Slashdot Mirror


Spyware Floods in Through BitTorrent

solareagle writes "Public peer-to-peer networks have always been associated with adware program distributions, but BitTorrent, the program created by Bram Cohen to offer a new approach to sharing digital files, has managed to avoid the stigma. Not any more, anti-spyware advocates warn. According to Chris Boyd, a renowned security researcher who runs the VitalSecurity.org nonprofit resource center, the warm and fuzzy world of BitTorrent has been invaded by a massive software distribution campaign linked to New York-based adware purveyor Direct Revenue LLC."

457 comments

  1. Oh, the Irony! by rueger · · Score: 5, Funny

    I will admit to being rather conflicted. On one hand, it really irritated me to discover that the app I downloaded (for testing purposes only!) would also install spyware.

    On the other hand who could I complain to? Bittorrent? Adobe? Direct Revenue?

    Yes, once again Slashdot comes to the rescue! Where else can I gripe about companies that try to exploit my illegal activities!

    1. Re:Oh, the Irony! by Anonymous Coward · · Score: 0

      A lot of files are self decompressing exes that have a virus attached.
      If you really want that pr0n.exe then do this:

      turn off your anti-virus
      download the file
      open the exe with winrar
      extract the pr0n payload
      delete the exe and turn on your anti-virus again.

    2. Re:Oh, the Irony! by Anonymous Coward · · Score: 0

      Not only that, but it's impossible to remove. I tried Spybot-S&D, AdAware, AdAware's tool that claimed specifically to remove it, freaking Norton Antivirus (I was getting desperate), HijackThis... nothing works.

      The program doesn't run nail.exe, but it runs some file with a random name like fmjqx.exe under your user ID. It initially uses very little memory but builds up as you use your machine. Kill the process and another, similarly named one takes its place instantly; the only way to stop it from spawning right away is to kill explorer.exe before killing it. Then wait a while, and a nerfed explorer.exe (one that doesn't create the desktop or do any normal explorer.exe things) comes back and starts spawning the bloody things again. I bought a new hard drive, copied my legitimately downloaded files onto it, and wiped the old one. It was maddening.

    3. Re:Oh, the Irony! by Anonymous Coward · · Score: 0

      Illegal activities? Is linux illegal? Perhaps everything at http://www.legaltorrents.com/index.htm is illegal as well?

    4. Re:Oh, the Irony! by AvitarX · · Score: 1, Informative

      reboot in safe mode with command prompt and delete the file.

      If you are uncomfortable with DOS then use WindowsKey+E to open an explorer window.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    5. Re:Oh, the Irony! by Nagatzhul · · Score: 1, Insightful

      Bittorrent, like any tool, can be used for both legal and illegal activities. It is my preferred way to get LINUX/BSD distributions, for example. Nothing illegal about that.

      --
      "All I want is a warm bed and a kind word and unlimited power." - Ashleigh Brilliant
    6. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 5, Informative


      These spyware programs that use the Registry to spawn renamed multiple copies of the spyware programs are a nightmare to get rid of.

      I had a client last night with the Backdoor.Agent.BA trojan which is incredibly hard to get rid of. There are plenty of varied instructions on the Net on how to detect it and find it, but the problem is deleting the DLL file. You can't delete it from the command line or from Windows - in Safe Mode or not (and of course if it's an NTFS system, DOS can't touch it - Linux with the Captive utility might be able to). Not only that, but the DLL does not EXIST in Safe Mode! It can ONLY be created and accessible during a normal boot - by which time you're screwed.

      The only way to delete it is to get a program called KillBox which will prompt for the filename, set itself to run on reboot before Windows is fully loaded, and then reboot Windows, deleting the file before Windows can lock it down.

      You also have to get into the Registry and delete a key which has an invisible value which is what causes it to recreate itself.

      I get my hands on the asshole who wrote this thing, he's gonna need medical life support for the rest of his life.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    7. Re:Oh, the Irony! by Fareq · · Score: 2, Insightful

      I don't suppose the spyware was being attached to any linux downloads...

    8. Re:Oh, the Irony! by Cylix · · Score: 3, Insightful

      Two points really...

      DOS can delete them if you feel like paying for the NTFS dos drivers which support both read and write. (read is free).

      This kind of thing really strikes me as a virus and why don't more AV programs stop it?

      However, if it is listed as a program adaware cannot remove, it will attempt to insert itself as the first program run to clean the system.

      Yeah, it's a nightmare that I've dealt with, but why don't more AV companies recognize it as a virus rather than adware?

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    9. Re:Oh, the Irony! by yiantsbro · · Score: 1

      Why can't the technical community find a way to get this activity recognized/labeled as terrorism. Once that happens we see definite government intervention--many more resources for search and destroy missions.

    10. Re:Oh, the Irony! by lowrydr310 · · Score: 1

      I had a spyware app exhibiting similar effects on my father's computer. It turned out to be a dirty Windows service that was somehow installed without consent. Deleting registry keys and related EXE/DLL files didn't do anything until I stopped the service.

    11. Re:Oh, the Irony! by zerocool^ · · Score: 2, Interesting


      > On one hand, it really irritated me to discover that the app I downloaded (for testing purposes only!) would also install spyware.

      It's not just apps - I downloaded a family guy episode, unrared it, and it was an executable. 170 megs of executable, so it was probably the spyware piggybacked onto the data that was the video, but still.

      I mean, I know better, and I almost clicked it. Since the only thing I download anymore is video files, I'm used to them being clean, and I'm used to sites not posting contaminated video files. If the icon hadn't been different, I may have clicked.

      ~Wil

      --
      sig?
    12. Re:Oh, the Irony! by Anonymous Coward · · Score: 0

      The solution is simple, get http://www.ubcd4win.com/
      then boot off of it and delete the file, edit the registry offline or do whatever you need

    13. Re:Oh, the Irony! by ettlz · · Score: 1

      The ordinary Linux NTFS driver can write to a file provided it sticks to the original size... shouldn't setting the offending .exe or .dll files to all 0s this way nuke any unwanted program?

    14. Re:Oh, the Irony! by kallisti · · Score: 1, Flamebait
      You actually want the government to intervene? Haven't you been paying any attention? It would probably go something like this:


      We've been attacked by EvilHackerGroup, we must defend ourselves! EvilHackerGroup has ties to, say, the FSF which is an organization with Un-American goals. The government then takes down the FSF, once they learn of SourceForge and how anyone can get a hold of the software equivalent of WMDs, they'll take that down too. They'll then say they're only trying to clean out the bad elements and order will be restored any day now. In the meantime, the assets taken will be sold to companies that supported the attack and coincidentally have major financial ties to the current administration.


      If you think this is far-fetched Google for Steve Jackson Games Cyberpunk.

    15. Re:Oh, the Irony! by Sinus0idal · · Score: 2, Informative

      If you can't delete it from safe mode, boot up with your windows CD and delete it from the recovery console.

    16. Re:Oh, the Irony! by Grand+Facade · · Score: 3, Interesting

      WTF!!!!! Invisible Registry Value?????????

      Who designed this crap that allows such rubbish to exist in the first place?

      Why would there ever be a need for invisible values in the registry?

      Is this a joke?

      --
      Rick B.
    17. Re:Oh, the Irony! by empaler · · Score: 2, Insightful

      When's the last time you had trouble with Windows spyware creeping in with your BSD torrents? ;p

    18. Re:Oh, the Irony! by courtarro · · Score: 1
      > and of course if it's an NTFS system, DOS can't touch it

      Boot the Windows Installation CD and run the Recovery Console. This will give you read/write access to the entire Windows directory, in FAT32 or NTFS. Granted, you still can't delete a nonexistent DLL file, but it's a free way to do other file management without Windows running.

    19. Re:Oh, the Irony! by killjoe · · Score: 2, Insightful

      Some of this blame has to go to MS for making an operating system on which not even the administrator can delete a file. It seems like windows presumes that even its administrators can't be trusted fully. I know that I have had situations where the OS was so confused it would not let me delete a directory no matter what I did even though it was empty, even after rebooting. One day months later I tried on a whim and it let me delete it. Strange OS windows is.

      --
      evil is as evil does
    20. Re:Oh, the Irony! by Zerbey · · Score: 1

      Use the recovery console, it ignores NTFS file locks. I've had the same problem with daft things like MS Word files staying locked even in safe mode.

    21. Re:Oh, the Irony! by aetherspoon · · Score: 2, Informative

      Do a google search for a program called dellater.exe - it does just what it says. It marks a file for deletion at the next reboot. Command line utility. Simple and it works.

      --
      --- Æther SPOON!
    22. Re:Oh, the Irony! by KillShill · · Score: 1

      go to safemode.

      it doesn't load anything superfluous. and begin the cleanup process.

      that'll get rid of most spyware that don't attack/infect/alter system files.

      then run SFC (system file checker), hopefully it won't be dismantled too...

      then think about not running as Administrator (even though it's virtually required).

      --
      Science : Proprietary , Knowledge : Open Source
    23. Re:Oh, the Irony! by Anonymous Coward · · Score: 1, Informative

      This is a well known bug in Windows 2000. The problem is that explorer leaves filehandles open when it shouldn't. Try the following:

      1) create a directory 'foo'
      2) create a file in 'foo' called bar.txt
      3) delete bar.txt with explorer
      4) move up the directory tree and try to delete 'foo'.

      You won't be able to delete 'foo' because explorer has an open filehandle to it which it will NEVER close.

      This bug has existed throughout all service patches of windows 2000. Microsoft's solution: Install XP. Bastards.

    24. Re:Oh, the Irony! by robertjw · · Score: 2, Informative

      > DOS can delete them if you feel like paying for the NTFS dos drivers which support both read and write. (read is free).

      Another option is to use a knoppix disk and boot to Linux. There is an article at http://www.planetfez.net/engl223/archive/page2.html#win32 that gives steps for doing this.

    25. Re:Oh, the Irony! by snakecoder · · Score: 2, Informative


      One of many methods to remove files:

      I had a bunch of remote boxes that I needed to get rid of those pesky "won't go away" trojans.

      Fortunately the box had cygnus

      I just kicked off
      while [ 1 ]
      do
      rm filename
      done

      Then I rebooted the box and the file was gone for good.

      --
      -Nuke the moon
    26. Re:Oh, the Irony! by kabocox · · Score: 1

      > I get my hands on the asshole who wrote this thing, he's gonna need medical life support for the rest of his life.

      Are you talking about the spyware writer, or the team at MS responsible for the registry?

    27. Re:Oh, the Irony! by Anonymous Coward · · Score: 0

      > WTF!!!!! Invisible Registry Value????????? Who designed this crap that allows such rubbish to exist in the first place? Why would there ever be a need for invisible values in the registry? Is this a joke?

      Why it's Bill of course. He is Chief Software Architec-a-tecca-a-tecca-teck ain't he?

    28. Re:Oh, the Irony! by SharpFang · · Score: 1

      Well, you can anonymously tip Adobe that DirectRevenue is bundling their app with Adobe software and spreading it on BT.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    29. Re:Oh, the Irony! by prof666 · · Score: 1, Informative

      I've always used a VMware machine for P2P software. I take a snapshot before installing any new app, and if it contains spyware/adware...just halt the OS and roll back....and it's all gone again.

    30. Re:Oh, the Irony! by poningru · · Score: 0, Troll

      Another option is to get a userfriendly linux distro and boot into that and then don't even touch windows. There is a website at http://distrowatch.com/ that gives steps for doing this.

      P.S IMHO ubuntu is pretty darn userfriendly, but some people don't like others mentioning that name, so therefore I shall refer to it as the u-distro.

      --
      Calm down people, its a religion not an operating system.
    31. Re:Oh, the Irony! by 0111+1110 · · Score: 1

      > Not only that, but the DLL does not EXIST in Safe Mode! It can ONLY be created and accessible during a normal boot

      I didn't think that was even possible. How do they do that? I mean even if the app writes a new dll to memory and/or disk at every boot, can you not just delete the executable (in DOS etc.) that is creating the dll?

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
    32. Re:Oh, the Irony! by cornjones · · Score: 3, Informative

      Unfortunately, it seems as though a lot of the vids are coming down as .exes (or rars containing exes). Supposedly, the .exes are just self extracting archives but I don't trust them, I generally send the .exe into winrar. If it is just an archive, winrar can extract it. If winrar can't open it I assume it is a trojan, delete it and immediately stop seeding.

      YMMV
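
Added example, not part of any comment in this thread: the approach cornjones describes above (open a supposed self-extracting .exe as an archive instead of running it), sketched in Python for ZIP-based archives only, since the standard library has no RAR reader. The file names, byte strings and verdict labels are constructed for illustration.

```python
import io
import os
import zipfile

VIDEO_EXTS = {".avi", ".mpg", ".mpeg", ".mkv"}
VIDEO_KINDS = {"avi-video", "mpeg-video", "matroska-video"}

# (leading bytes, label) pairs, checked in order.
SIGNATURES = [
    (b"MZ", "windows-executable"),
    (b"PK\x03\x04", "zip-archive"),
    (b"Rar!\x1a\x07", "rar-archive"),      # recognised, but not parsed here
    (b"\x1a\x45\xdf\xa3", "matroska-video"),
    (b"\x00\x00\x01\xba", "mpeg-video"),
]


def sniff(head):
    """Classify content by its first bytes; the file name is never consulted."""
    if head[:4] == b"RIFF" and head[8:12] == b"AVI ":
        return "avi-video"
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def zip_members(data):
    """List (name, kind) for a ZIP, or for a ZIP with an .exe stub in front.

    Nothing is executed: zipfile finds the directory at the end of the data,
    so a prepended stub is skipped. Returns None when no ZIP can be read.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = []
            for info in zf.infolist():
                with zf.open(info) as fh:
                    members.append((info.filename, sniff(fh.read(16))))
            return members
    except (zipfile.BadZipFile, RuntimeError):  # RuntimeError: encrypted member
        return None


def triage(name, data):
    """Return (kind, verdict, members) for one downloaded file."""
    ext = os.path.splitext(name)[1].lower()
    kind = sniff(data[:16])
    members = None
    if kind in ("windows-executable", "zip-archive"):
        members = zip_members(data)
    if members is not None:
        carries_exe = any(k == "windows-executable" for _, k in members)
        verdict = "reject" if carries_exe else "extract-only"
    elif kind == "windows-executable":
        verdict = "reject"      # an .exe that cannot be opened as an archive
    elif ext in VIDEO_EXTS:
        verdict = "ok" if kind in VIDEO_KINDS else "reject"
    else:
        verdict = "review"
    return kind, verdict, members


def _zip(members):
    """Build a small ZIP in memory for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, body in members.items():
            zf.writestr(member_name, body)
    return buf.getvalue()


# Constructed sample inputs (no real files or payloads).
AVI = b"RIFF\x00\x00\x00\x00AVI LIST" + b"\x00" * 32
STUB = b"MZ" + b"\x00" * 62     # stands in for a self-extractor stub
SAMPLES = {
    "episode.avi": AVI,
    "episode.exe": STUB + _zip({"episode.avi": AVI}),
    "bundle.exe": STUB + _zip({"episode.avi": AVI, "setup.exe": STUB}),
    "renamed.avi": STUB + b"\x00" * 256,
}

if __name__ == "__main__":
    for sample_name, blob in SAMPLES.items():
        print(sample_name, triage(sample_name, blob))
```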

    33. Re:Oh, the Irony! by robertjw · · Score: 1

      > Another option is to get a userfriendly linux distro

      Well, that's a given, but many people don't see it that way. I run Slackware, both at home and work, and haven't had one virus, spyware attack, trojan whatever in years.

      I was just thinking of those that wanted to keep their Windows machine.

    34. Re:Oh, the Irony! by uhlume · · Score: 1

      Who needs government intervention when we've got...1337 H4X0RS!!1

      Anyone look at the Metrix (distributor of bittorrent spyware) web site recently?

      http://www.marketingmetrixgroup.com/

      --
      SIERRA TANGO FOXTROT UNIFORM
    35. Re:Oh, the Irony! by ucblockhead · · Score: 1, Insightful

      It's part of the nature of the OS. Unix variants allow you to delete a running file. DOS variants never let you delete a running file. Windows uses this to optimize virtual memory. When you run a Windows EXE, the file itself becomes part of swap memory. The advantage of this over the Unix model is that you don't need set-aside swap space for the executable code itself. When a running executable is swapped out on Linux, you end up with two copies of the executable on the disk. (Or perhaps even more, if it's running more than once.)

      The disadvantage is, of course, that if an executable is running, it cannot be deleted because the original on disk area the file is in is in direct use by the running program. This is not only a problem in getting rid of malware. It makes updating running software a nightmare. You can't just copy over the old version like you can on a Unix variant. Ever wonder why so many Windows apps require a reboot after install? This is one reason.

      I'm sure it made sense to the Microsoft guys who did it this way...it definitely reduces the amount of disk space you need. But I suspect they didn't realize how much of a pain in the ass it would make updating or maintaining Windows. And unfortunately, I don't see it changing as it's pretty much intrinsic to the OS.

      So anyway, it's not a matter of how much they think the administrator should be trusted. They couldn't just change a "let administrator delete running apps" setting somewhere down there. Making that change would require a fundamental overhaul of the virtual memory system.

      --
      The cake is a pie
    36. Re:Oh, the Irony! by piinkfloyyd · · Score: 0

      Another way is to use a WinPE disc, or a BartPE disc. These discs allow a computer to run an OS from the CD-ROM instead of the HDD. You can read NTFS files (as well as FAT's and encrypted), and delete/modify reg entries in addition to DIR files. Of course, prevention is the key. I use JavaCools Spyware Blaster (doesn't get rid of spyware, stops it from ever being installed in the first place), SpyBot S&D, Google ToolBar (for pop-ups), as well as killing Flash (another fav way to deliver spam/virii/trojans), and hiking security to "paranoid" levels. Surfing is somewhat impeded, but I haven't been infected by ANYTHING in over a year.

      --
      ...the SIGnificance of inSIGnificance is SIGnificant...
    37. Re:Oh, the Irony! by Anonymous Coward · · Score: 0

      Errrm!!! Have you ever used the recovery console?? You can't even move/copy files with it.

    38. Re:Oh, the Irony! by SQLz · · Score: 1

      god damn it sucks to be a windows admin.

    39. Re:Oh, the Irony! by psymastr · · Score: 0

      I had one of those the other day. After cleaning up a bit with Ad-Aware I found out that it would rename the registry entries on every shutdown restart etc. So I just deleted them and pulled the plug instead of doing a normal shutdown. This did the trick.

      --
      Improve at backgammon rapidly through addictive quickfire position quizzes: www.bgtrain.com
    40. Re:Oh, the Irony! by psymastr · · Score: 0

      This wouldn't work! The malware deletes the file itself and creates it again under a different name on shutdown! You can't end the malware process either, a new one with another random name appears immediately!

      --
      Improve at backgammon rapidly through addictive quickfire position quizzes: www.bgtrain.com
    41. Re:Oh, the Irony! by yellowbkpk · · Score: 2, Insightful

      Ya know, I've been running Windows XP for several years now and have yet to come in to an attack by spyware or malware. I just don't touch websites that look bad and I use Firefox. Is it really all that hard to teach people?!

    42. Re:Oh, the Irony! by Lifthrasir · · Score: 1

      linux does the same as windows. if you try to delete a running executable, the file is just marked as deleted so it doesn't show up with a directory listing. when the process terminates, the file is actually removed from disk automatically.

      --
      No beer, no TV make Lifthrasir something something
    43. Re:Oh, the Irony! by Phs2501 · · Score: 2, Informative
      Uh, Linux and other Unixes quite happily memory-map running executables. For example:

      :; cat /proc/$(ps auxw | egrep '(m)utt' | awk '{print $2}')/maps
      08048000-080b8000 r-xp 00000000 03:0a 171032 /usr/local/encap/mutt-1.5.9i/bin/mutt
      080b8000-080be000 rw-p 0006f000 03:0a 171032 /usr/local/encap/mutt-1.5.9i/bin/mutt

      What's different is that Windows has a "delete" function while Unix has an "unlink" function. In Unix, a file doesn't get truly deleted until all references to it are gone, including open file handles. Try creating a 2GB file in /tmp, writing a simple program to open it and sleep forever, then deleting it with rm. You won't get your space back until the sleeping process exits.

      You can also usually crash a running process pretty easily by scribbling over its executable, proving that it's memory-mapped.

      To me this makes much more sense than the Microsoft B&D method, which as you mentioned leads to a ton of "Please reboot because I couldn't touch this file" messages. If it worked like Unix, you could simply unlink the old file and (optionally) put a new one in its place without affecting currently running processes. When those processes restarted, they would use the new files.

      Of course, spyware and virus authors must love the way MS does it.
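
Added example, not from Phs2501's comment: the unlink behaviour described above, checked in Python on a Unix-like system, plus a small parser that picks out executable mappings whose backing file has been unlinked, which Linux marks with a " (deleted)" suffix in /proc/<pid>/maps. The sample maps text is constructed from the two mutt lines quoted in the comment; the ld.so line and its inode are made up.

```python
import os
import tempfile

DELETED = " (deleted)"   # suffix Linux appends to unlinked paths in maps


def unlink_while_open(payload=b"still readable"):
    """Unlink a file that is still open and report what remains.

    The directory entry goes away at once, the link count drops to zero,
    and the data stays readable through the open descriptor until close().
    """
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, payload)
        os.unlink(path)                      # what rm does
        links = os.fstat(fd).st_nlink
        os.lseek(fd, 0, os.SEEK_SET)
        data = os.read(fd, len(payload))
    finally:
        os.close(fd)                         # space is released only here
    return {"name_exists": os.path.exists(path), "links": links, "data": data}


def unlinked_exec_mappings(maps_text):
    """Return (address range, path, inode) for executable mappings whose
    backing file no longer has a name on disk.

    Each maps line is: address perms offset dev inode [pathname].
    Anonymous mappings have no pathname and are skipped.
    """
    hits = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        addr, perms, _offset, _dev, inode, path = fields
        if "x" in perms and path.endswith(DELETED):
            hits.append((addr, path[: -len(DELETED)], int(inode)))
    return hits


# Constructed sample: the mutt mappings as they would look after the binary
# was unlinked while the process kept running.
SAMPLE_MAPS = """\
08048000-080b8000 r-xp 00000000 03:0a 171032 /usr/local/encap/mutt-1.5.9i/bin/mutt (deleted)
080b8000-080be000 rw-p 0006f000 03:0a 171032 /usr/local/encap/mutt-1.5.9i/bin/mutt (deleted)
080be000-080e0000 rw-p 00000000 00:00 0
40000000-40015000 r-xp 00000000 03:0a 4711 /lib/ld-2.3.2.so
"""

if __name__ == "__main__":
    print(unlink_while_open())
    for hit in unlinked_exec_mappings(SAMPLE_MAPS):
        print(hit)
```

A running process whose executable mapping carries the deleted marker is worth a second look during triage, although a package upgrade that replaced the binary produces the same picture.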

    44. Re:Oh, the Irony! by StikyPad · · Score: 1

      > Another option is to us a knoppix disk and boot to Linux.

      Except as the OP said, the DLL is created dynamically at boot time.

      Although I'm not sure how that's possible. The source has to be somewhere -- likely in the registry -- it can't just magically appear. Seems like you could just do a rollback or boot with an archived registry to get rid of it.

    45. Re:Oh, the Irony! by xtracto · · Score: 2, Interesting

      That is why I usually get my torrents from known sources, like piratebay or torrenttyphoon search sites.

      That way I can see a comment and if there is a bad torrent [fake] usually it is commented.

      I think that was one of the advantages of bittorrent over other p2p protocols no?

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    46. Re:Oh, the Irony! by robertjw · · Score: 1

      > I just don't touch websites that look bad and I use Firefox. Is it really all that hard to teach people?!

      It must be. I do the same thing, my home box is a dual boot, 2k and Slackware. I run in 2k for gaming and whatever all the time. Never have any problems.

    47. Re:Oh, the Irony! by dunng808 · · Score: 1
      > I get my hands on the asshole who wrote this thing

      Actually, we have Gates and Co. to thank for their delightful little registry database that makes it all possible. Invisible values ... Why can't my bank offer that service?

      --

      Gary Dunn
      Open Slate Project

    48. Re:Oh, the Irony! by complete+loony · · Score: 1

      You can usually rename the file while it's running, then on next reboot it can be easily removed.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    49. Re:Oh, the Irony! by Anonymous Coward · · Score: 0

      obvious bs, i just performed the following:

      - create folder 'foo' on an ntfs partition through explorer.
      - create file 'bar.txt' inside 'foo' folder.
      - delete file 'bar.txt' by pressing the delete key
      - delete folder 'foo', either by right-clicking it in the tree column and selecting delete or navigating to 'foo' folder's parent folder and pressing the delete key while 'foo' is selected.

      now the question is, why invent such a strange troll? unless you can point to a microsoft kb article which explains why my version of win2k is magical, when it's just w2k+sp4 without any additional hotfixes.

      what i bet you did is open bar.txt in notepad and then attempt to delete it while notepad's open, which obviously gives you a sharing violation as there actually is an open handle involved.

    50. Re:Oh, the Irony! by Anonymous Coward · · Score: 0

      No, this was fixed in service pack 2, I think.

    51. Re:Oh, the Irony! by ucblockhead · · Score: 1

      I stand corrected...I'm a Windows programmer rather than a Unix one. (Not by choice, alas, not by choice.)

      --
      The cake is a pie
    52. Re:Oh, the Irony! by Impy+the+Impiuos+Imp · · Score: 1

      It still exists on my work machine, which is highly irritating.

      More important is the inability to force-delete a file by, say, holding down control and dragging to the trash. Many are the times I could have cleaned up my machine were I able to do that.

      I'll risk some poorly written program crashing because a file evaporated out from under it, thanks, when compared to the hell that is spyware.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    53. Re:Oh, the Irony! by vsprintf · · Score: 1

      > The program doesn't run nail.exe, but it runs some file with a random name like fmjqx.exe under your user ID. It initially uses very little memory but builds up as you use your machine. Kill the process and another, similarly named one takes its place instantly; the only way to stop it from spawning right away is to kill explorer.exe before killing it. Then wait a while, and a nerfed explorer.exe (one that doesn't create the desktop or do any normal explorer.exe things) comes back and starts spawning the bloody things again. I bought a new hard drive, copied my legitimately downloaded files onto it, and wiped the old one. It was maddening.

      And you're still running Windows because . . . it's so much fun? .. it just works? .. you're clueless? ..

    54. Re:Oh, the Irony! by nolife · · Score: 1

      I do not know the specifics of this piece of spyware, but I've seen many pieces of spyware that run from the run section of the registry and monitor that same section and reinsert themselves if you remove them from there. One thing I have found that works: create a bat file with nothing more than del c:\windows\bad_file.exe (the same bad_file.exe that gets called in the run section) and place that bat file as an entry under the runonce section of the registry. The runonce section runs before the run section and the spyware will not be able to run if you delete the initial starting mechanism; you can then remove the rest of the traces of the spyware, as they will not be in use any longer since it is not running, and remove the entry from the run section. Again, YMMV

      --
      Bad boys rape our young girls but Violet gives willingly.
    55. Re:Oh, the Irony! by fourtyfive · · Score: 1

      If you have a copy of windows XP try using UBCD (It uses BartPE). It can boot a copy of windows XP straight from CD (And UBCD comes pre-setup with all the essential tools, ad-aware, ETC)... It's great for spyware removal!

    56. Re:Oh, the Irony! by Anonymous Coward · · Score: 0

      > That is why I usually get my torrents from
      > known sources, like piratebay or torrenttyphoon
      > search sites.

      How can you trust torrenttyphoon when all of their pages have javascript spyware embedded in them, and they do evil crap like hiding the display of a link's URL in the status bar?

      As far as i can tell, they're just another advertising/marketing/spyware vehicle, which are, unfortunately, far too common in the bittorrent world.

      Piratebay at least seem clean. what little advertising they do/did is up-front and open (links to poker sites for gambling morons, IIRC), and they don't embed evil javascript crap in their pages. one of the few. Perhaps the only one left since the recent purges.

    57. Re:Oh, the Irony! by drsmithy · · Score: 1
      > Some of this blame has to go to MS for making an operating system on which not even the administrator can delete a file. It seems like windows presumes that even its administrators can't be trusted fully.

      No, it's simply the result of a more capable permissions system.

    58. Re:Oh, the Irony! by drsmithy · · Score: 1
      > You also have to get into the Registry and delete a key which has an invisible value which is what causes it to recreate itself.

      What is this "invisible value" you speak of ?

    59. Re:Oh, the Irony! by ottothecow · · Score: 1

      It might be a nifty way to do it. I download most (all really) of my torrents on windows. I wouldn't normally expect my newest copy of some distro to have any windows spyware built in.

      --
      Bottles.
    60. Re:Oh, the Irony! by dnoyeb · · Score: 1

      Yes, when they are disabled. Many disabled people use the internet and can have difficulties with these programs as with so many other things in life.

      I have XP as well and don't have any viruses or spyware, but my visually impaired mother is totally infested :( It's a monthly job for me.

      I agree with you on one point. I use firefox and browse with the popup blocker off. If you popup any fucking thing I will never go to that website again.

    61. Re:Oh, the Irony! by The+Wallbrick · · Score: 1

      > I will admit to being conflicted...

      When will you learn? You're supposed to take off that uncursed ring of conflict before you read and post on /.!

    62. Re:Oh, the Irony! by killjoe · · Score: 1

      That's a ridiculous assertion to make.

      I have a directory. I look at the permissions and I am allowed to delete it. I look inside that there is nothing there. I look at the list of open files and the directory is not listed there. I go to delete it and I can't.

      That's lousy my friend. That's a bug. So tell me what wonderful permission is preventing me from deleting this directory?

      --
      evil is as evil does
    63. Re:Oh, the Irony! by drsmithy · · Score: 1
      > That's a ridiculous assertion to make.

      Not when I'm responding to this:

      > Some of this blame has to go to MS for making an operating system on which not even the administrator can delete a file.

      And not whatever you thought I was responding to.

      > That's lousy my friend. That's a bug. So tell me what wonderful permission is preventing me from deleting this directory?

      You are describing an entirely different scenario to the one I was responding to. Check your aim next time, before you fire.

    64. Re:Oh, the Irony! by killjoe · · Score: 1

      huh? I started the thread. If you were confused about the topic that's not my fault.

      --
      evil is as evil does
    65. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 1


      I'm familiar with the DOS NTFS product AND the use of Knoppix with the Captive utility.

      I had neither with me at the time - I really need to try to do something with Bart's PE and/or Knoppix so I can easily deal with a totally bogged-down, nonresponsive NTFS machine.

      I wonder if it's possible to take a thirty-day trial anti-trojan like TDS-3 and install it using Wine via a Knoppix live CD with the Captive NTFS utility and then mount and scan NTFS file systems for and remove trojans.

      Right now, my Bart's PE is limited to running McAfee Stinger and some DOS-based AV's that can't handle NTFS reliably. They'll read some of the files, but not all of them and they won't clean them. It will run Ad-ware though. I need to do a Bart's or a Knoppix with more industrial-strength anti-trojan/AV/spyware cleaning tools that can handle NTFS.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    66. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 1


      I have Bart's PE - let me remind you this file can NOT be deleted from Windows XP, from the Windows XP command line, or from DOS. Nor does it EXIST unless you boot Windows XP normally - it doesn't exist in Safe Mode. ANY attempt to access this file gives an "Access Denied" once Windows XP has been booted. Doesn't matter if you're Administrator, either.

      I have the UBCD4WIN CD and one of the latest Bart's PE. Didn't work.

      According to a search of various anti-malware sites, the only thing that works is booting normally into Windows XP, but running a delete utility that kills the file before XP is fully loaded and able to lock it down. I haven't actually done it yet, so I don't know if it will work, but KillBox is the utility said to handle this sort of thing. With KillBox, you tell it the file name, it sets Windows to run it on boot, then it reboots Windows and deletes the file. Without this utility, you have to do this sort of thing manually with batch files and Registry keys.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    67. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 1


      That was my first reaction when I read about it.

      Another case of "mad featuritis syndrome" on the part of the morons at Microsoft.

      The Registry itself was a bad enough idea...

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    68. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 1

      I'm familiar with the Recovery Console.

      I have an interesting ISO I just downloaded today. Allegedly it is a bootable CD with just the Recovery Console on it.

      I might try it if nothing else works.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    69. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 1


      No, sir!

      I've seen EXACTLY this sort of thing numerous times.

      A program such as the 2xExplorer file manager will not be able to delete a file which was downloaded even though the program that downloaded the file is no longer running. Most of the time the file manager has to be closed and Explorer run to delete the file.

      Sometimes even Explorer can't delete it, you have to reboot to get rid of it.

      Another wonderful effect is this: I installed Winamp while Administrator. I run 2xExplorer and try to move the desktop shortcut from the administrator's Desktop folder to the All Users folder (while logged on as administrator, of course.) The INSTANT I click on that shortcut, 2xExplorer crashes. No error messages, no nothing. INSTANT CRASH. NO PROGRAM except Explorer can TOUCH that file in ANY WAY without INSTANTLY crashing. Weirdest shit I've ever seen. You can't even use the COMMAND LINE to touch this file! ONLY Explorer itself can delete that file.

      And while researching that on Google, I found hundreds of reports of Explorer crashing for all kinds of reasons - just try to open a folder with the wrong kind of AVI file or a corrupt zip file or something. Flakiest piece of crap in Windows.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    70. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 1


      Actually this is what KillBox is supposed to do and supposedly it DOES work, at least on some trojans.

      In this case, I think this particular trojan uses the same filename which is stored in the invisible Registry key value. If you delete the Registry key value, then RENAME THE KEY so the running DLL can't renew it, kill the running process, then rename the key back, then run KillBox to delete the DLL on next reboot, it should work. OTOH, if there ARE multiple processes running that are checking each other, this might not work.

      In any event, when I go back to this client, we'll see what works.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    71. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 1

      DelLater.exe is produced by the people who do the best anti-trojan product, TDS-3, so I got both of them.

      Either KillBox or DelLater should do the trick, I hope, after I do a full trojan scan with TDS-3.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    72. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 1


      1) I ran in Safe Mode repeatedly while cleaning out the easier spyware. This DLL doesn't exist in Safe Mode. The trojan is too smart for that. There has to be a coordinated effort to strangle it via the Registry, killing the running process and then deleting the DLL on reboot.

      2) I need to see if the client has been running as Admin. It's XP Home, so they can't access the Administrator account by default except in Safe Mode, but I forgot to check the regular user account to see whether it's limited or not. However, see below:

      3) In any event, the real problem was the client went away and her roommate left the PC on with IE on a porn site for two weeks with no firewall and no AV. Yes, that WILL do it, given that the average time for an unpatched, unfirewalled XP to get infected is twenty minutes.

      I cleaned out several hundred spyware Registry keys and files and ONE HUNDRED NINE spyware trojans were detected by AVG AV. And that was AFTER somebody had cleaned the system using Ad-Aware AND Spybot AND Norton AND Kaspersky. Running an updated Ad-Aware and Spybot and AVG found the above. Next, I get to run TDS-3 to concentrate on cleaning out any trojans that AVG didn't spot.

      I just hope nobody installed a Windows rootkit on top of everything else.

      She's learning an expensive lesson about computer security, that's for sure. And if I wasn't as cheap as I am, she'd be learning a LOT more expensive lesson.

      I spent seven hours the other night on her machine - mostly due to the fact that until I got a handle on the situation, the machine was so unresponsive it took XP TWENTY MINUTES to shut down! I suppose it would have been easier to simply wipe it and reinstall (she does have a burner on it, so I could have saved her files if I used Bart's PE with Nero or Knoppix with K3B), but you don't know how bad it's going to be until you've been at it for four hours. And then you might as well finish it.

      I figure two more hours with TDS-3 and KillBox will do it - I've already installed Ad-Aware, Spybot, SpywareBlaster, AVG, Kerio Firewall, and Stinger, so once the trojans are gone, she should stay clean as long as she updates and runs the AV and the two anti-spyware programs regularly and installs MS's patches. I may install SP2 as well. She'd been told to use FireFox already by the last guy, so with a little luck she should be okay. I have the same setup on my machine and I've been clean for two years (except lately I use Avast instead of AVG AV).

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    73. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 1


      Well, I'm not going to install Cygwin just to delete a file.

      However, I DO have some DOS versions of UNIX programs that I might try if all else fails. This IS an NTFS file system, however, so I don't think they'll work.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    74. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 1


      I HAVE Bart's PE AND the Windows Ultimate Boot CD which is based on Bart's PE. The DLL is not accessible from there because you haven't booted the hard drive's XP and the trojan doesn't create the file until you do and you aren't using Safe Mode. So Bart's is useless.

      I've installed Ad-Aware, SpyBot, SpywareBlaster, AVG, Stinger and Kerio Firewall on the client's machine. Once I get rid of these last trojans, and install SP2, she should be reasonably safe, because she's been converted to using Firefox instead of IE. I've had the same setup for two years and never get any significant spyware. In fact, I didn't even bother with Spybot and Blaster until this past six months or so. Ad-Aware was sufficient because I wasn't running IE - up until a few months ago, I was running Opera, and now Firefox.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    75. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 1


      Heh, it's a laptop - so I'd have to remove the battery, too! I'm not much of a laptop guy, and I assume the client probably doesn't even know how to do that, so I didn't try it although I will keep it in mind. Given that this is Windows, I don't want to chance corrupting something in the file system doing this, either. Windows makes me paranoid about such things.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    76. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 1


      Yup, I've seen those bat files, too. That's what KillBox and DelLater do - they automate that process without using batch files. I'll try them first, and resort to the manual way if they don't work for some reason.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    77. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 1

      Won't work in this case - you have to boot the hard disk XP OS to create the DLL in the first place. To beat this trojan, you have to kill its Registry keys, kill its running process, then reboot and kill the DLL before Windows can lock it. Bart's or UBCD won't help in any of that. I have them.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    78. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 1


      From one of the articles I found on this particular trojan:

      1. Run Regedit, and DELETE the following key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

      The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the Trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the Trojan DLL cannot load and keep re-infecting your PC. The way to remove the registry key is not obvious. If you just delete it from RegEdit, since the Trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the Trojan).

      So what you have to do is the following which worked for me (many thanks to "acomputerpro" at the SpywareInfo.com forums!)

      2. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.

      3. Now delete the AppInit_DLLs key under the Windows2 folder.

      4. Hit F5 and notice that AppInit_DLLs doesn't come back.

      5. Rename the Windows2 folder back to Windows. Now that AppInit_DLLs is gone, run the latest AdAware 6 to remove the Trojan for good.

      6. Reboot your machine, and check the registry and make sure AppInit_DLLs is still gone.

      In my case, even removing the AppInit key value is not sufficient - the DLL still can't be removed, so I'm going to try KillBox (which has worked in some cases reported on the Net and has NOT worked in others) or DelLater, or failing that, booting into the Recovery Console and using cacls to clear the permissions to enable me to delete the DLL.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
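A check for the AppInit_DLLs value discussed in the comment above, as an added example that is not part of the original post or the article it quotes. It reads a `.reg` text export rather than the live registry, and the sample export and the DLL name in it are constructed placeholders.

```python
import re

# Key named in the comment above (compared case-insensitively).
TARGET_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample export; the padded value and DLL name are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="                                        C:\\WINDOWS\\system32\\example_placeholder.dll"
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''


def _logical_lines(text):
    """Yield lines with .reg continuation lines (trailing backslash) joined."""
    pending = ""
    for line in text.splitlines():
        line = pending + line.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        yield line


def _decode_value(raw):
    """Decode a quoted string or a hex(1)/hex(2)/hex(7) UTF-16LE value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    m = re.match(r"hex\([127]\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return raw


def audit_appinit(reg_text):
    """Return one finding per AppInit_DLLs value found under TARGET_KEY."""
    findings, key = [], None
    for line in _logical_lines(reg_text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or key.lower() != TARGET_KEY.lower():
            continue
        if m.group(1).lower() != "appinit_dlls":
            continue
        value = _decode_value(m.group(2))
        # AppInit_DLLs is a space- or comma-delimited list of DLLs.
        dlls = [p for p in re.split(r"[ ,]+", value.strip()) if p]
        findings.append({
            "visible": repr(value),            # whitespace made visible
            "padded": value != value.strip(),  # content pushed out of view
            "dlls": dlls,
            "suspicious": bool(dlls),          # any entry deserves a look
        })
    return findings


if __name__ == "__main__":
    for finding in audit_appinit(SAMPLE_EXPORT):
        print(finding)
```

Each listed DLL still has to be judged against what is known to be installed on the machine; the script only makes the value visible.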
    79. Re:Oh, the Irony! by Anonymous Coward · · Score: 0

      Use BartPE, the free, Windows-based "Pre-executable" boot environment to safely delete "undeletable" files from NTFS filesystems.

      BartPE allows you to create what is essentially a Windows live cd, à la Knoppix or its variants.

      In this case, the beauty of BartPE versus other tools (at least for NTFS-based systems) is simply that you're actually using the native windows binaries to read/write the filesystem, instead of the (currently) buggy opensource NTFS tools.

      Other benefits of BartPE-
      * Free (as in beer)
      * It, for one, welcomes our modded-sheep Overlords.
      * More dirty-words per line of code (measured in the new standard, "DW/LC") than Solaris. ;-)
      * Oh yeah, it's got a GUI

      Hope this helps!

    80. Re:Oh, the Irony! by Eivind · · Score: 2, Informative
      No, you're wrong. In fact unix happily mmaps executables and libraries.

      The difference is that unix file-model is a lot more flexible than the model in dos (now largely inherited by Windows)

      In Windows, a "file" is a collection of bytes with one name.

      In Unix, a "file" is a collection of bytes with zero or more names.

      Simply put, unix uses reference-counting, the actual blocks on disk are only freed when the last reference is gone. Thus it's unproblematic to allow deletion of an open file -- the deletion only affects the directory formerly holding a reference to the file, the file still exists because the process has a handle on it and the reference-count is thus not null.

      You can try it out for yourself trivially:

      • Create a large file somehow.
      • start i.e. python with "python"
      • open the file and get a filehandle by doing: fp = open("filename.whatever")
      • Open a different shell.
      • Check how much space is free on the device.
      • Delete the file. Notice it's gone from the directory.
      • Check how much space is free, notice that it's not changed (i.e. the file is still taking up room)
      • in python, do fp.close()
      • Repeat test, notice that *now* the file is no longer taking up room.

      The disadvantages of the unix-approach you talk about don't exist, they are purely imagined and purely the result of you failing to grasp the unix file-semantics.
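The reference-counting behaviour described in the comment above, as an added example that is not part of the original post. It goes one step further than the comment's steps by also showing two names for one file and, on Linux, reading the deleted file back through `/proc`; the file names and payload are constructed.

```python
import os
import tempfile


def unlink_semantics(payload=b"constructed sample data\n" * 64):
    """Walk through unlink() on a file with two names, then with an open handle."""
    report = {}
    with tempfile.TemporaryDirectory() as workdir:
        first = os.path.join(workdir, "first_name.bin")
        second = os.path.join(workdir, "second_name.bin")
        with open(first, "wb") as f:
            f.write(payload)

        # One file, two names: the link count is the reference count.
        os.link(first, second)
        report["links_with_two_names"] = os.stat(first).st_nlink

        # Removing one name leaves the data reachable through the other.
        os.unlink(first)
        with open(second, "rb") as f:
            report["readable_via_second_name"] = f.read() == payload

        # Hold an open descriptor, then remove the last remaining name.
        fd = os.open(second, os.O_RDONLY)
        try:
            os.unlink(second)
            report["names_left_in_directory"] = os.listdir(workdir)
            report["links_after_last_unlink"] = os.fstat(fd).st_nlink
            # The open descriptor is itself a reference, so the blocks are
            # not freed yet and the content is still readable.
            report["data_still_readable"] = os.read(fd, len(payload)) == payload

            # Linux only: the kernel exposes the open file under /proc, which
            # is how a deleted-but-still-open file can be copied out during
            # incident response.
            proc_path = "/proc/self/fd/%d" % fd
            if os.path.exists(proc_path):
                report["proc_fd_target"] = os.readlink(proc_path)
                with open(proc_path, "rb") as recovered:
                    report["recovered_via_proc"] = recovered.read() == payload
        finally:
            # Closing drops the last reference; only now is the space freed.
            os.close(fd)
    return report


if __name__ == "__main__":
    for name, value in unlink_semantics().items():
        print(name, "=", value)
```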

    81. Re:Oh, the Irony! by poolmeister · · Score: 1

      Prevention is better than the cure:
      1. Don't use IE for the web... or disable IE's ActiveX & 'Install on Demand'
      2. Don't install malware... KNOW WHAT YOU ARE INSTALLING ON YOUR SYSTEM
      3. Don't steal software... why do people use cracked versions of bloated commercial apps when there are so many decent, often superior freeware & open source packages out there? The amount of people I've come across who use cracked versions of Norton amazes me... pointless as it's sh1t software anyway.
      4. Linux... I think we can all agree that Linux is gradually becoming a more viable & usable OS for the average Joe nowadays, although you actually still need some knowledge about computers and commands to use the average distro which is still too 'scary' for the average user, it's getting there though.
        Spyware, malware, viruses, piracy are thankfully still mainly dead subjects to us Linux users.
      5. Future... Windows vs Linux vs OSX x86, it's gonna be fun :)
      --
      CN=poolmeister.OU=lurkers.CN=slashdot
    82. Re:Oh, the Irony! by FauxReal · · Score: 1

      Or you can use this free program.

    83. Re:Oh, the Irony! by jonadab · · Score: 1

      > What's different is that Windows has a "delete" function while Unix
      > has an "unlink" function

      That depends on the filesystem. Linux will happily let you run a program that's on a FAT32 filesystem (possibly local or possibly on a disk in another computer, which may be running Windows, mounted via Samba's smbmount utility), and it will still happily let you delete it while it's still running.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    84. Re:Oh, the Irony! by empaler · · Score: 1

      1. Download ISO torrent
      2. Burn ISO
      3. Reboot computer, install *nix/Mac OS X86
      4. Who cares about $avebuck$$$! for Windows?

    85. Re:Oh, the Irony! by piinkfloyyd · · Score: 0

      "...and the trojan doesn't create the file until you do..." agreed. however, if you know the name of the executable that creates the trojan in the first place, this method allows you the ability to delete the .exe, should it have attached itself to an operating system file. simply delete the offending file, and replace with a clean one. i am attempting to switch to FireFox as well, the ol' Titanic-browser is a little too "leaky" for me. and i kind of like tabbed browsing...

      --
      ...the SIGnificance of inSIGnificance is SIGnificant...
    86. Re:Oh, the Irony! by Phs2501 · · Score: 1
      That depends on the filesystem.

      Good point.

    87. Re:Oh, the Irony! by KillShill · · Score: 1

      the easiest and most hassle free way of protecting your systems from windows attacks is to use a router.

      it blocks all of the windows related cracking attempts. it does NOTHING for spy/mal/junk/etcware though. that requires not running as admin plus the usual remedies of not running IE, having a spyware cleaning program, AV and not running just any old program that you come across.

      windows won't be attacked unpatched even in 20 years if you have a router. at least through the aforementioned means.

      you can find a cheap router for 20-40 bucks, and it will be well worth every penny.

      as to your situation... did you check the services list? the only reason the dll might not be found in safe mode is because a spyware service can't run in safe mode to create it. also check your device manager and check list hidden devices for any "drivers" they may have installed.

      you can also use, as people have mentioned, the recovery console. also you can use a knoppix cd.

      after the cleaning, run SFC to make sure no trojans or rootkits were installed. though it's probably safer after such a massive infection to just start over and reinstall.

      --
      Science : Proprietary , Knowledge : Open Source
    88. Re:Oh, the Irony! by psymastr · · Score: 0

      I don't think you should worry about that. Just shut down all programs yourself and then do it. Not too much to worry about.

      --
      Improve at backgammon rapidly through addictive quickfire position quizzes: www.bgtrain.com
    89. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 1

      Yes, I told the client that software firewalls aren't as good as hardware firewalls. She may be springing for SBC DSL and since she has wireless, she might go for the 2Line wireless/powerline router which has a firewall in it.

      I've got TDS-3 which ought to detect anything left - it's reputedly the best anti-trojan around. And I've got a couple others which are good just in case.

      Good point to check for hidden drivers, I'd forgot about that. I do plan to run SFC to replace any damaged system files from the trojans or cleaning.

      I'll be seeing the client tomorrow, hopefully a couple hours will finish the cleaning without having to do either a complete reinstall or a repair install. So far it doesn't look like there's too much damage - winlogon.exe seems to have a problem, hopefully SFC will fix it. The system seems pretty stable and functional now, I just have to make sure nothing's left to start importing more trojans all over again.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  2. Doh by christoofar · · Score: 1

    Now I'll have to find somewhere else to download my warez and leetz crackz.

    I wonder how NYC bigwigs managed to convince these companies to buy ad space... "Yes you will have very good coverage amongst 13-26 year olds... we have their attention, and HOW!"

    1. Re:Doh by pilgrim23 · · Score: 1

      New York Based? well this only proves my earlier thesis that the only true solution to adware, spyware and the like is a small but very efficient, off-shore mercenary army.....

      --
      - Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
    2. Re:Doh by nahpets77 · · Score: 1

      I'm not sure if the problem is with the client. The article said that the adware programs are bundled with torrents. I also get the impression that the adware itself will download more stuff to your computer via BT. Not sure about that though, the article was a little vague.

    3. Re:Doh by Smidge204 · · Score: 2, Informative

      After reading the article, it seems that the client itself is not the vehicle for infection - it's tainted files. Which client you use is irrelevant.

      =Smidge=

    4. Re:Doh by DrFrob · · Score: 1

      I did RTFA, but I also didn't understand how an executable could be run if you downloaded a nonexecutable (e.g., a .mov or .avi file). Anyone catch that?

    5. Re:Doh by Master+of+Transhuman · · Score: 1


      No need for an army.

      One or two (very busy) assassins ought to handle it - you just need to whack the few guys who own the spyware companies.

      Of course, there will always be more, so it's job security.

      The REAL answer of course is to use nanotech to wipe out the thousands of morons who actually click on spam ads...

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    6. Re:Doh by TrippTDF · · Score: 1

      If the company is dirty on one end, they are probably dirty on the other.

    7. Re:Doh by nahpets77 · · Score: 1

      A self-extracting archive where the adware program is embedded into the EXE. I guess you should watch out for files like "The_Matix.XviD.exe".

    8. Re:Doh by Badfysh · · Score: 1

      The adware executables are normally renamed keygen.exe, so be very suspicious of apps that come bundled with keygens, especially if there is a serial in the readme or .nfo file.

      --

      I was conned by an old man in a cloak. It turns out those *were* the droids I was looking for.

    9. Re:Doh by iibagod · · Score: 2, Funny

      Shhh....I'm working on that. Unfortunately, I had to leave the country due to the recent civil war, and I can not get the $10,000,000 in research money out.....

      If you would like to help me recover this money....


      You'll be my first beta tester.

    10. Re:Doh by sootman · · Score: 2, Insightful

      Not just that, but 13-26 year olds who have *proven* that they'd rather steal stuff than buy it... but surely they'll want to pay for *your* product, right? Idiots.

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    11. Re:Doh by budgenator · · Score: 2, Informative

      how an executable could be run if you downloaded a nonexecutable (e.g., a .mov or .avi file)
      It can't but that's not what's happening, people are used to downloading ZIP files, which are often self-extracting; so they double click the file, which is executable, i.e. self-extracting; the custom extractor throws up an alert box that says extracting "suzie does donkies", a checkbox "I agree to terms" and OK. Users never actually read the terms, which say something like I agree to install software, give my first born son, etc. Then the extractor installs the spyware, and then extracts the .mov or .avi file for the user to watch. I'm not sure if windows even looks at the file extension anymore

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    12. Re:Doh by Second_Infinity · · Score: 1

      My thoughts exactly.

    13. Re:Doh by Anonymous Coward · · Score: 0

      garbage in garbage out.

    14. Re:Doh by robertjw · · Score: 2, Interesting

      Not just that, but 13-26 year olds who have *proven* that they'd rather steal stuff than buy it...

      Of course, how does that explain Coldplay selling 740,000 copies of their new album in the first week. Who is buying these, all the damn 40 year olds? Wonder if my grandma's picked up her copy yet?

      Maybe X&Y isn't out on the torrent sites yet.... nope, there it is. My favorite torrent search engine has at least 5 very active trackers. Strange, why would ANYONE purchase it, especially those evil 13-26 year olds???

    15. Re:Doh by ymgve · · Score: 1

      It can't but that's not what's happening, people are used to downloading ZIP files, which are often self-extracting;

      No they're not. A ZIP file is never self-extracting, because then by definition it isn't a ZIP file anymore. (File with extension ending in .zip, containing PKZIP structure, openable by any PKZIP compatible program)

    16. Re:Doh by Anonymous Coward · · Score: 0

      I will help you get that $10 million out adn ag help! my right arm just turned into a puddle of grey goo!

    17. Re:Doh by MoriaOrc · · Score: 1

      I think what the GP is trying to say is that any company who targets their advertising to people who pirate things needs to rethink some things. Of course not all 13-26 year olds pirate every new album, but advertising to the ones that you know are pirating is something of a waste of time.

      The GP's statement would be just as true w/o any reference to an age group.

    18. Re:Doh by Com2Kid · · Score: 1
      • Not just that, but 13-26 year olds who have *proven* that they'd rather steal stuff than buy it... but surely they'll want to pay for *your* product, right? Idiots.


      Depends, even teenagers put a marginal value on their next "unit" of time trying to get some pirated piece of software to work, or the latest Video Codec to decompress the latest Hollywood flick.

      Owning a legitimate copy of a product makes life much easier.
    19. Re:Doh by spudgun · · Score: 1

      Ok, so open a paypal a/c for donations to "whack-a-spyware-vendor", and every $1500 you can get another one whacked.....

      --
      Type unto others as you would have them type unto you.
    20. Re:Doh by Create+an+Account · · Score: 1

      Sounds like you're talking about Executive Outcomes. Although to be honest, this job would probably better benefit a small group of enthusiastic hobbyists.

    21. Re:Doh by PurpleFloyd · · Score: 1
      Well, they (or more likely, their parents) will want to pay for your product when it's the uninstaller for the adware that shows 4 popups every 2 seconds advertising "YOU MAY HAVE SPYWARE ON YOUR SYSTEM! CLICK HERE TO BUY A SPYWARE REMOVAL PROGRAM!!!"

      Most of the spyware I've seen recently (and I see a fair amount among just friends and family) is either CoolWebSearch (a dark spawn of Hell of which I will not speak again) or a thinly veiled extortion tactic which charges money to buy the uninstaller - or rather, the "SPYWARE REMOVER!!!! GUARANTEED 100% ACCURATE!!!!! GET RID OF SPYWARE NOW!!!!!" Were I to meet the "humans" who install this crap via drive-by downloads and IE exploits, causing both my friends and I to lose hours upon hours of valuable time, I would do things to them which would make the Lovecraftian elder gods not only blanch but run away screaming.

      --

      That's it. I'm no longer part of Team Sanity.
    22. Re:Doh by Stauf · · Score: 1

      I'm not sure if windows even looks at the file extension anymore

      Oh, it does, and it even goes to great lengths so you don't have to. Try name a file something.zip.shs - all you'll see is the .zip. SHS is one of a few extensions windows always hides.

      Hrm, in fact, with a .shs - you could make a file that would appear to end with .zip, but that silently installs a bunch of crapware, then puts a *real* .zip containing the files you tried to download in the tempdir and launch your associated windows app to open it. It would be completely seamless unless a) the icon was different from your usual 'unzip' app and/or b) you noticed that the file was actually opening from a different dir.

      And now that I give it some more thought - you could build a shs that copies a .zip to a temp dir, installs a bunch of crapware, then deletes itself and moves the .zip from the temp dir to the directory it was executed from and executes it with the default app. If done right, the only thing that would give it away would be the file's icon.

      I'm surprised no one's ever tried it.

  3. And the day has come... by ChrisF79 · · Score: 2, Informative

    We had to see this one coming. The spyware/adware folks are getting good at putting their "product" everywhere. It was only a matter of time before bittorrent reached critical mass and became a good target.

    --
    Finance tutorials and more! Understandfinance
    1. Re:And the day has come... by MrAnnoyanceToYou · · Score: 1

      Yeah, but these files have to be different in a rather uniform way. Is there the possibility that someone (bram) will figure out a way to either filter malicious content or clean it out on load?

    2. Re:And the day has come... by eljasbo · · Score: 1

      it should be easy enough... Just have the BT client check for the evil bit.

    3. Re:And the day has come... by budgenator · · Score: 1

      I'm more surprised it took this long for people to notice; I guessed that's why half my pron doesn't work in Linux a long time ago.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    4. Re:And the day has come... by tropo3050 · · Score: 2, Informative

      Well, sure, if they were trying to share a modified version of the original torrent. The article certainly gives the impression that the torrent is being poisoned with modified "chunks" of data which, when reassembled into the file, create adware. However, the .torrent file should specify the checksum for each part - if it is invalid, the part is thrown out and gotten from somewhere else. The same reason why checksums work in encryption is why altering the chunk and maintaining an identical checksum is theoretically possible: yielding a functioning chunk with that same checksum would just be really, really hard. I really think that these people are creating their own torrents, enticing users to download and use that .torrent file. Since they made it, the checksums will match the pre-made chunks, because the original file contains the adware.
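The piece checking described in the comment above, as an added example that is not part of the original post or of any BitTorrent client. It assumes a single-file torrent with the standard `name`, `length`, `piece length` and `pieces` fields, uses a tiny piece size, and all payload bytes are constructed.

```python
import hashlib
import hmac

PIECE_LEN = 16  # unrealistically small so the constructed sample spans several pieces


def bencode(obj):
    """Minimal bencoder: ints, byte/str strings, lists, dicts with sorted keys."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode() if isinstance(k, str) else k, v)
                       for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))


def split_pieces(payload, piece_length=PIECE_LEN):
    return [payload[i:i + piece_length]
            for i in range(0, len(payload), piece_length)]


def build_info(name, payload, piece_length=PIECE_LEN):
    """Build the 'info' dictionary: one 20-byte SHA-1 per piece, concatenated."""
    pieces = b"".join(hashlib.sha1(p).digest()
                      for p in split_pieces(payload, piece_length))
    return {"name": name, "length": len(payload),
            "piece length": piece_length, "pieces": pieces}


def infohash(info):
    """SHA-1 of the bencoded info dictionary; this identifies the torrent."""
    return hashlib.sha1(bencode(info)).hexdigest()


def verify_piece(info, index, piece):
    """Accept a piece only if its SHA-1 matches the hash in the metadata."""
    expected = info["pieces"][index * 20:(index + 1) * 20]
    actual = hashlib.sha1(piece).digest()
    return len(expected) == 20 and hmac.compare_digest(actual, expected)


def demo():
    original = b"CONSTRUCTED-SAMPLE-RELEASE-" * 3
    honest = build_info("release.bin", original)
    pieces = split_pieces(original)

    # Case 1: a peer in the honest swarm sends an altered piece.
    forged = bytearray(pieces[2])
    forged[0] ^= 0xFF
    tampered_ok = verify_piece(honest, 2, bytes(forged))

    # Case 2: a publisher hashes a payload that already contains extra
    # content and distributes that metadata as a separate torrent.
    bundled = original + b"[constructed stand-in for a bundled installer]"
    repackaged = build_info("release.bin", bundled)
    repackaged_ok = all(verify_piece(repackaged, i, p)
                        for i, p in enumerate(split_pieces(bundled)))

    return {
        "honest_pieces_all_accepted": all(
            verify_piece(honest, i, p) for i, p in enumerate(pieces)),
        "tampered_piece_accepted": tampered_ok,
        "repackaged_all_accepted": repackaged_ok,
        "same_infohash": infohash(honest) == infohash(repackaged),
    }


if __name__ == "__main__":
    print(demo())
```

The piece hashes only prove that the download matches the metadata; comparing the infohash against one published by a source you trust is what separates the two torrents.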

  4. How long... by AnalogDiehard · · Score: 4, Interesting
    ...before someone uncovers a link between Direct Revenue LLC and the MPAA?

    The MPAA cartel have been more than public about their conspiracy to poison p2p networks.

    --
    Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
    1. Re:How long... by Fishstick · · Score: 2, Funny

      > more than public

      you mean less than secretive?

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    2. Re:How long... by Anonymous Coward · · Score: 0
      The MPAA cartel have been more than public about their conspiracy to poison p2p networks.

      You should have said "The MPAA cartel HAS been more than public about their conspiracy to poison p2p networks." The MPAA is a single group.

    3. Re:How long... by Aerog · · Score: 2, Interesting

      Clicking through to the aurora review, I was surprised to see that the text in the 'scan your computer' dialog box (image) looked strikingly like the text at respectcopyrights.org; a site run by our favourite Media Cartel in the whole wide world.

      --

      - Relativistic? That's barely Newtonian!
    4. Re:How long... by Anonymous Coward · · Score: 0
      I suppose if you want to be picky, the GP could write "the MPAA Cartel" meaning "that Cartel of which the MPAA is a prominent member" and been correct in that respect.

      It would still have been "has" though, since the reference was to the group and not to the members, and the group is singular

    5. Re:How long... by It+doesn't+come+easy · · Score: 1

      The MPAA poisoning p2p networks this way would lose the ability to sue over those files being shared, assuming the actual movie was attached to the adware.

      --
      The NSA: The only part of the US government that actually listens.
    6. Re:How long... by shmlco · · Score: 1

      Doesn't mean a thing. Smaller sites "borrow" images and icons from other sites all the time.

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  5. This is Dumb by Enigma_Man · · Score: 3, Informative

    It's not bittorrent that has the spyware, it's crappy spyware-infested clients. A client can contain other malicious code obviously (as seen in Kazaa, etc). Bittorrent itself is just a file type with special download methods. How you download it is up to you. If you don't use a crappy client, and don't run .exe files that you don't remember downloading, you're all set, jesus-h-christ, how many times does this have to be re-hashed.

    -Jesse

    --
    Nothing says "unprofessional job" like wrinkles in your duct tape.
    1. Re:This is Dumb by m50d · · Score: 1

      What if they're exe files you did download, because they look to be warez games or something?

      --
      I am trolling
    2. Re:This is Dumb by Jarnis · · Score: 2, Insightful

      Then the downloader is too moronic to own a computer.

      There is plenty of crap being seeded. Being able to tell crap from real, proper releases is not rocket science.

    3. Re:This is Dumb by Anonymous Coward · · Score: 0

      Apparently it hasn't been re-hashed enough times for you.

      Try reading the article... It's not about torrent client software, it's about the software you download (with any client). If I am downloading software games or apps, then yeah- I pretty much HAVE TO RUN the executable, do I not? And sure it works, and it also installs spyware.

      Who modded parent insightful? Just a knee-jerk reaction to complaining about the technological luddites even when the poster reveals his own ignorance?

    4. Re:This is Dumb by Enigma_Man · · Score: 2, Insightful

      Then that's your own damn fault for not being aware of what you're downloading, same as with any file transfer that has ever existed at any point in history for all time, and at all points in the future.

      -Jesse

      --
      Nothing says "unprofessional job" like wrinkles in your duct tape.
    5. Re:This is Dumb by Gnascher · · Score: 3, Informative

      You missed the point. Your 'torrent client isn't the one installing the adware.

      Adware companies are hosting up files that they've corrupted by adding in their own files.

      So when you think you're downloading a linux .iso, or something else ... you MAY be getting more than you bargained for if one of the sources of the .torrent is hosting one of these corrupted pieces.

      Then, when the download is complete and is reassembled ... the spyware gets installed on your machine.

      The scary bad thing here, that the article doesn't mention, is if the SpyWare community can pull this off, it should be just as easy for a Virus writer to do it.

      Probably easy enough to verify your download if you can check an MD5 hash against it. But the article wasn't clear when the install happens. Is it automatic, or is user input required?

      --
      It's not my fault! It was this way when I got here.
    6. Re:This is Dumb by Beryllium+Sphere(tm) · · Score: 1

      >It's not bittorrent that has the spyware, it's crappy spyware-infested clients.

      It's crappy spyware-infested downloads. Boyd used a standard client and found an infection in a bundle that claimed to be a TV episode. Open the archive, get a misleading license agreement, and boom.

    7. Re:This is Dumb by Chagrin · · Score: 1

      Actually it is. I had one instance where the installer was rewritten to install the "Better Internet" spyware along with the application - aside from a single alert (which I cancelled to no avail) the installation was seamless.

      You really need to know what to look for to avoid the sort of thing.

      --

      I/O Error G-17: Aborting Installation

    8. Re:This is Dumb by failure-man · · Score: 5, Insightful

      BitTorrent already hashes the download with SHA1, so unless the Spyware industry has come up with some practical way to generate collisions it's not the pieces that are corrupt. It's the whole torrent.

    9. Re:This is Dumb by Enigma_Man · · Score: 1

      If you are running questionable software that you downloaded BY ANY CHANNEL, not just bittorrent, you're an idiot and deserve any spyware you get. It is a re-hashing, and doesn't need to be brought up over and over.

      I do admit that I did just scan the article and misread some things. It isn't about clients being full of crap, it's about downloading unknown software AND THEN RUNNING IT, WHICH IS EVEN MORE STUPID than my initial thoughts, because it actually requires the user to run the malware; the same problem that has plagued idiots in businesses who click on everything in their e-mail for years.

      -Jesse

      --
      Nothing says "unprofessional job" like wrinkles in your duct tape.
    10. Re:This is Dumb by NightSpots · · Score: 1



      > You really need to know what to look for to avoid the sort of thing.


      Actually, you really need to not use the internet to avoid the sort of thing.

      A smart user can go for a long time without getting infected, but even the best users will pick up crap from time to time.

      P2P, porn sites, warez sites, and silly AIM addons (great for the office chicks, not so much fun for the nice IT folk who allowed them to run AIM and then had to clean up the mess) are all great ways to pick up spy/ad/malware.

    11. Re:This is Dumb by Enigma_Man · · Score: 2, Interesting

      Yes, that was my mistake, I mis-scanned the article. This is actually an even more retarded article about running unknown software you downloaded from a semi-anonymous source... Great guys, keep running those executables you get through the e-mail.

      -Jesse

      --
      Nothing says "unprofessional job" like wrinkles in your duct tape.
    12. Re:This is Dumb by nahpets77 · · Score: 3, Insightful

      I don't see how the spyware can be installed automatically. When you download a file, it goes in a directory. Unless you execute the infected file(s), the spyware can't be installed. Of course, I'm assuming here that you're using a "real" BT client that won't execute files for you ;) Furthermore, it shouldn't be too hard to filter out fakes:
      - Using things like MD5 to verify 'real' releases. Maybe even GPG signatures?
      - Virus/Spyware tools which can scan your downloads and detect known spyware progies.

    13. Re:This is Dumb by Daedala · · Score: 2, Insightful

      Renowned security researchers need to flog this stuff to become renowned outside their own heads?

      Perhaps I'm betraying my own ignorance (who, me?), but I've never heard of this guy, I don't particularly respect people who flog their MS MVPness as a qualification, and a quick look on Google shows his general tone to be somewhat...hysterical. The spywares are coming to get us! Run away! Run away!

      Am I missing something?

      --
      What I say does not represent the views of my employers, my friends, my cats, or myself.
    14. Re:This is Dumb by mcc · · Score: 2, Interesting

      > The scary bad thing here, that the article doesn't mention, is if the SpyWare community can pull this off, it should be just as easy for a Virus writer to do it.

      My thought is, if it's illegal for a Virus writer to pull this off, it should also be illegal for the SpyWare community to do it.

      We should stop acting like spyware deserves some kind of special, dignified status, different from "viruses", just because they're created by companies and not by some guy in his basement. They aren't different. They're trojan horses. Prosecute them like they are.

      Either these people are stuffing their trojan horses into legitimate, legal-to-distribute programs and releasing them on bittorrent misleadingly, and should be hit under whatever law you'd get hit under if you were doing exactly that with a virus, or they're stuffing their trojan horses into warez, and they should be hit for the above plus copyright infringement.

    15. Re:This is Dumb by Anonymous Coward · · Score: 0

      > It's crappy spyware-infested downloads. Boyd used a standard client and found an infection in a bundle that claimed to be a TV episode. Open the archive, get a misleading license agreement, and boom.

      Why would a movie file (pick your favorite format) need to be executed in the first place? If I download a movie and the file in the archive is called XYZ.exe, I don't run it because it's not a video file. End of story.

    16. Re:This is Dumb by Trigun · · Score: 2, Funny

      This is why I only download my tv shows from respectable pirates. And for the most part, I don't run into too many archives, they're usually just a single avi file. The ones that do come as rars or similar are generally cams or crap.

    17. Re:This is Dumb by Master+of+Transhuman · · Score: 3, Interesting

      Excuse me, but porn sites mostly don't need spyware - they know what you're there to get - they don't need marketing of any kind - the marketing is between your legs.

      Most of my clients are picking up spyware from going to SPORTS sites. I got a client whose kids keep checking out Nike shoes at sleazy commercial sites and going to sports sites. It's sleazy commercial sites that are using spyware and spam software to hawk their products and sell marketing info.

      And why would a warez site install spyware? What's in it for them (unless they're big enough to make deals with sleazy marketing operations)? They're distributing FREE illegal stuff to begin with! Again, they KNOW what you're there for. Sure, some of them are probably crackers who are looking to spread viruses and the like, but a lot of people using warez will spot that in a hurry and spread the word and then they're out of business (on that site at least.)

      Even this BitTorrent thing - it's not the "legitimate" sharers doing this - it's COMPANIES seeding the torrents with crap. It's the companies that need to be targeted and shut down, regardless of their legal excuses.

      Ultimately I think that since the law can't work - because it's mostly unenforceable - it will have to be hackers who start finding and (illegally) targeting these companies for DoS attacks and the like that will have to solve this.

      And of course, better tools and better user education is needed to stop people from clicking on spam and installing crap.

      Even so, a certain level of crime is a given and security is an issue that won't go away (until humans do, which fortunately is a given as well.)

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    18. Re:This is Dumb by alecks · · Score: 2, Insightful

      This isn't that difficult people. Let's say you just downloaded PhotoshopCS2.torrent, and you go to the folder and you see what looks like a legit photoshop CD folder structure. One of the following could happen:
      1 - Setup.exe is a virus/spyware
      2 - Setup.exe is the real setup with a virus/spyware attached to it
      3 - Keygen.exe is one of the above.

    19. Re:This is Dumb by budgenator · · Score: 1

      How many even see the XYZ.mov or even the xyz.mov.exe; most windoser just see the XYZ part.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    20. Re:This is Dumb by TCaptain · · Score: 1

      > And why would a warez site install spyware? What's in it for them (unless they're big enough to make deals with sleazy marketing operations)?

      You can't possibly be this naive...but who knows?

      You don't need to be a "big" operation to make deals with spyware firms. They can make big bucks just like they try and make big bucks with their convoluted attempts to make you click on ads and such. Yes they distribute free stuff, but they aren't above screwing YOU over to make a little green. If they can install 100K clients and make some money doing it, they'll do it.

      --
      "I'm not a procrastinator, I'm temporally challenged"
    21. Re:This is Dumb by TCaptain · · Score: 1

      I know I check my SHA1 when getting linux ISOs...but is the standard AOL moron gonna even KNOW how to do this when downloading a DVDRip of "Pumping Irene" or whatever?

      --
      "I'm not a procrastinator, I'm temporally challenged"
    22. Re:This is Dumb by laxian · · Score: 1
      > and silly AIM addons (great for the office chicks, not so much fun for the nice IT folk who allowed them to run AIM and then had to clean up the mess) are all great ways to pick up spy/ad/malware.

      Oh man, that mention of "office chicks" spoke directly to me. The pretty girls we try to curry favor with can end up being such a liability. Then there's the others who I'm not interested in at all. One figured out how to screw up her PC w/spyware on her own. I think she likes that I reprimanded her.

      Offices are so great.

      --

      our written thoughts are gifts to our future selves

    23. Re:This is Dumb by laxian · · Score: 1
      Thank you very much, righteous, discerning user. While you're at it, please remind everyone to:
      • Only install software from the original install disks.
      • To always, no matter what, use a condom, even if it's your wife.
      • Always leave the house with an umbrella in hand.
      • Sit down when you pee.
      • Only answer phone calls that display who's calling you.
      • Use the highest octane gasoline.
      • Buy name brand computers.
      • Get the extended warranty at the store.
      • Wear goggles when mowing the lawn.
      • Only swim in the pool with someone else present.
      The truth is that everyone downloading any pirated software is vulnerable to getting spyware. Our anti-virus programs are usually pretty good about catching viruses from the occasional evil keygen.exe and 115MB setup.exe, but anti-virus programs are shitty at catching spyware. It won't be long before people with an interest in receiving spyware revenue start packaging their own warez releases with spyware trojans. Maybe they can even look just like a reputable release. But, of course, it'd be our own damn fault, right?
      --

      our written thoughts are gifts to our future selves

    24. Re:This is Dumb by reidbold · · Score: 3, Informative

      BitTorrent does this automatically behind the scenes. It hashes each block of data and confirms it after it's downloaded it, and it redownloads blocks that fail hash check.

      --
      -Reid
    25. Re:This is Dumb by Cally · · Score: 1
      >BitTorrent already hashes the download with SHA1, so unless the Spyware
      > industry has come up with some practical way to generate
      > collisions it's not the pieces that are corrupt. It's the whole
      > torrent.

      I'm glad you asked me that, Brian.

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    26. Re:This is Dumb by cortana · · Score: 1

      Morons can damage their computers -- flim at eleven?

    27. Re:This is Dumb by _Qiang_ · · Score: 0
      > Then, when the download is complete and is reassembled ... the spyware gets installed on your machine.

      is that possible, once you download a bittorrent file it can install itself?
    28. Re:This is Dumb by irc.goatse.cx+troll · · Score: 1

      Checksum the rars against the sfv posted on a public dupesite (like nforce/isonews/whatever you kids use these days).

      If your download didn't come in the original scene release rars, you're already screwing yourself with something most likely subpar.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    29. Re:This is Dumb by m50d · · Score: 1

      How do you tell then? It used to be the case that if a warez thing was packaged as an exe it would be a self-extractor, so you could unzip/unrar it without having to run it. But nowadays that's not always how it is, they can be an actual installer. If you have an msi or similar package, how do you tell whether it's installing spyware along with what you're seeing it install? Monitor your registry for changes I suppose, but that's beyond most users, I certainly wouldn't call you moronic for not knowing how to do that. What if it adds itself to the task scheduler instead of using the registry?

      --
      I am trolling
  6. Sites? by kevin_conaway · · Score: 2, Insightful

    Which "sites" does this affect? The article and summary say that it's flooding in through "BitTorrent." BT is just a protocol, there have got to be sites hosting trackers that are providing these malicious files. My question is, who are they?

    1. Re:Sites? by Beryllium+Sphere(tm) · · Score: 1

      Mininova is playing Whack-a-mole with trackers that are spewing out infections. I question the value of trying to find out who's seeding the files. Rumor has it that five cents will rent you a machine on a botnet, and that's all a spyware crook would need.

    2. Re:Sites? by EmperorKagato · · Score: 1

      torrentreactor.net has quite a few torrent files that contain virus/trojan/spyware.

      --
      ----- You know you have ego issues when you register a domain in your name.
    3. Re:Sites? by e+r+i+k+0 · · Score: 1

      Actually, it seems like most of the files on TorrentSpy.net are now executables, especially videos. What's most annoying is that they are sometimes buried in RAR files, making them hard to detect before downloading.

    4. Re:Sites? by jZnat · · Score: 1

      Maybe it's just like viruses and worms are flooding in through POP3 and LDAP, and spyware is flooding through HTTP, and annoying ditzes are flooding through Oscar...

      --
      'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
  7. Shrug by The+Bungi · · Score: 5, Insightful
    Download something, install it on your machine. You get malware. Surprise. This has nothing to do with the fact that it's BT, because BT is open to everyone. It's the user's responsibility, as always. As with Kazaa, LimeWire and any other P2P technology or just downloading "that really cool screensaver" using your web browser.

    Of course this won't stop some people from blaming Microsoft somehow.

    1. Re:Shrug by Anonymous Coward · · Score: 0

      Ok you asked for it...

      If Microsoft didn't promote users running as admin/root then the spyware wouldn't be able to take over services like bt.

      Have a nice day!

    2. Re:Shrug by sqlrob · · Score: 2, Interesting

      BZZZT.

      It could just as easily be a reverse connect trojan that modifies ~/.profile or other login startup files, no admin privileges needed.

      If a user runs something bad, they can be screwed no matter what OS.

    3. Re:Shrug by Anonymous Coward · · Score: 0

      > Of course this won't stop some people from blaming Microsoft somehow.

      We don't blame MS because our warez with trojans, we blame MS for making it easy for web sites, emails, etc to infect our PC's WITHOUT US INSTALLING ANYTHING.

      [Sidenote: WTF: Slashdot requires you to wait between each successful posting of a comment to allow everyone a fair chance at posting a comment. It's been 10 minutes since you last successfully posted a comment.]

    4. Re:Shrug by It+doesn't+come+easy · · Score: 1

      The bittorrent issue is 1) the vector is new, 2) bittorrent is very widely used, and 3) it's tough to track the original source of the spyware (except by knowing who publishes the spyware because of the name of the spyware program). Imagine injecting an unknown spyware program...or maybe a malicious worm...

      --
      The NSA: The only part of the US government that actually listens.
    5. Re:Shrug by SalsaDoom · · Score: 0, Insightful

      BZZZT.

      While it's true that a program could do that, in a unix like system it would be a trivial matter to remove the spyware, unlike, oh, say, windows where such a file can replicate itself all over the system, bury itself in the registry etc. It can only infect a single user, who, should he find a clue at some point, could remove it without having to run a bunch of strange -- often commercial -- tools.

      No, you're not going to let MS off this hook this time. Their OS sucks and that's final.

      --SD

      --
      "Computers will never truly be free until the last windows user is strangled with the entrails of the last mac user."
    6. Re:Shrug by sqlrob · · Score: 1

      Trivial to remove != immunity.

      You can run as non-admin, it's (mostly) the ISVs that are at fault for not letting you run as a limited user. Who do you blame if you can't run something as root? Linus or the vendor?

      Even Mozilla/Firefox has issues, unless it's been fixed recently. How come you have to be admin to install plugins on Windows? You don't have to be on Unix, directories under home work just fine there.

    7. Re:Shrug by petermgreen · · Score: 1

      right until they type su while typing over a keylogged pty set up by their login profile.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  8. oh good, another company for the district attorney by Anonymous Coward · · Score: 0

    another 3 mil for the city... hooray~~ of course i would rather see some equally unethical tactics being directed to that company, but meh, money for school is good XD

  9. Not so big of a deal by biryokumaru · · Score: 1, Informative
    Wow, this is one up to date news source, this e-week is totally on top of the e-news.

    "Many top Bit Torrent sites such as SuprNova, Lokitorren and Bit Tower support millions of downloads daily"

    And it only affects the btdownloadgui client, not the torrents themselves. Seems like non-news for people who use Azureus (or any of a number of quality clients, really).

    --
    When you're afraid to download music illegally in your own home, then the terrorists have won!
    1. Re:Not so big of a deal by aslagle · · Score: 4, Informative

      Um...this is wrong. Perhaps you missed the part that said the client isn't the infection path?

      Oh, guess you didn't read TFA.

      The infection path is simply a self-extracting file that contains the content you wanted, along with a spyware tag-along. It can be downloaded with any client, they just happen to be seeding them as torrents.

    2. Re:Not so big of a deal by Spy+der+Mann · · Score: 1

      > The infection path is simply a self-extracting file that contains the content you wanted, along with a spyware tag-along.

      Excuse me, wasn't this called "virus" in the old napster times?

    3. Re:Not so big of a deal by gclef · · Score: 1

      See, here's where they lose me: you have to have downloaded the self-extracting file...the ad folks can't insert this file into an existing download of some other content since that chunk will fail the checksum tests. So, basically, this story boils down to adware sites putting up fake exe's and offering torrents to those exes, yes? I don't see this as a big deal...which torrents you choose to download has always been the tricky part of BT.

    4. Re:Not so big of a deal by Anonymous Coward · · Score: 0

      > The infection path is simply a self-extracting file that contains the content you wanted, along with a spyware tag-along.

      This is why you should never execute a self-extracting archive. How can you be sure what's in it?

      The best method of dealing with this is to explicitly open the self-extracting archive using a decompression tool (WinZip or what have you). That way, you'll know exactly what you're getting.

      If the content itself is an executable, then you should have confirmed its authenticity ahead of time.

      Bottom line: If you run an untrusted executable, then you deserve whatever spyware, adware, malware, or virus you happen to get.

    5. Re:Not so big of a deal by stinerman · · Score: 1

      I don't see how this will work.

      Most torrent sites are run as a forum with user posts that make their way to the tracker. When someone notices that they are downloading an .exe when they wanted an .avi or .mpg, they'll think twice before opening it.

      Even then, WTF are they going to attach their spy/adware to? If they are attaching to copyrighted files, they've become infringers, and once the spyware installs, it should be easy to see where it is calling home and who installed it.

    6. Re:Not so big of a deal by aslagle · · Score: 1

      The example is of a self-extracting rar file, of a 'Family Guy' episode. When you launch the rar file, the spyware installs before you see the video.

      So yes, the spyware guys are uploading someone else's property with their stuff in the same archive.

    7. Re:Not so big of a deal by stinerman · · Score: 1

      I would never blindly click on an exe I got from any file sharing program, but your average luser probably would, so there is perhaps some "merit" upon a closer look.

    8. Re:Not so big of a deal by biryokumaru · · Score: 1
      --
      When you're afraid to download music illegally in your own home, then the terrorists have won!
    9. Re:Not so big of a deal by Anonymous Coward · · Score: 0

      Hmm ... comprehension problems maybe?

      The client has hashes for the pieces it downloads from the .torrent file. Which means that, unless the original seeder is uploading an infected file, any addition to the chunks by a peer will fail the SHA1 check. Thus there's no way for a peer to add extra bits without the client noticing. Yeah, and some clients would even let you ban IPs that send out corrupted chunks.

      So the GP is right - they started seeding adware through BT as well. Well, that's nothing new, kazaa had it ages ago. I'm surprised it took them that long.

      BTW, TFA makes no assumptions on how the file got infected. It only says you're getting an exe archive that tries to install spyware when running its own installer, while using the (winrar in this case) archiver to unpack it works fine. You get to download an infected file - and the BT details make sure that the file was infected to begin with and not simply during download.
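The per-piece SHA-1 check that several comments above rely on, as an added example (not code from the thread, the article or any BitTorrent client): it builds a single-file metainfo over constructed sample bytes and shows that a piece altered in transit fails verification, while a bundle the seeder hashed into its own .torrent verifies cleanly. The tracker URL, file names and payload bytes are placeholders made up for the example.

```python
import hashlib

def bencode(v):
    """Encode ints, bytes, lists and dicts in bencoding (the .torrent format)."""
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, bytes):
        return b"%d:%s" % (len(v), v)
    if isinstance(v, list):
        return b"l" + b"".join(bencode(x) for x in v) + b"e"
    if isinstance(v, dict):  # dictionary keys are emitted in sorted order
        return b"d" + b"".join(bencode(k) + bencode(v[k]) for k in sorted(v)) + b"e"
    raise TypeError(type(v))

def bdecode(data, i=0):
    """Decode one bencoded value at data[i]; return (value, index after it)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            if i >= len(data):
                raise ValueError("unterminated list or dictionary")
            item, i = bdecode(data, i)
            items.append(item)
        if c == b"l":
            return items, i + 1
        if len(items) % 2:
            raise ValueError("dictionary key without a value")
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        start = colon + 1
        end = start + int(data[i:colon])
        if end > len(data):
            raise ValueError("truncated string")
        return data[start:end], end
    raise ValueError("bad bencode at offset %d" % i)

def piece_hashes(payload, piece_length):
    """Concatenated 20-byte SHA-1 digests, one per piece, as stored in 'pieces'."""
    return b"".join(hashlib.sha1(payload[o:o + piece_length]).digest()
                    for o in range(0, len(payload), piece_length))

def make_torrent(name, payload, piece_length):
    """Seeder side: the metainfo describes whatever payload the seeder chose."""
    info = {b"name": name, b"length": len(payload),
            b"piece length": piece_length,
            b"pieces": piece_hashes(payload, piece_length)}
    # tracker.invalid is a placeholder URL for this example
    return bencode({b"announce": b"http://tracker.invalid/announce", b"info": info})

def info_hash(torrent):
    """SHA-1 of the bencoded info dictionary, which identifies the torrent.
    Re-encoding is byte-identical here because bencode() output is canonical."""
    meta, _ = bdecode(torrent)
    return hashlib.sha1(bencode(meta[b"info"])).hexdigest()

def verify_pieces(torrent, payload):
    """Client side: True/False per piece against the hashes in the metainfo."""
    info = bdecode(torrent)[0][b"info"]
    plen, expected = info[b"piece length"], info[b"pieces"]
    if len(expected) % 20 or len(payload) != info[b"length"]:
        raise ValueError("payload does not match the metainfo length")
    return [hashlib.sha1(payload[n * plen:(n + 1) * plen]).digest()
            == expected[n * 20:(n + 1) * 20]
            for n in range(len(expected) // 20)]

PIECE_LEN = 32                      # tiny piece size so the sample has 6 pieces
CLEAN = bytes(range(192))           # constructed stand-in for the wanted file
BUNDLED = b"constructed-unwanted-installer-stub!" + CLEAN  # constructed bundle

def demo():
    honest = make_torrent(b"episode.avi", CLEAN, PIECE_LEN)
    tampered = bytearray(CLEAN)
    tampered[40] ^= 0xFF            # one byte changed in transit, inside piece 1
    bundle = make_torrent(b"episode.exe", BUNDLED, PIECE_LEN)
    return {
        "honest": verify_pieces(honest, CLEAN),
        "peer_tamper": verify_pieces(honest, bytes(tampered)),
        "seeded_bundle": verify_pieces(bundle, BUNDLED),
        "same_torrent": info_hash(honest) == info_hash(bundle),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The hashes bind the download to the .torrent, not to any statement about what the content is, so the check says nothing about a payload that was bundled before the metainfo was created.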

    10. Re:Not so big of a deal by 0111+1110 · · Score: 1

      > I would never blindly click on an exe I got from any file sharing program

      What do you mean by 'blindly'? My SOP is just to scan the exe for viruses with Kaspersky AV before running the install program. In the past I always assumed that malware was confined to pseudo-freeware and some shareware programs. At least I had never heard of commercial software that was bundled with it.

      Now that malware is starting to be bundled with something other than the pseudo-freeware that was its traditional vector, I am going to have to scan for malware in addition to viruses before opening a downloaded exe. Will Spybot, Adaware, etc. do this kind of pre-install scanning, finding malware even from within archives or embedded in an install program? I always associated these programs with finding malware that was already installed. I believe my version of Kaspersky AV (personal pro 5) does scan for some malware, but I have to wonder if their lists are as comprehensive as those of the traditional spyware removal tools.

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
    11. Re:Not so big of a deal by aslagle · · Score: 1

      I *did* read that, and the article writer makes a leap that because the bittorrent gui is running, the file must have been downloaded by bittorrent.

      If you'll read closer, the file he's talking about is a *rar* file, and not the client itself.

    12. Re:Not so big of a deal by leifbk · · Score: 1

      Did you read TFA?

      > In the logs, he found that "nail.exe" and "aurora.exe" were always listed alongside "btdownloadgui.exe," the user interface that downloads/uploads when using BitTorrent.

      It's rather interesting that the author mentions one specific BT-client along with the spyware executables. To me, it seems that he tries to create the impression that the spyware installs itself along with "btdownloadgui.exe". Like it did with Kazaa, actually, and a lot like what happened when you installed things like Netscape 4.x or RealPlayer a few years ago. They, too, used to come bundled with heaps of spyware.

      The article that he's referring to makes it a little clearer that it's not BitTorrent itself that is the immediate spyware carrier, but the thing is most interesting in what it does not mention. From the screenshot, the title of the download looks like "family_Guy_403_PDTV - LOL.rar" or something like that. Then, in the next screenshot, he proceeds to actually install stuff on his computer. WTF - install a RAR file? In my eyes, there's some serious explanation lacking here. In the first place, he must have unrarred the download, then found an executable in there. Starting this executable produces a License Agreement, which he has to accept before proceeding. All this just to watch a lame TV show? If you run a domain called "vitalsecurity.org" you should probably know better.

      The next thing, he'll be writing about how worms and trojans are often found along with a program called "outlook.exe". Oh, wait...

      --
      I used to be a sceptic. These days, I'm not so certain.
  10. They're number one financial backers by bigwavejas · · Score: 5, Insightful

    I wouldn't be surprised if the MPAA and RIAA are their number one financial backers, it was probably even their brainchild in an effort to chase would-be wrongdoers from downloading music or movies.

    --
    "Simplify, simplify, simplify!" Thoreau
    1. Re:They're number one financial backers by brouski · · Score: 2, Insightful

      I'm going to go out on a limb and say that most people who would download a strange BT client probably wouldn't know they've got spyware on their system in the first place. They're the type of people who take the computer to the shop every two months because "it's slow".

      --
      Proud member of the American Non Sequitur Society. We might not make much sense, but boy do we love pizza!
    2. Re:They're number one financial backers by superpulpsicle · · Score: 1

      There is nothing wrong in blaming organizations like RIAA.

      Do you really think those executives are actually sampling music all day to see what's good for consumers? They are spending their day wrecking havoc online, offline so they can protect their cash cow... while maintaining employed with zero skills.

    3. Re:They're number one financial backers by hb253 · · Score: 1

      That would be "wreaking havoc" not "wrecking havoc."

      --
      Self awareness - try it!
    4. Re:They're number one financial backers by WormholeFiend · · Score: 1

      I think the grandparent had it right... the havoc (pirated files) is already there in the mind of the *AA, so they're trying to wreck it.

    5. Re:They're number one financial backers by brouski · · Score: 1

      I'm not saying that they aren't responsible.

      I'm saying it's rather pointless to try to discourage people in this manner, as the ones most likely to fall for it wouldn't know there's a problem at all, let alone connect it to their file sharing.

      --
      Proud member of the American Non Sequitur Society. We might not make much sense, but boy do we love pizza!
    6. Re:They're number one financial backers by ConceptJunkie · · Score: 1

      > Proud member of the American Non Sequiter Society. We might not make much sense, but boy do we love pizza!

      You might not be able to spell "non sequitur" but I think I need another Mountain Dew.

      --
      You are in a maze of twisty little passages, all alike.
  11. Practical solution to spyware and p2p executables by nektra · · Score: 1

    When you download something suspicious like an executable to extract a movie, one of the best solutions available is to run VMWare or any other machine virtualization software and extract the contents inside the Box. Then copy data files to your machine.

    Enjoy!

  12. I call BULLSHIT by Jarnis · · Score: 5, Insightful

    Anyone with half a brain will NOT download a 'video file' that ends in .exe

    None of the real proper releases are 'infected'. Only way to get spyware is to be a moron and download some 'hot_paris_hilton_sex_video.exe'.

    There is no magic way to 'insert' spyware in bittorrent transfers. Tracker has the hash of the file, you cannot modify it. This is just a marketer seeding crap, hoping that idiots bite. Hook, line, sinker -style.

    1. Re:I call BULLSHIT by Beryllium+Sphere(tm) · · Score: 1

      >Anyone with half a brain will NOT download a 'video file' that ends in .exe

      The example in the fine article is .rar

    2. Re:I call BULLSHIT by Anonymous Coward · · Score: 0

      The sad part is that hot_paris_hilton_sex_video.exe turned out to be better than the real video.

    3. Re:I call BULLSHIT by Anonymous Coward · · Score: 0

      It might be hot_paris_hilton_sex_video.wmf.exe, and they might not have turned off the [idiot] default extension hiding.

    4. Re:I call BULLSHIT by Jarnis · · Score: 3, Insightful

      Bull. The person describes how it launched some kinda installer (those come from .exes, btw) and then a self-extractor.

      If you actually unpacked the rar using winrar, that wouldn't happen.

      In any case, it wasn't a proper release. Proper release = bunch of identical-sized partfiles, .nfo, and .sfv files, all neatly in a properly named directory. And then you unpack the directory using WinRar, so there is no way for anything to launch (Since winrar itself searches the actual packets from the folder, then unpacks the actual .avi, .mpg, .iso or whatever).

      DL crap, and you probably get crap...

    5. Re:I call BULLSHIT by Andy+Dodd · · Score: 5, Insightful

      Still, if the result of un-RARing the file is an .exe when you downloaded video, any moron can tell that something is WRONG.

      Such torrents would quickly die from lack of seeders.

      So far, very few (if any) BT clients are bundled with spyware. Perhaps if you got them from an untrustworthy mirror, this would be different, but nearly every client is adware/spyware-free if you download it from a reputable source.

      With the exception of downloading warez (games/apps), there's almost no way anyone could sneak spyware/adware into a BT download. You just simply can't infect AVI/WMV/MPEG/MP3 files. Probably 50% of BT traffic (or more) consist of media files. Another 30-40% (at least) are Linux ISOs, which are also pretty damn hard to infect with spyware/adware.

      --
      retrorocket.o not found, launch anyway?
    6. Re:I call BULLSHIT by Anonymous Coward · · Score: 0

      There is no magic way to 'insert' spyware in bittorrent transfers.

      No, it comes in bittorrent *clients*. RTFA.

    7. Re:I call BULLSHIT by Jarnis · · Score: 1

      So 'I downloaded a spyware-infested P2P client. Hold me!'.

      Ummm... considering it takes skill to find an infested BT client, that would require even more moronic user intervention. DL a known good client(!)

    8. Re:I call BULLSHIT by Anonymous Coward · · Score: 0

      You can infect WMV.

      The DRM can automatically open a website and, with a proper browser vulnerability exploit, run arbitrary code on your computer.

    9. Re:I call BULLSHIT by nahpets77 · · Score: 1

      An infected torrent wouldn't necessarily die if the original seeders use a high-speed link to seed their crap. Since we're talking about a corporate entity here, they may be willing to pay for a lot of bandwidth to spread their adware. I've often downloaded torrents with 10 seeders, and have maxed out my d/l bandwidth.

    10. Re:I call BULLSHIT by Beryllium+Sphere(tm) · · Score: 2, Insightful

      >Bull.

      or, to put it calmly, "the fabulous article is completely unclear on how Boyd got from a RAR file to the opening screen of the 'MMG Installer' "

    11. Re:I call BULLSHIT by Russellkhan · · Score: 1

      No, it's in files downloaded with the client. Re-RTFA.

      Here, I'll quote you a couple relevant sections:

      "A BitTorrent user downloading a movie clip only becomes aware of the associated adware after the files are reassembled."
      ...

      "Boyd said BitTorrent was currently "overwhelmed" with multimedia files rigged with adware bundles, adding that the file sizes vary from 3MB to 175MB."

      --
      Information doesn't want to be anthropomorphized anymore.
    12. Re:I call BULLSHIT by Anonymous Coward · · Score: 0

      Or if the spyware has a built-in bittorrent engine. To keep it alive. Remember good spyware also does what it advertises. So hot_sex_video.exe better show a hot_sex_video. Thus the user keeps it and BINGO, zombie bittorrent seed machine.

    13. Re:I call BULLSHIT by Anonymous Coward · · Score: 2, Funny
      Such torrents would quickly die from lack of seeders.
      That Sir, is where the "there's a sucker born every minute" part proves you wrong.
    14. Re:I call BULLSHIT by fani · · Score: 0

      I call bullshit to your post.

      Part of what you say pertains to a savvy tech user (who're probably the ones using the torrents anyways). However, a video file can exist within a .exe (zipped self-extracting exe's). I'm sure you're perhaps aware of that. (Microsoft distributes their WMV HD samples like that, in .exe's.)

      Looks like you've bitten your own tail. Hook, line and sinker style

    15. Re:I call BULLSHIT by robbyjo · · Score: 1

      You just simply can't infect AVI/WMV/MPEG/MP3 files

      You could. Just construct a malicious AVI/WMV/MPEG/MP3 file that exploits a buffer overflow bug and insert a malicious binary over there. The unsuspecting user will say bad movie. The uploader will say sorry and reupload the fixed movie the next time around (next week / day). Unbeknownst to the users, their computers have been 0wn3d. Think of creative ways that hackers could do. Not even a hash could help with this issue.

      --
      Error 500: Internal sig error
    16. Re:I call BULLSHIT by msormune · · Score: 3, Funny
      Another 30-40% (at least) are Linux ISOs
      You know that stuff you're smoking is probably illegal.
    17. Re:I call BULLSHIT by kurokaze · · Score: 1

      No he's saying that any 'clued' user will open the SFX Archive with his/her preferred compression program (WinRar or WinZip). Blindly double-clicking the SFX is something stupid users do. And frankly, it's probably not a bad thing.

      Stupid users are the ones who tend to be leechers anyway, getting them off of the Net would be beneficial to all.

      I just feel sorry for whoever ends up supporting them.

    18. Re:I call BULLSHIT by 0111+1110 · · Score: 3, Interesting

      AVI/WMV/MPEG/MP3

      Can we please stop including WMV in the list of difficult to exploit media files. It has already been pointed out that a WMV file is completely unsafe. Once I foolishly downloaded one and it opened a website in my browser when I tried to open it. After that I deleted every single WMV file on my computer and will never download one again. They are quite scary.

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
    19. Re:I call BULLSHIT by SharpFang · · Score: 3, Informative

      It's worse.
      You see, Windows has this lovely feature known as "Hide file extensions for known file types". And guess what? One of these extensions is .exe. Another lovely feature of Windows is that you can assign any arbitrary icon to a file. Like the llovely Winamp llama. So all the bastards need is to rename infect.exe to Britney_Spears-Fuck_Me_Harder.mp3.exe, give it a common mp3 icon, add it to RAR (BT doesn't hide file extensions), then seed it. Your average Windows moron will right-click on the RAR, pick "unpack here", then double-click the icon.
      Easy like that.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    20. Re:I call BULLSHIT by SharpFang · · Score: 1

      Phew. It can be hot_paris_hilton_sex_video.exe too. With appropriate icon for wmf. How much time does the user have between first and second click of a doubleclick on the file, when the name "hot_paris_hilton_se..." displayed below the icon turns into full filename?

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    21. Re:I call BULLSHIT by Anonymous Coward · · Score: 0

      All the more reason to hunt these soulless demons out (the adware/spyware execs) and eradicate them before they can do any more damage.

    22. Re:I call BULLSHIT by Anonymous Coward · · Score: 0

      Well, that's the Usenet style, anyhow. The rigmarole with the RAR parts and the .SFVs and whatnot is intended to preserve the payload even when there are problems propagating the size-restricted parts, which happens a lot on Usenet. It's a work-around for Usenet's limitations.

      But BitTorrent doesn't have those limitations. Or to look at it from another perspective, BitTorrent's whole reason for being is to handle all the piece-making and piece-assembling for you automatically. .torrents have extensive built-in CRC checking, and can represent a complete directory structure. So there's no reason to ever use RAR or ZIP inside a .torrent, at least not for already-compressed media file type payloads.

      Personally, I won't even join a .torrent that contains a ZIP or RAR. Those formats serve primarily to cloak the true payload until the download is done. Too often, the ZIP or RAR contains a multi-megabyte EXE file. Heh, no thanks.

    23. Re:I call BULLSHIT by mako1138 · · Score: 1

      A bittorrent release of RARs strikes me as redundant, as BT does its own hashing. Don't tell me it's for compression, as there'd be little compression benefit for something like video. I'm imagining people downloading a release off usenet and making a torrent out of it right away.

    24. Re:I call BULLSHIT by 0111+1110 · · Score: 1

      Proper release = bunch of identical-sized partfiles, .nfo, and .sfv files, all neatly in a properly named directory.

      Sounds like you are talking about usenet releases. There is no need to package releases in 'a bunch of identical-sized partfiles' unless you plan to release on a newsgroup. Of course you can still include an sfv or md5 file if you want. Personally I try to avoid releases with multi-part rar files because it seems to take longer to extract and it cannot be seeded once it is converted to a useable format.

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
    25. Re:I call BULLSHIT by itr2401 · · Score: 1

      Actually there are BitTorrent downloaders out there that contain spyware. One I can think of right away is "bittorrent absolute downloader"

      They have a www site to download from or via download.com

      The installer contains a new variant of the AdBlast from 2003.

    26. Re:I call BULLSHIT by pmsyyz · · Score: 1

      It is safe to open WMV in VLC media player.

      --
      Phillip
    27. Re:I call BULLSHIT by Matilda+the+Hun · · Score: 1

      Naturally. Of course, no Windows user worth their salt ever leaves the option to "Hide known file types" checked.

      --
      Tluin natha Linux xxizzuss uriu olt bwael mon'tun.
    28. Re:I call BULLSHIT by Stauf · · Score: 1

      Create a file called EVILVIRUS.jpg.exe - the file extension is there and 100% visible. You would never click on that.

      Now rename the file to EVILVIRUS.jpg.pif - notice how it now looks exactly like a jpg file with the wrong icon. And if you've got "Hide known file types" unchecked, you'll think it's 100% safe.

      There are certain extensions (off the top of my head .shs, .lnk and .pif - there may be more) that Windows always hides. Of these, .shs is the scariest because it's a shell script wrapped around an object - a script on its own can do a lot of damage, but the object can be anything executable.

      Still feel safe opening your attachments?

    29. Re:I call BULLSHIT by Anonymous Coward · · Score: 0

      You'd be amazed at how many people still run Windows with "Hide extensions for known file types" turned on. Not just Grandma. One of our company's programmers does this. It is to those people that Whatever.jpg.exe are targeted.

    30. Re:I call BULLSHIT by trigggl · · Score: 1

      You would be downloading a .torrent file. The bittorrent program does the rest. So, what you say is quite correct. The person with half a brain does not download the .exe, the bittorrent program does it for the person with a full brain.

      --
      Ops, I shuld have usd the prevuwe but in.
    31. Re:I call BULLSHIT by Jakeypants · · Score: 1

      "Easy like that."

      Wrong.

      With SP2, you get a warning that it is an application and have to confirm that you want to run it.

    32. Re:I call BULLSHIT by Matilda+the+Hun · · Score: 1

      Yes, actually: Those are only always hidden until you go and find the registry keys that tell them to always be hidden. Do a registry search for "NeverShowExt" and you won't have to worry about having .pif files. Not that I expect the less enlightened to do something like that, but I happen to like seeing all my file extensions. Of course, I use Linux most of the time.

      --
      Tluin natha Linux xxizzuss uriu olt bwael mon'tun.
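
The file-name tricks described in the thread above (`.mp3.exe` double extensions, the always-hidden `.pif`/`.shs`/`.lnk` extensions, archives that hide the payload) can be checked mechanically before anything is opened. The following is an added example, not code from any poster or from the article; the extension sets are a representative assumption and `explorer_display_name` is a simplified model of Explorer's label, not Windows' actual logic.

```python
import os

# Assumption: representative (not exhaustive) extension sets for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".shs", ".lnk"}
ALWAYS_HIDDEN_EXTS = {".pif", ".shs", ".lnk"}  # the ones named in the thread (NeverShowExt)
MEDIA_EXTS = {".avi", ".wmv", ".mpg", ".mpeg", ".mp3", ".jpg", ".wmf", ".iso"}
ARCHIVE_EXTS = {".rar", ".zip"}
KNOWN_EXTS = EXECUTABLE_EXTS | MEDIA_EXTS | ARCHIVE_EXTS


def _split(name):
    """Return (basename, stem, lowercase extension) for one listing entry."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = base.rstrip(" .")  # Win32 drops trailing spaces and dots from file names
    stem, ext = os.path.splitext(base)
    return base, stem, ext.lower()


def explorer_display_name(name, hide_known=True):
    """Simplified model of the label a user sees under the icon.

    hide_known mirrors "Hide extensions for known file types"; the
    always-hidden extensions are stripped whatever that setting is.
    """
    base, stem, ext = _split(name)
    if ext in ALWAYS_HIDDEN_EXTS or (hide_known and ext in KNOWN_EXTS):
        return stem
    return base


def classify(name):
    """Return the list of findings for one file name (empty list = nothing flagged)."""
    _, stem, ext = _split(name)
    inner_ext = os.path.splitext(stem)[1].lower()
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append("executable")
        if inner_ext in MEDIA_EXTS:
            # Real type is the last extension; the media one is decoration.
            findings.append("double-extension")
    if ext in ALWAYS_HIDDEN_EXTS:
        findings.append("always-hidden-extension")
    if ext in ARCHIVE_EXTS:
        # The payload cannot be judged from the listing alone.
        findings.append("opaque-archive")
    return findings


def audit_listing(names):
    """Map each flagged name to what the user would see and why it was flagged."""
    report = {}
    for name in names:
        findings = classify(name)
        if findings:
            report[name] = {
                "shown_as": explorer_display_name(name),
                "findings": findings,
            }
    return report


# Constructed sample listing, as a torrent client or archive tool would show it.
SAMPLE_LISTING = [
    "Some.Show.S01E01/some.show.s01e01.avi",
    "Some.Show.S01E01/some.show.s01e01.nfo",
    "clip.mp3.exe",
    "EVILVIRUS.jpg.pif",
    "bundle.rar",
    "join_together.exe",
]

if __name__ == "__main__":
    for name, info in audit_listing(SAMPLE_LISTING).items():
        print(f"{name!r} shown as {info['shown_as']!r}: {', '.join(info['findings'])}")
```

Run against the file list a client shows before the download starts, this surfaces the gap between the real name and the displayed one; it says nothing about what a flagged archive or a clean-looking media file actually contains.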
  13. Sure there's spyware, but... by codesurfer · · Score: 1

    I'm downloading it at a fantastic rate, and it's available as soon as it's been designed!

  14. Well, what do you expect... by GillBates0 · · Score: 1, Funny
    It wouldn't do for Spyware to trickle in through BitTorrent would it.

    If it did, we would have to call it BitDribble or something.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  15. windows problem by jon_oner · · Score: 2, Insightful

    Another problem for the average windows user.

    I hate to point out the obvious, but users that don't pay attention to what they are installing deserve their pop-ups.

    1. Re:windows problem by part_of_you · · Score: 0
      You know, I hear a lot of this shit about if the user isn't savvy enough, or know enough about it, then they deserve what they get, and I'm tired of it.

      What do you know about your vehicle? Hell, I live in Alabama (please stay seated, and for god's sake, stop clapping!) and there was a guy pulled over on the side of the road. There was steam everywhere just boiling out of his engine. I pulled over and looked at it. His radiator hose had come unclipped. I clipped it back for him, and drove to the nearest gas-station, and got water. I brought it back to him, and put enough water in his radiator so he could go to the gas-station. He didn't know anything about an engine, and really, I don't either. I just pulled over to see if I could lend a hand.

      People like you are so fucking 1337 that you end up in your mother's basement with a really nice linux "boxen" and enough bandwidth to replace your cockwidth. You are trying to glorify yourself with this type of spiel, and I'm not impressed.

      Oh and just to clarify one thing, if you were broke down on the side of the road, I would help you if I could. But you probably don't even have a car, you can ride your "boxen".

      Mod me down if you must, but this shit happens all of the time. This is why the business world is starting to pump spyware in. It will solve nothing, but will make everything a lot harder. Congratulations Nerds! It matters.

  16. The only problem with this... by aslagle · · Score: 4, Informative

    is that Bittorrent is really not the problem here. The adware isn't coming from a Bittorrent client, or being 'snuck in' over the protocol instead of or alongside a file you're downloading, it's coming in the file you're downloading! It's the same way adware gets into a host of other files we've been told to be careful of, like email attachments.

    Bittorrent is simply used to add a bit more hype and FUD to the same old same-o.

    1. Re:The only problem with this... by budgenator · · Score: 1

      The scumbags have figured out how to get the victims to pay for the bandwidth, that's all

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    2. Re:The only problem with this... by at_slashdot · · Score: 1

      I wish I could mod you +10
      exactly, that's like saying "the web is used to distribute malicious files" Duh!

      --
      "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
  17. Re:Practical solution to spyware and p2p executabl by TheKidWho · · Score: 3, Insightful

    or just open the file directly with winrar or winzip bypassing the self extracting EXE all together.

  18. Info Direct From Vital Security by TheRedHorse · · Score: 2, Informative

    More info from Vital Security here and here.

    1. Re:Info Direct From Vital Security by TubeSteak · · Score: 1
      Looks like he's downloading Family_Guy_403_PDTV -LOL.rar

      I'm confused. How does this installer crapola get bundled with a copyrighted show?

      Either they're doing something illegal, or they have the tv network's permission to bundle this stuff together.

      Very shady. I suspect that it's just an automatic script designed to run when you open the archive.

      I know that you can open any winrar archive (and lots of exe's) without triggering any auto-run nonsense.

      Anyways, I thought everyone knew that proper warez comes in chunks of 15MB winrar archives.
      That or IRC tar's

      --
      [Fuck Beta]
      o0t!
    2. Re:Info Direct From Vital Security by Anonymous Coward · · Score: 0

      LOL!! The marketer's website got H4X0rD

      http://www.marketingmetrixgroup.com/

  19. be smart by lambent · · Score: 1, Informative

    Azureus + the Safepeer/PeerGuardian plugin (http://azureus.sourceforge.net/plugin_details.php?plugin=safepeer) specifically blocks much nasty stuff out.

    Be smart when you engage in dangerous activity. No glove, no love.

    1. Re:be smart by Bert690 · · Score: 3, Interesting
      Azureus + the Safepeer/PeerGuardian plugin specifically blocks much nasty stuff out.

      All that does is block bad IPs. That won't do squat if you're downloading and running an application with malware inside. The real solution is to use something like bitzi which lets you check if a given file/app you are downloading is known to have "issues."

    2. Re:be smart by Anonymous Coward · · Score: 0

      Not if the files you're downloading contain the spyware...like what happened to me 2 weeks ago

    3. Re:be smart by lambent · · Score: 1

      Which is why no matter how many slickers you wear on your John Thomas, you don't go trolling for hookers in Camden (NJ, not UK).

  20. Oh... by matth1jd · · Score: 1

    How I miss the days when BitTorrent wasn't mainstream...*sigh*.

    /Hates cleaning spyware off people's computers

  21. Ohh Ohh, i want Spyware_Installer.exe *click* by fizz · · Score: 1

    I can see users now, overwhelmed with Desire to click on Adware.exe, advertisment-keylogger.exe, and more. I mean come on.. how do they think they are going to get users to start torrents with this shit unless they add it to pirated software and what not. Not only that, but that would bring lawsuits if I'm not mistaken about what they are doing in their massive software campaign.

  22. EXCEPT!! by Anonymous Coward · · Score: 0

    All good Torrent sites include a comment area on each individual torrent. Non-working, fake, or spyware-ridden files are quickly discovered and noted if not eliminated. Nice scare tactic though.

  23. Let me get this straight by Anonymous Coward · · Score: 0

    It's nothing in the actual act of downloading that installs the spyware. It's that the spyware is downloaded along with the file, i.e., instead of the expected one file there are two. Then the unsuspecting mark runs the executable.

  24. Kind of funny by alvinrod · · Score: 0
    It's kind of funny how people will complain like this: "So I was downloading the new Star Wars movie off of BT so I didn't have to pay the ridiculous $12 movie ticket price just to see it. Anyhow, some company bundled some spyware with the movie that installed on my machine! That's like illegal! They should get into serious trouble for this."

    Just a little ironic how the same people who use P2P programs for illegal purposes complain when someone will do something legally questionable to their computer.

    1. Re:Kind of funny by WhatAmIDoingHere · · Score: 0

      Not in the downloads. In the CLIENT. The story is about Spyware in the CLIENT.

      --
      Not a Twitter sockpuppet... but I wish I was.
    2. Re:Kind of funny by aslagle · · Score: 3, Funny

      Look up the definition of irony sometime. I think you'll find it illuminating. Then read TFA.

    3. Re:Kind of funny by Politburo · · Score: 1

      Just a little ironic

      No, it's not ironic, it's hypocritical. Learn what the fucking words mean before you use them.

  25. Re:Warm and Fuzzy?? by WhatAmIDoingHere · · Score: 2, Insightful

    90% you say? How far up your ass did you pull that number from?

    --
    Not a Twitter sockpuppet... but I wish I was.
  26. Today, bittorrent... by Anonymous Coward · · Score: 0

    Today, bittorrent! Tomorrow, TCP Streams! The day after, the world!

  27. Re:Warm and Fuzzy?? by Anonymous Coward · · Score: 0

    surprisingly refreshing.

    just out of curiosity, what if I was using bittorrent completely legally. do I deserve to have spyware installed then?

  28. Aurora by eric_brissette · · Score: 2, Informative

    My roommate has had Aurora installed on his system for about 2 weeks now, I just haven't had the time to get around to removing it. I've done some quick searches to find information about the removal of Aurora, and it looks like removal involves a lot of tedious work... Does anyone know of some software that'll remove it so I don't have to do it manually? So far Microsoft Anti Spyware has found it, but not removed it. AdAware hasn't removed it. Spybot Search & Destroy hasn't removed it. AVG Antivirus hasn't removed it. Just a word of advice to others who may be "infected": Direct Revenue has a removal tool on their site. I wouldn't suggest using it after reading a number of posts on forums (computing.net)

    1. Re:Aurora by eric_brissette · · Score: 1

      PS - I've read that Ewido Security Suite will take care of it, but I haven't tried it yet.

      http://download.ewido.net/ewido-setup.exe

    2. Re:Aurora by ClayDowling · · Score: 1

      It's fairly simple to get rid of the problem.

      1. Download ftp://ftp.openbsd.org/pub/OpenBSD/3.7/i386/cd37.iso

      2. Burn the image to a CD

      3. Load into your primary CD drive on the infected PC.

      4. Reboot

      5. Follow the instructions on the screen

    3. Re:Aurora by Abalamahalamatandra · · Score: 1

      Kinda ironic that you'd post a direct link to an EXE in a spyware discussion thread...

    4. Re:Aurora by duggie · · Score: 1

      Ewido does get rid of Aurora, but as a heads up it takes a while for it to complete its scan (which is to be done in Safe Mode). It may also be worth it to run CleanUp! before running Ewido, as CleanUp! will remove temp files that Ewido would spend a lot of time scanning.

    5. Re:Aurora by kwandar · · Score: 1

      Ok ... I don't know if I'd trust this solution or not (but if you're infected already, what the hell), but Direct Revenue LLC claims to provide a program to remove it: http://www.direct-revenue.com/consumers.php Directs you to some program called "My PC Tuneup" - yah - they break it and then fix it when you complain.

    6. Re:Aurora by Anonymous Coward · · Score: 0

      I say again: Kaspersky's Personal AV (free trial download, even) takes out Aurora.
      I used it to wipe Aurora/Nail off a laptop last week.

  29. Bah, big deal... by Jugalator · · Score: 2, Insightful

    Not a problem in BT communities requiring registrations.

    Not a problem if you're sane either, really.

    --
    Beware: In C++, your friends can see your privates!
  30. Bittorrent is *STILL SAFER* by Tezkah · · Score: 4, Informative

    Why is it still safer? Open Source / Freeware (no spyware) clients.

    Plus, even if you DO download a file that ends up being spyware, when you download the torrent from most sites, they allow you to give comments like "I FOUND SIXTEEN HUNDRED VIRUSES IN THIS TORRENT", and although some people lie, if people are complaining about stuff like that, you can usually guess that it is a spyware infested torrent.

    Of course, even this only matters when you download something containing an .exe or some such program. One program I did download asked me to install third party software... I quickly realized that the EULA was of a spyware company, asking me to waive all rights to privacy, and did not belong to the developing company.

  31. It never ceases to amaze me... by Karellen+!-P · · Score: 0, Flamebait

    how much crap people will put up to keep using those oh so cool Windoze machines.

    1. Re:It never ceases to amaze me... by Anonymous Coward · · Score: 0

      Neither Linux nor MacOS are even slightly immune to this kind of attack.

  32. On Pirated Media? by TeacherOfHeroes · · Score: 1

    Does this mean that they'll only be wrapping otherwise illegal media with this adware as an alternate means of revenue for these works? Or will it be bundled around anything and everything that they can get their hands on.

    Loading up illegal media with adware is one thing. To redistribute Linux ISOs or other legal files with adware included would be another thing entirely.

  33. Strange... by Anonymous Coward · · Score: 0

    ...how I have never seen this MMG installer in all the time I have used BT

  34. Re:Practical solution to spyware and p2p executabl by Anonymous Coward · · Score: 0

    I've had good luck with TeaTimer, which comes as part of the Spybot S&D package. Lets you allow/deny all changes to your registry, among other features.

  35. Oh, the Irony!-TechnoAIDS. by Anonymous Coward · · Score: 0

    So what technological solution does the community come up with to solve this social problem?

  36. Half a Brain (was Re:I call BULLSHIT) by ArielMT · · Score: 1

    I share your rant; you're right on the mark.

    The only problem is, the average computer task requires at least half a brain, while the average user has at most half a brain.

    --
    It must be Windows. It needs half a gig of RAM and a hardware-accelerated graphics card just to run Solitaire.
  37. Re:Practical solution to spyware and p2p executabl by KingSkippus · · Score: 2, Funny

    Excellent idea; anyone know where I can get a torrent of VMWare?

    (For those conserving humor filter battery power, I'm kidding--please don't reply...)

  38. If I'm reading this right by shoptroll · · Score: 1

    Correct me if I'm wrong, but isn't the point of this piece that the BT client (ie. www.bittorrent.com) is being bundled in with some Adware systems? Also it kinda sounded as if BT could be used as a distribution system for adware as well.

    --
    Insert Sig Here
    1. Re:If I'm reading this right by TeacherOfHeroes · · Score: 1
      Not the client, the media itself;
      "A BitTorrent user downloading a movie clip only becomes aware of the associated adware after the files are reassembled. At that stage, when the user attempts to load the reassembled file, he or she is greeted by an installation notice for an adware bundle distributed by MMG (Marketing Metrix Group), a Canadian company that specializes in P2P network marketing."
    2. Re:If I'm reading this right by Vermifax · · Score: 1

      Translation:

      "I'm a moron who has extensions turned off for known file types and instead of verifying that my download was a video after I un-rar'd it I just double clicked it"

      --

      Vermifax

      Logout
  39. Re:Practical solution to spyware and p2p executabl by nektra · · Score: 1

    You can extract with a tool if it uses a standard method of executing code. But if it's not then you can spend time on reverse engineering or put it inside a virtual machine and solve the issue faster.

  40. i would love to see a lawsuit by mozkill · · Score: 1

    I would love to see a lawsuit that could prove that Direct Revenue LLC is using illegal software as bait to inject their spyware....

    wouldn't it be illegal? think someone would sue?

    --

    -- Betting on the survival of the media industry is a serious risk. I advise investing elsewhere.
    1. Re:i would love to see a lawsuit by Anonymous Coward · · Score: 0

      Yeah, right. "Your honor, I was trying to download a warezed copy of Photoshop, but these bastards tricked me and gave me spyware instead!"

  41. Re:Warm and Fuzzy?? by mowler2 · · Score: 0

    There is nothing wrong with sharing copyrighted material. There is NOTHING in nature that says whatever brain that came up with a pattern should have exclusive rights to that pattern. It's just made up and not real. Just ignore copyrights and other IP laws since they are in fact harmful for society.

    Piracy (of copyrighted material) is just a natural defence to this IP crap and hence piracy is the good thing and it's the IP laws that are bad and evil.

  42. Spam the sites by Anonymous Coward · · Score: 0

    Um, don't download "spyware.torrent". Nuff said.

    Maybe we should take the "direct-revenue" and affiliated sites .. down.. signing them up for all the spam lists is fun too.

    Fight back f00lz.

  43. almost by QMO · · Score: 1

    You have a point, but it's still a hasty inaccurate generalization of a point.

    The only thing I've used BT for, so far, is getting Project Gutenberg (http://www.gutenberg.org/) stuff.

    --
    Exam 4/C again. Maybe I'll do better this time.
  44. This is ridiculous. by almostmanda · · Score: 1

    I'm not understanding this. Are they saying that BitTorrent clients are being bundled with adware? Or, that companies are labeling things as starwars3.torrent and instead of an avi file, the person downloading it gets a 700mb .exe? Who is this affecting? If someone is competent enough to use BT, aren't they competent enough to realize that .exe is not a video? Most sites even allow comments with torrent downloads so you can see what other people have to say about its legitimacy. I don't think the writer of this article really understands how BT works, or he wouldn't be sensationalizing the "threat" of spyware.

    1. Re:This is ridiculous. by Dunbal · · Score: 2, Funny

      If someone is competent enough to use BT, aren't they competent enough to realize that .exe is not a video?

      Whoa hold your horses there Charlie. Remember that according to some RIAA lawsuits, we're talking about grandmothers, dead people and family pets here...

      --
      Seven puppies were harmed during the making of this post.
    2. Re:This is ridiculous. by RupW · · Score: 1
      Or, that companies are labeling things as starwars3.torrent and instead of an avi file, the person downloading it gets a 700mb .exe?

      I think they're saying you get
      starwars3.avi.part1
      starwars3.avi.part2
      starwars3.avi.part3
      join_together.exe
      and join_together.exe installs spyware as well as assembling the movie file.
    3. Re:This is ridiculous. by bcmm · · Score: 1
      It sounds like something along the lines of what RupW said, or possibly just a self-extractor which also installs spyware. It's hard to tell because TFA is so (deliberately?) confusing. Here are two of the most stupid and misleading paragraphs in the article, which confirm that the author either knows nothing ("digital files") or is lying to discredit BitTorrent:
      Because BitTorrent strips digital files into tiny shreds and reassembles them locally once a user completes a download, it has emerged as the perfect place to bundle adware programs among the bits, without the end user ever knowing.

      A BitTorrent user downloading a movie clip only becomes aware of the associated adware after the files are reassembled. At that stage, when the user attempts to load the reassembled file, he or she is greeted by an installation notice for an adware bundle distributed by MMG (Marketing Metrix Group), a Canadian company that specializes in P2P network marketing.
      This gives the very flawed impression that BT is somehow to blame, and that either the program runs through a security flaw in the BT client, or opening a "media file" or even the process of assembling the fragments could cause software to be installed.

      Also, the filenames are not hidden during the download as the article explicitly claims. Any BT user with any sense would notice they were downloading an EXE file and not the MP3s/Film they were expecting. You could rename them with a different extension, but then you'd have to make the user change the name back.

      TFA is pure bullshit. This is just like hosting "install_sexy_screensaver.exe" on a website, but with lower bandwidth costs.
      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
    4. Re:This is ridiculous. by dlapine · · Score: 1
      Perhaps the fact that the author is a Microsoft MVP and that Microsoft is bringing out a competitor to bittorrent could be seen as evidence that the purpose of the article is to spread Fear, Uncertainty and Doubt about bittorrent, rather than to simply inform the public about a new threat to security.

      Given that the videos are being distributed in a self-extracting wrapper, it's certainly possible that this method of deploying their adware will not be as obvious as it might otherwise be. At least, not that obvious for the first time you accept one of these crappy licenses.

      Interesting timing on the part of Slashdot to post both of these articles at the same time, no? I mean, it's not like Slashdot would actually advertising revenue from Microsoft...

      --
      The Internet has no garbage collection
  45. Re:Warm and Fuzzy?? by dr_dank · · Score: 5, Funny

    It's funny to see BitTorrent now get their comeuppance. When you lie with snakes, you're going to get bit.

    How does it feel to get hoist by your own petard now?


    Feels just like making my bed and lying in it or lying with dogs and getting up with fleas. But not as embarrassing as painting myself into a corner or being caught with my pants down. A bird in the hand is wor#*NG(*(JF>SA

    POST TERMINATED: Cliche limit reached.

    --
    Where does the school board find them and why do they keep sending them to ME?
  46. Re:Warm and Fuzzy?? by rhkaloge · · Score: 1

    How does it feel to get hoist by your own petard now?
    Given the decentralized nature of bittorrent, who exactly is this directed at?

  47. This bothers me not... by Kylere · · Score: 1

    Things like this only hurt dumb people, they tend to profit smart ones.

    1. Wait for Joe AOLuser to figure out what BT is 2 years after everyone with a clue.
    2. Wait 6 months for some to make his machine a viral mess
    3. Wait for the call, and.......PROFIT!!!

    I love making 50 bucks per regedit!

  48. Idiotic... by rbarreira · · Score: 1

    Geez people, is this really a news for nerds site? One would expect crappy stories like this being rejected immediately. Bittorrent is not infected with spyware and never will be unless Bram Cohen wants that to happen. Of course, unofficial clients may have all the spyware they want, it wouldn't be the first time for this to happen with BT...

    I won't even mention distributing spyware using a bittorrent tracker...

    --

    The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
  49. They SHOULD get into trouble... by KingSkippus · · Score: 5, Interesting

    You bring up a real issue, not from an end-user standpoint, but from major corporations. Shouldn't these companies get into serious legal trouble? I can think of two ways right off the top of my head.

    First, if they're sticking adware on an illegal file and uploading it, don't the same laws apply to them uploading the illegal file? Is the **AA suing these companies along with 12-year-old kids? After all, it's adware-infested, but it's still an illegal file, right?

    Second, if they are modifying warez software, not only does the previous apply, but doesn't it fall under the protection of software that outlaws modifying binary code and distributing it without the publisher's consent? I mean think about it, this kind of thing not only supposedly denies companies revenue, but it can give them a serious black eye. What if people get the incorrect impression that an adware-infested version of a respectable piece of software is the real thing? All of a sudden, you have a really bad--and undeserved--reputation for distributing spyware on everyone's computers.

    1. Re:They SHOULD get into trouble... by Anonymous Coward · · Score: 1, Interesting

      If they infect a UK resident they are in breach of the computer misuse act here. If someone were to report it to the police they would have to investigate. That is if it is actually a problem and not just a journo trying to make noise.

      (1) A person is guilty of an offence if-

      1. he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
      2. the access he intends to secure is unauthorised; and
      3. he knows at the time when he causes the computer to perform the function that that is the case.


      full text

    2. Re:They SHOULD get into trouble... by Maestro4k · · Score: 3, Interesting

      First, if they're sticking adware on an illegal file and uploading it, don't the same laws apply to them uploading the illegal file? Is the **AA suing these companies along with 12-year-old kids? After all, it's adware-infested, but it's still an illegal file, right?

      Better yet, if a 12yo or younger downloads one of these and gets greeted with the installer are they making sure they conform to COPPA? COPPA's a pain in the ass, you have to provide a physical address, phone number, fax number, full disclosure of all personal information collected, how it's used, etc. and provide for forms that the parents of the 12yo and younger folks have to send in before they can use your site. Since they're pushing ads _and_ they're likely collecting statistics to "target" said ads, then I'm betting that COPPA applies to them. Looking at the screenshots of the install it doesn't ask what age you are. Ooops, big mistake there. Maybe someone should tell Spitzer about this, I'm sure he'd love to nail some companies for COPPA violations too.

      Second, if they are modifying warez software, not only does the previous apply, but doesn't it fall under the protection of software that outlaws modifying binary code and distributing it without the publisher's consent? I mean think about it, this kind of thing not only supposedly denies companies revenue, but it can give them a serious black eye. What if people get the incorrect impression that an adware-infested version of a respectable piece of software is the real thing? All of a sudden, you have a really bad--and undeserved--reputation for distributing spyware on everyone's computers.

      Wait, it gets better. The screenshots show that he downloaded an episode of The Family Guy and this install popped up with it. Anyone want to take any bets on whether or not they had permission to distribute The Family Guy? What do you think the MPAA's going to do to them when they find out they're "monetizing" illegal downloads of their member's products? Bet it makes the lawsuits we've seen against fileshares look tame, and bet the owners of Direct Revenue will be able to put up their own goats.cx photos once it's over with.

    3. Re:They SHOULD get into trouble... by itchy92 · · Score: 1

      Hmmm... I'm not so sure which way the **AA/BSA pendulum will swing on this one.

      I haven't heard much about the file-swapping lawsuits lately, but I understand that they're still going on. However, if they do file suit against this company, it's kind of like "cleaning up" a tool that they've repeatedly condemned as the downfall of their industry. Also, I would imagine they're happy that P2Pers are getting infested with crap, and that would probably outweigh their desire to protect their (pirated) products.

      If they did press charges or file suit and it gained publicity, they'd probably have to publicize a new slew of "average-joe" lawsuits, too.

      --
      Slashdot: News for nerds. Stuff tha-- MICRO$OFT IS THE DEVIL!!1
    4. Re:They SHOULD get into trouble... by KillShill · · Score: 1

      you forgot...

      there are 2 sets of laws.

      one for the great unwashed masses

      the other for the top 1% who bind them in the darkness.

      --
      Science : Proprietary , Knowledge : Open Source
    5. Re:They SHOULD get into trouble... by Anonymous Coward · · Score: 0

      > Is the **AA suing these companies along with 12-year-old kids?

      What does the NCAA have to do with any of this?

    6. Re:They SHOULD get into trouble... by Anonymous Coward · · Score: 0

      "First, if they're sticking adware on an illegal file and uploading it, don't the same laws apply to them uploading the illegal file?"

      umm RTFA ... its not that theyre bundling adware into warez torrents & then posting them. Theyve bundled adware into a Bittorrent CLIENT, which then embeds spyware into whatever files you download, which then infects you when you try to open the zip/play the avi/whatever.

      i'm surprised it took this long for it to happen, there are hundreds of different torrent clients out there, and none of them seem to be from trustable sources (except for maybe the original one.)

    7. Re:They SHOULD get into trouble... by sandwiches · · Score: 1

      Honestly, I hope the **AAs don't do anything against these spyware companies profiting from illegal files. Not protecting their interests from those companies would weaken **AAs' case when trying to sue other people.

    8. Re:They SHOULD get into trouble... by Mozk · · Score: 1

      I'm not quite sure but from RTFA, I think it says the adware modifies the incoming files. They aren't spreading fake files with adware in them.

      --
      No existe.
    9. Re:They SHOULD get into trouble... by Anonymous Coward · · Score: 0

      Completely wrong. Has nothing to do with any BT client(s). Yes, they ARE bundling adware into torrents and posting them.

    10. Re:They SHOULD get into trouble... by sugarboy · · Score: 1

      Wait, it gets better. The screenshots show that he downloaded an episode of The Family Guy and this install popped up with it. Anyone want to take any bets on whether or not they had permission to distribute The Family Guy? What do you think the MPAA's going to do to them when they find out they're "monetizing" illegal downloads of their member's products? Bet it makes the lawsuits we've seen against fileshares look tame, and bet the owners of Direct Revenue will be able to put up their own goats.cx photos once it's over with.

      I think it gets even better. The **AA has two options: sue the pants off them, or set up a business model with them. If they do the former, fine. But if they do the latter, doesn't that almost legitimise the download?

      Either way we win: no more spyware (from this company, anyway); or legitimate media downloads (working out how to avoid the spyware should be trivial).

    11. Re:They SHOULD get into trouble... by Splintax · · Score: 1

      Found your comment interesting as reading this article it seems to me to be complete bullshit.

      In the logs, he found that "nail.exe" and "aurora.exe" were always listed alongside "btdownloadgui.exe," the user interface that downloads/uploads when using BitTorrent.

      Okay, this is only for BitTorrent, the mainline client that Cohen wrote. What about the hundreds of other BT clients available? javaw.exe for example: Azureus, but it could be a variety of other Java programs too..

      No wonder none of the victims (or spyware experts) seemed to know what site Aurora was coming from--there was no site. It would have never occurred to the end users that it could have crept in by another means altogether," he said.

      Oooh, make it sound all secretive and stuff. Here's a tip asshole - you need to download a torrent file to use BT and 99% of the time this torrent comes from a web site. (I guess you could get them off P2P apps or friends but that ruins most of BTs allure insofar as there is some sort of responsibility attributed the uploaders, and people will post comments about a bad release, at least on tbsource-based sites).

      Because BitTorrent strips digital files into tiny shreds and reassembles them locally once a user completes a download, it has emerged as the perfect place to bundle adware programs among the bits, without the end user ever knowing.

      This is the main thing that's pissing me off. It makes it sound as if dodgy pieces are being sent around the net and reassembled into a legit file, infecting it with spyware. BitTorrent uses SHA-1 hashing to check the validity of the pieces. The ONLY way that such a thing could happen is if there was no hashing on your client, or if the ORIGINAL torrent was infected. Some people have claimed to be able to generate SHA-1 hash collisions but there is no current practical implementation (and LOTS of processing power is needed). Additionally, for these collisions to be meaningful is MUCH harder, just read the recent /. article on Meaningful MD5 collisions and see how long it has taken for the long-since-broken MD5 algorithm to be so 'hacked'. Additionally, this is a far cry from embedding a full-blown executable to an unrelated file. And how exactly do you make it execute? e.g. if the users are on Windows, how do you change the .rars or whatever the file is packaged in to have a .exe extension? Doesn't work at all.

      A BitTorrent user downloading a movie clip only becomes aware of the associated adware after the files are reassembled.

      See above point: the supposed infected files aren't even executables to start with.

      "Although Bit Torrent is a file format and not a P2P Network ... [it] is the fastest growing protocol for file sharing online. Many top Bit Torrent sites such as SuprNova, Lokitorren and Bit Tower support millions of downloads daily," said MMG, which lists PartyPoker.com and Hotbar.com among other clients on its roster.

      Glad to see the article is so up-to-date.
      TorrentBits.org and SuprNova.org Go Dark
      LokiTorrent Shut Down
      And BitTower? Can't say I've heard of it but googling for it yields this (haha, "Here are your heroic search results"?) and this, which appears to be down.

      This article is FUD and the people who believe it all need to learn a little more a
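
Added example, not part of the thread and not code from any BitTorrent client: Splintax's point about per-piece SHA-1 checks and bcmm's point that file names are visible in the torrent, worked through in Python. The torrent, tracker URL and file contents are constructed, and the extension watch list is an assumption.

```python
import hashlib
import os

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".pif"}  # assumed watch list

def bencode(obj):
    """Encode ints, bytes, lists and dicts as bencode (dict keys sorted)."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        body = b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items()))
        return b"d" + body + b"e"
    raise TypeError("cannot bencode %r" % type(obj))

def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        start = colon + 1
        end = start + int(data[i:colon])
        if end > len(data):
            raise ValueError("string runs past end of input")
        return data[start:end], end
    raise ValueError("bad bencode at offset %d" % i)

def list_files(info):
    """Return [(path, length)] for a single-file or multi-file info dict."""
    name = info[b"name"]
    if b"files" not in info:
        return [(name.decode("utf-8", "replace"), info[b"length"])]
    return [(b"/".join([name] + f[b"path"]).decode("utf-8", "replace"), f[b"length"])
            for f in info[b"files"]]

def flag_executables(files):
    """Paths whose final extension is on the watch list."""
    return [p for p, _ in files
            if os.path.splitext(p.lower())[1] in EXECUTABLE_EXTS]

def verify_pieces(info, payload):
    """Return indices of pieces whose SHA-1 differs from the metadata."""
    plen, digests = info[b"piece length"], info[b"pieces"]
    if len(digests) % 20:
        raise ValueError("pieces field is not a multiple of 20 bytes")
    bad = []
    for idx in range(len(digests) // 20):
        piece = payload[idx * plen:(idx + 1) * plen]
        if hashlib.sha1(piece).digest() != digests[idx * 20:(idx + 1) * 20]:
            bad.append(idx)
    return bad

def make_sample():
    """Constructed torrent shaped like the file list quoted in the thread."""
    parts = [(b"starwars3.avi.part1", b"A" * 40),
             (b"starwars3.avi.part2", b"B" * 40),
             (b"join_together.exe", b"MZ" + b"\x00" * 30)]
    payload = b"".join(data for _, data in parts)
    plen = 32  # tiny piece size so the sample spans several pieces
    pieces = b"".join(hashlib.sha1(payload[i:i + plen]).digest()
                      for i in range(0, len(payload), plen))
    info = {b"name": b"starwars3", b"piece length": plen, b"pieces": pieces,
            b"files": [{b"length": len(d), b"path": [n]} for n, d in parts]}
    torrent = bencode({b"announce": b"http://tracker.example/announce",
                       b"info": info})
    return torrent, payload

if __name__ == "__main__":
    torrent, payload = make_sample()
    meta, _ = bdecode(torrent)
    info = meta[b"info"]
    print("files:", list_files(info))
    print("executables:", flag_executables(list_files(info)))
    print("bad pieces, payload as seeded:", verify_pieces(info, payload))
    tampered = bytearray(payload)
    tampered[70] ^= 0xFF  # one byte altered after the torrent was made
    print("bad pieces, tampered payload:", verify_pieces(info, bytes(tampered)))
```

The executable that was in the payload when the torrent was created passes every hash check; only the file listing reveals it, while a byte changed afterwards fails the piece it falls in.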

    12. Re:They SHOULD get into trouble... by Maestro4k · · Score: 1
      I'm not quite sure but from RTFA, I think it says the adware modifies the incoming files. They aren't spreading fake files with adware in them.

      I agree it's not completely clear but I looked at the site of the security guy too, and in the photos it shows him downloading a torrent of a Family Guy episode, then running what was downloaded which prompts to install shit, then proceeds to go apeshit popping up advertising stuff, quite a bit of which would be inappropriate for a 12yo (much less younger). The download was a self-executing rar file, obviously wrapped with some installer shit first. He noted that if you cancel out of the install prompt (multiple times) eventually it'll give up and give you the WinRAR self-executable extractor display and let you extract the file _without_ installing the adware. That's why he was so critical of them, they're misrepresenting things to make it look like you _must_ install their adware before you can extract the file but it's not true.

      Even if you're right the points still stand, the adware install doesn't prompt for age so they could easily get hit with COPPA violations. Even if they're modifying the file after it comes down they're still using downloads of illegally pirated stuff to profit from, something I really doubt the MPAA/RIAA will think highly of (unless they're supporting this little endeavor behind the scenes, but I doubt that, it could jeopardize their goals of making P2P illegal).

  50. Aurora is everywhere by Avohir · · Score: 1, Interesting

    Aurora is the most prevalent form of crap out there today. I help at www.geekstogo.com and almost 10% of our google hits (we generally have about 800 users on at any given moment) come from searches on how to get rid of aurora popups. ALL their uninstaller does is trigger a hidden "/fullremove" switch inside the executable file, and to do that, they insist you lower your browser settings and firewall so that they can phone home with loads of fun information about you and your computer. These are the same people that brought the infamous Look2Me, which rivals CoolWebSearch in tenacity and obnoxious difficulty of removal. It's good to know this stuff is coming in through bittorrent, although they offer file samples as direct downloads from their website (making it easy to diagnose and write up cures). At least now we can spread the word on how not to get infected

    --
    To err is human, to really foul up requires a computer
  51. Legal uses? by Anonymous Coward · · Score: 0

    This may seem like a foolish question, but what commonly used legal uses are there for bittorrent BESIDES Linux ISOs? While I have a deep hatred for spyware and viruses (having worked at a college IT helpdesk), I can't bring myself to feel too terrible for those who download the latest theatrical release of x,y,z movie and find themselves dealing with Aurora or (insert fav spyware here).

  52. Yeesh. by jridley · · Score: 1

    If I downloaded executables from BitTorrent, I'd be surprised not to get hit. I can't imagine anyone with much sense doing that.

    Media files only for me thanks.

    1. Re:Yeesh. by jridley · · Score: 1

      Obvious exception: legit distributions of OSS from torrents approved on their site, with MD5 validation.

  53. Crapware by Foolomon · · Score: 1

    Did anyone else notice that both pages of that article were half content, half crap? The lower half of both pages were loaded with nonsense. There's already AdBlock; maybe someone should write CrapBlock?

  54. So why not go after Direct Revenue for piracy? by doormat · · Score: 3, Insightful

    If they're including their spyware into pirated software, why doesn't the BSA go after these guys and shut them down? It seems like they're very low-hanging fruit on the tree of software piracy (since it's easier to follow money and corporations than individuals and IP addresses from foreign countries).

    --
    The Doormat

    If you're not outraged, then you're not paying attention.
  55. EXE files? by mindaktiviti · · Score: 4, Insightful
    A BitTorrent user downloading a movie clip only becomes aware of the associated adware after the files are reassembled. At that stage, when the user attempts to load the reassembled file, he or she is greeted by an installation notice for an adware bundle distributed by MMG (Marketing Metrix Group), a Canadian company that specializes in P2P network marketing.

    Yeah...but those movie files tend to be .exe files, right? How can you install spyware if you're just playing an avi file? And when you're downloading a bittorrent file you can go into your directory and SEE what files you're getting! I sometimes click on torrent files and yes it might be an .exe even though I was expecting an .avi. but then I just cancel the download and grab something else.

    Maybe this will get people who don't really know anything?

    1. Re:EXE files? by coolsva · · Score: 1

      Not to nitpick, but we are beyond that. It is possible for a media file (WMV) to automatically open links in the container and run it (html-chm exploit etc).

    2. Re:EXE files? by Too+Much+Noise · · Score: 1

      How can you install spyware if you're just playing an avi file?

      I hate to break it to you, but it's been done already. It's true that the process is not completely automated yet, unless you happen to have a vulnerable IE. Some social engineering might also prove useful. Anyway, it's lovely to see DRM at work, don't you think?

    3. Re:EXE files? by Anonymous Coward · · Score: 0

      Maybe this will get people who don't really know anything?

      Exactly. Spyware, adware, and most viruses are as rampant as they are because 'Joe User' is click-happy and has no idea about computer security issues, nor does he care. Television, movies and marketing by the big PC companies have led Joe User to believe their PC is as easy to use and maintain as their DVD player, unfortunately, we at /. know it not to be true.

      Restricted user accounts, as somebody else in the thread has pointed out, doesn't solve things, malware can still get in if run by the user, and it can still write itself into the user's home directory and startup scripts. Granted, it can't fuck with the OS, making it somewhat easier to remove, but that doesn't help if the user doesn't even realise it's there to begin with.

  56. Re:Warm and Fuzzy?? by l3v1 · · Score: 2, Insightful

    I think you meant to write illegal and thieving. Fact is, 90% of BT traffic was copyrighted material that was illegal to distribute.

    You mean the about 60gigs of linux install images and live disks for x86 and amd64 I download monthly to keep an always up-to-date collection is a unique event occurring only once a month on this planet and only I do it.

    Ok, I know, I also get some series episodes from somewhere. Still, you and the like just LLLLove trashing the whole damn city out with the bathing water, not just the poor baby.

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
  57. I'll admit it by Anonymous Coward · · Score: 0

    I was infected (it was a new install) they are distributing their spyware in warez encased in a zipped .exe

    So you run the exe to extract and it goes about installing the spyware, THEN whatever you downloaded.

    So if you weren't paying attention you'd not even realize it.

    Of course as soon as I opened the .exe I exclaimed D'Oh! and went about removing the crap.

  58. Brother by Lord_Dweomer · · Score: 2, Interesting
    I never used to comprehend how people could be so stupid (fairly computer literate people at that) as to open an .exe file when they downloaded a video.

    That was until my brother showed me a legitimate site (forget which) that required their own "player" to view a trailer or something. As far as I could tell (verified by ad/spyware checks afterwards) it didn't leave anything. So I guess there are companies stupid enough to make those things, and people stupid enough to use them, but at least now I have a connection.

    The cool thing about bittorrent is that although it doesn't have a built in moderation system per se (although the trackers often do), you can generally tell if a file is the correct version or not based on how many people are downloading/seeding. Yeah, it's not always accurate, but if you see several releases of a movie, and there's one or two seeds on one link, and over 500 on another, you'll pick the latter because you're going to get higher speeds, and presumably it is the correct file.

    --
    Buy Steampunk Clothing Online!
    1. Re:Brother by SharpFang · · Score: 1

      Let me guess. Talking about this site? :)

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    2. Re:Brother by Anonymous Coward · · Score: 0

      A legitimate site that requires users to download .exe files to view a video? Here you go: http://www.microsoft.com/windows/windowsmedia/content_provider/film/ContentShowcase.aspx

  59. Just avoid the Brittney Spears movies by WillAffleckUW · · Score: 1

    and stuff like this.

    It's pretty much FUD to scare you away.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Just avoid the Brittney Spears movies by Jeff+Hornby · · Score: 1

      I hope that's not the only reason you have to avoid Britney Spears movies

      **shudder** Crossroads **shudder**

      --
      Why doesn't Slashdot ever get slashdotted?
    2. Re:Just avoid the Brittney Spears movies by WillAffleckUW · · Score: 1

      well, they are the primary source of viruses in emails, so it's logical that they'd be the primary source of spyware on BitTorrent ....

      --
      -- Tigger warning: This post may contain tiggers! --
  60. Re:Practical solution to spyware and p2p executabl by l3v1 · · Score: 1

    Or use some damn free and cool resident protection software, like avast, which is my favourite for about a year now. Saved some trouble many times. Even offers breaking connection to sites which try to execute some bonzy.

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
  61. Re:Warm and Fuzzy?? by anakin876 · · Score: 1

    Did you mean "hoisted by your own petard" or were you just using a cliche instead of coming up with something original?

  62. OH MY GOD! by chrisnewbie · · Score: 1

    Who would have thought to use Bit Torrent for malicious programs! tsk! tsk!

  63. Speaking of Idiotic by Anonymous Coward · · Score: 0

    Try reading TFA next time, so you'll know what to call idiotic. Maybe you won't mention distributing spyware through trackers, but that's the topic for today.

    1. Re:Speaking of Idiotic by rbarreira · · Score: 1

      That's even more idiotic then... Any file transport protocol can be used for that, that's why I wasn't going to mention it.

      --

      The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
  64. 16bit Win32 by kyoko21 · · Score: 1

    It's too bad I do all my work on a 32bit machine running a 16bit frontend GUI with a portion of the code running 32bit va win-32.

    How I love Windows for Workgroups 3.11. Go Trumpet Winsock!!!

    1. Re:16bit Win32 by Anonymous Coward · · Score: 1, Funny

      Forget "security through obscurity", we're all about "security through antiquity"!

      DOS 6.22/WIN 3.1 4EVAR!

  65. Irony Indeed... by Saeed+al-Sahaf · · Score: 0
    It's interesting that often in the same breath, P2P advocates claim that P2P is not about, and for the most part, has nothing to do with software / Intellectual Property theft, then they say things like this:

    Where else can I gripe about companies that try to exploit my illegal activities!

    Well, which is it? Often they say it with humor, but it's clear that people know what's going on. You can't claim the High Road while admitting to the Low Road; that's called hypocrisy.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    1. Re:Irony Indeed... by Paradise+Pete · · Score: 2
      Well, which is it?

      You're right. There is only one person posting to all these accounts, so clearly he is both prolific and schizophrenic.

  66. Re:Warm and Fuzzy?? by bersl2 · · Score: 1

    Exclusive rights, no. Attribution, yes.

    The one thing that makes the small-time artist or coder seek strong copyright is that they cannot bear the thought of someone else taking credit for their work.

  67. What Timing by jbrader · · Score: 1

    Fantastic, and here I was mere seconds away from acquiring some new music. Alas.

    --
    You are so boring that when I see you my feet go to sleep.
  68. thieving? THIEVING!? by Lead+Butthead · · Score: 0, Troll
    I think you meant to write illegal and thieving .
    Dammit, for the LAST FSCKING TIME, it's copyright infringement. To state otherwise is to validate and perpetuate MPAA/RIAA propaganda.
    --
    ELOI, ELOI, LAMA SABACHTHANI!?
    1. Re:thieving? THIEVING!? by huge+colin · · Score: 1

      Parent post should not, in fact, be -1, Troll, but rather +5, Exactly Fucking Correct. God damn it!

    2. Re:thieving? THIEVING!? by Travelsonic · · Score: 1

      Whoever modded this as troll must really have a hard time dealing with facts.

      --
      If you believe in privacy, and believe you have "nothing to hide" at the same time, you're a goddammed idiot
  69. Re:Practical solution to spyware and p2p executabl by Anonymous Coward · · Score: 0

    Try QEMU instead.

  70. Re:Warm and Fuzzy?? by Kartik3 · · Score: 1

    Are you kidding? IP doesn't necessarily benefit the world population but people aren't trying to constantly better the world. I'd venture to say that a majority of the people on this earth have prioritized themselves before society. Consequently, people want to gain something for themselves (money, etc.) from what they make/do/come-up-with. If you want a clear cut example of this, just look at pharmaceutical companies and their products. Drug companies spend billions of dollars researching their products and various drugs, but do you see them helping society and giving away their aids, cancer, etc treatments to all those who need it in 3rd world countries? I haven't heard of any drug companies doing this recently. From what I've found, drug companies seem to generally be more concerned with how to get the most money out of these poor countries/people than to effectively heal them.

    Now, mind you, I'm no fan of the MPAA or the RIAA, but I'm not about to say that (most) IP laws are to blame...I'll support artists and their IP but I won't support the ridiculous legal intimidation tactics of the MPAA and RIAA.

    Just my two pennies.

  71. Re:Warm and Fuzzy?? by kz45 · · Score: 1

    Piracy (of copyrighted material) is just a natural defence to this IP crap and hence piracy is the good thing and its the IP laws that are bad and evil.

    bad and evil? IP isn't something you are FORCED to use. If you don't agree with the licensing of a certain song, movie, or piece of software, DON'T USE IT!.

    The natural defense to piracy is higher protection of IP and harsher laws. People like you feel that it's somehow your right to get other people's work for free, when in reality, it's just an excuse for your greediness.

  72. You get what you pay for and by whoppers · · Score: 1

    Anyone who double-clicks a 5KB file named MS_Longhorn.exe deserves what they're gonna get. Same with newd_britany.exe and so on.

    1. Re:You get what you pay for and by mark-t · · Score: 1
      The premise I believe they are working on is that the exe is bundled with the media file in either a zip or rar archive file, and it is necessary to run the exe in order to view the included media file.

      Whether it is because the media file is in a custom format, or is somehow encrypted, or whatever... one needs to run the bundled exe so that they can watch the movie.

  73. Re:They're [sic] number one financial backers by 1u3hr · · Score: 1

    That would be "Their number one financial backers".

  74. Fatal err0r!!1 by endtime · · Score: 2, Informative

    http://www.marketingmetrixgroup.com/ Ha that didn't take long.

    1. Re:Fatal err0r!!1 by Anonymous Coward · · Score: 0
    2. Re:Fatal err0r!!1 by Anonymous Coward · · Score: 0

      The hacked version is an improvement.

  75. Funny indeed by Anonymous Coward · · Score: 0

    ...I know I find it so ironic when some whore gets robbed and beaten, and has the nerve to complain about some thug putting her the hospital.

  76. Re:Warm and Fuzzy?? by mowler2 · · Score: 1

    I agree to that. Attribution and credit should be given where its due. However, this is not in conflict with piracy (which you didnt say, just clarifying for others who might make the confusion)

  77. Guilty of copyright infringement? by It+doesn't+come+easy · · Score: 1

    If Direct Revenue LLC and Marketing Metrix Group are pulling real movies out of Bittorrent, adding spyware, and then reinjecting them into Bittorrent without the MPAA's permission, I am pretty sure that would constitute direct copyright infringement.

    And if they are doing that WITH the MPAA's approval, I am pretty sure that the MPAA just lost the ability to sue over copyright infringement for those movies.

    --
    The NSA: The only part of the US government that actually listens.
    1. Re:Guilty of copyright infringement? by Ugly+American · · Score: 1

      IANAL, but I'm not so sure about that... even if the MPAA has actually authorized these assholes to distribute movies bundled with malware, they still haven't authorized the recipient to make a copy of the movies in question. It might be entirely possible that, in this instance, they can have their cake and eat it too.

      --
      For sale: one sig space, gently used. Inquire for details.
    2. Re:Guilty of copyright infringement? by It+doesn't+come+easy · · Score: 1

      I would have to disagree. It is widely known that bittorrents can go to millions of users without any control over who gets a copy. If the MPAA sends out a file through bittorrent, they have no control over who gets it. One of the requirements to defend a copyright is for the copyright owner to define what ways constitute authorized copying. Bittorrent would never be considered a controlled way to distribute because there is no control, therefore if the MPAA sent out a movie through bittorrent, or authorized someone to do so for them, they would be approving a copy received through bittorrent as an approved copy. That means if you receive a copy through bittorrent, the copy would be legal.

      On the other hand, if Direct Revenue LLC and Marketing Metrix Group did not get the MPAA's approval, they ARE distributing the movie and that makes them guilty of infringing. In addition, if the MPAA doesn't respond, the MPAA risks losing their copyright on the movies involved (you have to defend your copyright from known infringement or you can lose the copyright).

      --
      The NSA: The only part of the US government that actually listens.
    3. Re:Guilty of copyright infringement? by Ugly+American · · Score: 1

      Makes sense... thanks for the explanation.

      --
      For sale: one sig space, gently used. Inquire for details.
  78. THIS JUST IN-- by BitHive · · Score: 5, Insightful

    --File Transfer Protocol Used to Transfer Files. Story at 11.

    1. Re:THIS JUST IN-- by Anonymous Coward · · Score: 0

      Don't you mean..

      "Story at 21"

      (port, that is. =)

  79. Looks like someone is striking back by Anonymous Coward · · Score: 0

    Well one of the companies mentioned has been hacked http://www.marketingmetrixgroup.com/

  80. Re:Practical solution to spyware and p2p executabl by Socket790 · · Score: 1

    How is installing virtualization software and installing an entire OS just to download files practical?

  81. Not original intent..not anything new by SumDog · · Score: 1

    Bittorrent was never meant to be a P2P program as much as a mass distribution program for new releases of stuff such as movies, Linux CDs, etc.

    I think because of that it has avoided that spy-ware mess for a while. I remember downloading a copy of The Ring II before it came out only to discover after you downloaded the zip file, there was an exe in it. Of course running in Linux, I decided to run the exe in a clean VMware install for fun and sure enough, it was spyware.

    With Bittorrent becoming more distributed like with exeem and Azureus implementing their own tracker-less systems, I think there is going to be a lot more clutter on bittorrent. At least we won't have the problem with incomplete files we had with P2P. I hated downloading a porn only to find out it cut out right before the end.

    -Sumdog

  82. Re:Warm and Fuzzy?? by mowler2 · · Score: 1

    IP is something i am FORCED to live with, others use it to protect "their" IP, which in turn hurts me and limits my freedom.. ..

    No, it is not just an excuse to get other peoples work for free.

    Many see that a different future is possible, where the IP laws have room for free sharing between humans. This is great for many reasons, for example, that the consumption of culture will increase, grass-root-level of distribution works good, and it makes it easier for good stuff to be noticed (piracy is some kind of counterweight to commercials for music). Also piracy enables everyone in the world to access the same content. Where I live, for instance, most tv-shows aired in US never reaches me the "classic way".

    I download hundreds of movies each year and follow 10-20 tv-series (most of which never even air here). AND I am also a mass consumer of culture-for-money. For example, I am a "gold member" at the local cinema for watching a lot of movies (> 25 / year), I own lots of CDs and DVDs. Generally piracy makes it possible for me to sample lots of different kinds of culture which I could never afford normally (I am a poor student). Then I can choose to buy what is interesting to me; what I want to see at the silverscreen, or own in a nice box with all the extras, etc..

    In effect, piracy has made me consume more culture and spend more money on movies and music than I did before. I simply had other priorities before, such as buying computer hardware or stuff for my car.

    In the end, I believe that the free flow of information is desired. Be it "copyrighted" information or other information, that does not matter. But the free flow is important.

  83. btdownloadgui.exe ?? by Anonymous Coward · · Score: 0

    I guess there's people who still use the "official" client. I don't know any, but this is a big world. There's gotta be somebody.

    These days, it's Azureus and empornium.us

  84. MOD PARENT by Anonymous Coward · · Score: 0

    haha

  85. O noes! by Anonymous Coward · · Score: 0

    My iBook will be flooded by viruses and spyware now! O noes!

  86. Easy to bypass by Anonymous Coward · · Score: 0

    I've seen these MMG .exe files before. Funny thing is, they don't force you to install anything. All you have to do is click the Cancel button and it goes straight through to the content. Hell, you can't even CLICK the Install button until you check the "I agree" box.

    They're just harvesting stupid people, which is a relatively endless resource on the Internet nowadays.

  87. unzip/unrar twice by Cheeze · · Score: 1

    you can usually unzip or unrar the .exe file and extract the real movie. Sometimes it needs to be done twice.

    Just so you know.

    --
    Why read the article when I can just make up a snap judgement?
    1. Re:unzip/unrar twice by SharpFang · · Score: 1

      Yes, and then you extract some_very_long_filename_with_movie_icon{shared-by-1337}[2007]_DVDrip.avi.exe and even if you don't have known extension hiding turned on, Windows will truncate the displayed filename and you will doubleclick it to play it.

      Or it will unpack your-wonderful-movie.avi.lnk and BONUS!!!MovieScreensaver.exe and no matter what settings you use, your-wonderful-movie.avi.lnk won't display the .lnk, just .avi, despite pointing to the exe.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    2. Re:unzip/unrar twice by Cheeze · · Score: 1

      if you're using windows to unzip/unrar, you get what you deserve.

      be a little smarter about it and you don't have to infect yourself.

      --
      Why read the article when I can just make up a snap judgement?
    3. Re:unzip/unrar twice by SharpFang · · Score: 1

      And if my neighbors do? They get their computers infected. And once they start working as spammer zombies, my ISP's DNS slows down to a crawl, being spammed with hundreds of DNS requests for all addresses from the spam address lists. So do I deserve that for living near some morons?

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
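
The filename tricks described in this thread (a media extension followed by `.exe`, a `.lnk` posing as an `.avi`, a name long enough that the real extension is cut off in the listing) can be checked mechanically before anything is opened. The following Python sketch is an added example, not code from any poster; it goes one step further than the thread and also compares each file's leading bytes with its extension. The 40-character display width, the extension lists and the sample headers are assumptions constructed for illustration.

```python
"""Flag extracted files whose name or leading bytes disagree with what they claim to be."""
import os

# Extensions Windows runs (or, for .lnk, follows) on a double-click.
LAUNCHABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk"}
# Extensions a downloader expects to be passive media or archive data.
DECOY = {".avi", ".mpg", ".mpeg", ".wmv", ".mp3", ".rar", ".zip", ".iso"}
# Assumption: characters a file listing shows before it truncates the name.
DISPLAY_WIDTH = 40

# Leading bytes ("magic numbers") of the formats involved.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"Rar!\x1a\x07", "rar-archive"),
    (b"PK\x03\x04", "zip-archive"),
    (b"L\x00\x00\x00\x01\x14\x02\x00", "windows-shortcut"),
]
# Content each extension should carry, where the header is distinctive.
EXPECTED = {
    ".exe": "pe-executable", ".scr": "pe-executable",
    ".lnk": "windows-shortcut", ".rar": "rar-archive",
    ".zip": "zip-archive", ".avi": "avi-video",
}


def split_name(name):
    """Return (basename, inner extension, final extension); extensions lower-cased."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, ext = os.path.splitext(base.lower())
    inner = os.path.splitext(stem)[1]
    return base, inner, ext


def sniff(header):
    """Classify a file by its first bytes, ignoring its name entirely."""
    for magic, kind in MAGIC:
        if header.startswith(magic):
            return kind
    if header[:4] == b"RIFF" and header[8:12] == b"AVI ":
        return "avi-video"
    return "unknown"


def audit(name, header):
    """Return a list of findings for one file name plus its leading bytes."""
    base, inner, ext = split_name(name)
    findings = []
    if ext in LAUNCHABLE:
        findings.append("launchable")
        if inner in DECOY:
            findings.append("double-extension")
        if ext == ".lnk":
            findings.append("shortcut")
        if len(base) > DISPLAY_WIDTH:
            findings.append("extension-past-display-width")
    actual = sniff(header)
    expected = EXPECTED.get(ext)
    if actual == "pe-executable" and ext not in LAUNCHABLE:
        # An executable renamed to look like data.
        findings.append("executable-content-under-data-extension")
    elif expected is not None and actual != expected:
        findings.append("content-does-not-match-extension")
    return findings


def audit_path(path):
    """Audit a file on disk by reading only its first 16 bytes."""
    with open(path, "rb") as handle:
        return audit(path, handle.read(16))


# Constructed sample inputs: names modelled on the thread, headers built by hand.
SAMPLES = [
    ("clip.avi", b"RIFF\x00\x00\x10\x00AVI LIST"),
    ("some_very_long_filename_with_movie_icon{shared-by-1337}[2007]_DVDrip.avi.exe",
     b"MZ\x90\x00"),
    ("your-wonderful-movie.avi.lnk", b"L\x00\x00\x00\x01\x14\x02\x00"),
    ("episode.rar", b"MZ\x90\x00"),
    ("episode2.rar", b"Rar!\x1a\x07\x00"),
]

if __name__ == "__main__":
    for sample_name, sample_header in SAMPLES:
        print(f"{sample_name[:50]:<52} {audit(sample_name, sample_header) or 'ok'}")
```
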
  88. DLL by Neurotoxic666 · · Score: 1

    Not only that, but the DLL does not EXIST in Safe Mode! It can ONLY be created and accessible during a normal boot

    Can't you create a fake DLL with the same filename while in Safe Mode, make it read-only and then reboot? Will the worm overwrite it, rename it, create the DLL under another name?...

    --
    You are more than the sum of what you consume. Desire is not an occupation.
    1. Re:DLL by X0563511 · · Score: 1

      To expand, what happens when you use something like biew and write all noops to the file? Pull the power cord immediately after writing, and it should have no chance to save itself. Last time I tried, biew bypassed windows and wrote directly to the file.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:DLL by Master+of+Transhuman · · Score: 1


      The DLL doesn't always have a consistent filename - these things generate random file names a lot of the time.

      Actually this particular one DOES have a consistent file name, so maybe creating a fake DLL would prevent it from creating it if it's smart enough to see if it already exists.

      Might be something to try next time I run into it. Right now, I just want to delete it for the client, and I think the KillBox utility will do that.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    3. Re:DLL by Master+of+Transhuman · · Score: 1


      I wasn't aware of biew - on examining the Web site, I don't see any indication it handles current NTFS - unless the NT version does. Might be worth a shot next time.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    4. Re:DLL by X0563511 · · Score: 1

      Well, it appears similar to HIEW, which wrote over a DLL that windows wouldn't let me touch.

      I know that it does allow editing on NTFS, but I don't know if it ignores the normal file attribute settings (like read-only) or windows' "file in use" protection. Worth a shot, right?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  89. Portability? by matt+me · · Score: 1

    Damn, I knew something was wrong when make started compiling trojan.c! Oh yeah, BitTorrent is in Python. Let me rephrase. Damn, I knew something was wrong when make started to compile trojan.py!

  90. Fight back against Direct Revenue LLC by prezvdi · · Score: 5, Informative

    Don't bother calling their office. Don't bother emailing them for help. And no matter what you do, don't run their uninstall utility myPCtuneup - it simply installs more crap.

    Direct Revenue LLC is VC backed. Please, complain to the right guy.

    Insite Venture Partners
    Mr. Deven Parekh
    His desk number is 212-230-9216 and his real email address is dparekh@insightpartners.com

    May we waste as much of his time as he has of ours. How many people here spend hours "helping" their non-tech friends remove this crap . . .

    1. Re:Fight back against Direct Revenue LLC by Khyber · · Score: 1

      Here's an idea to add to it, since we'll all be email bombing him soon enough, perhaps.

      Why not attach a bill to it and CHARGE HIM FOR OUR TIME WASTED FIXING HIS FUCKUP? After all, computer repair/maintenance can get expensive. Why not let us profit off of his own spyware? Attach a bill/fee for service performed, and if he refuses to pay, we file a big class-action lawsuit?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  91. RTFA by sjvn · · Score: 2, Informative

    The story says that torrent files are being bundled with adware programs, not BitTorrent clients.

    How can this happen? Again RTFA.

    If seeing is believing, look at this link from the news story:

    Vitalsecurity

    You'll see a RAR--not an exe--for an episode of Family Guy. When you try to open it, you're faced with a licensing announcement, which if you agree to it, will pack your Windows system full of spyware.

    Would this fool someone who knew what they were doing? No.

    Would it fool a lot of users just looking for a cheap thrill? Oh yeah.

    Does this make it a real problem--as the article suggests--I certainly think so.

    Maybe not for me, maybe not for you, but for those millions of clueless users, yes, oh yes it does.

    Steven

    1. Re:RTFA by Anonymous Coward · · Score: 0

      They jump from downloading a .RAR to running some sort of executable with the grace of underpants gnomes explaining their business.

      What was inside the .RAR? dollars to donuts it was an executable, that they conveniently left out of their article for the additional shock value.

    2. Re:RTFA by 0111+1110 · · Score: 1

      When you try to open it, you're faced with a licensing announcement

      And how long before they just do away with the licensing dialog box? At the very least I would expect the next version to execute whether you agree or disagree. After all they are already breaking the law by distributing the file itself.

      So the real news here is the possibility that some kind of vulnerability has been found in Winrar to allow for automatic launching of executable files within the archive or of code embedded in the archive itself. Now that would be big news. But I didn't read anything about that in the article.

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
    3. Re:RTFA by hokeyru · · Score: 1

      Hmm. I've read this article, and the other, and still don't understand what the problem is. How is this exe file presenting itself as a video file? I'm not entirely familiar with RAR, but does the unpacker automatically launch the contents? Who would use such a thing? That would be a fault with the RAR archival program, not BT.

      Or does the RAR unpack the exe file, and the user then needs to click on it? If that's the case, then this is a non-issue.

      Or, most likely, it's an exe with a RAR archive icon. And now we're back to MS's foolish decision to hide extensions by default, which has been rehashed many times.

      But, the problem isn't clear from any of these articles.

  92. Not a windows problem by KingSkippus · · Score: 4, Insightful

    It's not a Windows problem.

    First of all, I can't think of anything stopping the same thing from happening with Linux software. Although it's ever elusive, if Linux does eventually become the desktop standard, do you think that average Linux users will conscientiously check every MD5 hash for every binary they download? Probably not. Even if some external means of verification exists that a program is authentic, it adds a layer of complexity to using the system that most average people, given the choice, simply won't use.

    Which brings me to my second point, that if you have to blame anything you mentioned, the emphasis should be on the USER, not the operating system. And personally, I don't blame the average user because I think that there's no excuse for computers and software not being easy and intuitive enough for average users to use without having to spend hours and hours learning it. So who does the blame lie with? Primarily, the developers of virii and adware. Secondarily, the developer community (closed AND open source) for not putting enough emphasis on security with ease of use. And the problem with feeling that they "deserve their pop-ups" is that they're not just hurting themselves by throttling their own bandwidth, they are collectively throttling the bandwidth of the entire Internet, and that makes it your and my problem, too.

    Third, I am a Windows user for around twelve years, and a damn competent one, if I do say so myself. I have never once been hacked, infected, or adwared (can that be used as a verb?) without it being a deliberate action on my part for academic purposes. If Windows were such an insecure operating system, it seems that no amount of virus and adware protection would prevent me from eventually getting some nasty bug. The fact is that with a few simple actions, Windows is as safe and secure for an average user as any other OS.

    In addition to pointing out the obvious (which I'm not criticizing you for, sometimes things need to be said), please do something about it. A nice start might be what I did: Buy a spindle of CD-R's and burn a copy of a FOSS antivirus program, adware detector/remover, Firefox, etc. and start handing it out to your friends and family, and offer to help out in giving their machines a periodic tune-up (or overhaul, as the case may be) to make their lives--and by extension, your life--a little easier and better.

    1. Re:Not a windows problem by PetriBORG · · Score: 1
      Even if some external means of verification exists that a program is authentic, it adds a layer of complexity to using the system that most average people, given the choice, simply won't use.

      Then I guess Debian, Ubuntu, OSX(using Fink), Gentoo etc etc etc, don't use MD5 checksums on every package you download do they? In fact they already do and if the mirror you download from doesn't match the checksum from the master server the package won't install. Nor do these groups allow spyware or adware (whatever) to be added to their install list. So unless you downloaded a binary from the net instead of apt-get/emerge/fink then you aren't going to have those problems.

      And let's not even get into the fact that on windows 90% of users are running as admin and can install to anywhere. Which of course everyone knows would require root on any UNIX system.

      --
      Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
    2. Re:Not a windows problem by HermanAB · · Score: 1

      "never once been hacked, infected, or adwared"

      I guess your Windows box is behind a very good Linux firewall router. Kudos to Linksys...

      --
      Oh well, what the hell...
    3. Re:Not a windows problem by Tzarius · · Score: 1

      or adwared (can that be used as a verb?)...

      Anything can be verb'd. Just add 'd !

    4. Re:Not a windows problem by hokeyru · · Score: 1

      From what I understand from the article, it is a windows problem. I have to assume -- the author isn't very clear on this -- that the rar archive is really a .exe masquerading as a rar file, via a disingenuous icon. By default, windows hides "known" file types, which makes it hard to distinguish a masquerading exe from something else. This isn't a problem on linux.

    5. Re:Not a windows problem by Kjella · · Score: 1

      First of all, I can't think of anything stopping the same thing from happening with Linux software. Although it's ever elusive, if Linux does eventually become the desktop standard, (...)

      That depends on which desktop. If you mean the F/OSS desktop, it will not happen. Simply because you have a single authoritative source that is your distro. They will quickly slam any crap (and hopefully there's enough distros to make sure they don't get in bed with the enemy).

      If you mean a distro where people constantly install third-party software downloaded from random places on the Internet, well sure. I mean you wouldn't have this problem if the OS refused to install anything not coming from your apt-get source would it?

      Of course, you may consider that a *bad* thing. It shouldn't be so difficult to disable for those who need it though. Is it for real? Jump through the hoops, get on the repository. If not, you're probably some shady company who can't get on the repository.

      Consider it a "prescreening" of applications, just as you can use blocklists to prescreen mail. Ultimately, the choice is always your though. Unlike certain DRM solutions for the same that I've seen outlined... You can't install it because the computer won't let you.

      Kjella

      --
      Live today, because you never know what tomorrow brings
  93. MarketingMetrixGroup just got HACKED by Anonymous Coward · · Score: 0
  94. In other news... by Anonymous Coward · · Score: 0

    Hookers more likely to have HIV, diamonds bought in back alleys more likely to be fake.

  95. Deleting the file by i8a4re · · Score: 4, Informative

    Although this is not a tech support forum...

    A simple solution is to remove execute permissions on the file. I've run across malware that doesn't like you accessing the permissions dialog, so I typically use the command line CACLS.exe. Then I reboot, get a few errors since it is trying to execute a file that no account has permission to access. Now you can restore the delete permission and remove the file since it's not locked.

    --

    If I drive fast enough at the red light, it'll appear green.
    1. Re:Deleting the file by SharpFang · · Score: 1, Informative

      The problem is spyware installs its launchers in all (LOTS OF) startup points of Windows, each of them pointing to randomly named copy of the program, so if you disable one, another copy will start up and "fix it".

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    2. Re:Deleting the file by Anonymous Coward · · Score: 2, Informative

      I've found that the files can very often still be renamed while they are locked, it's pretty useful to defeat groups of self running parasites

    3. Re:Deleting the file by Hosiah · · Score: 2, Interesting

      Excellent suggestions, to which I might add, a hex editor works wonders in disabling a virus, too. Just type enough zeros!

    4. Re:Deleting the file by Master+of+Transhuman · · Score: 1

      I think some of the batch file solutions to this problem I've seen have used the CACLS.exe program and done as you suggest.

      KillBox seems to be the automated way of doing this.

      If KillBox doesn't work in this case, I'll try the manual way.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    5. Re:Deleting the file by SharpFang · · Score: 1

      http://www.google.pl/search?q=aurora+bolger+nail+removal

      For anyone who modded this "overrated".

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  96. The Real Problem? by Nom+du+Keyboard · · Score: 2, Interesting
    Isn't the real problem here that trackers are being posted that haven't been verified as valid first by the "moderators".

    Or is it the new "trackerless" BT that has opened this door?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:The Real Problem? by robertjw · · Score: 1

      Or is it the new "trackerless" BT that has opened this door?

      That's a good point. I bet it has made this way easier, although for the record I have a friend that uses BT under Windows and has complained about viruses and spyware for months.

  97. Re:Practical solution to spyware and p2p executabl by nektra · · Score: 1

    It depends if you usually use virtualization, when you have a lot of virtual machines created with a lot of snapshots, just 'play' VM, drag and drop, execute, and drag and drop again from your desktop.

    Another idea is to have some vm in Internet for public use, so you can use it to clean your scrap, and the machine return to previous snapshot periodically.

  98. Re:Warm and Fuzzy?? by Anonymous Coward · · Score: 0

    that's all well & nice in theory, but what happens when you simply don't have the funds to partake in ANY copyrighted material?
    "well, then, i guess you just can't use any!"
    right, because luxuries are only for the rich. way to step on the poor.

    what about copyrighted material from another country? their laws don't apply. they have absolutely /no/ right to enforce their laws on me.
    "think about the artists!"
    those same artists whose labels are getting all the money from their album sales and lawsuits? i'll start thinking about the artists when i download music when the record labels start thinking about the artists when they sign them.

  99. BitTorrent, eh? by TheSportsGED · · Score: 1

    Now I'll have to burn my Fedora 4 ISOs. Dammit back to the 6.5 KB/s FTP site.

  100. Spyware is good business (for me) by Anonymous Coward · · Score: 0

    Lucky for me, I have exclusively run linux based computers in my household for over 5 years now. I *never* suffer the slings and arrows that people running Windows do. I also have never lost any productivity due to OS / application failure (as I have with Windows in the past).

    However, this *ware problem is my heaven. As tedious as it is, I do enjoy making money by removing spyware from my client's plagued systems. Often times, it is cost effective to replace the system rather than pay me to fix it. So, I make money by installing and configuring the system for them.

    Their pain is my profit. Luckily, I see no end in sight for this plague. Unless, of course people switch to a better OS or just get a little smarter.

    Thank you evil spyware/adware people everyone for the disservice you do my clients with your crapware :P

  101. Irony Indeed...What's an Aggregate? by Anonymous Coward · · Score: 0

    "You're right. There is only one person posting to all these accounts, so clearly he is both prolific and schizophrenic."

    You do realize that statistics and psychology shoot down your "we're all completely different" argument. He's obviously talking about majority behaviour over time.* The very same that allows this forum's tagline to be "News for nerds, stuff that matters", as opposed to "News for 800,000 completely random people, stuff that interests no one".

    *Backed by a skinner style moderation system.

    1. Re:Irony Indeed...What's an Aggregate? by iamwahoo2 · · Score: 1
      statistics....blah...blah....blah

      Everybody on slashdot runs Linux, yet we spend all of our free time downloading the vast amount of Windows applications that are shared via bitTorrent. And we are super concerned about that adware getting installed on our Linux distributions as well.

    2. Re:Irony Indeed...What's an Aggregate? by peakoil · · Score: 1

      Your statement is not correct. Many Linux users do not "download" windows's apps. I sure don't. However, I do have windows apps that I bought from a yard sale. As for bittorrent, I only downloaded two iso versions of Linux. I personally don't like any of these p2p sharing (be they Kazaa, Java Limewire, or Bittorrent). They all have spyware in them. Use logic, why would a "linux user" download windows' app? It doesn't make sense... It reminds me of a joke we used to have in office "It's not for nothing they call me Bill "Gate".

  102. "According to Chris Boyd," by theurge14 · · Score: 1

    Is it ok to be freaked out if that's my name?

  103. Re:Warm and Fuzzy?? by kz45 · · Score: 1

    IP is something i am FORCED to live with, others use it to protect "their" IP, which in turn hurts me and limits my freedom.. ..

    no, it doesn't. IP was never your right to begin with, so it doesn't limit your freedom. Without IP protection, the cds/dvds might not have been released.

    This is great for many reasons, for example, that the consumption of culture will increase, grass-root-level of distribution works good, and it makes it easier for good stuff to be noticed (piracy is some kind of counterweight to commercials for music). Also piracy enables everyone in the world to access the same content. Where I live, for instance, most tv-shows aired in US never reaches me the "classic way".

    The IP laws don't need to change to have "grass-roots distribution". People can just as easily release new software, music, and movies, without any commercial support on the Internet. Commercial IP doesn't need to be noticed in this way. They have marketing and sales teams to do that for them.

    But what you want is to have "grass roots distribution" of commercial-level IP. You want the IP that costs millions of dollars to create in a professional studio...for free.

    In the end, I believe that the free flow of information is desired. Be it "copyrighted" information or other information, that does not matter. But the free flow is important

    I don't consider music, movies, or software, "information".

  104. Re:Warm and Fuzzy?? by Yartrebo · · Score: 1

    Funny enough, copyright law is just the opposite. There is no part of copyright law that says that credit must be given or that one cannot claim to be an author of something that (s)he is not. Plagiarism and ghostwriting are both perfectly legal.

    I am a small-time artist (mostly a programming artist, but I do dabble in other forms). What gets me upset about copyright law as an artist is that:
    1 - When I view or read something, I cannot be sure that the listed author actually wrote it, because ghostwriting is so prevalent.
    2 - It forces me to hold on to the copyright and enforce at least some provisions. The creative commons license does address this issue, but I should have to be well versed in law and able to implement what I know to have this right protected. It should be the default. If I worked for a company, this would likely be impossible.
    3 - While it makes no provisions about unrevokable rights of attribution, it forbids derivative works, and that makes it much, much harder to make the type of works I'd like to make. Both fan fiction and sampling are somewhere from hard to downright impossible to do legally with the current law.

    And yes, as a small time artist, my dream is about being famous and influential, not about making boatloads of money. If I achieved the first, making enough money to live off of would not be an issue anyway even without copyrights.

  105. Just look what you are downloading... by Chris2547 · · Score: 1

    Very simple, if you are downloading a movie, download an .avi or .mpg. If you are downloading a game or a big software packet, download an .iso or any other cd-image. Of course these files can be packed in .rar files, so simply open it with winrar. I never download .exe's, why? Because there are many different ways to upload/download files. If you want to get an app, smaller than 75mb. Use LimeWire... That's my strategy, and I never got any problems relating spyware/viruses.

  106. Company in question - defaced ! by acidjesus · · Score: 1

    I love the intraweb, news spreads like wildfire. This is the website of the Canadian spyware company mentioned in that article. http://www.marketingmetrixgroup.com/ :)

  107. defaced by Anonymous Coward · · Score: 0

    http://www.marketingmetrixgroup.com/
    the adware people's site is defaced.

  108. Re:Warm and Fuzzy?? by kz45 · · Score: 1

    that's all well & nice in theory, but what happens when you simply don't have the funds to partake in ANY copyrighted material?
    "well, then, i guess you just can't use any!"
    right, because luxuries are only for the rich. way to step on the poor.


    I can't have 60" widescreen HDTV either. Way to step on the poor! Sony should give them out to everyone for free!

    what about copyrighted material from another country? their laws don't apply. they have absolutely /no/ right to enforce their laws on me.
    "think about the artists!"

    those same artists whose labels are getting all the money from their album sales and lawsuits? i'll start thinking about the artists when i download music when the record labels start thinking about the artists when they sign them

    another excuse I hear over and over. The artists choose to sign an agreement with a recording label. In any business agreement, you look at the contract you are signing. If it's unreasonable, they shouldn't be signing it. If you want to blame someone..blame the artist. They know what they are getting into. I have no sympathy.

    if it was really a problem, most artists just wouldn't sign. However, they realize that they can get their music out to a much bigger audience with commercial support (and they don't have to worry about booking the next gig at a shitty bar or venue for pennies).

    it reminds me of open source projects. The good ones realize they need the commercial support.

  109. Deleting files that are "in use" by frenetic3 · · Score: 4, Informative

    I guess no one has suggested this yet: use Process Explorer and search for any open handles to the file. Once all the handles are closed, you can delete it safely because it won't be in use.

    This technique is a little shaky because those running programs that have handles to the DLL might be a little upset that the handle is suddenly closed, but just reboot after you complete the process if something breaks or crashes.

    -fren

    --
    "Where are we going, and why am I in this handbasket?"
  110. MMG site defaced! by codguy · · Score: 1

    Just went to check out the MMG website at http://www.marketingmetrixgroup.com/, and saw it has been defaced with the following message: "hey metrix! Ferror was here! yeahh let's go!! hahaha fuck off our T0RRENTS. back off and die!!!!"

  111. Horrible. by Peterus7 · · Score: 1
    Spyware on my BitTorrent?

    Worst summer vacation EVER.

  112. Someone's already taken action by kassemi · · Score: 2, Informative

    Looks like the company responsible for pushing the adware has already got some negative attention: http://www.marketingmetrixgroup.com/ (hacked)

    --
    What the hell's a "gewie?"
  113. Yes And No by Lagged2Death · · Score: 1

    Theoretically this is true, but I wonder if it's really practical enough for a malware author to consider. A malicious MP3 file, for example, would find itself getting decoded by one of about a zillion decoder/media player programs out there. Any particular buffer overflow attack would probably only be successful on a minority of desktop PCs.

    In the case of video files, things would be easier for an attacker, since a DivX file (for example) is virtually always going to be played back with the one official DivX decoder, even if it's not always running under the same media player.

    Of course, if the world at large could be persuaded to eschew the closed-source codecs, (yay XviD!) exploits like these might be more quickly contained.

  114. OK guys, this IS bad by cheaphomemadeacid · · Score: 0

    Run for your lives, this is just as bad as SARS was (not for humans but for computers) you need to RUN along and buy LOTS and LOTS of anti-spyware, anti-virus, firewall products RIGHT now! Your computer's life is at STAKE! And remember kids, the more money you put into it, the more protected you are!

  115. Re:Warm and Fuzzy?? by huge+colin · · Score: 1

    It's funny to see BitTorrent now get their comeuppance.

    This, folks, is a perfect example of why you should both:

    (a) read the article, and
    (b) know something

    before you make a smart-ass post.

  116. BitTorrent Trackers by NaruVonWilkins · · Score: 2, Interesting

    Many users of BT are still quite unaffected by this simply because they use membership-based trackers.

    I don't see that changing - as long as someone's accountable for the content (and can lose tracker privileges for bad content), I don't think it will.

  117. NSIS open source installer by stevetures · · Score: 1

    Hi all, here are some other issues. If you've ever come across these .exe files (for testing reasons of course), you might notice that the company used what could be the favorite installer of many people using win32 slashdotters.

    1. Is there some sort of re-poisoning that Nullsoft can create so that future NSIS installers won't be allowed to do mean things like this? (y'all are a lot smarter than me... I might suggest some way of coercing the installer to have any active spyware monitors check the files being installed)

    2. Is it possible that legit programs in the future using the NSIS installer might become a false-positive for spyware?

    Maybe the smart kids at Nullsoft might have answers/suggestions/etc.

    Steve "Nooooooo!"

  118. Re:Warm and Fuzzy?? by Geoffreyerffoeg · · Score: 1

    How does it feel to get hoist by your own petard now?

    Do you even know what a petard is, and exactly how it feels to be hoist by one?

    Maybe you could illegally thieve a dictionary. It might also help you realize that the past participle of "bite" is "bitten".

  119. Something weird I've noticed recently by sacrilicious · · Score: 1

    Last week I noticed that several of my downloads in bittorrent just kept downloading and downloading, despite showing that they had downloaded 3x original file size. I found myself wondering if someone was crapflooding, sending bad data that caused the eventual every-9-megabytes checksum to be bad and start the segment over. Anyone else notice this?

    --
    - First they ignore you, then they laugh at you, then ???, then profit.
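
The per-piece integrity check this comment refers to, as an added example that is not part of the original thread: a BitTorrent (v1) client compares the SHA-1 of every received piece with the 20-byte digest stored for it in the torrent's metainfo and throws away pieces that fail, so corrupt data from a peer is paid for in bandwidth but never reaches the file. The piece length, payload and peer functions below are constructed for the demonstration.

```python
import hashlib

PIECE_LEN = 16            # constructed; real torrents use far larger pieces
ORIGINAL = bytes(range(64))  # constructed 64-byte "file" (4 pieces)

def make_pieces_field(data, piece_len=PIECE_LEN):
    """Concatenated 20-byte SHA-1 digests, as stored in the metainfo 'pieces' field."""
    return b"".join(hashlib.sha1(data[i:i + piece_len]).digest()
                    for i in range(0, len(data), piece_len))

def verify_piece(pieces_field, index, piece):
    """True only if the received piece hashes to the digest published for that index."""
    expected = pieces_field[index * 20:(index + 1) * 20]
    return hashlib.sha1(piece).digest() == expected

def honest_peer(index):
    return ORIGINAL[index * PIECE_LEN:(index + 1) * PIECE_LEN]

def poisoning_peer(index):
    # Sends data of the right length but the wrong content.
    return b"\xff" * PIECE_LEN

def download(pieces_field, peers, max_attempts=10):
    """Fetch every piece, rotating through peers until one passes verification.

    Returns (assembled_data, bytes_received, rejected) where rejected lists
    the (piece_index, attempt) pairs that failed the hash check.
    """
    assembled, received, rejected = [], 0, []
    for index in range(len(pieces_field) // 20):
        for attempt in range(max_attempts):
            piece = peers[attempt % len(peers)](index)
            received += len(piece)          # wasted bytes still count as downloaded
            if verify_piece(pieces_field, index, piece):
                assembled.append(piece)
                break
            rejected.append((index, attempt))
        else:
            raise IOError("piece %d never verified" % index)
    return b"".join(assembled), received, rejected

if __name__ == "__main__":
    field = make_pieces_field(ORIGINAL)
    data, received, rejected = download(field, [poisoning_peer, poisoning_peer, honest_peer])
    print("intact:", data == ORIGINAL)
    print("received %d bytes for a %d-byte file" % (received, len(ORIGINAL)))
    print("rejected pieces:", rejected)
```

With two poisoning peers ahead of one honest peer, the client receives three times the file size while the assembled output stays byte-identical to the original.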
  120. Re:Practical solution to spyware and p2p executabl by SharpFang · · Score: 1

    then click britney-spears-nude-photos.avi.exe

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  121. anoNet by Anonymous Coward · · Score: 0

    Connect info

    Wikipedia article

    Come join anoNet / MetaNET and you can trade files the old fashioned way -- ftp without the worry of corporations monitoring you.

    It doesn't take a network engineer to set up or understand how you are anonymous. And it doesn't suffer the speed problems of freenet.

    --PEACE!

  122. Re:Warm and Fuzzy?? by Travelsonic · · Score: 1
    think you meant to write illegal and thieving.

    You mean potentially illegal, and potentially copyright infringing, copyright infringement is that, copyright infringement, illegal copying, not theft.


    "Fact it, 90% of BT traffic was copyrighted material that was illegal to distribute. "? Here we have another flamebait-throwing troll who gets statistics out of the rectal section of the library.

    --
    If you believe in privacy, and believe you have "nothing to hide" at the same time, you're a goddammed idiot
  123. Seems some of responsible parties have been hacked by Plug1 · · Score: 1

    Here It seems that someone didn't take their spyware too lightly. I only hope that this doesn't get pinned on the /. community.

  124. marketingmetrixgroup.com by Kwee · · Score: 1

    One of the biggest companies behind all this adware had their site hacked. http://www.marketingmetrixgroup.com/

  125. Re:Warm and Fuzzy?? by ymgve · · Score: 1

    Stop using this damn dumb defense! You downloaded 60 gigabytes of Linux. I downloaded 60 gigabytes of copyrighted material. And there are dozens of people like me for every one like you.

  126. One better by bradleyland · · Score: 1

    Process Explorer is overkill for this purpose. Unlocker works nicely. http://ccollomb.free.fr/unlocker/index.htm#redirect

    1. Re:One better by Master+of+Transhuman · · Score: 1


      Thanks for the tip - I've downloaded it, it looks like it will be very useful.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  127. admitting to the illegal software by Anonymous Coward · · Score: 0

    so I also saw that this came with a downloaded copy of Family Guy. Now obviously this media company, marketingmetrixgroup.com, is putting this adware with the file and distributing it. Doesn't this make them liable for some sort of copyright violation? After all, them putting their installer with it seems to be all the proof you would need to prove that they distributed it onto a P2P network.

  128. Responsible Company Hacked by mlorentz · · Score: 1
    The company responsible for infesting Bit Torrent has been hacked. Check it out. Sweet justice...

    http://www.marketingmetrixgroup.com/

  129. Another way remove all the spyware by tolkienfan · · Score: 0, Troll
    It's called "Windows Service Pack 3"

    Get it at: Windows Service Pack 3

  130. Defaced by Leme · · Score: 0, Redundant
    Looks like http://www.marketingmetrixgroup.com/ was just defaced.


    hey metrix! Ferror was here!
    yeahh let's go!! hahaha fuck off our T0RRENTS. back off and die!!!!

    Fatal Error BR Crew 2005 - irc.gigachat.net #Ferror
    by the danz
    danz@bsdmail.com

    greetz: #Commandt #H4ck3rsbr #hack3rz #un-root #RSY #SIMIENS
  131. slashdotted! by Anonymous Coward · · Score: 0

    The company responsible for the adware over bittorrent has had its site hacked.

    http://www.marketingmetrixgroup.com/

  132. a question of motives by celeb8 · · Score: 1

    I'm sure it's just a coincidence that the instant MS starts marketing a p2p product, they "find out" that sometimes files hosted using bittorrent can include a spyware installer. Under all the cleverly phrased descriptions, this article is basically just telling us that software can be sent using BT. How is this news?

  133. This is why I DONT want Linux to be popular. by MikeyVB · · Score: 2, Interesting

    Please read my entire post before modding me Troll....

    I recently installed Linux on my computer.

    The final trigger for installing it was the stupid Aurora adware mentioned in TFA. As an IT guy by profession, I found it insanely difficult to get rid of that one. I am very diligent with my computer (firewall, adware scanning and virus scanning, Firefox etc..) when it comes to anything I download, and I am almost usually completely ad/spy/virus-ware free. But in the end, some do slip through my defenses.

    About a year ago I did run Linux and then went back to Windows because I just wanted to have a computer that runs common software and apps that you run into instead of the ones to have to look for, and also having software install itself painlessly more often than not, which is usually the case for me on Linux since I am just mediocre with it.

    But why do I not want Linux to be used more and become a new standard? Because right now I like my Linux system. The fact that it is COMPLETELY adware free (other than www) is why I love it so much. If Linux became more standardized, the Adware/Spyware creating bastards would then consider it a new target market and we would have to go through all of the growing pain bullshit with viruses and adware as Windows is discovering right now. Because the user base of Linux is so small, creating adware for it is not worth the effort.

    I like it that way.

  134. More importantly: by tod_miller · · Score: 1

    When I was young, I asked my mum, why are some plants weeds, and others flowers, because the ones I saw with flowers, were in fact weeds. When she told me it was up to you which ones were weeds, I realised what she meant.

    Now, how does this apply?

    When is a virus a virus (using the n00b def of something bad - forget tech semantics for a mo).

    File A, loads onto system, HAS NO PAYLOAD, but is a virus

    File B, loads onto system, HAS A SPYWARE/ADWARE PAYLOAD, but is not a virus, because marketing types with small cocks wet themselves at giving things new names.

    I say this should be a virus, and saying that a file without a payload is a virus (most/many viruses have little/no payload) yet a file, the same metaphor of infection, is not a virus, but has an unwanted, active, and threatening payload, is sucking fupid!

    AV apps are shit in general, not as shit as that slashdot 'are you real' script. that can jump off a cliff handcuffed to an old VW van, and the guy who wrote it.

    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
  135. Typical Canadians... by freezin+fat+guy · · Score: 1

    Trust those freakin' Canadians to figure out a way to rip off honest, hard working people. I guess scammers like a country with fewer crime fighting resources than America and yet similar modern amenities.

    Now if you don't mind I'll just finish topping my pancakes with maple syrup while watching amateur hockey and drinking beer. Oops, think I may have given something away there...

  136. MMG Hacked!! by crabpeople · · Score: 1

    i was going to go try and figure out if i could do something evil to this website but looks like someone beat me to it

    http://www.marketingmetrixgroup.com/

    --
    I'll just use my special getting high powers one more time...
  137. look out! by ikes · · Score: 0

    you've angered the kids!

  138. Thanks Mods! by tolkienfan · · Score: 0
    Troll?

    I guess you either like to initiate newbies or you're Microsoft lovers.

    I suppose I should've put:
    In Soviet Russia spyware removes you!

    Grumble...

  139. With luck, the *AA will make use of this by Bootard · · Score: 1

    Assuming that the *AA hasn't authorized these companies to repackage and redistribute a crime, as I suspect, the *AA would be wise to make use of this development. Currently, their program of suing everyone doesn't seem to be doing as well as it might; massively suing teenagers and college students for a crime most regard as relatively victimless is tough going. However, it would appear that these spyware companies are engaging in piracy, and even better, for the sole purpose of making money. I would imagine a really big lawsuit against them would have tremendous popular support, revitalizing the *AA's efforts. A greedy spyware company makes a far better target than poor college kids.

    --
    exceptio probat regulam in casibus non exceptis
  140. I wonder if Avalanche... by tolkienfan · · Score: 0
    will install adware/spyware.

    Microsoft isn't known for being particularly sensitive to users' privacy... are they?

    Microsoft Wants P2P Avalanche to Crush BitTorrent

  141. Beautiful quote from TFA by LionMage · · Score: 1
    A quote attributed to MMG:
    Although Bit Torrent is a file format and not a P2P Network ... [it] is the fastest growing protocol for file sharing online. Many top Bit Torrent sites such as SuprNova, Lokitorren and Bit Tower support millions of downloads daily

    I love it! BitTorrent is a file format and not a P2P network! But wait, is it a file format or a protocol? I'm so confused now...

    Any slimy company that produces malware and publishes blatantly idiotic statements like the above on its web site deserves some serious smack-down.
  142. 7-zip for the cheap way. by Anonymous Coward · · Score: 0

    If it don't have winrar, open with 7-zip (www.7-zip.org). If it does not open, delete it and stop seeding it. For you windows users who don't pirate or buy winrar.

    All p2p networks have an attack problem. Basically they are like early HTTP, no extra protection yet.

    The source of your torrents is the most important part: from a trusted open source provider, no problems; anyone else, no trust should be provided.

    And the confirm stuff is nasty. I can understand why, but could someone do a more human friendly one?

  143. .zip by budgenator · · Score: 1

    From what I've seen very few windosers are astute enough to even know how to look at the file's extensions, to them anything that's compressed is a zip especially if the spy-ware.evil-hacker.com web site says it's a zip

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
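
A check that covers the "only download .avi, never .exe" strategy, the ".avi.exe" reply and the point above about users not looking at extensions, as an added example that is not part of the original thread: it flags executable extensions hidden behind a media-looking name and compares the claimed extension with the file's leading magic bytes. The extension sets, file names and header bytes are constructed for illustration.

```python
import os

# Illustrative sets (assumptions), not an exhaustive policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".avi", ".mpg", ".mpeg", ".mp3", ".iso", ".rar", ".zip", ".jpg"}

def sniff(header):
    """Return the type implied by the leading magic bytes, or None if unrecognised."""
    if header[:2] == b"MZ":                      # DOS/PE executable, incl. self-extractors
        return "exe"
    if header[:4] == b"RIFF" and header[8:12] == b"AVI ":
        return "avi"
    if header[:4] in (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"):
        return "mpg"
    if header[:6] == b"Rar!\x1a\x07":
        return "rar"
    if header[:4] == b"PK\x03\x04":
        return "zip"
    if header[:6] == b"7z\xbc\xaf\x27\x1c":
        return "7z"
    return None

def claimed_type(filename):
    """Type the final extension claims; every executable extension maps to 'exe'."""
    ext = os.path.splitext(filename.strip().lower())[1]
    if ext in EXECUTABLE_EXTS:
        return "exe"
    return {".mpeg": "mpg"}.get(ext, ext.lstrip("."))

def has_double_extension(filename):
    """True for names like clip.avi.exe, including space-padded 'clip.avi    .exe'."""
    stem, last = os.path.splitext(filename.strip().lower())
    inner = os.path.splitext(stem)[1].strip()
    return last in EXECUTABLE_EXTS and inner in DECOY_EXTS

def assess(filename, header):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    if has_double_extension(filename):
        findings.append("double-extension")
    actual, claimed = sniff(header), claimed_type(filename)
    if actual is not None and actual != claimed:
        findings.append("content-is-%s-not-%s" % (actual, claimed))
    return findings

# Constructed samples: (file name, first bytes of the file)
SAMPLES = [
    ("episode.avi", b"RIFF\x10\x00\x00\x00AVI LIST"),
    ("britney-spears-nude-photos.avi.exe", b"MZ\x90\x00"),
    ("episode.avi", b"MZ\x90\x00"),
    ("album.zip", b"Rar!\x1a\x07\x00"),
    ("movie.avi        .exe", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, header in SAMPLES:
        print(repr(name), assess(name, header) or "ok")
```

An empty result only means the name and header agree; it says nothing about whether a genuine media file or archive is safe to open.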
  144. Re:Oh, the Coincidence! by Vengeance_au · · Score: 3, Insightful
    I'm more taken by the coincidence of this 'news', where the key references are from;
    Chris Boyd, a renowned security researcher
    Boyd, the Microsoft Security MVP (most valuable professional)
    and then we see in a subsequent article here on slashdot.... Microsoft wants P2P Avalanche to Crush Bittorrent
  145. Marketing Metrix Group site oWnzEd! by Alexeck · · Score: 1

    These are the dudes mentioned in Paperghost's research

    Check it out

    http://www.marketingmetrixgroup.com/

  146. hmmm by don'tyellatme · · Score: 1

    "Many top Bit Torrent sites such as SuprNova, Lokitorren[t]" seeing how suprnova and lokitorrent were taken down months ago.....

  147. A must read by Neoncow · · Score: 1
    Read through the parent's post. Notice they point out the scamware company.

    See what someone did to the site http://www.marketingmetrixgroup.com/

    1. Re:A must read by biryokumaru · · Score: 1

      Look at the defacement's source... it seriously looks like it was made in Word!

      --
      When you're afraid to download music illegally in your own home, then the terrorists have won!
  148. not the official client by lart2150 · · Score: 1

    there have been copies of bittorrent flying around for a while now that have spyware/adware in them. this sounded odd but when he talked about a 8MB installer I was confused because both the stable and beta versions on the OFFICIAL site are below 4MB. I looked and didn't see any spyware.

  149. I have been hit.. by earthstar · · Score: 1

    I have personally seen mpeg files, when being played, opening up webpages themselves, at a particular time in the mov. Now if the website automatically installs crap, you know what happens...

  150. Re:Warm and Fuzzy?? by mowler2 · · Score: 1

    Information is any pattern. Music and movies are just patterns. Data is information.

    I mean information in the sense that one says in physics - "information can never be destroyed (except perhaps in black holes)".

  151. bt isnt the problem (obviously) by jnf · · Score: 1

    really i don't see why this is news, i mean seriously this is the same issue as with any file downloaded, especially so when it comes through a p2p medium.

    If people would take the time to learn just the littlest bit about their computers i think we would find a lot of this stuff would at least decrease in volume (as it wouldn't be as effective of a method of advertising and such)

  152. WMP-supported Spyware by SeanDuggan · · Score: 1

    Actually, wasn't there a big stink recently about how Windows Media Player automatically followed the URL involved with a license, meaning that it was virtual child's play to get a person to an exploited site, particularly if they're using the default setting of getting licenses automatically?

    --
    This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
  153. That's the key by trigggl · · Score: 1
    Nothing legal is free. If someone IS giving you something for free, think of "free internet", they usually want you to use 'their browser' so they can make money off of advertising. So...

    If I need 'their program' to see something...

    (ALARM)...(ALARM)...(ALARM)

    ...I usually don't want it.

    --
    Ops, I shuld have usd the prevuwe but in.
  154. My Mistake by trigggl · · Score: 1
    I guess there is free software.

    Feel free to give me 40 lashes with a wet noodle.

    --
    Ops, I shuld have usd the prevuwe but in.
  155. their site by thatcyberdude · · Score: 1

    I noticed that their site has been down for a while. That company is just a shell company of Triton Solutions. http://www.tritonsolutions.ca/index.htm

  156. Re:Warm and Fuzzy?? by kz45 · · Score: 1

    Information is any pattern. Music and movies are just patterns. Data is information

    physical things are just a pattern too..of atoms.