
The BitTorrent Auto-installs

by Chris Boyd, Wayne Porter

Background: June, 2005...

Chris Boyd discovered that the first major payloads of Adware via BitTorrent forums had arrived, and were carrying Aurora as an added bonus. Aurora, created by Direct Revenue, had caused endless infections across security forums, but none of the victims had any URLs that the infections might be launching from. The reason was that the Adware vendors had partnered with a P2P distribution company to push their software through BitTorrent channels.

The distributions were eventually pulled because this particular campaign had clearly spiralled out of control. There would be a few more "BitTorrent campaigns", but nothing would follow on the same scale or with the same ambition. The stage was set, however, for more BitTorrent madness. It was just a question of when, and how...

Present Day:

The first rootkit in instant-messaging land was discovered and, on further investigation, was traced back to a group operating out of the Middle East, using the rootkits to power their globe-spanning botnet. Information was passed to the FBI and other federal authorities, and the group behind this attack was monitored.

As the investigation into the Middle East based rootkit group continued, we discovered that they were auto-installing what appeared to be a "tampered with" version of BitTorrent onto infected end users' PCs. MD5 signatures did not match those of valid versions of BitTorrent, though as BitTorrent is open source and there are numerous clients out there, it is impossible to say whether every version has been checked. Below is a small snapshot of some of the files auto-installed:

[Screenshot: BitTorrent files auto-installed on an infected PC]

Auto-installing without permission is not a typical behaviour for BitTorrent!
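The MD5 comparison mentioned above is the basic check a responder runs when an unexpected client turns up on a machine: hash what was found and compare it against a manifest built from a trusted download. The following is an added example written for this article, not code from SpywareGuide or from any BitTorrent project; the sample "binaries", the manifest and the file names are constructed placeholders (lockx.exe is used only because the article names it), and it defaults to SHA-256 rather than MD5 because MD5 collisions are now practical.

```python
import hashlib
from pathlib import Path

# Constructed sample "binaries" standing in for a known-good client build and a
# modified copy found on an infected machine. These are NOT real BitTorrent files.
CLEAN_BUILD = b"MZ\x90\x00" + b"example clean client build " * 8
TAMPERED_BUILD = CLEAN_BUILD + b"\x00extra payload stub"


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data. SHA-256 by default; pass 'md5' only to compare
    against checksums that were published in MD5 form."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def build_manifest(trusted: dict[str, bytes], algo: str = "sha256") -> dict[str, str]:
    """Map file name -> expected digest, computed from trusted copies
    (in practice, files taken from the vendor's own download)."""
    return {name: digest(data, algo) for name, data in trusted.items()}


def classify(found: dict[str, bytes], manifest: dict[str, str],
             algo: str = "sha256") -> dict[str, str]:
    """Compare files found on a host against the manifest.

    ok        digest matches the trusted build
    tampered  name is in the manifest but the digest is not
    unknown   file is not in the manifest at all (a different client, or a
              dropped payload; needs manual review, as the article notes)
    missing   manifest entry with no file on the host
    """
    report: dict[str, str] = {}
    for name, data in found.items():
        expected = manifest.get(name)
        if expected is None:
            report[name] = "unknown"
        elif digest(data, algo) == expected:
            report[name] = "ok"
        else:
            report[name] = "tampered"
    for name in manifest:
        if name not in found:
            report[name] = "missing"
    return report


def scan_directory(directory: str, manifest: dict[str, str],
                   algo: str = "sha256") -> dict[str, str]:
    """Read every regular file directly under directory and classify it."""
    found = {p.name: p.read_bytes() for p in Path(directory).iterdir() if p.is_file()}
    return classify(found, manifest, algo)


def demo() -> dict[str, str]:
    """Run the check over the constructed samples."""
    manifest = build_manifest({"bittorrent.exe": CLEAN_BUILD,
                               "readme.txt": b"trusted readme\n"})
    on_host = {"bittorrent.exe": TAMPERED_BUILD,   # modified client
               "lockx.exe": b"unexpected binary"}  # file not in the manifest
    return classify(on_host, manifest)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:8} {name}")
```

A mismatch only tells you the file is not the build in your manifest; an "unknown" or "tampered" verdict is a reason to pull the sample for analysis, not proof of malice on its own, which is exactly the caveat the article raises about the many BitTorrent clients in circulation.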

What is BitTorrent?

BitTorrent is both the protocol and the name of the peer-to-peer (P2P) file distribution application, which makes it possible to distribute files without the corresponding massive consumption of bandwidth and server resources.


It is hard to say at this point - they abandoned this tactic shortly after, for more experiments with recompiled rootkits such as variants of the FURootkit and a number of other infections.

What we do know is that on a number of infected machines, they downloaded .AVI files of movies onto the compromised boxes. The slightly odd collection of films consisted of various Disney cartoons and the Mr Bean movie. No more films were installed onto PCs after this - however, the technique and (we must assume) the tampered-with versions of BitTorrent are still at large.

We have not seen this kind of attack initiated before, and for now you would need to have been infected with the lockx.exe rootkit for the group to channel these movie files (and install the BitTorrent client) onto the PC. Nonetheless, it is clear that this tactic could be employed for far more devious ends, and no doubt more and more hacking groups will try to manipulate this technology for their own purposes in 2006. The potential for trouble with groups such as the RIAA, where what they will see as pirated material is stored on the compromised PC, is clear - will they be interested in whether or not the individual had been hacked at the outset? Or can we expect to see even more aggressive legal angles pursued in future? Time will tell...

Unless otherwise noted this article is Copyright © 2021 by FaceTime Communications, Inc. This article may not be resold, reprinted, or redistributed for compensation of any kind without prior written permission from FaceTime Communications, Inc. For reprint or media inquiries please contact us with the phrase "Spyware Guide Articles" in the subject line and we will be happy to assist you. Links to this article from other websites are appreciated and encouraged. Users are also encouraged to utilize our RSS system to provide unique content and extracts for their site.
