mailto: blog -at- heyrick -dot- eu
Virus? Rootkit? Or bad joke?
I was idly looking at stuff on YouTube when a little alert box popped up saying:
Your computer is f***ed. You can thank <name> for this devastation.
Only, without the profanity-edit. At least, that's how I remembered it. Zero-day attack? Avast didn't notice anything. SuperAntiSpyware only picked up a few tracking cookies that were probably BeefTACO fakes. HitManPro gave a clean bill of health, and ComboFix only deleted my old Notepad (called "notepadx.exe" as the real Notepad.exe is actually MetaPad).
Anybody come across something like this?
I know it is notoriously difficult to detect a rootkit from within the infected machine, and I still cannot be 100% certain; however it seems odd that such a message would pop up. What kind of stealthy crim advertises their presence?!?
It also seems odd that such a thing might use YouTube as a vector. Videos are reencoded, possibly because of the issues surrounding Flash. In addition, the website layout is fairly minimal and well controlled. Hiding something there, I'd have thought, would be difficult. And it would need to reside within YouTube itself, else NoScript would have blocked it.
So my current thinking is it is most likely that somebody, somehow, managed to get a message to pop up. But I only have 50% confidence in that. Nothing seems amiss, but that could well be the point... Or... Maybe it was a genuine attack designed to kill the MBR and destroy the partitioning information, only my computer uses the EFI system, not MBR... Who can say? It's been through a power cycle so I know that much is alright.
Please note that while I check this page every so often, I am not able to control what users write; therefore I disclaim all liability for unpleasant and/or infringing and/or defamatory material. Undesired content will be removed as soon as it is noticed. By leaving a comment, you agree not to post material that is illegal or in bad taste, and you should be aware that the time and your IP address are both recorded, should it be necessary to find out who you are. Oh, and don't bother trying to inline HTML. I'm not that stupid! ☺ ADDING COMMENTS DOES NOT WORK IF READING TRANSLATED VERSIONS.
You can now follow comment additions with the comment RSS feed. This is distinct from the b.log RSS feed, so you can subscribe to one or both as you wish.
|Rob O'Donnell, 5th July 2010, 16:04|
It's an XSS scripting vulnerability in YouTube Comments. Should be fixed now. And I thought you ran with NoScript?
Oh, and you really should read El Reg before you panic :-)
|Rick, 5th July 2010, 16:21|
So it was just some dopey scripting message? Phew!
I do run with NoScript, but YouTube has permission - kinda doesn't work well without! Luckily if the payload (if any?) was off-site, it will have been blocked.
I *did* read El Reg, but note the article referred was posted at 9am, about three hours after my scans were completed, and some 16-odd hours after this b.log posting.
Useful, anyway, to prompt me to give my system the once over. Not what I planned to do on a Sunday, but never mind.
Thanks, Rob, for the quick response.
|Rob, 5th July 2010, 17:53|
Ah, the blog post only popped up in my RSS reader shortly before I posted! Never thought to check the relative times..
|Rick, 5th July 2010, 18:43|
After leaving the scanning active through the night, I had two matches - with the development folder for Alarm containing a file called "AlDelay.exe" which is apparently infected by "Win32:Dropper-CLB [Trj]".
This is actually a generic virus warning, with AlDelay scoring in the heuristics. I wiped the file (just in case), but AlDelay is actually a program that waits for 15 seconds before running Alarm proper - this being an attempt to get Alarm to show up correctly on the system tray [this is a known bug in XP - see http://winhlp.com/node/16]. Avast thought it was trojan-like. Fair dues. ☺
Other than that, all checked out okay. Phew!
List all b.log entries
Return to the site index
PS: Don't try to be clever.
It's a simple substring match.
Last read at 18:31 on 2020/09/30.
© 2010 Rick Murray
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted.
RIPA notice: No consent is given for interception of page transmission.