Thread: cws youtube problem

  1. #1
    Registered User kryptkat's Avatar
    Join Date
    Dec 2002
    Posts
    638

    cws youtube problem

    when i tried to watch a video pyoutube displayed this message. "it is restricted playback on certain sites" underneath a link "watch on pyoutube" when i opened the link it came back to the same dang page. arrgh. so i downloaded the page as text. opened it. as the file type identifier it had "cws" but wotsit says .cws is " MgForex/ForexNews Charts workspace (*.CWS) and single charts (*.CHA)" meow.

    i believe the file is a shockwaveflash variant. that should contain a link to the real video. the link to the other swf file did not work on wotsit.

    what is pyoutube doing now ? more info on the cws please. or the only thing i can think of is

    CoolWebSearch - Wikipedia, the free encyclopedia spyware.

  2. #2
    Registered User
    Join Date
    Sep 2004
    Posts
    124
    CoolWebSearch is considered to be quite an old malware now - you don't really hear of it much in the anti-malware community nowadays. It never used a file extension of .cws, so it's unlikely to be relevant anyway.
    In its day, it was quite vicious: http://www.pieter-arntz.info/cwschronicles.html. A utility called CWShredder routinely dealt with it, and was updated as each new variant appeared. Again, you hardly ever hear of this utility nowadays.

    But it raises a point: if the video you're trying to watch demands you download a codec you've never heard of before, then chances are it'll contain (or be) malware.
    Last edited by Driver; 05-19-2010 at 06:00 AM.
    I think you can put a signature here.

  3. #3
    Registered User jeffcobb's Avatar
    Join Date
    Dec 2009
    Location
    Henderson, NV
    Posts
    875
    Now that almost anyone (on any platform) can play YouTube stuff, the YouTube PTB might be trying to set up a private reserve of exclusivity so that only approved "partner" sites can play some or all of the videos. What might be a hack is what we Linux folks have had to do for a long time with IE-only websites: spoof your address to be one on the approved list. In the IE case it was more about fibbing to the other end that we were running IE (when there was no good technical reason for the limitation). How to suss out what an approved address is is a task for after more coffee. One test might be to test one that fails in pyoutube in a browser; if that works then the address limitation may not be in play and it may be a case of spoofing what you are using to view the video with. IOW make pyoutube seem like it is a browser to the other end. You could use something like tcpdump or Wireshark on Linux to capture the data stream when using a browser; we had to do that when we were trying to write a slim driver to interact with Facebook (major PITA to log onto back in the day) to trap what data/commands were being sent back and forth when using a browser...
    C/C++ Environment: GNU CC/Emacs
    Make system: CMake
    Debuggers: Valgrind/GDB

  4. #4
    Registered User kryptkat's Avatar
    Join Date
    Dec 2002
    Posts
    638
    thank you for the responses i highly appreciate them.

    let me explain a little better <i hope> of what i did or tried. ok like looked like a normal youtube.com link like YouTube - Broadcast Yourself. . before when i clicked a link like that it would play the video. bring it up first then press ">" play button and it would play. now same type link i just get error messages.

    or before i would just send a request for the video without clicking the link. the file would download. with notepad i would open it and the file type header would be "flv" so with the file then saved as a dot flv ".flv" extension. i would use an flv player to watch the video. <from this computer after it was downloaded> and not streaming <live>. usually the file type header <the first few characters in the file> would match the file extension <dot file extension> ie .flv

    now when i send the request for the .flv file only .... i get the file that contains the cws in the first few characters in the file. some links will try to change out your player <the embedded swf player in the browser> as i have seen before. usually they can be spotted with links that contain "?&player=" something like that in the links. which i avoid and request the server the flv file directly with one of several progs that i have that is capable of receiving a file to disk. when i now send the request for the flv file i get the cws file instead of the flv file. now pretty much any video i try to get i get the same cws file type.

    here is the youtube page source view. part of it. some info removed.

    Code:
       <!DOCTYPE html>
    <html lang="en" dir="abc">
    <!-- machid: abcd123abcd -->
    <head>
    				<script>
    			var yt = yt || {};
    			yt.timing = yt.timing || {};
    			yt.timing.cookieName = 'VISITOR_INFO1_LIVE';
    			yt.timing.timer = {};
    				yt.timing.experiment = '312513';
    				yt.timing.wff = true;
    			yt.timing.tick = function(label) {
    				yt.timing.timer[label] = new Date().getTime();
    			};
    		
    			yt.timing.tick('start');
    			
    			try {
    				yt.timing.pt = window.gtbExternal && window.gtbExternal.pageT() ||
    							window.external && window.external.pageT;
    			} catch(e) {}
    			if (navigator.userAgent.toLowerCase().indexOf('chrome') > -1) {
    				yt.timing.pt = window.chrome && window.chrome.csi && Math.floor(window.chrome.csi().pageT);
    			}
    		</script>
    
    		<script>
    			var yt = yt || {};
    			yt.preload = {};
    			yt.preload.start = function() {
    				var img = new Image();
    				yt.preload.videoConnection = img;
    				img.onload = img.onerror = function () {
    					delete yt.preload.videoConnection;
    				};
    				img.src = ...
    				img = null;
    			};
    			yt.preload.start();
    		</script>
    
    		<title>
    		YouTube
    				
    	</title>
    
    				<link id="www-core-css" rel="stylesheet" href="http://s.ytimg.com/yt/cssbin/www-core-vfl331573.css">
    ok have not seen the timing thing before. here it is again.
    Code:
    		<script>
    		var gYouTubePlayerReady = false;
    		if (!window['onYouTubePlayerReady']) {
    			window['onYouTubePlayerReady'] = function() {
    				gYouTubePlayerReady = true;
    			};
    		}
    	</script>
    				<script>
    			if (window.yt.timing) {
    				yt.timing.tick('ct');
    			}
    		</script>
    this is from a page containing a video. but it displays outdated browser error. again with the timing script
    Code:
     		</div>
    
    	<!-- end contenttop section -->
    	<div id="watch-video-container">
    		<div id="watch-video" class="deprecated-browser ">
    					<script>
    			if (window.yt.timing) {
    				yt.timing.tick('bf');
    			}
    		</script>
    
    			<div id="watch-player" class="flash-player">
    						
    	<style type="text/css">
    #browser-upgrade-box .upgrade-message {
    			font-size: 14px;
    			width: 300px;
    		}
    #browser-upgrade-box .upgrade-message a {
    			/* Override link properties because of translation */
    			text-decoration: none !important;
    			color: black !important;
    			border-bottom: 0 !important;
    			cursor: text;
    		}
    #browser-upgrade-box .browser-links {
    			float: right;
    			text-align: center;
    			width: 545px;
    			padding-bottom: 1px;
    		}
    #browser-upgrade-box .browser-link img {
    			background-image: url(http://s.ytimg.com/yt/img/browsers-vfl.jpg);
    			width: 145px;
    			height: 50px;
    			margin-left: 8px;
    			margin-bottom: 8px;
    		}
    #browser-upgrade-box .chrome-link {
    			background-position: 0 -100px;
    		}
    #browser-upgrade-box .ie8-link {
    			background-position: 0 0;
    		}
    #browser-upgrade-box .firefox-link {
    			background-position: 0 -50px;
    		}
    #browser-upgrade-box .safari-link {
    			background-position: 0 -150px;
    		}
    #browser-upgrade-box .opera-link {
    			background-position: 0 -200px;
    		}
    #browser-upgrade-outer-box .yt-alert-content {
    			width: 90%;
    			margin: 3px 10px;
    and so on.... you get the idea. above code is from a user's page containing the video. the video never starts or is never downloaded. if a request is made for the video only <in the browser window url> it never downloads and will not allow the source to be viewed. one of the other programs that usually gets the flv file now gets a cws file instead of the flv file.

    huge security risk

    sometimes i get an "upgrade" error message. best i can tell the new player for the browsers use "yt.timing.tick('ct');" a timing tick to check for the new player. this is what i think the cws file does. and contains the true flv file name and location. this is a security risk because cws could load any malware on to your computer without your knowledge. or permission. still working on it. when it does not receive the "tick" it then displays an error message. i believe they "youtube" is trying to force everyone to upgrade to the new player. problem is that most new ware requires the computers to have the service pack 2 installed. and the "upgraded player" is not backwards compatible. plus the old browser player plays flv files fine. what they did was put a loader on to the computer instead of sending the flv file. that in itself is a trust violation. still working on it and researching. but any suggestions would help.

    installing service pack 2 is out of the question. it is a 900 mb file and i only connect at less than 46k with dial up. ugg! ....money.... more to the point void of ....money....

  5. #5
    Registered User kryptkat's Avatar
    Join Date
    Dec 2002
    Posts
    638
    Local Shared Object - Wikipedia, the free encyclopedia

    H.264/MPEG-4 AVC - Wikipedia, the free encyclopedia

    Adobe Flash Player - Wikipedia, the free encyclopedia

    YouTube - Wikipedia, the free encyclopedia

    ActionScript - Wikipedia, the free encyclopedia

    LSOs can be used by web sites to collect information on how people navigate those web sites even if people believe they've restricted the data collection.[4] More than half of the internet's top websites use LSOs to track users and store information about them.[5] There is relatively little public awareness of LSOs, and they can usually not be deleted by the cookie privacy controls in a web browser.[5] This may lead a web user to believe a computer is cleared of tracking objects, when it is not.[5]
    at the main site i get "you are using a browser we no longer support .... update browser" error popup in same page. they are trying to force a browser upgrade.

    here get the cws file for your self. request the file and save content to .txt file.
    YouTube - Mel Bartholomew - Introducing Square Foot Gardening
    open text file and you should see the first three characters of 'c' 'w' 's'.

    ok quick review of what was....

    wwwdotyoutubedotcomslashwatchquestionmarkequalsalf afileidentifierabcd123abcd request is made youtube server sends back .flv file. browser examines first three letters in file as "flv" and loads flash player and plays video. it may also store a pie or lso or flash cookie on your computer.

    downloading video for smooth play back.
    watch as many times as want without wasting bandwidth
    some good info and videos

    now it sends cws file instead of video file. this is why i do not think it is only a flash player plug in upgrade that is needed. the new browsers may respond to the cws file like activex controls. the other pages say that only one site can read the pies or lso or flash cookies but that is not true. if you can read one lso from one website another website can read any of the lsos or flash objects. i believe the cws file to be a loader meaning that it can load anything on to your computer too.

    in order to spoof or reverse engineer what is going on you have to have a working copy or working model or info of what goes on. the other option is to find out what the cws file does exactly. researching and reading.

  6. #6
    Registered User jeffcobb's Avatar
    Join Date
    Dec 2009
    Location
    Henderson, NV
    Posts
    875
    Great detective work Kat! Keep going...I know folks are going to find this useful...
    C/C++ Environment: GNU CC/Emacs
    Make system: CMake
    Debuggers: Valgrind/GDB

  7. #7
    Registered User kryptkat's Avatar
    Join Date
    Dec 2002
    Posts
    638
    i thought it might be compiled script so i put it in the turbo debugger 32 and it said that it was not a 32 bit program. then taking a close look at the cws file in a hex editor i found what looks like escape sequence codes back slash with three numbers. several of them. i ran it through caesar to see if there was anything interesting. nothing.

    if i can reverse engineer exactly what it does and how it works i then could write a plug in for the browsers to make it backwards compatible.

    i do not know if it is actually useful.... i just want to watch videos and get it working.
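
The "CWS" header discussed in this thread is the signature of a zlib-compressed SWF (Flash) file; "FWS" marks an uncompressed SWF and "FLV" a Flash video file. As an added example that is not part of the original thread, this Python code classifies a download by those magic bytes and inflates a CWS file with a size cap so it can be inspected; the function names and the sample bytes are constructed for illustration.

```python
import struct
import zlib

SWF_PACKING = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}

def identify(data: bytes) -> dict:
    """Classify a downloaded blob by its leading magic bytes."""
    if len(data) < 8:
        return {"type": "unknown"}
    magic = data[:3]
    if magic == b"FLV":
        return {"type": "flv", "version": data[3]}
    if magic in SWF_PACKING:
        # SWF header: 3-byte signature, 1-byte version, then a 4-byte
        # little-endian length of the whole file once decompressed.
        version, length = struct.unpack_from("<BI", data, 3)
        return {"type": "swf", "compression": SWF_PACKING[magic],
                "version": version, "declared_length": length}
    return {"type": "unknown"}

def inflate_swf(data: bytes, max_size: int = 64 * 1024 * 1024) -> bytes:
    """Turn a CWS blob into the equivalent uncompressed FWS bytes."""
    info = identify(data)
    if info.get("compression") != "zlib":
        raise ValueError("not a zlib-compressed (CWS) SWF")
    declared = info["declared_length"]
    if not 8 <= declared <= max_size:
        raise ValueError("implausible declared length")
    # Cap the output one byte past the declared size so an oversized or
    # hostile stream is rejected instead of exhausting memory.
    body = zlib.decompressobj().decompress(data[8:], declared - 8 + 1)
    if len(body) != declared - 8:
        raise ValueError("decompressed size does not match header")
    return b"FWS" + data[3:8] + body

# Constructed samples (not real YouTube data): a fake SWF body and an FLV header.
_BODY = b"\x00" * 32 + b"constructed sample body"
SAMPLE_CWS = (b"CWS" + bytes([9]) + struct.pack("<I", 8 + len(_BODY))
              + zlib.compress(_BODY))
SAMPLE_FLV = b"FLV\x01\x05\x00\x00\x00\x09"

if __name__ == "__main__":
    print(identify(SAMPLE_FLV))
    print(identify(SAMPLE_CWS))
    print(inflate_swf(SAMPLE_CWS)[:8])
```

The bytes after the 8-byte header of a CWS file are a zlib stream, which is why they look like noise in a hex editor and are not recognised as an executable by a debugger.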
