Can You Get a Virus from YouTube or Facebook?

Status
Not open for further replies.

jakeny

What's up everyone?

Just wondering if it's possible to get a computer virus from watching a video on YouTube or even just using a program like Facebook (two of my most used sites).

I recently had several computers get messed up, because I visited porno sites and caught some nasty viruses and will not be doing that ever again.

But what about "mainstream" sites like a YouTube or FB? Are those safe?
 
Short version: yes you can get a virus from any website, including youtube and facebook.

Detailed version:
There are a huge number of ways in which you can get infected with malware (a virus is a specific type of malware, see https://en.wikipedia.org/wiki/Malware for more details on this).

To maintain anything resembling a short (but still worth getting a drink now...) answer to this question, I'll stick to the ones that affect most people - not necessarily the most sophisticated.

Drive-by-downloads

Specifically to answer the scenario posed in the question, facebook/youtube are themselves rarely compromised. However, they do show a lot of advertisements (since that's how they earn revenue) and these ads are by nature dynamic. This leads to issues where the advert can link to a malicious website, or even dynamically download javascript to your browser which can then run whatever code it chooses to either exploit your machine directly or download malware.

There is a lot more which could be said here, but I think the most important one for most people to understand is email security, therefore see below for details on how this is the most common vector for malware infection.

Phishing email

The number one infection mechanism is still via phishing email campaigns. Phishing is a malicious form of spam. There are lots of different types of spam which range from simple advertising 'annoying' spam, to heavily targeted spear-phishing email (https://en.wikipedia.org/wiki/Phishing).
These emails typically contain one or more of the following active malicious elements:
a) attachments
b) URLs (hyperlinks)
c) embedded javascript and images

a) Attachments are fairly self-explanatory, however a common misconception is that they are only malicious if their file-extension is .exe - THIS IS NOT TRUE. The most common forms of malicious attachments are .pdf, .doc, .xls, .zip and .rar.

The first three are document formats which, when opened, rely on exploiting a vulnerability within the associated software package (typically Microsoft Office or Adobe PDF Reader). Zip and Rar are archiving formats for compressing data such that it is more efficient to send large volumes of data over networks such as the internet.

Another very common technique which all malware authors take advantage of is a default Windows setting: 'hide file extensions for known file types'. What this means is that because Windows knows what to do with a .exe file, it will transform a filename of 'cool-picture.jpg.exe' into 'cool-picture.jpg', making the user think they're looking at a picture. The obvious giveaway with this is that Windows also knows what to do with a .jpg file, so if it were really a .jpg then the filename would simply be 'cool-picture' (assuming this default is left on, see below for instructions on disabling this)

b) URLs, unlike attachments, can be used for two motives. As with attachments they can be used to directly install malware on your machine by sending you straight to a malicious or compromised website.

More commonly nowadays they are attempting to steal user credentials for other online services. It is important to remember that excluding intellectual property theft and government/political disruption, all malware is after money. Therefore, in this scenario it is a lot easier to send a million people an email appearing to be from Paypal (including the 'From:' field as this is configurable by the sender to say whatever they want) giving you some reason (they vary) as to why they need you to 'prove your account is active' and thus provide your credentials. To some people, who don't have paypal, this is obvious spam. But phishing emails of this sort range from obvious forgeries (bad grammar, spelling etc, no customer identifiable information e.g. name/account number) to very advanced and accurate imposters, using logos, signatures and real templates they've obtained from the target company (Paypal) to convince as many people to click the link and provide their details as possible.

c) embedded javascript and images can also be used to target your personal information and/or install malware on your machine. As with URLs, images can be links to other websites (it's important to remember that the text displayed by the link does not have to match what the link points to - if you hover over it WITHOUT clicking it, then the status bar at the bottom of your browser will show you what it really points to) or, more dangerously, automatically load remote content from another website in your email. This content doesn't have to be a picture at all and could be a direct download link for a piece of malware or even just a 'check-in' address to identify all users who've opened the spam email at all and not just deleted it. They can then use this information to perform more targeted attacks aimed at gathering additional information as required. Embedded javascript is able to do any of these scenarios directly, without the need to have the user render an image or click a link - but more email clients (e.g. Outlook, Thunderbird) mark email containing javascript natively as suspicious, therefore as always there is a trade-off for the spam author between using the most direct route to exploitation vs. probability of being detected.


Mitigation - If you read nothing else in this post, read this bit!

1) Don't click links in emails
2) Don't click attachments in emails
3) Disable images in emails, either from untrusted senders or completely
4) Disable 'hide file extensions for known file types' (in XP, other guides are available via google) by following these steps

If you are not expecting attachments/urls/images but you know the sender, ask them through another channel whether they sent it to you and what it's for. If their email has been compromised then it may have genuinely come from their account, but it wasn't them which did it - that way you help them know they're infected too!

Hopefully that will help more people understand how the bad guys work and therefore help them protect themselves. Safe-surfing to all!

Michael,
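
The three email elements described in the post above (attachments, links, embedded images and javascript), checked mechanically. This is an added example, not part of the original post; the extension lists, function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative, not exhaustive: types Windows runs vs. types users read as harmless.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".xls", ".txt"}

def hidden_extension(filename):
    """Name Explorer shows with 'hide extensions' on, if that name is misleading."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and "." + parts[2] in EXECUTABLE_EXTS and "." + parts[1] in DECOY_EXTS:
        return filename[: filename.rfind(".")]
    return None

class BodyAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "a":
            self._href, self._text = a.get("href") or "", []
        elif tag == "img" and urlparse(src).scheme in ("http", "https"):
            # Fetched automatically when images are enabled: the 'check-in' case.
            self.findings.append(("remote-image", src))
        elif tag == "script":
            self.findings.append(("script", src or "inline"))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        # Only link text that itself looks like a host name can contradict the href.
        shown = re.search(r"(?:https?://)?(?:www\.)?((?:[\w-]+\.)+[a-z]{2,})",
                          "".join(self._text), re.I)
        real = re.sub(r"^www\.", "", (urlparse(self._href).hostname or "").lower())
        if shown and real and shown.group(1).lower() != real:
            self.findings.append(("link-mismatch", f"{shown.group(1)} -> {real}"))
        self._href = None

def audit_email(raw):
    """Return (kind, detail) findings for one raw RFC 822 message."""
    findings = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        shown = hidden_extension(name) if name else None
        if shown:
            findings.append(("double-extension", f"{name} shown as {shown}"))
        elif not name and part.get_content_type() == "text/html":
            audit = BodyAudit()
            audit.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            findings.extend(audit.findings)
    return findings

# Constructed sample message; the .example hosts are placeholders.
SAMPLE = """\
From: "PayPal" <service@paypal.com>
Subject: Prove your account is active
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Confirm at <a href="http://paypal.account-check.example/login">www.paypal.com</a></p>
<img src="http://track.example/open.gif?id=123" width="1" height="1">
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="cool-picture.jpg.exe"

placeholder
--b1--
"""
```
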
 
Yes you can. Even though you are on Facebook, which is an https page, which means the page is secure, you can still get viruses, but not all the pages are, such as games & apps. This is the same for YouTube, but I don't think they use https, only if you are logged in with a Google account.
 
Yes indeed, if you are using the Internet without implementing proper security measures then there is a high chance that you will end up with a virus infection in your system. As mentioned above, most of the time social media websites are used by hackers/spammers to fulfill their bad motives. As users, most of us are not experts in technical terms, so most of the time we are unaware of such infections and end up having corrupted data/leaked personal data. Hence it is important to apply proper security measures on your computer before getting connected to a network. Follow basic safety measures and do keep strong virus protection software such as Immunet Plus, Kaspersky, Bitdefender, Avast, Avira, Norton etc. in your system.
 

I wouldn't be using Norton as that is a resource hog and will slow your computer down.
 
Holy smokes dude, this was awesome! I printed this thing out and highlighted some stuff to remind me. Seriously, bro, great job explaining!
 
Thanks, glad it's useful for others - no point me knowing this stuff if I don't inform people about it. I could go on for some lengths about a plethora of topics in this area, but I'm not sure of the best medium to do it in. This is what I hope to address with my website. The crucial bit is not to make the detail too time-specific such that it is out of date before I've even published it. I think there are general security behaviours (such as those mentioned previously) which would really improve everyone's internet security, so that's what I'm focusing on.
 
Drive-by-downloads

Specifically to answer the scenario posed in the question, facebook/youtube are themselves rarely compromised. However, they do show a lot of advertisements (since that's how they earn revenue) and these ads are by nature dynamic. This leads to issues where the advert can link to a malicious website, or even dynamically download javascript to your browser which can then run whatever code it chooses to either exploit your machine directly or download malware.

Hi michaelm:

I have a quick question about this red colored part. Did you mean that you can actually catch a virus or malware from a site like Facebook or Youtube by simply being on a page with ads? ....Even if I don't click that ad....are you saying that some ads can literally just start running some malicious code on your computer from simply having seen that ad (again, without clicking it)?

I ask, because I wanted to play chess and scrabble on Facebook and sometimes there are ads (but I never click them). And, similarly, sometimes when I watch YouTube videos there are ads, but I never click on them either.

Thanks so much!!!
 
Partly yes, partly no. You should be careful to differentiate between virus, malware and "malicious code" though.

A virus, by definition, requires user interaction to actually execute (e.g. an attachment on an email must be opened, simply viewing the email does not result in infection) - hence you cannot get a virus (directly) by simply viewing an ad on a page.

Malware is a very generic term, and a virus is a type of malware along with trojans, worms, ransomware and rootkits (not an exhaustive list) and the same rule applies to these in terms of direct infection from an ad.

Malicious code is another category altogether. Often on web pages this is javascript, flash or other technology which is executed in the end-user's browser, rather than something like php which is executed server-side. Since ads are almost always dynamically retrieved from a third-party, in these scenarios the website doesn't know what content you're being served. The following explains this in more detail:

1) You request a page from the first-party site (i.e. youtube/facebook)
2) The first-party site responds and includes references to a third-party which is the ad provider (e.g. doubleclick.net)
3) You then request the object(s) from the third-party site as required
4) If the third-party provider has been compromised (or are themselves malicious) then the actual content of what they reply with is untrusted
5) This content can be malicious javascript/flash etc. which can either exploit a known vulnerability in software installed on your computer (browser, adobe flash player etc.) or even make a subsequent connection to a more persistent malicious domain and retrieve an executable file - this can be any form of malware mentioned previously

However, there is in fact a technique to minimise the risk to the end-user which Google use extensively and Facebook partially (that I'm aware of). Google docs and search actually obtain the third-party content dynamically themselves on your behalf. This is then analysed in a rudimentary fashion and, if deemed safe, sent by Google to the end-user. This way the end-user never has to connect to a third-party directly and doesn't present the aforementioned opportunity for exploitation. Facebook does a similar thing by requiring ad companies to submit their ads to facebook, with associated keywords for their target audience, which facebook then delivers to its users. This again avoids direct third-party connections being created.

So ironically Youtube (assuming Google applies the technique above to this service also) and Facebook ads probably aren't as likely to be malicious as others', but still best avoided using firefox plugins like noscript, adblockplus and ghostery.

As you can see, there is rarely a 'yes/no' answer in these areas, which is why it is so difficult for security software to protect people who don't understand how to browse the web safely and what should/shouldn't happen when you're passively reading a webpage.

Apologies for the essay response, but I try to avoid over-simplifying an answer to the extent that it leaves the audience with the wrong impression.
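
Steps 1 to 3 of the reply above, seen from the page side: which hosts other than the first party a page asks the browser to load executable content from. This is an added example, not part of the original post; the page URL, the markup and the two-label "same site" rule are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose referenced content runs or renders inside the visitor's browser,
# mapped to the attribute that carries the URL.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


def site(host):
    """Crude same-site key (last two labels). Assumption for this sketch only;
    a production check should use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = site(urlparse(page_url).hostname)
        self.third_party = {}  # host -> list of tags that load from it

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        ref = dict(attrs).get(attr) if attr else None
        if not ref:
            return
        # Resolve relative and protocol-relative references against the page URL.
        host = urlparse(urljoin(self.page_url, ref)).hostname
        if host and site(host) != self.first_party:
            self.third_party.setdefault(host, []).append(tag)


def third_party_active_content(page_url, html):
    """Map each third-party host to the active tags the page loads from it."""
    audit = ThirdPartyAudit(page_url)
    audit.feed(html)
    return audit.third_party


# Constructed first-party page that embeds an ad network and a widget host.
PAGE_URL = "https://videos.example/watch?v=1"
PAGE = """<html><head>
<script src="/static/player.js"></script>
<script src="https://cdn.videos.example/lib.js"></script>
<script src="//ads.adnetwork.example/serve.js"></script>
</head><body>
<iframe src="https://ads.adnetwork.example/slot/300x250"></iframe>
<object data="https://media.widgets.example/banner.swf"></object>
<img src="https://images.other.example/logo.png">
</body></html>"""

if __name__ == "__main__":
    for host, tags in third_party_active_content(PAGE_URL, PAGE).items():
        print(host, tags)
```

Every host in the result is one whose responses the first-party site does not control, which is the trust gap steps 4 and 5 describe and what script and ad blockers cut off.
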
 
Hello,

How are you doing? Referring to Youtube music, I think I still need some more data about the threats of malware. So, if I log into Youtube with a Google account, I will be fine to play music there? Or, generally fine? I always run Norton Anti-virus and while I pick up maybe 30 threats, none are too serious. One of my family members is concerned, though, about playing the music. Your thoughts? Thanks.

