Users Feel Guilty: Measurement of Illegal Software Installation Guide Videos on YouTube for Malware Distribution

Rei Yamagishi, Shota Fujii, Tatsuya Mori
2024-07-23
Abstract: This study introduces and examines a sophisticated malware distribution technique that exploits popular video sharing platforms. In this attack, threat actors distribute malware through deceptive content that promises free versions of premium software and game cheats. Throughout this paper, we call this attack MalTube. MalTube is particularly insidious because it exploits the guilt feelings of users for engaging in potentially illegal activity, making them less likely to report the infection or ask for help. To investigate this emerging threat, we developed VIPER (Video Platform Exploitation Reconnaissance), a novel monitoring system designed to detect, monitor, and analyze MalTube activity at scale. Over a four-month data collection period, VIPER processed and analyzed 14,363 videos, 8,671 associated channels, and 1,269 unique fully qualified domain names associated with malware downloads. Our findings reveal that MalTube attackers primarily target young gamers, using the lure of free software and game cheats as infection vectors. The attackers employ various sophisticated social engineering techniques to maximize user engagement and ensure successful malware propagation. These techniques include the strategic use of platform-specific features such as trending keywords, emoticons, and eye-catching thumbnails. These tactics closely mimic legitimate content creation strategies while providing detailed instructions for malware infection. Based on our in-depth analysis, we propose a set of robust detection and mitigation strategies that exploit the invariant characteristics of MalTube videos, offering the potential for automated threat detection and prevention.
Cryptography and Security
What problem does this paper attempt to address?
### What problems does this paper attempt to solve?

This paper aims to systematically study and analyze a new type of malware distribution technique called **MalTube**. MalTube uses popular video-sharing platforms (such as YouTube) to spread malware, luring users to download free versions of premium software or game-cheating tools through deceptive content. This type of attack is particularly insidious because it takes advantage of users' guilt about participating in potentially illegal activities, making them less likely to report infections or seek help.

Specifically, the paper attempts to solve the following key problems:

1. **What is the target user group?** Researchers attempt to determine the main target user group of MalTube attacks. By analyzing video topics and the types of illegal software on offer, they find that attackers mainly target young gamers, especially those interested in free software and game-cheating tools. For example, game platforms such as Roblox, Valorant, and Fortnite are the focus of attacks.

2. **What are the characteristics of channels related to MalTube?** Researchers analyze the characteristics of channels that post MalTube videos, including the time of channel creation, activity level, and social engineering techniques. The results show that most channels post a small number of videos in a short period, and many channels were created more than a year ago and may have been stolen by attackers for posting malicious videos.

3. **What are the characteristics of MalTube videos?** Researchers analyze in detail the content, presentation methods, and interaction metrics of MalTube videos to understand how these videos are optimized to attract and retain viewers' attention. Videos usually contain multilingual keywords, emojis, and eye-catching thumbnails to improve search visibility and user engagement.

4. **What is the infrastructure that supports MalTube operations?** Researchers track the URLs promoted in the videos, map the attackers' network structure, and reveal the web domains, hosting services, and back-end systems used to distribute and control malware. This helps to understand the operational mechanisms and technical means behind the attacks.

To solve these problems, the researchers develop a monitoring system called **VIPER** for detecting, monitoring, and analyzing MalTube activities. Through four months of data collection and the analysis of 14,363 videos, 8,671 related channels, and 1,269 unique fully qualified domain names (FQDNs), they propose a series of detection and mitigation strategies against MalTube threats.

### Summary

The core problem of this paper is to reveal the ecosystem of MalTube attacks, the attackers' target user groups, and the deception techniques they use through systematic research and analysis, and to propose effective countermeasures to protect users from such malware.
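The summary lists the invariant signals the paper builds its detection strategies on: lure terms promising free premium software or cheats, a download URL in the description, emoji-heavy titles, multilingual keyword stuffing, and channels created long ago that suddenly post a handful of videos. The following Python script is an added illustration of how a platform-side triage rule could combine those signals; it is not VIPER's code, which the page does not reproduce. The record fields, thresholds, lure-term list and the two sample records are assumptions constructed for the example.

```python
"""Heuristic triage of video metadata for MalTube-style lures.

Added illustration, not the paper's VIPER implementation. Every signal
below maps to a characteristic named in the summary; the exact thresholds
and the metadata fields are assumptions.
"""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timedelta

# Terms that advertise free premium software or game cheats (constructed list).
LURE_TERMS = re.compile(
    r"\b(free|crack(?:ed)?|cheats?|keygen|aimbot|hacks?)\b", re.IGNORECASE
)
URL_RE = re.compile(r"https?://\S+")


@dataclass
class VideoRecord:
    """Minimal metadata a collector could retain; field names are assumptions."""
    title: str
    description: str
    published: datetime
    channel_created: datetime
    channel_video_count: int        # total uploads on the channel
    channel_uploads_last_30d: int   # uploads in the 30 days before `published`


def emoji_count(text: str) -> int:
    """Count characters in Unicode category So, where most emoticons live."""
    return sum(1 for ch in text if unicodedata.category(ch) == "So")


def script_count(text: str) -> int:
    """Approximate the number of writing systems by the first word of each
    alphabetic character's Unicode name (LATIN, CYRILLIC, CJK, ...)."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            if name:
                scripts.add(name.split()[0])
    return len(scripts)


def triage(video: VideoRecord) -> tuple[int, list[str]]:
    """Return (score, reasons): one point per signal that fires."""
    reasons: list[str] = []
    text = f"{video.title} {video.description}"

    has_lure = bool(LURE_TERMS.search(text))
    if has_lure:
        reasons.append("lure_terms")
    # A lure plus an off-platform link is the core of the infection vector.
    if has_lure and URL_RE.search(video.description):
        reasons.append("download_link_with_lure")
    if emoji_count(video.title) >= 2:
        reasons.append("emoji_heavy_title")
    if script_count(text) >= 3:
        reasons.append("multilingual_keywords")
    # Old channel, few videos, all of them recent: the "stolen channel" pattern.
    channel_age = video.published - video.channel_created
    if (channel_age > timedelta(days=365)
            and video.channel_video_count <= 5
            and video.channel_uploads_last_30d >= video.channel_video_count):
        reasons.append("dormant_channel_burst")
    return len(reasons), reasons


def verdict(score: int) -> str:
    """Three or more signals is enough to queue the video for human review."""
    return "review" if score >= 3 else "low"


# Constructed sample records (example.invalid is a reserved, non-resolving domain).
SUSPICIOUS = VideoRecord(
    title="🔥 FREE Adobe Photoshop 2024 CRACK 🔥 бесплатно 無料",
    description="Download now: https://example.invalid/ps-free-2024",
    published=datetime(2024, 5, 1),
    channel_created=datetime(2022, 1, 10),
    channel_video_count=3,
    channel_uploads_last_30d=3,
)
BENIGN = VideoRecord(
    title="How to set up a Python virtual environment",
    description="Docs: https://docs.python.org/3/library/venv.html",
    published=datetime(2024, 5, 1),
    channel_created=datetime(2021, 3, 1),
    channel_video_count=120,
    channel_uploads_last_30d=4,
)

if __name__ == "__main__":
    for rec in (SUSPICIOUS, BENIGN):
        score, why = triage(rec)
        print(f"{verdict(score):6} score={score} {why} :: {rec.title}")
```

Each reason is kept alongside the score so an analyst can see which of the paper's characteristics fired; a production rule would tune the thresholds on labelled data rather than use the constructed values here.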