Malware in Google Ads: Fake OBS, VLC, Notepad++

About the tools and techniques shown in the video: Noobs, don't go deleting random padding in windows files, it will mess up the address locations and cause them to crash, this is a technique for downsizing malware to scan online, don't use it on system files without a clear understanding what you are doing. :)
Edit: Adding this here since some people have posted in our discord after messing things up by doing the above.

This has been an issue with Google for years now. I think at this point, they need to be considered complicit in it to some degree.

A friend once tried to set up minecraft mods on their mac, and ended up installing some malware from a fishing site. They searched for the right thing, but the top result was an ad. For someone who isn't too computer savvy, it's a pretty easy trap to fall for.

I hate that hackers instead of doing the work and putting their effort in getting a job with their skillset decide to want to rob people of what they worked for instead.

This is why I've installed ad blockers on all computers in my family. My mom is smart and fairly tech savvy for someone her age, but she could easily still fall for something like this.

this is really embarrassing for google for allowing this to happen

7:28 Sadly a LOT of the people (and the main ones that falls for this) don't know what the domain of whatever they are trying to download is supposed to be (or even what a domain is for that matter)

2:13 IMO online scanners should give a warning when a file is too large for scanning and instruct the user to scan it with their preferred antivirus/antimalware program

browsing the internet without adblock is best avoided for a whole host of reasons at this point, even if the ads don't bother you personally

I think Google should be liable of all the damages that’s have been caused by their negligence in allowing false, scammer advertisers use their platform in an official capacity.

I like that you are very technical and show these things.
The best security channel on TH-cam unarguably.

I don’t think Google is going to start doing the bare minimum checks until enough people start avoiding ads because of the known risk.

google has been off their shit for years now, stopped using their engine and their browser a couple years ago, also always use and ad block

Google ads can basically lead to any type of malware, from a simple phishing site to a ransomware

I think that cybersecurity vendors should add generic detection patterns for these zerobyte bloated malware, as this technique gets more and more common nowadays in order to evade analysis and identification.

Just as a reminder, always vet the sources of your software. Only get downloads from the original author's site that you go directly to manually or through a verified legit link.
There is always a small chance that even the author's site has been hacked and have some of the downloads tampered with, but that is extremely rare, and far less likely compared to getting downloads from a sponsored link or random referral.

Thanks for posting this video!!!! Often times, I'll read comments from people stating if you "simply" stay away from "sketchy" or "questionable" sites, you can protect yourself from malware. Or they will state if you're "careful" in how you navigate the internet, you can protect yourself from malware. This video shows how people who actually DO those suggested things (don't visit "sketchy" sites, etc) can still be exposed to malware. Videos like these are very helpful and useful!!!!

On one hand I expect a virus scanner to do a quick check for long sequences of the same byte, then create a temporary copy with that stripped out. Basically automatically doing what you just did.
However, on the other hand, these malicious people would start adding random values instead of just 0s.

2 Questions:
- Does this Malware require admin access?
- Would Malwarebytes detect it as a threat?

The software that you used to analyze the .exe is new to me! So useful! Thanks for bringing this content to us.

I guess this is just one more reason to never click on the ads on search engines, but go down to the actual search results (which I always done anyway, the notion of ads taking the place of search results always been stupid to me, even in a world where malware wouldn't exist)

Most anti-virus have an option to scan entire files, but "not recommended" is often written beside it. Not sure why... it's probably performance intensive.

If you are not a person who can tell legitimate ads from scams and malware, you should have an adblocker. I use an adblocker no matter what because of the BS ad layout on most sites bloating my screen and using up all my bandwidth.

I almost falled for this scam when i wanted to download blender if it wasnt for the slowness of the download i wouldn't notice

This is why an ad blocker is a must have when using the internet.

I love the deep dives you do! I like too see how everything works. Stay safe everyone

Never trust Google search ads.

Awesome! Thank you very much for being out there!

This is why I always run an adblocker, and NEVER click on any ad that gets through.

Great info. Subbed as I just found your site. Thanks from the Philippines.

I don't think I have ever clicked on an ad. If I see something in an ad that's interesting, I'll start a new tab and do my own searching for it.

And this is not only going with Google Ads. I have found a lot of ads on social media, such as Facebook, TH-cam and Twitter, all of them claiming to be legitimate software. Obviously, they are malware, and they use the same oversized files to trick AV's and online scanners. I've been collecting most of them on a VirusTotal collection. It started (for me) around September 2022. Right now (January 2023) some of the malicious ads from those sites stopped showing up (for me, again). However, the pages distributing those ads are still working (some of them uploading the malicious files to MEGA, DropBox or even Google Drive). "Tech giants" really need to do something about this, but I don't know if they will because they are making clear that "making money is more important than people's security or privacy, no matter the situation". That or use an ad blocker (funny because they don't want users to block ads, mfckrs).
EDIT: Link to the collection on VT here for those who requested it. www.virustotal.com/gui/collection/03b112798aea1a4ba6e4c8174a1c964f41caf6b25af54dca97e7b8b3e44d37ee

Using an Ad-Blocker like ublock origin or adguard is better or else one should use brave browser's aggressive mode to block ads & trackers.

This is also kinda a problem of windows too, for not having a good modern store or centralized software repository install app

Before getting an adblocker, I had trained myself to completely ignore the ads, I always skipped over the top result and clicked on the second one

Very thankful for this video, I saw a really weird Google ad today actually and was wondering what was up with it. Had a bogus prefix on the HTML address and I was immediately suspicious. I assumed it was some sort of scam but didn't think it would be as complex as this.

Not too long ago I actually fell victim to one of these trying to get AMD drivers while in a rush, it installed a few exes etc after I foolishly ran a MSI that it gave me. But thankfully I went ahead and got rid of most of the junk myself and ran Tron / Rouge Killer.
Then boom few days later I got a warning someone tried to get into my google account lol.

Thank you for this video. I learned quite a bit. What do you use for your VM environment? Are there any free VM services out there?

When you talk about the problem of a file being too big, I suppose that's only related to the AV automatically scanning it as soon as it's downloaded, correct? So, if I right-click one of those files after I download it and manually scan it with my AV, will it be caught? Also, will an AV flag a file just due to "padding"?

This is difficult because some legit open source program sites look INCREDIBLY sus, and some fake sites look incredibly normal. Ads in Google search can be helpful and no matter how tech savvy you are, as humans we don’t have the energy to be ever vigilant and will a some point relax and rely on lived experience and accidentally click on something like this.

This is exactly why I use ad blockers.

This is EXACTLY why I block as many Google Ads as possable.... It's been a issue for years....

Thanks for this informative video. Looking forward to the next ones.

I am so glad, plenty of these programs have self updaters, so once installed no more manual download needed.

Can you highlight which AV do bother searching through entire file? I'd at least like the option to enable further resources

OMG thank goodness I never got scammed from these fake websites ! Thanks for telling us you're the best man!👍

Oh and thank you for a great video! I had no idea about this problem. Also its basically a great advertisement for using adblocks.

Would you be able to provide a link the the HxD editor you used in the video? Would love to get one to try and find any files on my PC that maybe using black space.

Great, thanks for this information. I don't have the full knowledge to do that padding deletions so I will ignore that section of the video. But will keep an eye out for fictitious websites claiming to be someone they are not.
Do you find these hacker problems in other search engines???
Also any hackers claiming to be popular apps or software put in their title link that they are Official website for that product???
Take care.

I remember back in a past life when I was an IT security type person. You could pack a zip file that appeared to be small but would lock up a computer when it was expanded. I can't recall how we did it but yeah, old school local memory attack for a single PC

I'm not surprised about this. It's noticeable that google has fired groups of people that manage the ads because the google ads I get are weird and uncomfortable.

Virustotal no longer has size limits. Now it computes the hash in local without having to upload the file, and then checks if the hash already exists on its database. I just checked it, and not only Virustotal has let me scan the file, it was already marked as very suspicious (14 malware detections at the time I'm posting this comment).

did they fix it because I am on the site and it does not say add next to it or .net or porjuct instead of project

I got caught by this too. Not entirely sure of the source as it was on a brand new PC where I was reloading everything. I'm pretty certain that I used the right sites for Notepad++ and VLC but I noticed that the first sites returned weren't always the legitimate ones. That's a problem. I think it was driver site though. Thanks very much for you explanation.
I've raised the issue with Google because the first things the hackers did were -- 1. Turn off my MFA, 2 Put a mail rule into Gmail that sent everything from google to trash. I'd have thought those would be very obvious signs that Google should have picked up on before allowing them to raise an ad campaign. My bank also allowed four transactions of increasing value in the same day from a new merchant - they should also have picked up on this as very obvious fraud, so I'll be having words with them too.
Interesting that these companies are all about AI these days but clearly aren't using enough AI in their detection.

some ways to deal with large files is .
1. remove the padding like you are doing (not everyone will think to do that).
2. have the online scanners bite the bullet and take the large files and take a hit to performance.
3. online scanners take a page from many cloud apps like adobe and download the app and execute it via the web site and run the code on the user's end.

Very interesting. Thank you for information. You fully deserved the Abo. 😉👍🏻

The ones that really get novices are searches for popular websites like Facebook and Ebay that can also return ads that point to illegitimate sites. I've even seen searches for 'google' return scam ads which is pretty ridiculous.

and people look at me like I'm breaking the law when I tell them I run ad-blockers

I'm using pfsense with pfblocker ng, will these kind of sites get immediately listed and updated in pfblocker ? Would be nice to know which feeds to activate to get this kind of protection, maybe the OP can do a subject on it ?

Thanks you so much for sharing such a precious info.

I guess, people asking you, but which AV you are using/can recommend? Ty

So, I noticed you were saying online scanners, but what about regular antivirus that runs on your machine? Do those scan the whole exe file, or skips it the same if there's padding?

I use a few Adblockers, to keep my internet use free of annoying adverts, and so far they seem to kill adverts so I am ad free to watch films etc., without being annoyed by them, which has worked for some years now. I watch TV series on YT, because I can enjoy them without the being riddled with adverts.

I downloaded OBS from Microsoft store, had to download WinRAR and Notepad++ from Google, I scanned both of them no issues at all.

excelent content! congratulations... please continue 🤓🤠

Also google: Let do a update to remove ad-blockers.

This is why I never click on the "sponsored" results. I always scroll down to click on the actual resutl.

Do actual installed AV clients also skip padding to save on time/resources like this? Are there AVs that will actually scan 100% of the file even at the cost of extensive scan times?

Obvious question: do consumer AV have options to scan large files? If so, which ones?

Thinking about whether this exploit affects Mac users. Clearly, using Safari or another browser, I can click on a Google ad, be redirected to a malware-serving site, and get an attempt to download malware on my Mac.
With Gatekeeper either set to allow only downloads from the App Store or downloads from the App Store or identified developers, it would seem that a malware-serving web site would fail to download anything.
Is that right?

Something similar happened to me:
Recently, after building my new pc and downloading some games, I decided to download MSI afterburnen (from a fake site) to see its performance. After running it, I realized that it was a virus so I decided to do a factory reset to my pc. After that everything seemed normal, until I got a notification in Gmail (a week after downloading it) saying that there has been suspicious activity in my account. I checked what happened and it turns out that my Microsoft account, Steam and all the accounts I had on the computer had been stolen. I was only able to recover a few. .-.

Thank you for helpful and informative video.

Thank you Brave, Guardio, and uBlock Origin

Do you have windows Defender disabled on your test system? or does it defender not detect this either?

This is happening a lot. I went to search for a video editing program and the top 3 links were ads pretending to be someone else on a sketchy website. They didn't want me to install a .exe instead a .ISO file. I'm not sure why

So glad I came across this!

This is why adblocker should be packed with the browser itself these days. But yeah, don't think that Google is willing to do that for Chrome

Quick Question, Do I need Guardio while having ublock origin?

It's extremely anti-productive too, I ran a case printing business and tried to use google ads to advertise. Although I was completely honest, google told me I was "circumventing systems", and then put me in a endless loop of bots to answer my appeals.
My business relied on these ads so eventually I had to shut down, whilst they let the actual malicious, clearly faked ads roam and harm people.
Glad it was brought to light, good video. Google massively mis-treats small businesses. I don't believe small businesses deserve an easier time just for being small, but I definitely can't stand behind actively shutting down small businesses in the name of protecting - just to let obvious malware in anyway.

One of signs of suspicious file should be difference between compressed and uncompressed file size. File with lots of padding should compress more than 90 percent. EXE never compresses that well

Imagine not having adblock on your browser in 2023.

The fact that Google has not taken the proper precautions to address this threat by verifying if these advertisements are valid is disconcerting. It is false advertising and it severely damages the already low reputation of Google. There is no reason at all to use this search engine anymore, let alone recommend it over the alternatives. Their reverse image search no longer works, their search results are bias, even for topics you would not consider political, and now searching for certain applications on the official websites is a risk due to false ads and link misdirection.

Could you make a video about virus/malware on a video file, if its possible for an haker to put a virus on a mkv or mp4 video file and how to detect that? Thanks for the great jop!

So what would you say would be the cut-off filesize where VirusTotal is unreliable? 50mb? 75?

I installed k7 free trail version for my laptop, it is working good for both my laptop and mobile. and thanks for your video.

Are there any plugins that can check the age of a domain and block file transfers if it is new?

Thanks for sharing this information.

What's the name of the text editor you are using?

What is the hex-editor that you used?

can you check the new asus armoury crate upgrades or packages to see if its malware

Thank you for showing the steps for removal of padding. Very simple, handy and made me go "oh! duh".
Yeah, not catching me regularly downloading installers off any website.
I have Pacman, and if you couldn't tell, I use Arch, BTW.

Good lesson. When you search, don't click on the ad link, scroll down.

Thank You For The Warning!!!

Is it safe to use the iPhone vlc app to transport files between my pc and phone

Hi i have watch many of your videos so can you make a video about avast secure browser vs chrome

A Great reason why we NEED Adblockers and why we DON'T NEED Manifest V3

Great video as usual

I'm not a expert, but is it because of the 0's in the file the zip-file becomes so smal?
normally i look at the size of the zip file to see if the title makes any sense (may have already saved myself from 3 ransomware attacks)

Where did you get the hex editor?

That's why i always try to find for example: "OBS reviev" on youtube. If video and the creator are legitimate i look for a link to a oficial website in the description. Then I download the file and triple check with for example kaspersky. I also recommend checking coments under the videos. Stay safe.