The BitTorrent Auto-installs
by Chris Boyd, Wayne Porter
Background: June, 2005...
Chris Boyd discovered that the first major payloads of Adware via BitTorrent forums had arrived, and were carrying Aurora as an added bonus. Aurora, created by Direct Revenue, had caused endless infections across security forums, but none of the victims had any URLs that the infections might be launching from. The reason was that the Adware vendors had partnered with a P2P distribution company to push their software through BitTorrent channels.
The distributions were eventually pulled, because this particular campaign had clearly spiralled out of control - though there would be a few more "BitTorrent campaigns", nothing would follow on the same scale or ambition. However, the stage was set for more BitTorrent madness. It was just a question of when, and how...
The first Rootkit in Instant Messaging land was discovered, and upon further investigation was traced back to a group operating out of the Middle East, using the Rootkits to power their globe-spanning Botnet. Information was passed to the FBI and other Federal Authorities, and the group behind this attack was monitored.
As the investigations into the Middle East based rootkit group continued, we discovered that they were auto-installing what appeared to be a "tampered with" version of BitTorrent onto infected end-users' PCs. MD5 signatures did not match those of valid versions of BitTorrent, though as BitTorrent is open source and there are numerous clients out there, it is impossible to say if every version has been looked at. Below is a small snapshot of some of the files auto-installed:
Auto-installing without permission is not a typical behaviour for BitTorrent!
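The MD5 comparison described above is the check a responder would script: hash each dropped binary and compare it against vendor-published digests, treating "no match" as "needs review" rather than "malicious", since, as noted, many legitimate client builds exist. The following is an added example, not code from the original article; the file name btclient.exe and the reference table are constructed (the digests are those of the bytes b"abc", standing in for a real release hash).

```python
import hashlib
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Reference digests for client binaries you expect on a managed host.
# Constructed for this example: "btclient.exe" is a hypothetical file name and
# the digests are md5/sha256 of the literal bytes b"abc".
KNOWN_GOOD: Dict[str, Dict[str, str]] = {
    "btclient.exe": {
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    },
}

def digests(data: bytes) -> Dict[str, str]:
    """MD5 (what the 2005 comparison used) and SHA-256 (what to use today)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def classify(name: str, data: bytes) -> str:
    """'verified': every tracked digest matches the reference.
    'mismatch': a name we track but bytes we do not; a tampered build or an
                unlisted release, so it is pulled for analysis, not auto-labelled.
    'unknown':  no reference at all (the 'numerous clients' caveat)."""
    ref = KNOWN_GOOD.get(name.lower())
    if ref is None:
        return "unknown"
    got = digests(data)
    return "verified" if all(got[alg] == ref[alg] for alg in ref) else "mismatch"

def classify_path(path: str) -> str:
    """Convenience wrapper for a file on disk."""
    p = Path(path)
    return classify(p.name, p.read_bytes())

def triage(inventory: Iterable[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Bucket (file name, contents) pairs by verdict for the IR worklist."""
    buckets: Dict[str, List[str]] = {"verified": [], "mismatch": [], "unknown": []}
    for name, data in inventory:
        buckets[classify(name, data)].append(name)
    return buckets

if __name__ == "__main__":
    # Constructed inventory: genuine copy, one-byte modification, unreferenced file.
    sample = [("btclient.exe", b"abc"), ("BTCLIENT.EXE", b"abd"), ("lockx.exe", b"xyz")]
    for verdict, names in triage(sample).items():
        print(f"{verdict:9s} {names}")
```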
What is BitTorrent?
BitTorrent is both the protocol and the name of the peer-to-peer (P2P) file distribution application, which makes it possible to distribute files without the corresponding massive consumption of bandwidth and server resources.
It is hard to say at this point - they abandoned this tactic shortly after, for more experiments with recompiled Rootkits such as variants of the FURootkit and a number of other infections.
What we do know is that on a number of infected machines, they downloaded .AVI files of movies onto the compromised boxes. The slightly odd collection of films was various Disney cartoons and the Mr Bean movie. No more films were installed onto PCs after this - however the technique (and, we must assume, the tampered-with versions of BitTorrent) are still at large.
We have not seen this kind of attack initiated before - and for now, you would need to have been infected with the lockx.exe rootkit for the group to channel these movie files (and install the BitTorrent client) onto the PC. Nonetheless, it is clear that this tactic could be employed for far more devious means, and (no doubt) more and more hacking groups will try to manipulate this technology for their own ends in 2006. The potential for trouble with groups such as the RIAA, where (what they will see as) pirated material is stored on the compromised PC, is clear - will they be interested in whether or not the individual had been hacked at the outset? Or can we expect to see even more aggressive legal angles pursued in future? Time will tell...
This article is Copyright © 2021 by FaceTime Communications, Inc. This article may not be resold, reprinted, or redistributed for compensation of any kind without prior written permission from FaceTime Communications, Inc. For reprint or media inquiries please contact us with the phrase "Spyware Guide Articles" in the subject line and we will be happy to assist you. Links to this article from other websites are appreciated and encouraged. Users are also encouraged to utilize our RSS system to provide unique content and extracts for their site.