The Malware So Tricky Even Programmers Fall For It

Of note on modern Linux desktops (at least in Gnome and KDE), file managers will ask before executing files by default, so remember to keep that option enabled!

new fear unlocked: unicode period pretending to be a file extension separator

30 years experience in IT and I can honestly say that I might have fallen for it.

Plot twist: the job application is for a cybersecurity position, and their challenge is to not fall for the less obvious hacks

4:09 That malicious package has 285k downloads. I probably would have trusted it too... Although the description starts with 'A' instead of 'An', so maybe not so much.
That pdf executable is really smart.

The malicious NPM is really scary, you will get hacked even before run the code. There's a something called "preinstall script" in NPM which is will be executed when downloading the package. This is known technique for attack called "Dependency Confusion"

It's scary they are targeting software Devs they could infect thier releases

I had a scam from a "recruiter" once where they wanted me to set up an account with them and they required a password to be my last four SS number. That flagged me and they held firm after I called them out on it. I also held firm. It was a major known corp that I wanted to work for, but I still believe it was a scammer working through the resume sites.

Malware targeting Linux users? Wow, the year of the Linux desktop is truly upon us!
Though seriously, thanks for spreading the word on these scams! This could easily fool anyone

A new linux thing was a fake Exodus snap package, which asked people to input their 12-words phrase to import wallet. Then of course, the crypto got stolen.

Personally, I would not have fallen for either.
NPM, VS Code, GitHub and other similar repos are known to be vectors of malicious packages, even worse on NPM for a lot of typo-squatting packages.
If I really had to install something like that, I would probably make into a disposable virtual machine with Clam-AV scanning after any install. (yes, sometimes paranoia pays off)
The second one is a lot more obvious for some reasons:
1. Many terminals, specially simpler ones are not UTF-8 (a.k.a. Unicode) piped, so listing the file would show up as file[?]pdf or file``~~pdf
2. Even if it displays correctly the name, many terminal emulators would highlight the document in the executable colors, different from the regular documents (that are usally uncolored)
3. As many other comments mention, file managers typically warn against executing files that are not generated by known compilers
4. In many file managers, the thumbnail would be absent, wrong or use the thumbnail of the language of the file
5. The options in "open with" would be devoid of any PDF reader

You can see the +x as a different color on cli so 😉

On Linux, most file managers don't actually use extensions to determine file type like on Windows. They use something called "magic bytes" which are present at the very beginning of a file and associates files to a particular program(s). So it should be obviouse that it wasn't a PDF file regardless of extension in good file managers.

as a programmer, i can confirm that i would 110% fall for this malware.

ThioJoe, I always like the way you share your thoughts on different topics about Security, PCs, and Preventing Scams! Keep up the good work!

Well that's first time I've rewinded to hear an ad ever I think

Thanks for the information about scamio - probably the first advertisement that I can actually use.
Really appreciate your channel and the time you spend teaching and keeping us informed !

The first thing you do when you clone an Node.js repo is install the dependencies, some devs simply won't check what the dependencies are and will install everything straight away, and for the ones who do check the top-level dependencies, the attacker company could create a completely legit package which in turn uses a dependency meant to do harm, ransom, theft and what not, making it harder to detect. The best part about NPM is that you don't even have to run the dependencies, there are plenty of ways for post-install scripts to be ran once you install your project dependencies.
How do I know that? - I'm sorry for myself, but I'm a web dev.

Couldn’t the second one also work on Mac? Because the Mac has these Unix Executables which also don’t have a File Extension. Although these will probably immediately get terminated by the typical „Dude don’t download from Internet use App Store“ Window.

Thanks for another informative video, ThioJoe! Your clear explanations and engaging style make learning fun.
Always appreciate your dedication to tackling complex topics in such an accessible way. Keep up the great work!

That Linux exploit is pretty clever.

I'm so proud of myself that I figured out that hackers can put files in zip folder to be left with executable property enabled before you said that in the video :)

Your videos always make my day. Keep shining!

As others pointed out, most file managers pop up a warning asking the user if they really want to run an executable. Also, I'd be suspicious of the file being in a zip as stated in the video, but also, PDF files always get an icon of a PDF file, or a preview of the actual document, whereas executables get another icon or just a general 'file' icon. I'd be suspicious of that immediately.
I guess the advice is as always, be very very careful with what you download and run.. Whether it's files from a zip or libraries to use.

Now even the job applications must to be made in a VM. Can't have job in this world Orvus.
Great video appreciate.

Oh it only took 30 years for hackers to discover that you can put executable files on linux by using an archive.
The no-extension trick works because linux does not check the extension to determine what to do with the file.
So jpg files are opened with the picture viewer even when they have no extension.

This is why I stay familiar with what icons go with what filetype. If a PDF does not have the icon my system uses for PDFs, I will be very suspicious and investigate, ESPECIALLY if other, known ok PDFs have their icons!

As always, thank you for the proper subtitles!

Love your videos, keep up the good work, it is very helpful

Thio, you saved me the other week! I had just watched you talking about downloaded files having a password to uncompress them, and on Facebook I came across a cool AI system to download "for free". -- I almost fell for it.
Thanx again, Thio!

Thanks for the video!

Linux has had the run as .exe option for a very long time. I'm amazed it has taken this long for some hacker to use it in such a way.

Thank you so much and I had these problems when I had a computer! I only use an IPhone now but I still enjoy watching your videos as many of the scams I understand apply to all computer based appliances!

Thank you for this Great Information.

Your videos are very helpful❤

First time I completely saw a sponsered segment. Scamio sounds really useful if it works.

Excellent video 👍 Thank you 💜

❤ This Scamio looks really cool

This is wild! I'm a Linux user, and although I'm pretty careful about where I download files from and who I trust, I can see how an unsuspecting or new Linux user could fall for this! I always say, the best antivirus is the user and his or her common sense! Be careful out there, no matter what system you're using!

As a linux user, the only reason why I wouldn't have falled for it is my setup - either I would try to open it from `vifm`, in which case it wouldn't have recognised the file and just opened it in a text editor, or I would have tried to open it from the terminal with `zathura`, in which case it would have complained about unrecognised file format.

Fortunately, the last (and only) remote coding challenge was for a known company, and I didn't have to run anything but a Groovy script, which I read first. But the second scam got me thinking that I should be more careful on things I install on my system, specially if not from the package manager. Thanks for the awareness!

I was always very sceptical about allowing unicode in filesystems, and now the reality confirms it.

Oh no... that is astoundingly devious. I think I would have fallen for it.

Great video, we have reached a level where it is very difficult to stay vigilant, just like zip files, git repositories also retain +x attribute on files. And it can lead to similar issues.

Thanks for letting us know. Usually coding challenges are done in a sandboxed online environment and don't require downloading anything, but I still might have fallen for it.

on linux the icon of pdf file and executable file are different. so user can easily identify that.

Thank you! ❤

Believe it or not but some antiviruses can scan encrypted zip files. They do so by checking the CRC32 checksum of the file and its unpacked filesize. This prevents heuristic or more generalized patterns and the like, but simple signatures work.

Hi Joe, how are you doing? thanks for the quality of your videos. Was wondering if Bitdefender scamio is available for detecting fishing in French and Spanish.

You are a life saver!

As a linux user, I will say that in my system I get a warning if something is going to execute. I am currently running a version of Arch.

Wow this video did actually teach me something I didn't know, great content! I don't know if I'd fall for the fake extension file trick, because thanks to Windows, I'm very suspicious if a PDF or ZIP file doesn't show the right icon. 🤓

I said that npm is wildlife everyday since like 5 years ago :D. Pretty sure most ppl already agreed with that but I am happy for any awareness spread on this.

Thanks - did not know that stuff.

Wow. I think they'd easily get me with both tricks. I'm not a Linux user, but NPM... I'd love to learn more about that security policies that protected you

As someone who always looks at packages that are being installed, checks file properties, and reviews source code before running anything I wouldn’t have fallen for this. When it is a binary file I will either open a hex editor or delete it without a second thought.

just swapped to linux(lmde) and didn’t knew that! thanks a lot

At least the linux one can't do that much harm since they're gonna get at most access to user space. Still plenty of room to do bad things but as long as you consider your user space to be unsafe (and you have taken measures around that) you could be fine. Protecting your user config such as your bashrc with root locks is a must to prevent this kind of attacks to work.

The reason that Linux thing works is that "running a text-file" is something that you are expected to do
My recommendation is to (in a terminal) run something like 'file sus.pdf'
It will take a look at the file and tell you about its content (and file type)
You can also do 'cat sus.pdf' but that might garble your terminal session if it's actually a pdf
One alternative is to do 'head -1 sus.pdf ', which should just give you the first line
Scripts usually start with '#!/usr/bin/bash' or something similar

This is making me long for my days in college using the keypunch machine to generate the lines of code for programs.

glad to see this channel go from lemon usb charger to something legit

Even better is when actual companies use LLMs (AI) to create packages and the LLM hallucinates dependencies. There was a research study recently where the researchers created a bunch of packages that way and then (as a test) typo-squatted a few of the hallucinated dependencies. They actually found a few large tech companies accidentally using them. In one case, the hallucinated dependency was supposed to be another package by the same company!

*Thank you.*

As the technological economy becomes harder to compete in, more genuinely skilled professionals will resort to things like scams, and so scams will start to become more skillful.

1:00 Great tool for scammers to run their schemes by until one isn't flagged a scam.

Not really a Linux specific thing, but I dislike file managers showing items not in a list with details -- that might allow you to catch something like that, too.

Thanks for sharing!
I'm a Linux user and never heard about zip hack, especially with unicode dot.. That's something new to be alerted and to warn my daughter too.
Sometimes, I saw before single files compressed in Zip and, at preview, always wondering and thinking about reason for that, usually, before zip extraction.. 😂
About executable, now I will check file properties before clicking..

Thiojoe isn’t pregnant (yet) but he always delivers!😂

Thanks for the heads-up. I am a *nix user, and did not know that 😨

I almost never use .zip in linux but thank you for this info. Never download anythng you don't already trust but always do it in a sandbox or isolated VM first .

pdf documents, i usually drag-and-drop those into a browser tab to open them... but this could 100% fool me damn

No, I did not know that execution protection is bypassed via archives. Realistically speaking archive extractors should really just remove the execution permission always. Sure it would be annoying to re-add those permissions for legitimate ones but that's still preferable to sneaky attacks getting though.

One way to test for this, is force the OS to open the file you're suspicious of in a text editor. Most of these formats aren't compatible with just being "read" from a text editor, however these files will not only be plain "English," if you're savvy you can call out the bash script.
For context, attempt to force a PDF or image into Notepad. Most files forced into notepad will look like gibberish and symbols. The malware here won't.

Best sponsor segment I've ever seen. Thanks bitdefender!

always do email access via windows hyper-v sandbox or sandbox in general,have separate emails for everything don't login at same time

Actually first noti - I think. already know it’s gonna be a bagner

ngl that had to be the most enticing ad

Things like that second one are the reason I run more and more things through the 'file' command in a Linux shell, which reads (without executing) the beginning of the file to determine the filetype, usually based on the file's magic number.

Do Linux file explorers typically have a "file type" column by default in detail view like Windows has? That is one way to catch this sort of thing. Granted these days so many people just instantly run stuff directly from the browser when it's done downloading (although I guess the zip file would still need to be opened and extracted), or even if they don't as a linux user they might just be doing some sort of CLI stuff that won't have them notice.

This Scamio does really seem like a great tool

as a somewhat familiar with the system linux user, i did not know archives would extract files with their meta + the exeuctable meta bit, so thats interesting to know

Jon, Now you got me worried. I consider myself to be a tech savvy person. If even people like you can get hacked somehow, then just what chance do I have to avoid getting hit?

I open PDFs from the command line, thus I would not have fallen for the fake PDF. I would just have gotten an error message that this is not a valid PDF file. Command line FTW!

That first technique is pretty clever

I probably wouldn't fall for this, but you never know.
Password protecting a zip is something I didn't know had that effect, but it does make sense and it now gives me an out to send files to work that don't get canned by the email protection there. previously I had to stuff around with a download service.

can you make a video about Kernel Power Failure Error - Event ID 41? There seems to be no way out from this, I tried a lot of things, but nothing is working out.

I'm a software developer, and I exclusively use Linux - no Windows for me. I thought I was immune to falling for any of those scams, but after watching this video, I've realized I need to take things more seriously. I'm aware of how these tricks work, including executables hidden in archives, but I never considered it from this perspective before. Specifically, from the perspective of scammers who lure software devs by proposing job opportunities with better salaries!

The npm example is why it’s best nowadays to do JavaScript projects in ether something like webcontainers (stackblitz) or just remote github workspaces (vscode server). That way you are never running random npm packages on your system unsandboxed.

That Linux one is quite smart, lots of different things packed into one. I totally would have fallen for this kind of stuff

btw one could also set -x on a directory level (E.g. tmp or where one downloads the files.) for all users, and AFAIK this would override the permissions on the file level.

Well now I'll be paranoid of any take home assignments

I love getting scams because it means I can prank call the scammers and have hours of free entertainment. Hearing the scammers rage and curse before being forced to shut down their scam is its own reward.

IDK about Unix Systems (MacOS/Linux) but on Windows when you change the file extension it asks you "are you sure?", so it would be that simple if you want to make sure of the file's extension

On a Mac you will get a warning telling you something along the lines of "do you really want to execute this random application from an unidentified developer that you downloaded from the internet?" (or, by default, will tell you it can't run it because it's from an unidentified developer, although you can still run it if you want, just not with a simple double click). Even if they did register as developers and sign the application, you will still get a warning the first time because it's an application downloaded from the web, so you get a heads up.

As soon as I heard the part about scamio, I went over, created an account and the web site crashed. Server error.

1:24 : Cool! Thank you!

Interesting!

Luckily, I'm safe for now, thanks to VS Code's dev containers, docker and other virtualization things I use for development. Btw, cool stuff, really handy

Clever!

I remember being able to remove the file extension of a video file on Raspbian and it still ran as a movie.