This story is over 5 years old.

The Worst YouTube Comments Ever Were Actually Used to Control Malware

Seemingly nonsense comments hide the IP addresses of the malware's command and control servers.
​Image: Michal Ludw​iczak/Shutterstock

​Sometimes, seemingly spammy nonsense YouTube comments can hide something much more meaningful, and malicious, than it could appear at first glance.

The group behind a trojan virus that targets both Windows and Mac computers, known as Janic​ab, is using seemingly nonsense YouTube comments to control the malware once it has infected a victim, according to a new blog p​ost by security firm F-Secure.

Some of the comments, for example, are posted in an empty YouTube video uploaded by someone nicknamed Gringo Baggins.


An example of a video on Youtube that the Janicab malware uses for communication. — Mikko Hypponen (@mikko)April 22, 2015

At first glance, the comments, which can also be found on a few Goo​gle Plus pages, seem like harmless spam.

"our 49741276945318th psy anniversary," reads one of them.

But those numbers actually hide the IP addresses for the command and control servers used by Janicab's operators. These servers are used to receive the data that the malware siphons off from the victims' computers. The malware is programmed to automatically connect to YouTube and convert the string of numbers into a real IP address, and then use it to send the stolen data back to the operators, according to F-Secure.

That's a neat way of hiding the IP addresses to casual observers, and a good way to make the infrastructure of your malware operation more resilient, since YouTube videos don't easily get taken down if they're not flagrantly against the terms of service. (A YouTube spokesperson did not answer to a request for comment.)

Once a trick like this is exposed though, it might be taken down fast.

"It's a trade-off, such big websites can be very reliable [command and control] channels," Joan Calvet, a researcher from anti-virus maker ESET, told Motherboard. "But at the same time they have people that will rapidly react and—hopefully—remove your page."

This is not the first time cybercriminals piggybacked on mainstream social media sites to control their malware. In 2013, researchers exp​osed a malware campaign named MiniDuke, which used fake Twitter accounts posting seemingly random strings of characters that were hiding URLs used to reach command and control servers.

In that case, Twitter promptly suspended the accounts used by the cybercriminals.