Who's got a hate-on for youtubedown?

In the last 8 hours, I've had 300,000 (!) downloads of youtubedown, from 65,000 unique IPs, mostly in Mexico, Japan and Brazil, all with the same fake-assed user agent, "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36".

Is there some botnet that tries to install youtubedown as a part of its exploit? Or what?

Why would you even do this? What is going on? If this is an attempted DDoS against me in particular, it doesn't even make sense!

Previously, previously.


29 Responses:

  1. Perry Metzger says:

    At least you can block based on the user agent string. Stupid crud like this often isn't that easy to shrug off.

    And yah, I never cease to be amazed at the weird things that happen on the internet. For example, I regularly have automated attempts to subscribe large numbers of non-existent addresses to some mailing lists I run. (These fail because no one can reply to the magic cookie that gets generated by the subscribe request.) I have no idea what motivates this -- it isn't a denial of service, and it seemingly serves no other purpose either. I could name several other weird, inexplicable automated interactions that simply make no sense even though they're clearly attacks of some sort.

    • jwz says:

      The reason we will be unable to fight Skynet is that its motivations will be completely incomprehensible, not nearly so prosaic as "destroy all humans".

  2. halibetlector says:

    Maybe somebody's trying to use a botnet to download all of youtube.

  3. patrick says:

    Feral bots.

  4. hmp says:

    Why do you think that's a fake user agent? I think that's Chrome 41.0.2226.0.

    • jwz says:

      You are wrong because it does not include the word "Chrome" anywhere.

    • Phil says:

      The fact that they are all identical suggests fakery. It seems unlikely that 300,000 legitimate users happened to all be using the exact same browser.

    • MattyJ says:

      Questioning jwz about browser knowledge is second only to questioning Marc Andreessen about browser knowledge, as far as mistakes go.
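    The two tells in this thread (one user agent shared across a flood of distinct IPs, and a WebKit string that never names Chrome or Safari) can be checked mechanically against an access log. This is an added example, not code from the post or its comments; the log lines are constructed in combined log format, with only the quoted user agent taken from the post.

    ```python
    import re
    from collections import defaultdict

    # Combined-log-format line: host ident user [time] "request" status bytes "referer" "user-agent"
    LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

    # The exact string quoted in the post; every other UA and address below is constructed.
    SUSPECT_UA = "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36"
    SAMPLE_LOG = """\
    203.0.113.7 - - [01/Mar/2015:10:00:01 -0800] "GET /hacks/youtubedown HTTP/1.1" 200 81234 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36"
    203.0.113.8 - - [01/Mar/2015:10:00:01 -0800] "GET /hacks/youtubedown HTTP/1.1" 200 81234 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36"
    198.51.100.2 - - [01/Mar/2015:10:00:02 -0800] "GET /hacks/youtubedown HTTP/1.1" 200 81234 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36"
    198.51.100.2 - - [01/Mar/2015:10:00:03 -0800] "GET /hacks/youtubedown HTTP/1.1" 200 81234 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36"
    192.0.2.10 - - [01/Mar/2015:10:00:04 -0800] "GET /hacks/youtubedown HTTP/1.1" 200 81234 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36"
    192.0.2.11 - - [01/Mar/2015:10:00:05 -0800] "GET /hacks/youtubedown HTTP/1.1" 200 81234 "-" "curl/7.38.0"
    """

    def looks_truncated_webkit(ua):
        """A real WebKit browser names Chrome or Safari (or both) after the engine
        token; a string that stops at AppleWebKit/NNN is the tell jwz pointed at."""
        return "AppleWebKit/" in ua and not ("Chrome/" in ua or "Safari/" in ua)

    def summarize(log_text):
        """Return {ua: (requests, unique_ips, truncated_flag)} for every UA in the log."""
        hits = defaultdict(lambda: [0, set()])
        for line in log_text.splitlines():
            m = LOG_RE.match(line)
            if not m:
                continue  # not combined log format; skip rather than guess
            ip, ua = m.groups()
            hits[ua][0] += 1
            hits[ua][1].add(ip)
        return {ua: (n, len(ips), looks_truncated_webkit(ua)) for ua, (n, ips) in hits.items()}

    def flag_suspects(log_text, min_ips=2):
        """UAs seen from at least min_ips distinct addresses *and* missing the browser token.
        Two is a demo threshold for the tiny sample; the post's 65,000 IPs clear any sane value."""
        return sorted(ua for ua, (n, ips, trunc) in summarize(log_text).items()
                      if trunc and ips >= min_ips)

    if __name__ == "__main__":
        for ua, (n, ips, trunc) in summarize(SAMPLE_LOG).items():
            print(f"{n:4d} reqs {ips:3d} ips {'SUSPECT' if trunc else 'ok':7s} {ua}")
    ```

    The flagged string is what a user-agent block rule (as suggested in the first comment) would match on; the per-IP count is what distinguishes a botnet from one misconfigured client retrying.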

  5. MrMoontower says:

    Maybe they think that by downloading it sufficiently many times, they'll use it all up.

  6. Daniel Marsh says:

    Could it be that the botnet pretends to watch Youtube videos in order to participate in ad revenue sharing or some-such? Or to trigger some sort of metric within Youtube that judges video popularity and thus suggests a certain channel's videos on the main Youtube page?

    • Nate says:

      This seems plausible to me. Someone's install script happens to directly reference your site, and they launched a bunch of VMs that went to install youtubedown before trying to use it to increase the number of views on some videos they want to promote.

      You should do the equivalent of a script Goatse, feeding them a custom youtubedown that only plays Rickroll videos or whatever despite the command line args.

      http://ascii.textfiles.com/archives/1011

    • margaret says:

      point it at a video you sell advertising on. make it about a 1/10 second clip to maximize plays.

    • Louis says:

      Do the video downloads count as watching the video? I would expect that the viewer engine in the browser sends some Javascript data to their tracking server ("User xyz started watching video. Paused the video. Skipped to 4:32. Watched the video until the end"), instead of relying on what bits actually got downloaded.

      Maybe it's a fancy ransomware that disables the internet, but wants to show their users a video of how to pay the ransom, so they need to download the video beforehand.

  7. nooj says:

    No, they're trying to download "youtube-urns." "You, too, Burns!" They're cheering for you, sir!

  8. Adam says:

    Creativity challenge: what would be the most fun to change the script to do, assuming that the bots run the script after download?

    Who would have thought, a botnet taken over youtubedown...

  9. Christof says:

    Just pretend it is really popular software and sell it to someone.

  10. JR says:

    The thing I can't get past is the "download YTD" step. If someone wanted to include YTD in their software why not just roll it in at build-time?

    - Could it be an app that is just YTD re-packaged/re-branded with an ad frame?
    - Could it be handling large file transfers using YouTube for free hosting, and hiding something in the MP4s that are hosted? (But why use a site as tightly-controlled as YouTube? Why not some backwater porn site? And wouldn't any steganographic content be mangled by YouTube's conversion / transcoding?)
    - I like Daniel Marsh's idea, but why use YTD and not just script a browser action using Selenium or similar?

    • James says:

      Maybe they want to be sure they're on a net where YTD isn't blocked, as I imagine that could be a corporate/school filtering thing that would frustrate botnet operation, while downloading YTD might not raise any red flags.

    • William says:

      YTD is frequently updated, the bot needs to make sure it gets the latest one so it will actually work.

      YTD - another cool hack weaponized in support of fraud.

    • freiheit says:

      Maybe it's a Docker or similar kind of "container" thing. With that, you don't distribute a giant binary image, you distribute a tiny makefile-esque thing (that probably pulls in a host of other makefile-esque things recursively) and build the container from that every time. (There are other bits, but that's the real heart of the distributed images.) When you watch that particular sausage being made, it installs Ubuntu or Debian or CentOS, and then proceeds to install all the other things.

      If somebody were distributing a Docker image that did some sort of something with YTD, each build of a container from the image would download YTD.

  11. db48x says:

    Sorry, I just really, really needed to watch a video.

  12. Gabriel says:

    Pasted into the wrong buffer and didn't spot-check before deployment.

    I heard some malware has support phone numbers with helpful agents now -- maybe if someone IDs the source you can file a bug report? They're probably more transparent than Apple.

  13. Eduardo says:

    That's very weird. The only reason I would ever do something like that is to hide a few shifty moves in the middle. Like you're probably not going to notice an actual hack of your stuff right now, you're too busy with these 300k requests to even notice it!
