@@thenickstrikebetter I assume you downloaded from the official obsproject website. If so, you're good. This video assumes you clicked on a Google search result, thinking it's the official OBS link. There are official programs (projects) that have "mirrors" of their official downloads. In that case... as LONG as you WERE on the official website, you downloaded the source file.
@@CarlosXPhone Before I checked, I was more worried that by trying to avoid the scam ads, I had accidentally skipped the real OBS and downloaded the fake one. Shortly after I made my original comment, I checked as best as I could. I think I'm fine.
YouTube has gotten worse in vetting their advertisers. I've reported the same ad (an ad claiming that a fruit will 'kill' diabetes) numerous times and I still see it AND it's the same advertiser.
Google has been doing things like this for years. Not just OBS, but anything you type in with an ad slapped next to it. Sometimes it comes out as a scam, so don't be surprised that you're dealing with a scammer problem.
The transmission mechanism of the malware kind of reminds me of the Gootloader malware, which used some SEO poisoning to get itself to as many users as possible.
I wonder what that .exe was that the installer dropped into the Roaming folder and set as autorun in the registry. I also want to see if that link on the desktop leads to that C://strange_folder proxy .exe that runs the stealer and then opens up C://ProgramFiles/OBS Studio/obs_x64.exe, or whatever the original executable is called...
@@DimkaTsv I have looked into it a bit. They must have been swapping this file out often, as the hash I got for the zip was different than the ones Muta and John got. They must have really been swapping these binaries out quickly, as I downloaded mine a few hours before John did. It's a few layers of packed malware; I eventually had to unpack it with unpac.me. I think the `C:\Users\admin\AppData\Roaming\Hpyjpn\Ogtnuzcwp.exe` file in John's download is probably my `Bllfgyszs.exe`, and that exe loads another binary into memory, and I know that one has the string to call to set the exception for the `C:/` drive. There is also a Test.exe, which I suspect has the main payload (I have confirmed it is the binary that calls out to eth0), but I am not sure where the persistence is, yet.
I fell for the fake installer with the help of Google ads. No Windows Defender warnings before or after the installation whatsoever. I was even more shocked how unsuspicious the program seemed. After I installed it, I already recognised that something was odd. But no suspicious tasks were found in the task manager. I decided to reinstall Windows but I wanted to do it a day later because I had something to finish. A few hours later, after I had left my PC without sitting in front of it, I suddenly got a message on my phone that my Facebook account was locked because of a violation of community standards. I immediately reinstalled Windows and tried to get my FB account back. After it was unlocked two days later, Facebook showed me what happened. The malware magically posted ISIS photos and people with guns on my profile. But locally, from my own PC. Immediately changed all passwords...
This is another thing that's happening with Blender. I don't actually use Google myself, but I saw on the subreddit, people were talking about how there was a fake website promoted via ads
That happened with Blender this year, too - right when I was in a rush and sleep deprived. Learned how to remove some malware from that experience. Anti-virus and other things didn't pick up on it - I even stopped it part way because it tried to mount a drive instead of just install. It was enough to still make it hard to remove everything, even after a full restore. It ended up being malware that tries to find crypto wallet info.
@Wilve Moon Go on your history and make sure it's the right link, make sure everything is spelt correctly and you didn't click on an ad, and run it through an antivirus and something like VirusTotal.
This happened with the AMD Radeon optimisation pack. Whenever someone downloaded it, it would download the SearchEsmia virus on your PC, which is an aggressive browser hijacking malware. This happened to my other friend a few weeks ago. Virus type: Trojan
Thank you very much for notifying us, we will take this into account to avoid piracy in this matter since it affects many viruses that aggressively steal information
Thanks for this elaborate evaluation! Very informative and this is a big issue indeed. I immediately informed (warned) my stepson since he and his high school friend use OBS for different projects as well as their bands' YT channel.
Yeah, ads on google are a massive problem because it puts it as the first link most of the time, so it really sucks because I remember when I was 12, I went to watch youtube, and I was bombarded with "beautiful ads" and got in trouble for a while until I explained what happened.
Thanks a lot for bringing this up! Who would have thought... Damn scammers - and social engineering done pretty right, to be honest. GNU/Linux users are at an advantage here, unless the version in the repository is bugged.
We're at even more of an advantage if we install a package that specifically builds it on our system, though flatpak solves most security issues at the cost of easy one-click theming.
Ohh.. I saw this when trying to reinstall OBS, I thought it was a real website! I almost downloaded it but I looked closely. If you noticed, there's a difference between the actual OBS website and the scam one-- it uses a different font. The normal OBS website uses Open Sans in all parts, whereas the scam website (that I saw) used Verdana. I was lucky to spot this, or I would have downloaded the malware probably...😢
Just a comment for the algorithm ;) Great video like always :) And I found my first exploit (persistent XSS) in a probably really unknown (but important) piece of software today and was able to report it (it should be fixed soon). Thanks for helping me achieve this with your interesting and informational videos, you are a big part of my journey in Cyber Security. Even though I am only a trained electrical engineer currently working in IT with SCADA systems. I would love to hear some of your thoughts about OT and especially SCADA security. Sadly there is not a lot of information available about this topic currently, but with more and more merging of OT and IT I think it is getting more and more important to have skilled people in this field, for example to protect our critical infrastructure. That is why I want to go that route. Thank you for the inspiration.
fr OBS is creepy af. I found out that it's my keybinds on Mac, since when you exit it doesn't completely close, so whenever I'd type anything with r it would start recording, and I have almost 100 recordings of me replying or doing something without my input.
I'm slightly worried for myself. Recently I downloaded OBS and I'm hoping I did go to the correct website. I'm not so intelligent with computers yet and I had no idea this was going around when I installed it. I just really hope my past self used his intuition and didn't destroy my PC only a month after I got it.
Same, I did the same thing, I almost downloaded it from the same site. You can know: if your OBS was in a zip then it's the virus one, but if it's the exe without the zip then you're good.
All you have to do is check the website name; if it has bad spelling that's a big red flag. Also check that it isn't an ad. If it clears those two then you'll be fine. Also don't install shady shit.
@@_Underscore_ Sadly can't, at one point I cleared cache (and I guess indirectly cleared search history) because of a streaming service website broke and I had to do that.
@@SnowMexicann Yeah, now I'm more aware. Back then (like 2 or more weeks ago) I was unaware and unsure if I downloaded the correct one, I feel like I did but have slight doubts.
I tried searching "obs download" myself on my signed in browser session and an InPrivate window tab but it seems the ad was reported enough that it got taken off the search.
ADMX files are Group Policy templates. Mainly used by enterprise/corp system admins to configure a PC to meet the company requirements, but they can be applied to any computer through GPEdit. I'm wondering if the install is doing something with those.
Any Run allows you to create a new task with an external link to a program that it will automatically grab from the web and place into the VM before you are presented with the GUI.
The ability for bad actors to use Google Ads for nefarious things is ridiculous. First Streamlabs using it to redirect traffic for commercial gains and now literally malware.
This happened to me when I tried to download and reinstall VLC media player as well, a popular open source video/media player. The top result was a Google Ads result that directed me to a spoof website that wasn't the original VLC website. I recognised the URL quickly enough and didn't enter it, but I could see how unsuspecting, first time users could be duped into downloading and installing malware.
I recently switched from XSplit to OBS and I also had this issue where I came across a fake OBS website. I never even clicked on it; I just immediately found it suspicious that so many websites allowed you to download OBS. So I went straight to their official Twitter page to find the official website lol
I had been hacked on my YouTube channel and I managed to recover it, but it was because of OBS Studio that I was hacked on January 3. We must be careful with the software that we use on our Google account.
I actually found a decent method to not get caught in these situations. If possible, go to any of the OFFICIAL project/business etc. social media and, most likely but probably not applicable to every single one of them, they will have the original website linked on their profile.
@@skore9975 But there's a way to see if it's bought or not, isn't there? Like, click on the checkmark and it shows if it's bought or if it was actually achieved or granted because it's an official organization.
You already know I'm here... I just want to say thank you bro for educating the public. You're low-key an undervalued hero. And two, I had a new computer and got OBS and they seem to have just wanted to delete my files. Is that a common thing?
What do you have to do if, let's say, you've installed and run this exe file? Do you just uninstall and everything is back to normal? Or do you need to do some complicated deep cleanup?
...I just downloaded OBS this weekend to try and start my dream of becoming a content creator. Thank you for justifying my ironic paranoia of all things online. (Thankfully I found the OBSproject URL first, but even then I was hesitant without even knowing about this fiasco.)
omg this happened to me in October 2022 :( the hackers went on both of my YouTube accounts and posted Photoshop videos to phish my subscribers.. and also during the weeks I've been seeing how they've been trying to log in to my PayPal and Venmo and stuff, so I had to change all of my passwords and emails :(
Not a fan of Some Ordinary Gamers because he posted my comment on Twitter just to make a fool of me, and I used to support him and even watch his videos, so he does that to his viewers. His viewers then go on to my personal business to say awful stuff about me, all because of Ordinary Gamers.
@@DaxyGamer Not the point. Ordinary Gamers is two-faced.... As someone who has been supporting the goof, and then he tries to make me look like a fool in front of all his viewers and supporters, it's not cool. One day it will come out about him. Karma will get him one day :)
I was hit with a fake OBS on top of Google results weeks ago, so they have been active a while. I noticed after clicking the installer that a cmd window and weird stuff popped up, and background processes that were not normal. I then proceeded to reinstall Windows...
I've seen this with other websites / software too. There was one for Microsoft Office 365 not too long ago. I am extremely careful now when using search engine to avoid all advertisement links.
John, this almost happened to me recently but with a financial app (TradingView). I was on another PC and wanted to quickly check a price chart - googling Tradingview and clicking on the 1st result gave a copy of the official page. A download started immediately but fortunately I got suspicious before opening anything
I dug deep and wondered how they hosted it, and I found it..... it's an Ubuntu server running Apache. Look at the 404 page, it tells you it's an Apache server, but the real one has its own 404 page... so it's a server running on Linode or a home server. Check it and try to brute force the server (SSH).
Good example why Linux has far better software management. You download from a centralised (verified) repository rather than downloading random links off the web.
I think what's even scarier than the OBS issue is the fake bullshit ads that make kids think they will get a certain game for free. My friend had a nephew who infested their uncle's computer with trojans and malware after installing some shitty websocket exe for a Scratch FNaF game, and he immediately got calls about suspicious automated purchases of Bitcoin and Ethereum. You can blame my friend's uncle for letting it happen, but I'm just glad it got resolved.
I always do that too. Not just for security in knowing it's a good exe without any funny business, but also what if the original link is shut down and the software is no longer accessible? I've had that happen in a few cases, and having the setup file backed up has saved my bacon.
Oh! Google Ads leading to malware? What a surprise! If they'll do anything to disable adblockers, then I'm willing to overpay any guy who will develop a new type of adblock.
Even if Google manually reviews those sites before advertising them.. the scammers could change the site/the links after getting approved... so nobody from Google will check it again... so.. just be careful what sites you visit.. that's the only option.
I'm curious ADML and ADMX are group policy definitions. Do their ADMX/ADML files have properly formatted group policy templates? Tons of folks run all installers elevated, and I've been railing on reddit for years against the terrible advice I see over and over. "Problem with anything? Run elevated" in OBS /r
The one thing I have to question is what is the point of having a Google AdSense account when it lets anyone pretend to be your business anyway? It should really apply to all people, but really... They don't even have someone checking for fake copies of ads for companies that have their own account? I mean, I guess good on them for not showing favouritism and letting everyone be screwed equally, but that's not generally what you'd expect. I'm also surprised other companies haven't caught onto this. Imagine if the Pepsi account just uploaded an ad for a fake site for Coke and then just told you not to buy Coke on it and redirected to the Pepsi site.
From bots and malware among other scammy ads increasing, there are vague contracts with favoritism issues at YouTube / Google. Though why doesn't YouTube keep up on all the scammy stuff and bots more?
This happened to me once. I clicked on the first Walmart link and it led me to a scam website saying my computer was hacked. It wasn't actually hacked, but still annoying.
I accidentally downloaded and ran one of those fake OBS programs and uninstalled it once I realised, and ran a scan. Should I do more stuff to check if it is still an issue?
Oh, just great. Any tips on quickly determining if the OBS studio I downloaded and installed is the malicious variant? Does the malware version function as expected?
The malicious one just installs regular OBS. It embeds the regular installer into the fake exe and launches it. I'll look a bit deeper and see if there's something to look for. Idk if John went that deep in the video yet, as I haven't watched it (I was looking at this malware with him last night, so I know what it is).
@@DataLux-iq5fl well, the installed OBS is just OBS. The installer, however, is a much bigger file and comes in a zip with an About folder. So if you have that, it's something to look at. Can also look for some of the filepaths in this video, in case the loader didn't delete them! Also check if your antivirus has an exclusion for the C drive.
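The checks suggested in the replies above (a Defender exclusion for the C drive, an autorun pointing at a random-looking exe under AppData\Roaming, leftover file paths) can be gathered in one read-only pass. The script below is an added example, not code from the video or from anyone in the thread. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on a machine with Microsoft Defender, and the function names are my own; it only reports and changes nothing.

```powershell
# Added example (not from the video or the comments): read-only triage for a Windows
# machine where a fake installer may have run. It lists Defender exclusions, Run-key
# autoruns and recently written executables under the user's Roaming profile.
# Assumes an elevated PowerShell session with Microsoft Defender present.

function Get-DefenderExclusions {
    # A whole drive root such as 'C:\' excluded from scanning is the red flag here.
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
        [pscustomobject]@{ Kind = 'Path'; Value = $p; Broad = ($p -match '^[A-Za-z]:\\?$') }
    }
    foreach ($p in @($pref.ExclusionProcess | Where-Object { $_ })) {
        [pscustomobject]@{ Kind = 'Process'; Value = $p; Broad = $false }
    }
    foreach ($p in @($pref.ExclusionExtension | Where-Object { $_ })) {
        [pscustomobject]@{ Kind = 'Extension'; Value = $p; Broad = $false }
    }
}

function Get-RunKeyAutoruns {
    # Per-user and machine-wide Run/RunOnce keys. An entry launching something
    # under AppData\Roaming is the pattern described in the thread.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            $cmd = [string]$props.$name
            [pscustomobject]@{
                Key       = $k
                Name      = $name
                Command   = $cmd
                InRoaming = ($cmd -match '\\AppData\\Roaming\\')
            }
        }
    }
}

function Get-RecentRoamingExecutables {
    param([int]$Days = 14)
    # Executables written under %APPDATA% recently, with SHA-256 for a VirusTotal
    # lookup and the Authenticode status (NotSigned is common for droppers).
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $env:APPDATA -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Written = $_.LastWriteTime
                SHA256  = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                Signed  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

Write-Host '== Defender exclusions (anything with Broad=True needs an explanation) =='
Get-DefenderExclusions | Format-Table -AutoSize | Out-Host
Write-Host '== Run-key autoruns =='
Get-RunKeyAutoruns | Format-Table -AutoSize -Wrap | Out-Host
Write-Host '== Executables written under %APPDATA% in the last 14 days =='
Get-RecentRoamingExecutables | Format-Table -AutoSize -Wrap | Out-Host
```

Treat a hit in any of the three tables as a reason to stop and image the machine rather than to start deleting files: the comments above describe loaders that remove their own traces, so an empty result is not a clean bill of health, while a drive-root exclusion or an unsigned exe in Roaming launched from a Run key is.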
The most common thing I find with clients is that they are looking for printer drivers and they accidentally go to these ads instead of the actual driver software.
A few minor points:
1. The S in OBS stands for Software.
2. Always ignore all "ad" results on Google.
3. Always scroll down to actual search results.
4. Report ads that are sketchy.
Skip the 2, 3 and 4 by using an ad block extension or a browser which comes with an ad block.
I always do this to be safe.
5. Notify OBS about this
@@Hardcore_Remixer To be more specific, use uBlock Origin.
@AwesomeAnikin3279 They're doing it wrong :)
Actually it's a big issue. Yesterday I was helping my family member install OBS, and as they googled OBS, the fake advertisements occupied the whole view. We had to scroll through at least 3 fake ads before we got to the actual obsproject website.
Google should definitely make a human ad verification, or improve their algorithms so they’d first scan the website before promoting it.
But they get paid by the malware! So why would they care?
@@moth.monster Right, that's why mobile game ads on YouTube are always clickbait.
@@Theunicorn2012 shut up
@@Carahato Mafia City mobile ads be like:
This is why people should have adblock. Not just to not see ads but also for security. So many ads are scams or malware or that kind of stuff.
@@Theunicorn2012 Can't even type properly.
Until adblock is hacked itself
Malware ads are so common that there's a term for that sort of thing - malvertising.
I remember one time Forbes ran an article about how ads were spreading malware, but insisted you turn off your adblocker to read the page/article, only for their ads to also infect your computer with malware xD And some people wonder why adblock is required for viewing the web.
I used to not use it, but after using it, it's hard to turn off because stuff just runs better.
@@lorekeeper685 Even though I'm on Opera GX I still use Adblock, the browser's free VPN and the browser's built-in adblock.
@@NoodlyPanda I don't use opera not sure if it's good
@@lorekeeper685 It's actually really good. It's chromium based, but it's got all these extra built in features like a free VPN, RGX which does wonders on video and images, can control how much processor power and RAM the browser uses and integrates with different social media in a sidebar. Loads of other stuff. I highly recommend it.
@@NoodlyPanda Okay, can you dumb it down for me? What's RGX? And how would the other options affect me? Not much tech savvy and from Turkey, where info on such things is either very limited or dubious.
If Google is pushing these kinds of ads, I feel like that should be ground for a class action lawsuit.
I don't think they can vet every single ad.
@@TuberoseKisser The largest search engine company. With literal billions of dollars at its disposal. With some of the most tech savvy employees in the world. Can't find a way to vet ads that THEY approve for their search engine.
Yeah. And I'm the king of England.
@@TuberoseKisser They could if they wanted to, but it would be expensive, so they will never do it. There's no "can" about it, only "won't".
@@OneCSeven they already have human verification, just they aren't paid anything so they don't really care
I'm sure there's something in their end user agreement that they are not responsible for this sort of thing.
It's worth noting malware authors will absolutely take steps to ensure the common AVs don't detect their stuff (they can run scans all day and tweak their malware until it's not detected) so it's not surprising Windows Defender didn't detect it. (You did go into it a bit with the mention of file padding,)
All the extra files in the ZIP could be part of this attempt, though I'm not sure how it would affect things. Or it could be an attempt to randomize the hash of the file for whatever reason .
It should also be noted that AVs cannot scan passworded ZIPs or RARs. If you come across a passworded rar or zip with the person who posted it publicly telling you what the password is (or telling you in an email with a passworded zip attachment), the password is there for the virus to avoid detection. Don't open it under any circumstances.
@@Theunicorn2012 Actual bot
Thank you for the PSA! Everyone should report fake ads every time they see them. Click the 3 dots next to the result to report.
We needed this video… Beginners who want to start streaming on Twitch need to be aware.
good thing i got the steam ver
@@sploinkla same here
Man we're going to need verified checkmarks on websites now 💀
LMFAOO
Yes please
You can by using McAfee plugin in browser
just check the url, it’s that easy
It's not like this EXISTS
I have to say I have loved this channel for a while and there is always something new to explore. Keep up the great work. And please do more malware analysis.
I am still surprised how Discord always chose to stay with profit after so many warnings from the industry saying they should block their CDN access from unauthorized connections to prevent payload hosting.
Sounds like they're partaking in dark patterns to me. No way they're not aware of the issue.
true. should require a discord authorization token to download files from cdn
@@balllord3546 Exactly. I made a post on the Discord subreddit pitching the same suggestion. Turned out they probably couldn't care less.
Says a lot about Discord as a company
The dots are represented as null bytes which means it is already utf16-le encoded since it is for Windows. Decoding to utf8 will remove the null bytes
@@zfutox7224 the comment got removed but you replied so it shows the number
@@brighthades5968 I removed it
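The comment above about the "dots" is describing a UTF-16LE string as it looks in a hex or strings dump: every ASCII character is followed by a zero byte, so a plain ASCII strings pass either misses the text or shows it with a dot between each letter. The function below is an added example, not from the video or from anyone in the thread; it extracts both ASCII and UTF-16LE printable runs from a byte buffer, and the sample bytes it runs on are constructed, not taken from the OBS sample. Function and parameter names are my own.

```powershell
# Added example (not from the video or the comments): pull printable ASCII and
# UTF-16LE strings out of a byte buffer. UTF-16LE runs are decoded with
# [Text.Encoding]::Unicode, which is .NET's name for UTF-16LE.

function Get-BinaryStrings {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [int]$MinLength = 4
    )
    $results = New-Object System.Collections.Generic.List[object]

    # ASCII runs: printable bytes 0x20-0x7E. The loop runs one past the end so a
    # run that touches the end of the buffer is still flushed.
    $run = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i -le $Bytes.Length; $i++) {
        $b = if ($i -lt $Bytes.Length) { $Bytes[$i] } else { 0 }
        if ($b -ge 0x20 -and $b -le 0x7E) { $run.Add($b); continue }
        if ($run.Count -ge $MinLength) {
            $results.Add([pscustomobject]@{
                Encoding = 'ascii'
                Offset   = $i - $run.Count
                Text     = [Text.Encoding]::ASCII.GetString($run.ToArray())
            })
        }
        $run.Clear()
    }

    # UTF-16LE runs: printable low byte followed by 0x00. Strings can start at an
    # odd offset, so scan both alignments.
    foreach ($start in 0, 1) {
        $run = New-Object System.Collections.Generic.List[byte]
        for ($i = $start; $i -le $Bytes.Length; $i += 2) {
            $ok = (($i + 1) -lt $Bytes.Length) -and
                  ($Bytes[$i] -ge 0x20) -and ($Bytes[$i] -le 0x7E) -and
                  ($Bytes[$i + 1] -eq 0)
            if ($ok) { $run.Add($Bytes[$i]); $run.Add(0); continue }
            if (($run.Count / 2) -ge $MinLength) {
                $results.Add([pscustomobject]@{
                    Encoding = 'utf-16le'
                    Offset   = $i - $run.Count
                    Text     = [Text.Encoding]::Unicode.GetString($run.ToArray())
                })
            }
            $run.Clear()
        }
    }
    $results | Sort-Object Offset
}

# Constructed sample: non-printable padding, an ASCII string, then a UTF-16LE
# registry path of the kind an installer uses when it registers an autorun.
$sample = [byte[]](0x90, 0x90, 0x00) +
          [Text.Encoding]::ASCII.GetBytes('MZ header stand-in') + [byte[]](0x00, 0xFF) +
          [Text.Encoding]::Unicode.GetBytes('Software\Microsoft\Windows\CurrentVersion\Run') +
          [byte[]](0x00, 0x00)

Get-BinaryStrings -Bytes $sample | Format-Table -AutoSize
```

On the constructed sample the output is two rows: the ASCII stand-in at offset 3 and the registry path at offset 23, which is odd, which is why the odd alignment is scanned as well. Run it over `[IO.File]::ReadAllBytes($pathToSample)` to get the same view of a dropped executable's Windows paths and registry keys.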
@John Hammond, why are there so many fake comments replying on your YouTube videos with weird telephone numbers? Have you been pwned yourself?
@@boogieman97 Bots. I call them Cirno bots because they're using the same number sets with Cirno.
Those random files in the about folder are used to change the hash of the zip folder. Since those files can be anything, the web server can dynamically change the hash of the zip folder every time by editing the binary data of the zip file.
Seems like a half baked attempt to bypass AV signatures, even though most modern products are going to unpack the zip and signature the contents as well.
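The two comments above make a point worth seeing rather than taking on faith: random filler files in the archive change the hash of the ZIP itself, but not the hash of the payload inside it, which is also why unpacking before scanning (or before a VirusTotal lookup) matters. The script below is an added example, not code from the video or from anyone in the thread. It builds two ZIPs with the same stand-in payload and different random filler, hashes each archive, then hashes each member in place; the payload is a constructed text file, not the malware, and the function name is my own. It assumes Windows PowerShell 5.1 or PowerShell 7 with .NET's System.IO.Compression available.

```powershell
# Added example (not from the video or the comments): show that padding a ZIP with
# random filler changes the archive hash but not the payload's hash, and hash the
# members of a ZIP without extracting them to disk.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ZipMemberHashes {
    param([Parameter(Mandatory)][string]$Path)
    # Stream each entry straight out of the archive and SHA-256 it.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName.EndsWith('/')) { continue }   # directory entry, nothing to hash
            $stream = $entry.Open()
            $sha = [System.Security.Cryptography.SHA256]::Create()
            try {
                $digest = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
            } finally {
                $stream.Dispose()
                $sha.Dispose()
            }
            [pscustomobject]@{ Member = $entry.FullName; Size = $entry.Length; SHA256 = $digest }
        }
    } finally { $zip.Dispose() }
}

# --- constructed demo: one stand-in payload, two different sets of random filler ---
$work = Join-Path $env:TEMP ('zipdemo_' + [guid]::NewGuid().ToString('N'))
$null = New-Item -ItemType Directory -Path $work

$payload = Join-Path $work 'setup.bin'   # stand-in for the installer; plain text, not malware
[IO.File]::WriteAllBytes($payload, [Text.Encoding]::ASCII.GetBytes('stand-in payload bytes'))

$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$archives = foreach ($i in 1, 2) {
    $about = Join-Path $work "about$i"
    $null = New-Item -ItemType Directory -Path $about
    foreach ($n in 1..3) {
        $junk = New-Object byte[] 2048
        $rng.GetBytes($junk)                  # random filler, different for each archive
        [IO.File]::WriteAllBytes((Join-Path $about "filler$n.dat"), $junk)
    }
    $zipPath = Join-Path $work "OBS-Studio-$i.zip"
    Compress-Archive -Path $payload, $about -DestinationPath $zipPath
    $zipPath
}

foreach ($z in $archives) {
    Write-Host "`n$z"
    Write-Host ('  archive SHA256: ' + (Get-FileHash -Algorithm SHA256 -Path $z).Hash.ToLower())
    Get-ZipMemberHashes -Path $z | Format-Table -AutoSize | Out-Host
}
# The two archive hashes differ, while setup.bin has the same member hash in both.
Remove-Item -Recurse -Force $work
```

The practical consequence for the "did I download the bad one" question asked elsewhere in the thread: compare and submit the hash of the extracted installer, not of the wrapper ZIP, because the ZIP hash is whatever the server decided it should be for that download.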
This problem is as old as the internet itself: never search for the word "download". This was always a major problem with getting drivers. Search for the brand you need, then search for support/download once you are sure you're on the official page.
This is why Google should investigate each ad and not let ads be visible to the public, but visible to the advertiser as if they were, while they check them. Also making sure they have the actual purchaser by having a video chat with them holding up their picture ID and the registered business license in the country it is registered. It would stop a lot of this crap with that done. Also their ID address and the location of their IP address being at least in the same city and country.
This sounds insanely useful to put in place
@@delayedplayer Thing is, anything really useful for the public seems beyond the capabilities of Google, since I even told them the same thing about the scam video ads we get on YouTube. Having told them the exact idea over 10 years ago and several times a year is like talking to a wall built of dung. Yes, I said a wall of dung, since Google is a pile of crap at protecting the public against hackers and scammers with their ads. In the end it proves Google is a profit whore only.
Agreed.
if winget became remotely more common then this would be a complete non-issue.
The fact that Windows has a (sort of?) functional package manager built in is nuts and I'm shocked that nobody ever talks about it.
@@meat2648 right lol not even going to lie doing research on it now
oh, ok i got it just so used to file explorer lol
But sometimes it's a real pain writing AuthorName.PackageName
Like, why can't you be like apt, rpm, npm ... 😒
@@notyoursurya Right
I think it's scary that it is that easy to just tell Windows not to scan a certain file
This isn't the only thing. This happened with MSI a few weeks ago. A Google ad was promoting a fake MSI Afterburner that I actually ended up falling for, and it was promoting THREE of them. The top 3 links were all slightly different websites but absolute 1:1 clones of the actual one.
Seeing you utilise the any.run sandbox to manually download and install the malware was mind blowing! I'd never thought of this for the 100 MB issue! Thanks for sharing
I reckon when selecting the file to run in the sandbox, you could just give it a PowerShell script to grab and extract the file automatically from the known malicious URL (or a self-hosted FTP server if the download is no longer available).
Anyrun does have the possibility to create a task with a URL too, instead of uploading a file
you can see it at 11:26
Jeezos, the bots be botting in these comments, damn!
Great video, John. Keep up the great work
This hit near home. I installed OBS on the 29th and I know I googled for it first. After some panic I viewed my site history, and it appears I went to the correct site. I tend to naturally avoid ads for reasons like this, but I was not sure. I also downloaded the file again from the legit site and compared its hash to my previously downloaded version, then threw my original file into VirusTotal too for good measure. Looks like I dodged a bullet this time.
Yeah ima check it myself. Do you know what to do if you download the wrong one (just in case)?
@@thenickstrikebetter Uninstall the old one, and reinstall but with the official version. Always get it from the source.
@@CarlosXPhone thanks. I think I did it right the first time tho.
@@thenickstrikebetter I assume you downloaded from the official obsproject website. If so, you're good. This video assumes you clicked on a Google search result, thinking it's the official OBS link. There are official programs (projects) that have "mirrors" of their official downloads; in that case... as LONG as you WERE on the official website, you downloaded the source file.
@@CarlosXPhone Before I checked, I was more worried that by trying to avoid the scam ads, I had accidentally skipped the real OBS and downloaded the fake one.
Shortly after I made my original comment, I checked as best as I could. I think I'm fine.
RUclips has gotten worse in vetting their advertisers. I've reported the same ad (an ad claiming that a fruit will 'kill' diabetes) numerous times and I still see it AND it's the same advertiser.
Or the straight up virus links they host
Google has been doing things like this for years. Not just OBS, but anything you type in with an AD slap next to it. Sometimes comes out as a scam, so don't be surprised that you're dealing with a scammer problem.
the transmission mechanism of the malware kind of reminds me of the Gootloader malware, which used some SEO poisoning to get itself to as many users as possible
I wonder what that .exe was that the installer dropped into the Roaming folder and set as autorun in the registry.
Also want to see if that link on the desktop leads to that C://strange_folder for the proxy .exe that runs the stealer and then opens up C://ProgramFiles/OBS Studio/obs_x64.exe
Or how is original executable called...
@@DimkaTsv all above are great leads
@@DimkaTsv I have looked into it a bit. They must have been swapping this file out often, as the hash I got for the zip was different than the ones Muta and John got. They must have really been swapping these binaries out quickly, as I downloaded mine a few hours before John did. It's a few layers of packed malware; eventually I had to unpack it with unpac.me. I think the `C:\Users\admin\AppData\Roaming\Hpyjpn\Ogtnuzcwp.exe` file in John's download is probably my `Bllfgyszs.exe`, and that exe loads another binary into memory, and I know that one has the string to call to set the exception for the `C:/` drive. There is also a Test.exe, which I suspect has the main payload (I have confirmed it is the binary that calls out to eth0), but I am not sure where the persistence is, yet.
@@nordgaren2358 chain calling from somewhere based on registry entry?
@@DimkaTsv like chain calling each stage?
The packing program they used is what's calling each exe, afaict.
I fell for the fake installer with the help of Google ads. No Windows Defender warnings before or after the installation whatsoever. I was even more shocked how unsuspicious the program seemed. After I installed it, I already recognised that something was odd. But no suspicious tasks were found in the Task Manager. I decided to reinstall Windows, but I wanted to do it a day later because I had something to finish.
A few hours later, after I had left my PC without sitting in front of it, I suddenly got the message on my phone that my Facebook account was locked because of violation of community standards. I immediately reinstalled Windows and tried to get my FB account back. After it was unlocked two days later, Facebook showed me what had happened.
The malware magically posted ISIS photos and people with guns on my profile. But locally on my own PC. Immediately changed all passwords...
This is another thing that's happening with Blender. I don't actually use Google myself, but I saw on the subreddit, people were talking about how there was a fake website promoted via ads
That happened with Blender this year, too - right when I was in a rush and sleep deprived. Learned how to remove some malware from that experience. Anti-virus and other things didn't pick up on it - I even stopped it part way because it tried to mount a drive instead of just install. It was enough to still make it hard to remove everything, even after a full restore. It ended up being malware that tries to find crypto wallet info.
@Wilve Moon the malware I downloaded required a drive to be mounted as part of an install - the real version does not need that.
@Wilve Moon Go to your history and make sure it's the right link, make sure everything is spelt correctly, you didn't click on an ad, and run it through an antivirus and something like VirusTotal.
Never thought I'd hear muta mentioned in John's videos 😄 Nice surprise as an enjoyer of both your channels
Both are Awsome Content Creators !
This happened with the AMD Radeon optimisation pack. Whenever someone downloaded it, it would download the SearchEsmia virus on your PC which is an aggressive browser hijacking malware. This happened to my other friend a few weeks ago. Virus type : Trojan
Thank you very much for notifying us, we will take this into account to avoid piracy in this matter since it affects many viruses that aggressively steal information
I've also noticed an uptick in malicious ads being promoted by Google/RUclips.
Thanks for this elaborate evaluation! Very informative and this is a big issue indeed. I immediately informed (warned) my stepson since he and his high school friend use OBS for different projects as well as their bands' YT channel.
Don't know how anyone can use the Internet without an adblocker these days
Yeah, ads on google are a massive problem because it puts it as the first link most of the time, so it really sucks because I remember when I was 12, I went to watch youtube, and I was bombarded with "beautiful ads" and got in trouble for a while until I explained what happened.
Thanks a lot for bringing this up! Who would have thought... Damn scammers - and social engineering done pretty right, to be honest.
GNU/Linux users are at an advantage here, unless the version in the repository is bugged.
We're at even more of an advantage if we install a package that specifically builds it on our system, though flatpak solves most security issues at the cost of easy one-click theming.
I'm so glad I always have adblockers on so I don't see any ads like these malicious stuff
Ohh.. I saw this when trying to reinstall OBS, I thought it was a real website! I almost downloaded it but I looked closely.
If you noticed, there's a difference between the actual OBS website and the scam one-- it uses a different font. The normal OBS website uses Open Sans in all parts, whereas the scam website (that I saw) used Verdana. I was lucky to spot this, or I would have downloaded the malware probably...😢
Just a comment for the algorithm ;)
Great video like always :)
And I found my first exploit (persistent XSS) in a probably really unknown (but important) piece of software today and was able to report it (it should be fixed soon). Thanks for helping me achieve this with your interesting and informational videos; you are a big part of my journey in cyber security. Even though I am only a trained electrical engineer currently working in IT with SCADA systems. I would love to hear some of your thoughts about OT and especially SCADA security. Sadly there is not a lot of information available about this topic currently, but with more and more merging of OT and IT I think it is getting more and more important to have skilled people in this field, for example to protect our critical infrastructure. That is why I want to go that route. Thank you for the inspiration.
Google needs to face justice for scams
my friend and I actually saw that there was a fake OBS and we reported it, and it disappeared afterwards almost instantly.
fr obs is creepy af. i found out that it's my keybinds on mac since when you exit it doesn't completely close, so whenever i'd type anything with r it would start recording and i have almost 100 recordings of me replying or doing something without my input
I'm slightly worried for myself; recently I downloaded OBS and I'm hoping I did go to the correct website. I'm not so intelligent with computers yet and I had no idea this was going around when I installed it. I just really hope my past self used his intuition and didn't destroy my PC only a month after I got it.
same, i did the same thing, i almost downloaded it from the same site. you can know: if your obs was in a zip then it's the virus one, but if it's the exe without the zip then you're good
check your browsing history (and your download history)
All you have to do is check the website name; if it has bad spelling that's a big red flag. Also check that it isn't an ad. If it clears those two then you'll be fine. Also don't install shady shit.
@@_Underscore_ Sadly can't, at one point I cleared cache (and I guess indirectly cleared search history) because of a streaming service website broke and I had to do that.
@@SnowMexicann Yeah, now I'm more aware. Back then (like 2 or more weeks ago) I was unaware and unsure if I downloaded the correct one, I feel like I did but have slight doubts.
I tried searching "obs download" myself on my signed in browser session and an InPrivate window tab but it seems the ad was reported enough that it got taken off the search.
Hey I didn't even know there is thing such as online malware analysis services. Thanks for video =)
Good to be up to date
This is why I never press the top picks, usually they are ads for scams
admx files are group policy templates. Mainly used by enterprise/corp system admins to configure a PC to meet the company requirements, but they can be applied to any computer through GPEdit. I'm wondering if the install is doing something with those
Thanks for catching this guys
the fact that john plays scarlet instead of violet is the reason i'm subscribed to him
koraidon gang rise up
Any Run allows you to create a new task with an external link to a program that it will automatically grab from the web and place into the VM before you are presented with the GUI.
I nearly downloaded this... So glad I noticed just on time.
The ability for bad actors to use Google ads for nefarious things is ridiculous.
First Streamlabs using it to redirect traffic for commercial gains,
and now literally malware.
Absolutely fascinating. Thank you for that.
so you see an "about" folder with a bunch of .admx files (group policies) and brushed over them as "junk". nice work
This happened to me when I tried to download and reinstall VLC media player as well. A popular open source video/media player. The top result was a google ads result that directed me to a spoof website that wasn't the original VLC website. I recognised the URL quickly enough and didn't enter it, but I could see how unsuspecting, first time users could be duped into downloading and installing malware.
The ADMX files are group policy templates for Active Directory. Interesting they randomly included those.
I recently switched from Xsplit to OBS and i also had this issue where I came across a fake OBS website. I never even clicked on it, i just immediately found it suspicious that so many websites allowed you to download OBS. So I went straight to their official twitter page to find the official website lol
nice, this is one of the reasons I never use the ad links
My RUclips channel had been hacked and I managed to recover it, but it was because of OBS Studio that I was hacked on January 3.
we must be careful or software that or uses on our google account.
I actually found a decent method to not get caught in these situations. If possible, go to any of the OFFICIAL project/business etc. social media and, most likely (but probably not applicable to every single one of them), they will have the original website linked on their profile.
Now that anyone can buy a checkmark on Twitter, even that is somewhat risky
@@skore9975 but there's a way to see if it's bought or not, isn't there? Like, click on the checkmark and it shows if it's bought or if it was actually achieved or granted because it's an official organization.
1:54 what was that orange block that was blurred ??????
AAoAOoyOYYO?
You already know I'm here... I just want to say thank you bro for educating the public. You're low-key a undervalued hero. And two I had a new computer and got OBS and they seem to have. Just wanted to delete my files. Is that a common thing?
What do you have to do if let's say, you've installed + run this exe file? Do u just uninstall and everything is back to normal? Or do u need to do some complicated deep cleanup?
you have to completely reinstall windows
@@MrDratik sh1t
I love that John knows about Mutahar ❤
...I just downloaded OBS this weekend to try and start my dream of becoming a content creator. Thank you for justifying my ironic paranoia of all things online.
(Thankfully I found the OBSproject URL first, but even then I was hesitant without even knowing about this fiasco.)
omg this happened to me in October 2022 :( the hackers went on both of my youtube accounts and posted photoshop videos to phish my subscribers.. and also during the weeks i’ve been seeing how they been trying to login to my paypal and venmo and stuff so i had to change all of my passwords and emails :(
Very good information, thanks for sharing.
1:19
that's a pretty cool way to say virtual machine
not a fan of SomeOrdinaryGamers because he posted my comment on Twitter just to make a fool of me, and I used to support him and even watch his videos, so he does that to his viewers. His viewers then go on to my personal business to say awful stuff about me, all because of SomeOrdinaryGamers
simply put, Twitter is a foolish social media
@@DaxyGamer not the point. SomeOrdinaryGamers is two-faced.... as someone who has been supporting the goof, and then he tries to make me look like a fool in front of all his viewers and supporters, is not cool. One day it will come out about him. Karma will get him one day :)
I was hit with a fake OBS on top of Google results weeks ago, so they have been active a while. I noticed after clicking the installer that a cmd window and weird stuff popped up, and background processes that were not normal. I then proceeded to reinstall Windows...
I've seen this with other websites / software too. There was one for Microsoft Office 365 not too long ago. I am extremely careful now when using search engine to avoid all advertisement links.
John, this almost happened to me recently but with a financial app (TradingView). I was on another PC and wanted to quickly check a price chart - googling Tradingview and clicking on the 1st result gave a copy of the official page. A download started immediately but fortunately I got suspicious before opening anything
This is why advertisements have a feature to flag them to google staff
i get deep down and suspect how they hosted it and i found it..... its Ubuntu server apache server look at the 404 page it tells u its apache server but the real one have its own 404 page ... so its server running linod or home server check it and try it to brute fore the server(ssh)
Good example why Linux has far better software management. You download from a centralised (verified) repository rather than downloading random links off the web.
I think what's even scarier than the OBS issue is the fake bullshit ads that make kids think they will get a certain game for free. My friend had a nephew who infested their uncle's computer with trojans and malware after installing some shitty websocket exe for a Scratch FNAF game, and he immediately got calls about suspicious automated purchases of Bitcoin and Ethereum. You can blame my friend's uncle for letting it happen, but I'm just glad it got resolved.
RUclips promotes this heavily
When you realize that all the software hoarding your friends make fun of you for is actually based.
I always do that too. Not just for security in knowing it's a good exe without any funny business, but also what if the original link is shut down and the software is no longer accessible? I've had that happen in a few cases, and having the setup file backed up has saved my bacon.
@@DarkReaper1053 Same, I've hoarded a bunch of old Minecraft mods that would've become lost (or hard to find) otherwise.
Data hoarding is very based indeed. Also seeding torrents
ADMX files are XML-based files that provide registry-based settings to the Group Policy Editor.
aka its directly attacking the system registry
Oh! Google Ads leading to malware? What a surprise! If they'll do anything to disable adblocks then i'm willing to overpay any guy that will develop new type of adblock.
even if Google manually reviewed those sites before advertising them.. the scammers could change the site/the links after getting approved... so nobody from Google will check it again...
so.. just be careful what sites you visit.. that's the only option
Changing the link after verification should result in de-verification, with the ad held for further review to verify again.
@@StrokeMahEgo you can leave the link the same but change the .exe file on your FTP 😘👌
I work in IT and I enjoy these videos. Great work!
hey you should be linking to muta's video in the description if you're referencing it like this
I'm curious ADML and ADMX are group policy definitions.
Do their ADMX/ADML files have properly formatted group policy templates?
Tons of folks run all installers elevated, and I've been railing on reddit for years against the terrible advice I see over and over. "Problem with anything? Run elevated" in OBS /r
When I search OBS download that ad doesn’t pop up on any of my computers or devices…even when I did during the other video that was mentioned…
Glad I installed OBS from the Steam store instead from the Internet otherwise my pc would be in danger.
QQ [Question]: If the user is using the password manager would that be also vulnerable??
yeah probably
fantastic work thanks !
we went from warding off scavengers from the wheat field to being fooled by anonymous wizards stealing our mario coins through the air
Ive always had a gut feeling when it came to not clicking the ads, i always made sure to click the proper link, and this is the reason why
Thank you brother
This is exactly what happened to me, I hope this does not affect anyone else that badly.
The one thing I have to question is what is the point of having a Google AdSense account when it lets anyone pretend to be your business anyway?
It should really apply to all people but really... They don't even have someone checking for fake copies of ads for companies that have their own account? I mean, I guess good on them for not showing favouritism and letting everyone be screwed equally, but that's not generally what you'd expect.
I'm also surprised other companies haven't caught onto this. Imagine if the Pepsi account just uploaded an ad for a fake site for Coke and then just told you not to buy Coke on it and redirected to the Pepsi site.
Thanks, John you keep me and thousands of people safe.
With bots, malware and other scammy ads increasing, there are vague contracts with favoritism issues at YouTube/Google. Though why doesn't YouTube keep up more on all the scammy stuff and bots?
Great subject, thanks...
This happened to me once. I clicked on the first Walmart result and it led me to a scam website saying my computer was hacked. It wasn't actually hacked, but still annoying.
I accidentally downloaded and ran one of those fake OBS programs and uninstalled it once I realised, and ran a scan. Should I do more stuff to check if it is still an issue?
Oh, just great. Any tips on quickly determining if the OBS Studio I downloaded and installed is the malicious variant? Does the malware version function as expected?
The malicious one just installs regular OBS. It embeds the regular installer into the fake exe, and launches it.
I'll look a bit deeper and see if there's something to look for. Idk if John went that deep in the video yet, as I haven't watched it (I was looking at this malware with him last night, so I know what it is)
Do you have your original exe or your browser history to look at?
The malware version comes as a zip, but OBS is just an exe download.
yeah, just compare file sizes from your installed binary and the one from the original source; that's the fastest way
@@nordgaren2358 might suggest to look for .dll swapping or process hollowing,
@@DataLux-iq5fl well, the installed OBS is just OBS. The installer, however, is a much bigger file and comes in a zip with an About folder.
So if you have that, it's something to look at.
Can also look for some of the file paths in this video, in case the loader didn't delete them!
Also check if your antivirus has an exclusion for the C drive.
Most common thing I find from clients: they are looking for printer drivers and they accidentally go to these ads instead of the actual driver software
I remember I almost fell for this, but just as I was going through the installer something looked off