SpywareGuide powered by FaceTime Security Labs

The BitTorrent Auto-installs

by Chris Boyd, Wayne Porter

Background: June, 2005...

Chris Boyd discovered that the first major payloads of Adware via BitTorrent forums had arrived, and were carrying Aurora as an added bonus. Aurora, created by Direct Revenue, had caused endless infections across security forums, but none of the victims had any URLs that the infections might be launching from. The reason was that the Adware vendors had partnered with a P2P distribution company to push their software through BitTorrent channels.

The distributions were eventually pulled because this particular campaign had clearly spiralled out of control. There would be a few more "BitTorrent campaigns", but nothing would follow on the same scale or with the same ambition. However, the stage was set for more BitTorrent madness. It was just a question of when, and how...

Present Day:

The first Rootkit in Instant Messaging land was discovered and, upon further investigation, was traced back to a group operating out of the Middle East, using the Rootkits to power their Globe-spanning Botnet. Information was passed to the FBI and other Federal Authorities, and the group behind this attack was monitored.

As the investigations into the Middle East based rootkit group continued, we discovered that they were auto-installing what appeared to be a "tampered with" version of BitTorrent onto infected end-users' PCs. MD5 signatures did not match those of valid versions of BitTorrent, though as BitTorrent is open source and there are numerous clients out there, it is impossible to say whether every version has been looked at. Below is a small snapshot of some of the files auto-installed:

[Screenshot: snapshot of the BitTorrent files auto-installed]

Auto-installing without permission is not a typical behaviour for BitTorrent!
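The check described above (hashing the installed files and comparing them against the hashes of a known-good build) is something any incident responder can script. The following is an added example, not code from the article or from the BitTorrent project: it builds a manifest of a clean install directory, then verifies a second directory against it, reporting files that were modified, files that went missing and files that were added. All file names and contents here are constructed for the demonstration. The article used MD5; the example defaults to SHA-256 because MD5 collisions are practical today, but the algorithm is a parameter so an MD5 manifest from an older source can still be checked.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Return the hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, algo: str = "sha256") -> dict:
    """Map every file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p, algo)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_install(root: Path, manifest: dict, algo: str = "sha256") -> dict:
    """Compare an install directory against a known-good manifest.

    Returns four sorted lists: files whose digest matches, files whose digest
    differs (tampered or different build), files the manifest expects but are
    absent, and files present that the manifest knows nothing about.
    """
    actual = build_manifest(root, algo)
    return {
        "ok": sorted(p for p in manifest if actual.get(p) == manifest[p]),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in actual),
        "unexpected": sorted(p for p in actual if p not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: a clean client install, then a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        clean.mkdir()
        # Hypothetical file names and contents standing in for a real client build.
        (clean / "bt-client.exe").write_bytes(b"MZ clean client bytes")
        (clean / "bt-helper.dll").write_bytes(b"MZ clean helper bytes")
        (clean / "readme.txt").write_bytes(b"release notes")
        manifest = build_manifest(clean)

        suspect = Path(tmp) / "suspect"
        suspect.mkdir()
        # Same helper, patched client, readme removed, and an extra file dropped in.
        (suspect / "bt-helper.dll").write_bytes(b"MZ clean helper bytes")
        (suspect / "bt-client.exe").write_bytes(b"MZ patched client bytes")
        (suspect / "movie.avi").write_bytes(b"RIFF not really a movie")
        return verify_install(suspect, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:10s} {files}")
```

In practice the manifest would come from a download of the vendor's release that you hashed yourself (or from the vendor's published checksums), and the "suspect" directory is the install found on the compromised machine. An unexpected file list that contains media files, as in the case above, is as much a finding as a modified executable.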

What is BitTorrent?

BitTorrent is both the protocol and the name of the peer-to-peer (P2P) file distribution application; it makes it possible to distribute files without the corresponding massive consumption of bandwidth and server resources.

Intentions?

It is hard to say at this point - they abandoned this tactic shortly after, for more experiments with recompiled Rootkits such as variants of the FURootkit and a number of other infections.

What we do know is that on a number of infected machines, they downloaded .AVI files of movies onto the compromised boxes. The slightly odd collection of films consisted of various Disney cartoons and the Mr Bean movie. No more films were installed onto PCs after this - however, the technique (and, we must assume, the tampered-with versions of BitTorrent) are still at large.

We have not seen this kind of attack initiated before - and for now, you would need to have been infected with the lockx.exe rootkit for the group to channel these movie files (and install the BitTorrent client) onto the PC. Nonetheless, it is clear that this tactic could be employed for far more devious means, and (no doubt) more and more hacking groups will try to manipulate this technology for their own ends in 2006. The potential for trouble with groups such as the RIAA, where (what they will see as) pirated material is stored on the compromised PC, is clear - will they be interested in whether or not the individual had been hacked at the outset? Or can we expect to see even more aggressive legal angles pursued in future? Time will tell...

Unless otherwise noted this article is Copyright © 2017 by FaceTime Communications, Inc. This article may not be resold, reprinted, or redistributed for compensation of any kind without prior written permission from FaceTime Communications, Inc. For reprint or media inquires please contact us with the phrase "Spyware Guide Articles" in the subject line and we will by happy to assist you. Links to this article from other websites are appreciated and encouraged. Users are also encouraged to utilize our RSS system to provide unique content and extracts for their site.


