I Seriously Almost Just Got Hacked...

Поделиться
HTML-код
  • Опубликовано: 27 дек 2024

Комментарии • 1 тыс.

  • @ThioJoe
    @ThioJoe  Год назад +1263

    Big 🅱️ruh moment

    • @gandu_ambassador
      @gandu_ambassador Год назад +5

      yo im seventh

    • @isaackingvideos
      @isaackingvideos Год назад +11

      Bruh I’m first not [Dam RUclips refresh]

    • @projectjabir4805
      @projectjabir4805 Год назад +8

      Just show case your pc instead of using it. Then you'll never get any viruses.😂

    • @WiluckGD
      @WiluckGD Год назад +2

      yeah massive bruh moment

    • @sizanbelike
      @sizanbelike Год назад +8

      Certified 🅱️rah moment

  • @dungeonseeker3087
    @dungeonseeker3087 Год назад +477

    From the scammers point of view, it must be frustrating that one of the first batch of victims just happened to be someone who was able to identify the signs and get the thing listed in public databases.

    • @qkzalswns
      @qkzalswns Год назад +91

      Imagine working on a virus for hours and days even just for one of your first victims to be him. Reported it to his antivirus developer, even multiple AV devs, made a video about it and showed how to protect yourself from this RAT, but also many others. If I was behind this virus, I'd probably be in depression if I wasn't already xD

    • @tranhanna7524
      @tranhanna7524 Год назад

      @@qkzalswns He doesn't need to. He just need the virus to run on a few dozens computers, steal some CC info, some crypto wallet keys and wallah he has good ROI.

    • @observer_noble
      @observer_noble Год назад +6

      @@qkzalswns he was never our first victim lol we got loads

    • @Only_Sleep
      @Only_Sleep Год назад +27

      @@qkzalswns the person running it probably didn’t work on it at all. Since it has marketing, it’s probably being sold off to people.
      The scammer is definitely slamming their keyboard over having their money wasted though

    • @OmarTheAtheistAziz
      @OmarTheAtheistAziz Год назад +2

      Lol “batch” like their some food or something…or at least thats the picture i get

  • @Felttipfuzzywuzzyflyguy
    @Felttipfuzzywuzzyflyguy Год назад +1083

    It's only paranoia until you're right. And it's never paranoia to begin with because this stuff happens all the time.

    • @Twinrehz
      @Twinrehz Год назад +20

      Just because you're not paranoid, that doesn't mean they're not out to get you!

    • @TD-er
      @TD-er Год назад +3

      Absolutely!
      @ThioJoe Can you also describe your rules for AppLocker in the description text?
      I have been scrolling over and over through the video, which is good for the 'view time' of course, but it would be more practical to also have some kind of overview.

    • @jirehla-ab1671
      @jirehla-ab1671 Год назад

      ​@@Twinrehzhow abt using pirated software & activating office windows using batch files?

    • @encycl07pedia-
      @encycl07pedia- Год назад

      "this stuff happens all the time"
      I haven't run into a virus since around 2005. It's just user error to download and run files without verifying them. It's yet another reason you should code things yourself instead of importing libraries for everything.

    • @anon_y_mousse
      @anon_y_mousse Год назад +2

      @@jirehla-ab1671 Why do that when you can use LibreOffice for free.

  • @Alex-Defatte
    @Alex-Defatte Год назад +82

    A error message about a invalid character on any download should be a HUGE red flag. I would never think to tell people this.
    Thank you for your service!

  • @GodofToast
    @GodofToast Год назад +517

    This is a reminder that no one is entirely safe from hacks and scams

    • @KobrokoHere
      @KobrokoHere Год назад +5

      K

    • @crisnmaryfam7344
      @crisnmaryfam7344 Год назад +27

      The moment you think you know everything, You know nothing.

    • @GodofToast
      @GodofToast Год назад +3

      @@crisnmaryfam7344 absolutely

    • @aiexzs
      @aiexzs Год назад +2

      @@KobrokoHere K

    • @micosstar
      @micosstar Год назад

      @@GodofToast absolutely

  • @WolfspiritMagic
    @WolfspiritMagic Год назад +266

    The problem is that even if there is no "init.ps1" file the package can be dangerous. And even worse when you compile it into your own software it can also be spreading with your application. Nowerdays also analyzers and stuff can be installed via nuget package and run alongside visual studio. You don't even need to start your app for the code to execute.

    • @raven4k998
      @raven4k998 Год назад +4

      you seen thiojoe is kind of sketchy as he got virus attacked🤣🤣🤣

    • @jimmlmao
      @jimmlmao Год назад +8

      the malicious code can also be injected in the designer if you are using winforms

    • @LiEnby
      @LiEnby Год назад

      If it adds winform or wpf controls then displaying them in the designer will execute it .

    • @karappo_kun
      @karappo_kun 4 месяца назад

      I think that's what they call supply chain attack.

    • @cewla3348
      @cewla3348 4 месяца назад

      @@raven4k998 like how nobody is immune to propagnada, nobody is immune to viruses.

  • @daddio9344
    @daddio9344 Год назад +29

    I'm a coder and had a Security+ certification in a prior life - and I'm blown away by how many new things I learned from this video. I've been a big fan of your channel for a while, but - wow - this video is truly outstanding. I know I'll be using it as a how-to reference repeatedly and recommending it to as many people as I can.

    • @ThioJoe
      @ThioJoe  Год назад +8

      Glad it was helpful, thanks! 🙏

  • @b4ttlemast0r
    @b4ttlemast0r Год назад +45

    The fact that they were able to fake having this many downloads is the scary bit, I would have thought it's legit too. That should definitely be fixed.

    • @fireteamomega2343
      @fireteamomega2343 7 месяцев назад +1

      Yeah sounds like they also found an SQL exploit

    • @Aakash-pc7kz
      @Aakash-pc7kz 2 месяца назад

      Same. I thought it might have been a false flag after looking at that in the video too lol

  • @tciddados
    @tciddados Год назад +139

    I like how Smart App Control was mentioned as "easier for most people" when it requires you to nuke your windows install. I feel like for most people they'd rather figure out how to do the AppLocker stuff.

    • @thebritishindian1
      @thebritishindian1 Год назад +24

      Plus reinstalling windows is a multi-day job when you have to reinstall all of the open source apps, utilities, chrome extensions etc… It’s something I only do when I upgrade the OS. Also, I found that when I install security suites, file Explorer starts hanging, so I use Windows Defender now. I’m not happy about that, but I am super careful and scan downloads with virustotal.

    • @hardVatsuki
      @hardVatsuki Год назад +1

      @@thebritishindian1 some of the apps have portable version, like browsers, it saves a tons of time when I reinstall the windows.

    • @TheShizzlemop
      @TheShizzlemop Год назад +5

      i think he means for most "light" or "casual" users, people who only browse the web, use social media, emails, gaming etc. much easier to just download a game and a few programs again from a list than to get all of your programs and dependencies and settings, directories etc back how you had them.

    • @erikhicks07
      @erikhicks07 Год назад +6

      Microsoft didn't enable this by default because they knew it would inevitably lock people out of a lot of apps, possibly even their own

    • @encycl07pedia-
      @encycl07pedia- Год назад

      lol. Why do people still use Windows by choice in 2023? If you want a secure Windows version, use Windows 8/8.1 RT or Windows Phone. They're not very useful in terms of additional applications, but at least you can't run 99.9999999% of malware on them. Or just don't be pit stew.
      I stopped using Windows back in 2017. The spyware telemetry doesn't feel like a big deal until you use a metered connection and Win10 uses half a GB of data in 15 minutes without your knowledge or consent.

  • @MeOnStuff
    @MeOnStuff Год назад +23

    One thing that really stands out to me about the download numbers at 2:00 is that all four packages have almost exactly the same number of downloads, which for four disparate packages claiming to have downloads in the hundreds of thousands is very suspicious. They couldn't even be bothered to add some randomness to how many fake downloads they botted.

    • @qkzalswns
      @qkzalswns Год назад +5

      And it would be believable if the numbers were similar for only Discord and Xbox plugins as they are both for gaming. But I am not sure how OpenAI, Discord, Xbox and VRChat would be used almost exact same number of times like they can all fit in a single project made by everyone who used them. Even if the plugins were all logical to work together, 200k projects using ALL of them? And I am not sure that many people would use the Discors plugin with Xbox and OpenAI.

    • @encycl07pedia-
      @encycl07pedia- Год назад +1

      @@qkzalswns Discord isn't for gaming...

  • @sharkieislive
    @sharkieislive Год назад +342

    such moments makes us feel proud that we are so much into tech and security XD

    • @KobrokoHere
      @KobrokoHere Год назад

      K

    • @apache937
      @apache937 Год назад +14

      if u werent then u wouldnt be installing packages with nuget anyways

    • @whohan779
      @whohan779 Год назад +3

      Well, Nuget is rather sketchy still compared to official Winget (all packages basically screened by Microsoft-related entities). Inbuilt Windows tools even do singature checks for trusted issuers (which you would only expect from most Linux distros or official stores). Though, of course Chocolatey & Nuget have many more packages available.

    • @GrigRP
      @GrigRP Год назад

      Good morning sir

  • @dansanger5340
    @dansanger5340 Год назад +66

    One insidious variation of these software supply chain attacks is when the bad guys buy out publishers (who are often just lone developers) of established and popular packages and then replace the legitimate package with a malware version. Developers who have used the package for years would have no idea what was going on because as far as they know they're just downloading the latest version of a trusted package.

    • @erikhicks07
      @erikhicks07 Год назад +9

      True. It's really an ethical responsibility of the original developer to give advanced notice of such.

    • @encycl07pedia-
      @encycl07pedia- Год назад +4

      1. If it ain't broke, don't fix it.
      2. Stop using other people's code and write it yourself. A big reason why software now is full of buggy messes is because people just include every library on the planet. The npm left-pad debacle shows just how pointless many of these imports are.

    • @edwardmacnab354
      @edwardmacnab354 6 месяцев назад

      the internet is a joke

  • @thejoman9011
    @thejoman9011 Год назад +51

    glad you got out of being hacked, thanks for detailing it and making people aware of the fact that even the best of us can make mistakes

  • @ionamygdalon2263
    @ionamygdalon2263 Год назад +74

    Very interesting piece of malware. Thank you for providing details for using App Locker. Keep up with the awesome uploads!

  • @AcIdBARRY
    @AcIdBARRY Год назад +197

    i wouldve liked to see windows defender tested against this virus

  • @bo0sted
    @bo0sted Год назад +10

    Its crazy how a program as big and reputable as Visual Studio has such a glaring security oversight. Even though I primarily use Linux (arch btw kekw) I'm still looking forward to seeing your App locker setup video! Ty for teaching me something new as always!

  • @Gastell0
    @Gastell0 Год назад +21

    8:17 - MZ is well known magic number for all executables in Windows, so it tried to make an exe file
    You can make a context menu option to add something into AppLocker exceptions with a tiny bit of scripting

    • @aeghohloechu5022
      @aeghohloechu5022 Год назад

      You will still need to find the exact file, and that seems to be the most tedious part, considering you need to go through the event log

  • @phoenixjamiexera
    @phoenixjamiexera Год назад +12

    By the way Thio, you're my #1 place to get news on tech and stuff. (Your old flat earther rant video was also hilarious lol)

  • @MiltonGrimshaw
    @MiltonGrimshaw Год назад +13

    Thanks Joe that was a nice technical video, and in your usual way you spoke clearly for those less technical, whilst giving us techy people info too 10/10 :)

    • @kamisarma
      @kamisarma Год назад

      Doubt it would work. From what I saw on TPSC yt channel, it's not that good. Offline it barely detects anything.

  • @phuket2753
    @phuket2753 Год назад +2

    Thank you for the video. I also use Bitdefender on 4 PCs that I only access through Microsoft Desktop Remote (gaming and Stable Diffusion). Your video got me to wake up, do scans, and review the recommendations like "autoplay media", etc. I guess unless you are always active, you are a noob with security.
    So again, thank you, I really appreciate what you do.

  • @uzer_zero
    @uzer_zero Год назад +11

    Nice work!
    A (possibly MORE) valuable test - at least for a lot of folks - might be to see what Windows Defender does with this thing, and stuff like it.

    • @redyau_
      @redyau_ Год назад

      Yes! I was/am under the impression from videos in the pasz years that paying for security software often makes things _worse_ than what Windows already offers. Is that still true?

    • @qkzalswns
      @qkzalswns Год назад

      ​@@redyau_So at home I used to have antivirus, even tried multiple of them. But every single time an AV would find something suspicious and pop up the notification, so would the defender. Last time I reinstalled Windows I haven't even bothered to get or pay for AV. Been using online Defender since and had no problems. And yes, it has stopped multiple malicious .exe files. I also have it set up so that most of my folders aren't accessible without a pop up asking for the permission. So basically no app can download anything into Documents, Music, Videos, Desktop, directly on the C disk, Windows folder or anywhere else except in Downloads. And it also asks for admin permission to run everything all the time except Web browser. Yes, it is kinda annoying to have admin access prompt show up everytime I open Photoshop but that way no .exe files can be run without permission.

  • @fmo94jos8v3
    @fmo94jos8v3 Год назад +8

    There is a reason they use plugins. So the initial file sent / downloaded / executed is small in size (say 50KB instead of 15MB) the idea is get the foot in the door, execute the stub file, and the stub file goes to get the full size files and executes them.

  • @royalcanadianbearforce9841
    @royalcanadianbearforce9841 Год назад +12

    As a Win 10 LTSC user for work - Would love to see the video for app locker if its supported! We've effectively blacklisted Win 11 until its matured a bit more.

  • @taakelur
    @taakelur Год назад +29

    I think myself fairly capable regarding security, but I learnt a lot here. Thanks, Thio!

  • @mathiasdeweerdt1400
    @mathiasdeweerdt1400 Год назад +12

    I honestly dont understand how microsoft manages nuget so poorly.
    1) Why allow cyrillic characters in the first place?
    2) No quality control on the packages?
    ...
    This seems to be straight up negligent from microsoft.

    • @LiEnby
      @LiEnby Год назад +1

      What if the library is just streight up in the cryillic language?

    • @eggi4443
      @eggi4443 9 месяцев назад +3

      what do you mean "why"? languages exist bruh

  • @jeanshortswag
    @jeanshortswag Год назад +2

    As an IT worker, I'm very thankful for your videos. I gain a lot of education from the channel that I don't anywhere else. Looking forward to seeing the video on App Locker down the line. We do have this implemented at my company, but we're fairly new to it so I'd love to hear more about it's potential and how it can be better utilized.

    • @qkzalswns
      @qkzalswns Год назад

      These situations like his aren't something that happens to everyone so seeing it from him means that I've learned something g I probably otherwise never would.

  • @HeIsHarsh
    @HeIsHarsh Год назад +12

    How TF is this allowed on the visual studio plugin page?

  • @ericesev
    @ericesev Год назад +4

    Windows: the only mainstream OS to provide no isolation between applications. Once one runs, it has access to everything.
    Good video and great explanations on how to properly use/configure AppLocker.

    • @capability-snob
      @capability-snob Год назад

      Secure OS engineer here! You could say this about all of the major operating systems. MacOS does have the App Sandbox, which is a true capability sandbox, but it doesn't tell the user about how safe they are, and it has some interesting holes around file type groups that have been exploitable in Microsoft office. Linux really has nothing usable in that space - don't install apps you don't completely trust on Linux.

    • @ericesev
      @ericesev Год назад

      @@capability-snob Linux has AppArmor & SELinux, but both are basically unused so +1 for having nothing usable.
      I jumped ship to ChromeOS about 9 years ago after reading their security design docs. I'm a malware analysis engineer and CrOS keeps me safe enough. Just frustrating to see folks continue to be attacked by stuff like this and not seeing OS vendors work toward improving the situation.
      What do you use?

  • @IzzyIkigai
    @IzzyIkigai Год назад +16

    The biggest problem with checking for signed executables is that EV code signing certs are only given to companies. If you're a small indie FOSS developer/group without an incorporated entity you're basically shit outta luck. And with smart app control, given how much data they force you to send to them, is, in my european opinion, not really a good alternative and will not work anyways in many cases. For my PC e.g. it just tells me I have to do a clean install(because... it's not turned on. which i'd venture a guess is the same for everyone who upgraded from an older windows version) which is like... Uh.. No?! I already did that once, and thanks to windows being so horrible when it comes to reinstalling it took me forever to properly set everything up again(having to re-download multiple 100+GB apps again on an 80Mb/s line is PAIN) and I'm still having issues thanks to MS p much ignoring some issues with more advanced security features(which they pushed so hard for on W11) not being able to turned on or not properly reporting that they are turned on..

    • @qkzalswns
      @qkzalswns Год назад

      Agreed! In our school, all computers are connected to the main school server from which admin is controlling our internet access as well as other stuff like our Google Suite (or however it is called, I believe it is Workspace) for our email and domain management. Something similar to what he has showed in the video is set up there too. Our website access is controlled but also what files can and cannot be run. As we have programming as a school subject, stuff like this happens to us to so we cannot run any .exe or .dll files without admin permission. Our teachers computer cannot overwrite the rule set by network admin. Teacher can only add new rules with some limitations. So when we make a program, it obviously isn't signed by Microsoft or any big company so in order to run it we need our network admjn to approve the program. We suggest adding the folder where any files would be runnable but the school did not agree. I just got an idea that we could as for such a thing on our teachers computer. That way he would have the control over which files will be stored in the folder. However, one class made a little program for calculating something school's finance department needed. As they were about to show their program to the principal and Head of IT in front of multiple Computer Science and Programming teachers, the program did not run because it was not signed by a known company and it was only allowed to run on IT Classroom computers. Once again, it was resolved later as it got approved for the whole network, but it was kinda embarrassing for the studens who made it.
      Also, it would be veeery appreciated if Microsoft enabled OneDrive to store our Windows settings like WiFi passwords, lightmode/darkmode and blue light settings, etc., like every phone does, so when I log into my Microsoft account on my new laptop I don't have to set everything up ONE BY ONE setting every single time I switch my laptop. Also the synchronisation of those settings between my laptop and PC would be very nice, thank you Microsoft.

  • @kimxgamer
    @kimxgamer Год назад +2

    Wow thats crazy because it so happen that one of my school projects requires me to code on visual studio, thanks for the head up!

  • @SteltekOne
    @SteltekOne Год назад +10

    That first batch file is indeed weird. The fact that it starts with MZ indicates that it's really an EXE file, so it's strange that it wouldn't run after being renamed to EXE.

    • @zwz.zdenek
      @zwz.zdenek Год назад +2

      Many other Windows files start with MZ. Libraries, drivers, even some fonts. There could be a DLL intended for sideloading with a popular executable, such as explorer.exe.

    • @LiEnby
      @LiEnby Год назад

      You can actually start a process with any file extension using the CreateProcess API function

  • @GYTCommnts
    @GYTCommnts Год назад +2

    Whoa! Thank you very much! I didn't pay serious attention to app locker. I will from now on. Seems like a hassle, but a life saver at the same time. The problem with MS "automated" options without exeptions is if you would like to run something that MS don't want you to. For example, an old version of Office could be blocked for "security reasons" for being "outdated", even if you only would use it locally. I've seen this behaviour in some antiviruses that block certain web sites because of "reasons" (that have nothing to do to security)...

  • @downundarob
    @downundarob Год назад +7

    Possibly of even more concern is that 8 hours later some of the more common AVs (Avast, AVG, Trend, Kaspersky, F-Secure) are still not flagging the a file and only doing somewhat better on the first file.

  • @jongeduard
    @jongeduard Год назад +1

    Thanks for this awareness! Being a developer or other kind of technical user you have the advantage of understanding things faster then regular users, but this shows we still need to be aware and careful.
    Note that this same issue is not just important for the DotNet developers, but also for those who rely on other package managers like those of Node, Python, Ruby or even Rust.

  • @byteafterlife
    @byteafterlife 8 месяцев назад +4

    7:45 "The big daddy malware" got me😂

  • @jc̈
    @jc̈ Год назад +5

    5:34 I think this was a bit misleading.. I wouldn't call it extremely rare. There are plenty of blackmarket shops selling signing services and EV certificates for less than $100. It's uncommon to see in day-to-day malware but in highly-specialized and targeted attacks it's pretty common.

    • @schwingedeshaehers
      @schwingedeshaehers Год назад

      If it is less than 100$ why don't use it for normal malware?

    • @jc̈
      @jc̈ Год назад +1

      @@schwingedeshaehers Regular malware is distributed frequently, higher distribution is more likely to get noticed/analyzed. Certificates are more likely to get revoked.

    • @Exachad
      @Exachad Год назад +1

      You definitely can't get EV for under $100

    • @schwingedeshaehers
      @schwingedeshaehers Год назад

      @@jc̈ but even then. You only have to look when your Certificate is revoked, and then remove it/make a new one.

    • @anti-cheat
      @anti-cheat Год назад

      @@Exachad Check HF, you can’t get the certificate but you can submit an executable to get signed for ~75 USD.

  • @raresandrei7205
    @raresandrei7205 Год назад +4

    That's was unexpected. I always trusted visual studio with what It does in the background and also expected that packages get verified before posted.

  • @crisnmaryfam7344
    @crisnmaryfam7344 Год назад +1

    5:20 the actual valuable information " I dont wanna get into it" Just trust it because I do.

  • @yusinwu
    @yusinwu Год назад +9

    Congrats 3 million!
    Is there someway to disable this Visual Studio leagacy feature of automatically running the tools/init.ps1 script?

    • @I.____.....__...__
      @I.____.....__...__ Год назад +3

      You can ask Microsoft to fix their code, but they have a history of intentionally ignoring user feedback. 😒 (Just like all companies.)

  • @onehitpick9758
    @onehitpick9758 Год назад +1

    Visual Studio itself is quite alarming with all the extensions from all over the place which are readily added. There are dozens of options available for a given capability, and just finding which one is useful is a chore. Verifying validity and non-maliciousness is yet another major chore. A plain, uninfectable editor and a command-line debugger still work just fine.

  • @platoh
    @platoh Год назад +13

    The real package was the friends we found along the way.

  • @doge151.
    @doge151. Год назад

    honeslty its nice that you share your experience so others dont meet the same fate instead of just being satly about it and posting on social media like other people would do.

  • @JaenEngineering
    @JaenEngineering Год назад +16

    IIRC, wasnt the first "virus" actually a screensaver? Pretty sure it was made as a prank, that would turn off someone screen after a set period of inactivity giving the impression of a fault. Later on it was found that it could help prevent burn in on old CRT so rebranded as a screensaver.

    • @CheddarVG
      @CheddarVG Год назад +1

      Something tells me screensavers wouldn't exist without that virus

    • @Cooe.
      @Cooe. Год назад

      No. Viruses long predate screensavers. The first virus was more thought experiment than anything else and the payload was merely text iirc.

  • @sean.grogan
    @sean.grogan Год назад +1

    The last time I fell for a scam, I got a spoofed email from a collegue asking for my help.
    Unfortunately for the scammer, my collegue's office was right next to mine so I just walked over to see what help he needed.
    That was my reminder I am not immune from falling for a scam

  • @Ribbldeck
    @Ribbldeck Год назад +2

    Congrats on 3 Million!!!

  • @tylerferguson6271
    @tylerferguson6271 Год назад

    Thanks so much for this video! I'm a sysadmin and have AppLocker applied to my SMB. I'll be adding your deny rules to my policy, right now we've just been relying on the implicit deny and I've been allowing things by path (yes, I know, hash like you do is much better but I'm applying these policies to over 100 users/computers I can't manually add each new hash every time a Teams update or whatever drops, that's way too much work.) Also, if you didn't know AppLocker has previously only been available via Local Group Policy and Intune CSP unless you had Windows Enterprise. If you wanted to apply it to an organization using Windows Pro, you had to use Intune, the ADMX policies for Group Policy Management on DCs existed but they didn't do anything unless you had Windows 10/11 Enterprise licenses on your workstations. I've noticed recently that my AppLocker policy is being applied via GPO, I was using it just to write the policy and export to an XML file to copy/paste into the Intune AppLocker CSP configuration profile I created. However it seems to be working via GPO now, so apparently Microsoft changed the requirements and it will now work with Windows Pro licenses via Group Policy Management on an AD domain.
    If you're (I mean @ThioJoe or anyone nerdly enough to have read all that above) you might also be interested in an NDR, NG Firewall (why are Fortigates with SFP+ ports so expensive? I want to run one at home), and SIEM. Stay safe. The Internet is a crazy place these days. Kinda bummed I didn't get to enjoy the days when a sysadmin's primary concern was uptime.

  • @charginginprogresss
    @charginginprogresss Год назад +3

    Smart App Control is not on "a fresh install of windows"
    What is needed is you to allow them to gather optional diagnostic data when you select those options in the OOBE.
    If you select "only mandatory diagnostic data" the option is already grayed out on a fresh install by default.
    And yeah there's also the thing about "if you disable it you cannot re enable it"

  • @D.von.N
    @D.von.N 8 месяцев назад

    I normally very dislike the too extreme facial expressions in the thumbnails (even more if produced by the AI), but this one, man, this one fits! It was genius.

  • @chaindead
    @chaindead Год назад +7

    Lesson? Never download anything ever.

    • @bgtubber
      @bgtubber Год назад +3

      Not even more RAM?

    • @KeinNiemand
      @KeinNiemand Год назад

      Then your stuck with no sofware outside of what comes with windows, or old stuff on phsical media

  • @Jdbye
    @Jdbye Год назад +1

    I actually had a similar experience myself, once, where my own carelessness would've gotten me infected with malware. The thing that saved me was Comodo Firewall, though I've since stopped using that firewall, the reason being it would prompt you for permission any time an application did anything that had potential to be malicious. Such as dropping an executable file into appdata, running an executable file, and much more, but the prompts were quite annoying on a day to day basis and that was the only time they ever actually did any good.

  • @futuza
    @futuza Год назад +3

    I had not even thought of package installer/stores/extension managers like NuGet or VSCode extensions as being a good way to distribute malware payloads. Better research any package before you install, to make sure it's really something you can trust and actually coming from the source you think it is.

    • @386enhanced
      @386enhanced Год назад

      I heard it some months ago and since then, I compare the VS NuGet result to the original NuGet from the original GitHub repo

  • @Izdl_
    @Izdl_ Год назад +2

    Congrats on 3 mil!!!

  • @twocows360
    @twocows360 Год назад +6

    to make things a bit easier on yourself, could you make a "whitelist folder" where you could just drop a file that failed to run already to bypass applocker? i mean in theory, malware could take advantage of that too, but that'd have to be a pretty targeted attack.

    • @aeghohloechu5022
      @aeghohloechu5022 Год назад +11

      The issue is when you have a trusted app that can download other executables like in this case.
      You would most likely mark it's download folder as trusted.
      If it downloads a malicious software, it will also be put in the same folder.
      Now you have an untrusted file in a trusted folder.

    • @qkzalswns
      @qkzalswns Год назад

      ​@@aeghohloechu5022this is why in our school in IT Classroom we aren't allowed to run any .exe files. Our teacher has one folder that can run any .exe file so we send our files via network to him and he runs the program in the folder. If it was made as an exam then that's it. But if we made it for use in school like one class that made a program for our school's finance department, then our Web admin has to approve it.

    • @undefinedchannel9916
      @undefinedchannel9916 Год назад

      @@qkzalswns this definitely won’t work for larger schools.

    • @LiEnby
      @LiEnby Год назад

      ​@@qkzalswnsalot of the time you can take advantage of the rundll32 program to execute arbitary code on locked down devices btw.
      As applocker doesn't effect DLLs

  • @justanothergamer256
    @justanothergamer256 Год назад +2

    I just sent this to all devs I know that use VS, n told them to watch at least the first 4 minutes, cuz this is definitely something I could have fallen for.

  • @respectmathias
    @respectmathias Год назад +7

    Honestly, now I'm worried too cause I do the exact same thing by looking at most downloades

  • @talkashie
    @talkashie Год назад

    Scary stuff. Thanks for including the VirusTotal links! They are very interesting to look at.

  • @xozeintk8093
    @xozeintk8093 Год назад +6

    How could someone can hack you🤦‍♂
    You Are Thio!🔥🔥

  • @johnbowles4754
    @johnbowles4754 Год назад

    I'm glad to know that I'm not the only paranoid person in the world 😊
    Keep up the great work 👍

  • @Inspirator_AG112
    @Inspirator_AG112 Год назад +18

    The fact that ThioJoe, a *technology RUclipsr,* narrowly dodged a scam...

    • @CattopyTheWeb
      @CattopyTheWeb Год назад +4

      Don't forget LinusTechTips also got hacked in the past

    • @Dumb_Killjoy
      @Dumb_Killjoy Год назад +1

      ​@@CattopyTheWebTwice if I'm remembering correctly

    • @Inspirator_AG112
      @Inspirator_AG112 Год назад +2

      @@Dumb_Killjoy:
      I knew that one time, but twice?

    • @pikacringe
      @pikacringe Год назад +3

      Someordinarygamers too

    • @Dumb_Killjoy
      @Dumb_Killjoy Год назад +1

      @Inspirator_AG112 The LTT Twitter got hacked around 6 or 7 years ago. I think that's why Linus has his own personal Twitter, since the intrusion came from SIM jacking his phone number.

  • @MayaPosch
    @MayaPosch Год назад +2

    The big issue with NuGet and kin is the same as with NPM and other code snippet repositories in that basically anyone can upload files to them. This is quite different from distro-specific repositories where you first need to gain the trust of maintainers to even get permission for uploading. This is why I feel a lot more comfortable getting development libraries from the Arch repos even on Windows (via MSYS2). While I also use MSVS and the package managers, those are subject to a lot more auditing and sanity checks, exactly because of the much higher risk factor.

  • @timothyt.82
    @timothyt.82 Год назад +4

    I use Ubuntu (a Linux based operating system), and I have two programs I make sure to install.
    ufw is an uncomplicated firewall for Linux distributions that does exactly what it says in the name. Linux doesn't usually come with a firewall depending on which distribution you use, so always make sure you have it installed with sudo ufw enable to both verify installation and enable your firewall if it isn't already.
    clamav is an antivirus built to work in Linux. Antivirus programs usually don't work in a Linux environment because of the architecture differences from their primary target audience: Windows users. You also don't technically need an av due to the lack of conventional malware for Linux Desktop users. However, it's better to be safe than sorry.

    • @schwingedeshaehers
      @schwingedeshaehers Год назад +1

      Also, it has a different approach to rights on a system

    • @Ghfvhvfg
      @Ghfvhvfg Год назад

      Linux was built for security from the start, if you are bored enough von can Look at almost everything running on your system Windows had a other history so they never had it from the start.

  • @EnejJohhem
    @EnejJohhem Год назад +2

    We need a detailed applocker video

  • @Korbin0815
    @Korbin0815 Год назад +4

    I'm used to SRP and didn't look at AppLocker when it came around since it seemed to be the same. Looking forward to your video about it.

    • @ThioJoe
      @ThioJoe  Год назад +2

      I think SRP is being deprecated actually

    • @danyal_assi
      @danyal_assi Год назад

      @@ThioJoe o

  • @XEROXAYUKI
    @XEROXAYUKI Год назад +2

    Its funny how every packages on the site has exact 284k downloads. Could have been a councidence. But it was already sus from start.

  • @ivirius.parody
    @ivirius.parody Год назад +3

    THIO'S FACE IN THE THUMBNAIL THO _💀💀💀_

  • @crobinso2010
    @crobinso2010 Год назад +5

    NuGet sounds like something to just stay away from!

    • @I.____.....__...__
      @I.____.....__...__ Год назад +1

      That's like saying the Windows Store, App Store, Google Play Store are things to stay away from because sometimes malware makes it onto them. (Then again…)

  • @terawattyear
    @terawattyear Год назад +1

    Excellent, useful video. I really appreciate your work in building these vids and bringing them to us.

  • @dfgaJK
    @dfgaJK Год назад +3

    Would windows defender have been sufficient? Would it have stopped it?

  • @BabusGameRoom
    @BabusGameRoom Год назад

    In some of your videos, like the tips and tricks ones, I know everything that's going on. (Still enjoy watching them, because occasionally there is something new for me!)
    In this video, I had no idea about almost any of this, beyond how to install NuGet packages...and that's the scary part!

  • @NinjaRunningWild
    @NinjaRunningWild Год назад +5

    I’m surprised that Microsoft doesn’t vet these extensions. Maybe I shouldn’t be… Why don’t you open the created file in HXD & the batch file in Programmer’s Notepad?

    • @hostgrady
      @hostgrady Год назад +2

      Most of these programming package managers don't sadly because it's all community uploads unlike say Winget or Linux package managers where a few trusted community members/company employees vet the packages and then upload them.
      pip and node suffer from these issues all the time and when a project gets hacked it can be really bad if some people have their settings to use the latest version of a package instead of a specific version.

    • @NinjaRunningWild
      @NinjaRunningWild Год назад

      @@hostgradyYeah, but that’s no excuse for MS to not be green-flagging valid extensions & red-flagging invalid ones. They shouldn’t be allowing them to just be posted without oversight.

    • @hostgrady
      @hostgrady Год назад

      @@NinjaRunningWild yeah they also run npm which is what nodejs uses, they're really terrible with it

  • @NomadOutdoorAdventures
    @NomadOutdoorAdventures Год назад +1

    I’ve been using bit defender for many years already a couple of years ago I got hacked by scammers, taking over my RUclips channel and bit defender did not protect me at the time. It finally detected it the behaviours being inappropriate and blocked it, but not before it was too late. They had already stolen my cookies so they could log into my channel.

  • @JustPyroYT
    @JustPyroYT Год назад +6

    Congrats on 3 Million Subscribers! 🎉

  • @ericesev
    @ericesev Год назад

    You're brave! In terms of risk, I'd consider my development environment at the top. For me, it's a completely separate system with no password manager and no access to commit to code repos. I use Code Server as the IDE for my development environment. That way it is seamless to access from my primary laptop/desktop.
    The SSH key needed for pushing committs to Github is on a Yubikey, on my primary machine. When I need to push code I ssh to the development environment and use ssh-agent forwarding. The private key never leaves my Yubikey and can only be activated with a physical press.

  • @the_red_gamer
    @the_red_gamer Год назад +5

    Imagine if now he is actually an ai clone of him pretending that he almost got hacked

    • @mozneda
      @mozneda Год назад

      was wondering the same

  • @retro_vhs
    @retro_vhs Год назад

    These are the kind of videos I live for! Very informational.

  • @7Saints78
    @7Saints78 Год назад +5

    This is why Hackers shouldn't target Tech RUclipsrs
    Not only are they unsuccessful, their entire strategy is made publicly known.

    • @cameron7374
      @cameron7374 Год назад +1

      It being publicly known doesn't mean all of the millions (if not billions) of potential victims automatically know about it.

  • @Nedrozak
    @Nedrozak Год назад

    Thank you for this informative video. I consider myself a poweruser but have never even heard of AppLocker. I enabled it as soon as I finished the video.
    Looking forward to your video about AppLocker!

  • @mbdg6810
    @mbdg6810 Год назад +2

    What a unique way to almost get hacked

    • @qkzalswns
      @qkzalswns Год назад

      Was thinking the same.

  • @kotara124
    @kotara124 Год назад +2

    The SeroXen rat also has rookits, making it very hard to remove the malware.

  • @BigBossultrastealth
    @BigBossultrastealth Год назад +1

    this is an insanely good ad

  • @C1rnobyl
    @C1rnobyl 10 месяцев назад +1

    At least Visual Studio didn't add the execution bypass policy to the Powershell command line!

  • @Homurro
    @Homurro Год назад +3

    Does packages in store never get reviewed before posted?

    • @ThioJoe
      @ThioJoe  Год назад +5

      I think they get a basic scan but nothing to stop them from fetching a remote virus

    • @GandhiTheDerg
      @GandhiTheDerg Год назад +1

      @@ThioJoe As always.
      You'd think the page hosts would start scanning scripts, especially autorun scripts, for commands that download files and automatically sandbox and test what is downloaded from them.
      Play store has the exact same issue, because they do not test for Files downloaded by the game, only the files they host themselves appearently

  • @OcteractSG
    @OcteractSG Год назад +1

    Windows blocks PowerShell scripts I write myself. Can’t stand that OS.

  • @jesusvillagomez5499
    @jesusvillagomez5499 Год назад +3

    how common does this happen?

    • @ThioJoe
      @ThioJoe  Год назад +3

      No clue

    • @VaiCaDep0893
      @VaiCaDep0893 Год назад

      @@ThioJoe Do you know an app that I can use to protect myself on Android?

    • @elnkr2603
      @elnkr2603 Год назад +1

      ​@@VaiCaDep0893 it's called "don't install/run suspicious apps". If you only get your stuff from the Play Store and other trustworthy sources like F-Droid you shouldn't have any problems.

    • @VaiCaDep0893
      @VaiCaDep0893 Год назад

      @@elnkr2603 I know, but at least suggest me an app

    • @AkinaJVS
      @AkinaJVS Год назад +2

      ​@@elnkr2603even Play Store has some sketchy shit published to, i worked at phone technical assist for 6 months and out of countless adware ridden android phones, not one had "unknown install sources" allowed, all of it was downloaded from the play store and then when already installed had many techniques to hide the app from the menu and giving themselves permissions

  • @irvingchies1626
    @irvingchies1626 Год назад +1

    I've said it many times before and gonna say it again, "needs physical access" is not a thing, as soon as you have it in your system it can run, and you can download it inadvertently from ANYWHERE

  • @Datboii2344
    @Datboii2344 Год назад +14

    You know for someone who is a tech master you seem to get into trouble alot

    • @NinjaRunningWild
      @NinjaRunningWild Год назад +6

      The more you do, the more potential trouble you run into.

    • @ThioJoe
      @ThioJoe  Год назад +2

      That’s my secret, I’m not a tech master

    • @danyal_assi
      @danyal_assi Год назад

      What secret?

  • @IMAGE_NT_HEADERS
    @IMAGE_NT_HEADERS Год назад +1

    Another thing you gotta look out for is VS projects downloaded from the internet running custom build steps. I know VS warns about it, but most ppl are so accustomed to just clicking through the dialog

  • @KleMih
    @KleMih Год назад +6

    Question really is if windows defender would detect it...
    But obviously since bitdefender is sponsor, you wont test for it...

  • @lpoki8897
    @lpoki8897 Год назад

    This is so vindicating.
    I've had to say no so many times to users wondering "Why can't I just install Spotify myself?", it only takes one bad download and I have so much more work.
    I have been thinking about scenarios exactly like this with the Cyrillic letters.

  • @swaggamesph3342
    @swaggamesph3342 Год назад +1

    Thank you for you service!🖖

  • @Marfig
    @Marfig Год назад +1

    Interestingly enough, I was just thinking about this very thing a few days ago as I was going through my Android phone Play Store looking for an OpenAI app. I noticed a very large number of purported AI apps in the store. Many try to imitate (through the logo or name) an official OpenAI app. It looked odd to me, and after a very quick research, I realized that OpenAI doesn't yet have an official Android app. They only offer one for iOS. I ended up not downloading anything to my phone. And my thought was was AI functionality can very easily turn into a vector for scams and even malware. And here you are with one example of the latter!

  • @zardecil9419
    @zardecil9419 Год назад

    Most people think they'll never be phished, hacked, etc... until they are.
    Don't get cocky.

  • @cawliss5193
    @cawliss5193 Год назад +1

    It may be a pain to add a hash exception to a file, but cleaning up an infected system is a much bigger pain.

  • @nonavailable4000
    @nonavailable4000 Год назад +1

    You wouldn't even run it on a separate test computer to show us ( the viewers ) the possible extent of its damage and if it would be removable after a real infection .

  • @HeliosBeats
    @HeliosBeats Год назад

    2:04 It's also suspicious how all those packages just happened to be download exactly at around 284k times, as if a script was ran for a similar amount of times to repeatedly and artificially raise the download count. Another potential give away was the grammar mistakes in the package description such as "A official" instead of "An official/the official"

  • @-zerocool-
    @-zerocool- Год назад

    Ive just swapped from Kaspersky to Bitdefender on Windows and Android devices, Ive always hated the UI ever since the beginning, but the latest UI is great and I am loving Bitdefender.

  • @rookiegamer1234
    @rookiegamer1234 Год назад

    Wow I always thought when something looks official and without any grammatical mistakes it's safe. I guess I have to find new ways of detecting viruses myself. I'm glad you're safe and thank you for providing us with this info, it helps a lot.

    • @thenickstrikebetter
      @thenickstrikebetter Год назад +2

      To be fair it said "a official" when it should be "an official"

    • @rookiegamer1234
      @rookiegamer1234 Год назад

      I don't mind when someone makes gramatical mistake. I sometimes download from places where there are gramatical places as well. What I do first tho is check rating on website and check if website itself is secure, i have plenty of websites that have proven themselves to me. But even in google play store or official places can someitmes contain a virus as almost everyone can upload whatever they want.@@thenickstrikebetter

  • @robertpassat001
    @robertpassat001 Год назад +1

    this is the first time i wanted an sponsor

  • @erikhicks07
    @erikhicks07 Год назад +1

    This reminds me of 'protestware' where well-known legit repository apps suddenly go rogue with code to do malicious damage to users in target countries etc. (Russia for example)

  • @liquidalloy
    @liquidalloy Год назад

    You're on a whole different level Joe haha. Genius man