do have this implemented at my company, but we're fairly new to it so I'd love to hear more about its potential and how it can be better utilized.
These situations like his aren't something that happens to everyone so seeing it from him means that I've learned something I probably otherwise never would.
How TF is this allowed on the visual studio plugin page?
Windows: the only mainstream OS to provide no isolation between applications. Once one runs, it has access to everything.
Good video and great explanations on how to properly use/configure AppLocker.
Secure OS engineer here! You could say this about all of the major operating systems. MacOS does have the App Sandbox, which is a true capability sandbox, but it doesn't tell the user about how safe they are, and it has some interesting holes around file type groups that have been exploitable in Microsoft office. Linux really has nothing usable in that space - don't install apps you don't completely trust on Linux.
@@capability-snob Linux has AppArmor & SELinux, but both are basically unused so +1 for having nothing usable.
I jumped ship to ChromeOS about 9 years ago after reading their security design docs. I'm a malware analysis engineer and CrOS keeps me safe enough. Just frustrating to see folks continue to be attacked by stuff like this and not seeing OS vendors work toward improving the situation.
What do you use?
The biggest problem with checking for signed executables is that EV code signing certs are only given to companies. If you're a small indie FOSS developer/group without an incorporated entity you're basically shit outta luck. And with smart app control, given how much data they force you to send to them, is, in my european opinion, not really a good alternative and will not work anyways in many cases. For my PC e.g. it just tells me I have to do a clean install (because... it's not turned on. which i'd venture a guess is the same for everyone who upgraded from an older windows version) which is like... Uh.. No?! I already did that once, and thanks to windows being so horrible when it comes to reinstalling it took me forever to properly set everything up again (having to re-download multiple 100+GB apps again on an 80Mb/s line is PAIN) and I'm still having issues thanks to MS p much ignoring some issues with more advanced security features (which they pushed so hard for on W11) not being able to be turned on or not properly reporting that they are turned on..
Agreed! In our school, all computers are connected to the main school server from which admin is controlling our internet access as well as other stuff like our Google Suite (or however it is called, I believe it is Workspace) for our email and domain management. Something similar to what he has showed in the video is set up there too. Our website access is controlled but also what files can and cannot be run. As we have programming as a school subject, stuff like this happens to us too so we cannot run any .exe or .dll files without admin permission. Our teacher's computer cannot overwrite the rule set by network admin. Teacher can only add new rules with some limitations. So when we make a program, it obviously isn't signed by Microsoft or any big company so in order to run it we need our network admin to approve the program. We suggest adding the folder where any files would be runnable but the school did not agree. I just got an idea that we could ask for such a thing on our teacher's computer. That way he would have the control over which files will be stored in the folder. However, one class made a little program for calculating something school's finance department needed. As they were about to show their program to the principal and Head of IT in front of multiple Computer Science and Programming teachers, the program did not run because it was not signed by a known company and it was only allowed to run on IT Classroom computers. Once again, it was resolved later as it got approved for the whole network, but it was kinda embarrassing for the students who made it.
Also, it would be veeery appreciated if Microsoft enabled OneDrive to store our Windows settings like WiFi passwords, lightmode/darkmode and blue light settings, etc., like every phone does, so when I log into my Microsoft account on my new laptop I don't have to set everything up ONE BY ONE setting every single time I switch my laptop. Also the synchronisation of those settings between my laptop and PC would be very nice, thank you Microsoft.
Wow that's crazy because it so happens that one of my school projects requires me to code on visual studio, thanks for the heads up!
That first batch file is indeed weird. The fact that it starts with MZ indicates that it's really an EXE file, so it's strange that it wouldn't run after being renamed to EXE.
Many other Windows files start with MZ. Libraries, drivers, even some fonts. There could be a DLL intended for sideloading with a popular executable, such as explorer.exe.
You can actually start a process with any file extension using the CreateProcess API function
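The point made in this thread, that the `MZ` bytes identify a Windows executable image whatever the file is named and that the image may be a DLL rather than an EXE, can be checked from the file's content alone. The following is an added example, not from the video or from any commenter: it follows the DOS header's pointer to the PE signature and reads the COFF `Characteristics` flags to tell the two apart. The byte strings it runs on are constructed minimal headers, not the file shown in the video, and the function names are this example's own.

```python
import os
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002  # COFF Characteristics flag: image can be run
IMAGE_FILE_DLL = 0x2000               # COFF Characteristics flag: image is a DLL

# Extensions under which a PE image is expected; anything else carrying MZ is worth a look.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".efi"}


def classify_pe(data):
    """Return 'not-pe', 'mz-only', 'exe', 'dll' or 'pe-other' based on content only."""
    if data[:2] != b"MZ":
        return "not-pe"
    if len(data) < 0x40:
        return "mz-only"  # has the magic but is too short to hold a DOS header
    # e_lfanew at offset 0x3C of the DOS header points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "mz-only"
    # The 20-byte COFF header follows the signature; Characteristics is its last field.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    if characteristics & IMAGE_FILE_DLL:
        return "dll"
    if characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        return "exe"
    return "pe-other"


def extension_mismatch(filename, data):
    """True when the content is a PE image but the name claims to be something else."""
    kind = classify_pe(data)
    ext = os.path.splitext(filename)[1].lower()
    return kind in ("exe", "dll", "pe-other") and ext not in PE_EXTENSIONS


def build_sample_pe(characteristics):
    """Constructed 88-byte sample: DOS header, PE signature and COFF header only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE signature directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    samples = {
        "x.bat": build_sample_pe(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL),
        "setup.exe": build_sample_pe(IMAGE_FILE_EXECUTABLE_IMAGE),
        "run.bat": b"@echo off\r\necho hello\r\n",
    }
    for name, blob in samples.items():
        print(name, classify_pe(blob), "MISMATCH" if extension_mismatch(name, blob) else "ok")
```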
Whoa! Thank you very much! I didn't pay serious attention to app locker. I will from now on. Seems like a hassle, but a life saver at the same time. The problem with MS "automated" options without exceptions is if you would like to run something that MS don't want you to. For example, an old version of Office could be blocked for "security reasons" for being "outdated", even if you only would use it locally. I've seen this behaviour in some antiviruses that block certain web sites because of "reasons" (that have nothing to do to security)...
Possibly of even more concern is that 8 hours later some of the more common AVs (Avast, AVG, Trend, Kaspersky, F-Secure) are still not flagging the a file and only doing somewhat better on the first file.
I thought AVG was buried to early 2010s
Thanks for this awareness! Being a developer or other kind of technical user you have the advantage of understanding things faster than regular users, but this shows we still need to be aware and careful.
Note that this same issue is not just important for the DotNet developers, but also for those who rely on other package managers like those of Node, Python, Ruby or even Rust.
7:45 "The big daddy malware" got me😂
5:34 I think this was a bit misleading.. I wouldn't call it extremely rare. There are plenty of blackmarket shops selling signing services and EV certificates for less than $100. It's uncommon to see in day-to-day malware but in highly-specialized and targeted attacks it's pretty common.
If it is less than 100$ why don't use it for normal malware?
@@schwingedeshaehers Regular malware is distributed frequently, higher distribution is more likely to get noticed/analyzed. Certificates are more likely to get revoked.
You definitely can't get EV for under $100
@@jc̈ but even then. You only have to look when your Certificate is revoked, and then remove it/make a new one.
@@Exachad Check HF, you can’t get the certificate but you can submit an executable to get signed for ~75 USD.
That was unexpected. I always trusted visual studio with what it does in the background and also expected that packages get verified before posted.
5:20 the actual valuable information " I dont wanna get into it" Just trust it because I do.
Congrats 3 million!
Is there some way to disable this Visual Studio legacy feature of automatically running the tools/init.ps1 script?
You can ask Microsoft to fix their code, but they have a history of intentionally ignoring user feedback. 😒 (Just like all companies.)
Visual Studio itself is quite alarming with all the extensions from all over the place which are readily added. There are dozens of options available for a given capability, and just finding which one is useful is a chore. Verifying validity and non-maliciousness is yet another major chore. A plain, uninfectable editor and a command-line debugger still work just fine.
The real package was the friends we found along the way.
honestly it's nice that you share your experience so others don't meet the same fate instead of just being salty about it and posting on social media like other people would do.
IIRC, wasn't the first "virus" actually a screensaver? Pretty sure it was made as a prank, that would turn off someone screen after a set period of inactivity giving the impression of a fault. Later on it was found that it could help prevent burn in on old CRT so rebranded as a screensaver.
Something tells me screensavers wouldn't exist without that virus
No. Viruses long predate screensavers. The first virus was more thought experiment than anything else and the payload was merely text iirc.
The last time I fell for a scam, I got a spoofed email from a colleague asking for my help.
Unfortunately for the scammer, my colleague's office was right next to mine so I just walked over to see what help he needed.
That was my reminder I am not immune from falling for a scam
Congrats on 3 Million!!!
Thanks so much for this video! I'm a sysadmin and have AppLocker applied to my SMB. I'll be adding your deny rules to my policy, right now we've just been relying on the implicit deny and I've been allowing things by path (yes, I know, hash like you do is much better but I'm applying these policies to over 100 users/computers I can't manually add each new hash every time a Teams update or whatever drops, that's way too much work.) Also, if you didn't know AppLocker has previously only been available via Local Group Policy and Intune CSP unless you had Windows Enterprise. If you wanted to apply it to an organization using Windows Pro, you had to use Intune, the ADMX policies for Group Policy Management on DCs existed but they didn't do anything unless you had Windows 10/11 Enterprise licenses on your workstations. I've noticed recently that my AppLocker policy is being applied via GPO, I was using it just to write the policy and export to an XML file to copy/paste into the Intune AppLocker CSP configuration profile I created. However it seems to be working via GPO now, so apparently Microsoft changed the requirements and it will now work with Windows Pro licenses via Group Policy Management on an AD domain.
If you're (I mean @ThioJoe or anyone nerdly enough to have read all that above) you might also be interested in an NDR, NG Firewall (why are Fortigates with SFP+ ports so expensive? I want to run one at home), and SIEM. Stay safe. The Internet is a crazy place these days. Kinda bummed I didn't get to enjoy the days when a sysadmin's primary concern was uptime.
Smart App Control is not on "a fresh install of windows"
What is needed is you to allow them to gather optional diagnostic data when you select those options in the OOBE.
If you select "only mandatory diagnostic data" the option is already grayed out on a fresh install by default.
And yeah there's also the thing about "if you disable it you cannot re enable it"
I normally very dislike the too extreme facial expressions in the thumbnails (even more if produced by the AI), but this one, man, this one fits! It was genius.
Lesson? Never download anything ever.
Not even more RAM?
Then you're stuck with no software outside of what comes with windows, or old stuff on physical media
I actually had a similar experience myself, once, where my own carelessness would've gotten me infected with malware. The thing that saved me was Comodo Firewall, though I've since stopped using that firewall, the reason being it would prompt you for permission any time an application did anything that had potential to be malicious. Such as dropping an executable file into appdata, running an executable file, and much more, but the prompts were quite annoying on a day to day basis and that was the only time they ever actually did any good.
I had not even thought of package installer/stores/extension managers like NuGet or VSCode extensions as being a good way to distribute malware payloads. Better research any package before you install, to make sure it's really something you can trust and actually coming from the source you think it is.
I heard it some months ago and since then, I compare the VS NuGet result to the original NuGet from the original GitHub repo
Congrats on 3 mil!!!
to make things a bit easier on yourself, could you make a "whitelist folder" where you could just drop a file that failed to run already to bypass applocker? i mean in theory, malware could take advantage of that too, but that'd have to be a pretty targeted attack.
The issue is when you have a trusted app that can download other executables like in this case.
You would most likely mark its download folder as trusted.
If it downloads a malicious software, it will also be put in the same folder.
Now you have an untrusted file in a trusted folder.
@@aeghohloechu5022 this is why in our school in IT Classroom we aren't allowed to run any .exe files. Our teacher has one folder that can run any .exe file so we send our files via network to him and he runs the program in the folder. If it was made as an exam then that's it. But if we made it for use in school like one class that made a program for our school's finance department, then our Web admin has to approve it.
@@qkzalswns this definitely won’t work for larger schools.
@@qkzalswns a lot of the time you can take advantage of the rundll32 program to execute arbitrary code on locked down devices btw.
As applocker doesn't affect DLLs
I just sent this to all devs I know that use VS, n told them to watch at least the first 4 minutes, cuz this is definitely something I could have fallen for.
Honestly, now I'm worried too cause I do the exact same thing by looking at most downloads
Scary stuff. Thanks for including the VirusTotal links! They are very interesting to look at.
How could someone can hack you🤦‍♂️
You Are Thio!🔥🔥
I'm glad to know that I'm not the only paranoid person in the world 😊
Keep up the great work 👍
The fact that ThioJoe, a *technology YouTuber,* narrowly dodged a scam...
Don't forget LinusTechTips also got hacked in the past
@@CattopyTheWeb Twice if I'm remembering correctly
@@Dumb_Killjoy:
I knew that one time, but twice?
Someordinarygamers too
@Inspirator_AG112 The LTT Twitter got hacked around 6 or 7 years ago. I think that's why Linus has his own personal Twitter, since the intrusion came from SIM jacking his phone number.
The big issue with NuGet and kin is the same as with NPM and other code snippet repositories in that basically anyone can upload files to them. This is quite different from distro-specific repositories where you first need to gain the trust of maintainers to even get permission for uploading. This is why I feel a lot more comfortable getting development libraries from the Arch repos even on Windows (via MSYS2). While I also use MSVS and the package managers, those are subject to a lot more auditing and sanity checks, exactly because of the much higher risk factor.
I use Ubuntu (a Linux based operating system), and I have two programs I make sure to install.
ufw is an uncomplicated firewall for Linux distributions that does exactly what it says in the name. Linux doesn't usually come with a firewall depending on which distribution you use, so always make sure you have it installed with sudo ufw enable to both verify installation and enable your firewall if it isn't already.
clamav is an antivirus built to work in Linux. Antivirus programs usually don't work in a Linux environment because of the architecture differences from their primary target audience: Windows users. You also don't technically need an av due to the lack of conventional malware for Linux Desktop users. However, it's better to be safe than sorry.
Also, it has a different approach to rights on a system
Linux was built for security from the start, if you are bored enough you can look at almost everything running on your system. Windows had another history so they never had it from the start.
We need a detailed applocker video
I'm used to SRP and didn't look at AppLocker when it came around since it seemed to be the same. Looking forward to your video about it.
I think SRP is being deprecated actually
@@ThioJoe o
It's funny how every package on the site has exactly 284k downloads. Could have been a coincidence. But it was already sus from start.
THIO'S FACE IN THE THUMBNAIL THO _💀💀💀_
NuGet sounds like something to just stay away from!
That's like saying the Windows Store, App Store, Google Play Store are things to stay away from because sometimes malware makes it onto them. (Then again…)
Excellent, useful video. I really appreciate your work in building these vids and bringing them to us.
Would windows defender have been sufficient? Would it have stopped it?
In some of your videos, like the tips and tricks ones, I know everything that's going on. (Still enjoy watching them, because occasionally there is something new for me!)
In this video, I had no idea about almost any of this, beyond how to install NuGet packages...and that's the scary part!
I’m surprised that Microsoft doesn’t vet these extensions. Maybe I shouldn’t be… Why don’t you open the created file in HXD & the batch file in Programmer’s Notepad?
Most of these programming package managers don't sadly because it's all community uploads unlike say Winget or Linux package managers where a few trusted community members/company employees vet the packages and then upload them.
pip and node suffer from these issues all the time and when a project gets hacked it can be really bad if some people have their settings to use the latest version of a package instead of a specific version.
@@hostgrady Yeah, but that’s no excuse for MS to not be green-flagging valid extensions & red-flagging invalid ones. They shouldn’t be allowing them to just be posted without oversight.
@@NinjaRunningWild yeah they also run npm which is what nodejs uses, they're really terrible with it
I’ve been using bit defender for many years already a couple of years ago I got hacked by scammers, taking over my YouTube channel and bit defender did not protect me at the time. It finally detected the behaviours being inappropriate and blocked it, but not before it was too late. They had already stolen my cookies so they could log into my channel.
Congrats on 3 Million Subscribers! 🎉
You're brave! In terms of risk, I'd consider my development environment at the top. For me, it's a completely separate system with no password manager and no access to commit to code repos. I use Code Server as the IDE for my development environment. That way it is seamless to access from my primary laptop/desktop.
The SSH key needed for pushing commits to Github is on a Yubikey, on my primary machine. When I need to push code I ssh to the development environment and use ssh-agent forwarding. The private key never leaves my Yubikey and can only be activated with a physical press.
Imagine if now he is actually an ai clone of him pretending that he almost got hacked
was wondering the same
These are the kind of videos I live for! Very informational.
This is why Hackers shouldn't target Tech YouTubers
Not only are they unsuccessful, their entire strategy is made publicly known.
It being publicly known doesn't mean all of the millions (if not billions) of potential victims automatically know about it.
Thank you for this informative video. I consider myself a poweruser but have never even heard of AppLocker. I enabled it as soon as I finished the video.
Looking forward to your video about AppLocker!
What a unique way to almost get hacked
Was thinking the same.
The SeroXen rat also has rootkits, making it very hard to remove the malware.
this is an insanely good ad
At least Visual Studio didn't add the execution bypass policy to the Powershell command line!
Do packages in store never get reviewed before posted?
I think they get a basic scan but nothing to stop them from fetching a remote virus
@@ThioJoe As always.
You'd think the page hosts would start scanning scripts, especially autorun scripts, for commands that download files and automatically sandbox and test what is downloaded from them.
Play store has the exact same issue, because they do not test for Files downloaded by the game, only the files they host themselves apparently
Windows blocks PowerShell scripts I write myself. Can’t stand that OS.
how common does this happen?
No clue
@@ThioJoe Do you know an app that I can use to protect myself on Android?
@@VaiCaDep0893 it's called "don't install/run suspicious apps". If you only get your stuff from the Play Store and other trustworthy sources like F-Droid you shouldn't have any problems.
@@elnkr2603 I know, but at least suggest me an app
@@elnkr2603 even Play Store has some sketchy shit published to, i worked at phone technical assist for 6 months and out of countless adware ridden android phones, not one had "unknown install sources" allowed, all of it was downloaded from the play store and then when already installed had many techniques to hide the app from the menu and giving themselves permissions
I've said it many times before and gonna say it again, "needs physical access" is not a thing, as soon as you have it in your system it can run, and you can download it inadvertently from ANYWHERE
You know for someone who is a tech master you seem to get into trouble a lot
The more you do, the more potential trouble you run into.
That’s my secret, I’m not a tech master
What secret?
Another thing you gotta look out for is VS projects downloaded from the internet running custom build steps. I know VS warns about it, but most ppl are so accustomed to just clicking through the dialog
Question really is if windows defender would detect it...
But obviously since bitdefender is sponsor, you wont test for it...
This is so vindicating.
I've had to say no so many times to users wondering "Why can't I just install Spotify myself?", it only takes one bad download and I have so much more work.
I have been thinking about scenarios exactly like this with the Cyrillic letters.
Thank you for your service!🖖
Interestingly enough, I was just thinking about this very thing a few days ago as I was going through my Android phone Play Store looking for an OpenAI app. I noticed a very large number of purported AI apps in the store. Many try to imitate (through the logo or name) an official OpenAI app. It looked odd to me, and after a very quick research, I realized that OpenAI doesn't yet have an official Android app. They only offer one for iOS. I ended up not downloading anything to my phone. And my thought was AI functionality can very easily turn into a vector for scams and even malware. And here you are with one example of the latter!
Most people think they'll never be phished, hacked, etc... until they are.
Don't get cocky.
It may be a pain to add a hash exception to a file, but cleaning up an infected system is a much bigger pain.
You wouldn't even run it on a separate test computer to show us (the viewers) the possible extent of its damage and if it would be removable after a real infection.
2:04 It's also suspicious how all those packages just happened to be downloaded exactly at around 284k times, as if a script was run for a similar amount of times to repeatedly and artificially raise the download count. Another potential give away was the grammar mistakes in the package description such as "A official" instead of "An official/the official"
I've just swapped from Kaspersky to Bitdefender on Windows and Android devices, I've always hated the UI ever since the beginning, but the latest UI is great and I am loving Bitdefender.
Wow I always thought when something looks official and without any grammatical mistakes it's safe. I guess I have to find new ways of detecting viruses myself. I'm glad you're safe and thank you for providing us with this info, it helps a lot.
To be fair it said "a official" when it should be "an official"
I don't mind when someone makes a grammatical mistake. I sometimes download from places where there are grammatical places as well. What I do first tho is check rating on website and check if website itself is secure, i have plenty of websites that have proven themselves to me. But even in google play store or official places can sometimes contain a virus as almost everyone can upload whatever they want. @@thenickstrikebetter
this is the first time i wanted an sponsor
This reminds me of 'protestware' where well-known legit repository apps suddenly go rogue with code to do malicious damage to users in target countries etc. (Russia for example)
You're on a whole different level Joe haha. Genius man