YouTube Decoy Targets Syrian Activists With Malware
By: Drew Bowling - March 15, 2012
Syrian activists, beware: in addition to avoiding arrest and murder, now the Syrian government is trying to attack activists with a fake YouTube site that’s infecting Windows machines with malware. The YouTube decoy tried to lure Syrian activists by hosting videos related to the opposition movement but, really, it’s like the small bulb dangling from the antenna of an angler fish.
Once users have visited the page, they’re asked for their YouTube log-in info in order to leave comments, but in addition to sponging up your personal account info, it installs some nasty malware disguised as an update to Adobe Flash Player. It should also be noted with much gravity that if you did enter your YouTube log-in on this page, you just handed over the keys to your Google account and every service associated with it. Doubleplusungood.
The Electronic Frontier Foundation provided the following screenshot of the Fakey YouTube. Although the decoy site has already been taken down, the EFF advises people to be on the lookout for similar traps.
I’ve included below some closer screen captures of pertinent regions of the webpage. I know it’s easy to slip into the habit of assuming that the site you’re visiting is the same old website you’ve always visited, but typosquatting is a growing problem, and now that authoritarian governments are taking a page out of the scummy internet scammers’ playbook, it’s all the more important to double-check the URL of the website whenever you visit it, especially if you detect that something is the slightest bit awry or unfamiliar.
(Just a note: if you ever end up at a site with the word “wankbook” in the URL and you aren’t actively trying to visit a site with the word “wankbook” in the URL or title, you should probably leave that site. For many reasons.)
Additionally, if you’re ever asked to install software, be mindful of the request and verify that you aren’t on a malicious site waiting to infect your computer with some nasty malware.
This low blow from the Syrian government isn’t only a means to prevent members of the opposition from broadcasting and finding updates about what’s happening in the country via YouTube; it’s doubly evil because it’s siphoning users’ information while also punishing them with computer-crippling malware.
The following are instructions from the EFF’s website to find out if you may have been infected by the malware.
To see if you have been infected, look for the following files:
These files are “system files” and will not be visible by default. To change your settings to make system files visible in Windows 7, go to Start > Control Panel > Appearance and Personalization > Show hidden files and folders, then select the radio button called “Show hidden files, folders, and drives.” Remove the checkbox labeled “Hide extensions for known file types.” Remove the checkbox labeled “Hide protected operating system files.”
C:\Documents and Settings\Administrator\Local Settings\Temp\sysglobl.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mscordbc.exe
On Windows 7 systems, you can find them here:
If you have definitely been infected, though, you may be left with one really inconvenient choice in order to purge your computer of the malware: re-install Windows. If anybody has happened across similar malware sites like the Syrian government’s YouTube fake-out, feel free to share info in the comments below to let others know what to watch out for.
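The EFF check above amounts to looking for two filenames in a Temp directory. Here is an added example of how to do that sweep programmatically rather than by clicking through Explorer settings; it is not code from the EFF or from the original post. The `sweep_current_user` helper is an assumed generalisation that uses the %TEMP%, %TMP% and %LOCALAPPDATA% variables instead of the Administrator-only paths quoted on the page, and `demo` builds a constructed sample tree with placeholder bytes, not real malware.

```python
import os
import tempfile
from pathlib import Path

# Filenames named in the EFF instructions. The page quotes them under the
# Administrator account's Local Settings\Temp directory on Windows XP.
INDICATOR_NAMES = {"sysglobl.exe", "mscordbc.exe"}


def find_indicators(root):
    """Walk `root` and return full paths of files whose name matches an indicator.

    Case-insensitive because NTFS is. os.walk lists hidden and system files as
    well, so the Explorer settings from the instructions are not needed here.
    A missing `root` simply yields no hits.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in INDICATOR_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def sweep_current_user():
    """Assumed generalisation: sweep the current user's temp locations via
    environment variables rather than the hard-coded paths on the page."""
    roots = [os.environ.get(v) for v in ("TEMP", "TMP", "LOCALAPPDATA")]
    roots = [r for r in dict.fromkeys(roots) if r and os.path.isdir(r)]
    return sorted({hit for r in roots for hit in find_indicators(r)})


def demo():
    """Build a constructed sample tree (placeholder bytes, not malware) and
    sweep it; returns the lowercased filenames found, in path order."""
    root = Path(tempfile.mkdtemp(prefix="decoy_check_"))
    temp_dir = root / "Local Settings" / "Temp"
    temp_dir.mkdir(parents=True)
    (temp_dir / "SysGlobl.exe").write_bytes(b"MZ placeholder")  # mixed case on purpose
    (temp_dir / "notes.txt").write_text("benign file, must not match")
    (root / "mscordbc.exe").write_bytes(b"MZ placeholder")  # dropped one level up
    return [Path(h).name.lower() for h in find_indicators(root)]


if __name__ == "__main__":
    print("constructed tree:", demo())
    print("live sweep:", sweep_current_user() or "no indicator files found")
```

Finding either file is a reason to treat the machine as compromised; as the EFF notes, a clean reinstall of Windows is the reliable remedy.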