Jan 132013

Free YouTube Downloader

I noticed this morning when publishing a new WordPress post that it contained a link to “Free YouTube Downloader” that I had not placed When I investigated some more I found more Free YouTube Downloader links in various fields, attempting to hide itself by also inserting about a dozen linefeeds first so that the field looks empty unless you scroll way down.

I had just written a post last night and this rogue url was not inserted anywhere in the post. MY first I suspicion was that a virus had infected my computer or possibly my WordPress code. Microsoft Security Essentials found nothing on my computer and my WordPress virus plugin had not detected any new code.

I decided to eliminate a possibility and started up Firefox to edit the post. Interestingly, the Free YouTube Downloader rogue url was not anywhere to be seen. I went back and edited the post using Chrome and the rogue url inserted itself again.

Web Video Downloader 2.2

Having isolated the problem to the Google Chrome Browser, I turned off all the browser extensions to see if one of them was the culprit. Sure enough, the problem was gone, so I turned the extensions back on in groups till the problem reappeared then isolated it to a single extension, Web Video Downloader, which probably should have been my first guess. I have had this plugin installed for quite a while though not sure what I ever actually used it for. It is interesting that it would wait so long to deliver its malicious payload. Just remember to disable/remove the extension on each of your computers! I didn’t think about it and after fixing it on one computer found the problem occurring on my other machine. duh!

The extensions website link from the Chrome Browser Extension page reported that the extension had been removed by its author. Sure wish Chrome would let the user know when an active plugin is removed. Only thing I can assume is that this extension got updated with some bad code inserted

Here is the link that was inserted into my WordPress blog fields:
  http://download.cnet.com /Free-Youtube-Downloader-Pro/3000-2071_4-75329731.html
When I searched Google for the string “3000-2071_4-75329731” I found a number of other sites with this same link, so I am not alone.