Slashdot Mirror


Spyware Floods in Through BitTorrent

solareagle writes "Public peer-to-peer networks have always been associated with adware program distributions, but BitTorrent, the program created by Bram Cohen to offer a new approach to sharing digital files, has managed to avoid the stigma. Not any more, anti-spyware advocates warn. According to Chris Boyd, a renowned security researcher who runs the VitalSecurity.org nonprofit resource center, the warm and fuzzy world of BitTorrent has been invaded by a massive software distribution campaign linked to New York-based adware purveyor Direct Revenue LLC."

34 of 457 comments

  1. And the day has come... by ChrisF79 · · Score: 2, Informative

    We had to see this one coming. The spyware/adware folks are getting good at putting their "product" everywhere. It was only a matter of time before bittorrent reached critical mass and became a good target.

    --
    Finance tutorials and more! Understandfinance
    1. Re:And the day has come... by tropo3050 · · Score: 2, Informative

      Well, sure, if they were trying to share a modified version of the original torrent. The article certainly gives the impression that the torrent is being poisoned with modified "chunks" of data which, when reassembled into the file, create adware. However, the .torrent file should specify the checksum for each part - if it is invalid, the part is thrown out and gotten from somewhere else. The same reason why checksums work in encryption is why altering the chunk and maintaining an identical checksum is theoretically possible: yielding a functioning chunk with that same checksum would just be really, really hard. I really think that these people are creating their own torrents, enticing users to download and use that .torrent file. Since they made it, the checksums will match the pre-made chunks, because the original file contains the adware.

  2. This is Dumb by Enigma_Man · · Score: 3, Informative

    It's not bittorrent that has the spyware, it's crappy spyware-infested clients. A client can contain other malicious code obviously (as seen in Kazaa, etc). Bittorrent itself is just a file type with special download methods. How you download it is up to you. If you don't use a crappy client, and don't run .exe files that you don't remember downloading, you're all set, jesus-h-christ, how many times does this have to be re-hashed.

    -Jesse

    --
    Nothing says "unprofessional job" like wrinkles in your duct tape.
    1. Re:This is Dumb by Gnascher · · Score: 3, Informative

      You missed the point. Your 'torrent client isn't the one installing the adware.

      Adware companies are hosting up files that they've corrupted by adding in their own files.

      So when you think you're downloading a linux .iso, or something else ... you MAY be getting more than you bargained for if one of the sources of the .torrent is hosting one of these corrupted pieces.

      Then, when the download is complete and is reassembled ... the spyware gets installed on your machine.

      The scary bad thing here, that the article doesn't mention, is if the SpyWare community can pull this off, it should be just as easy for a Virus writer to do it.

      Probably easy enough to verify your download if you can check an MD5 hash against it. But the article wasn't clear when the install happens. Is it automatic, or is user input required?

      --
      It's not my fault! It was this way when I got here.
    2. Re:This is Dumb by reidbold · · Score: 3, Informative

      BitTorrent does this automatically behind the scenes. It hashes each block of data and confirms it after it's downloaded it, and it redownloads blocks that fail the hash check.

      --
      -Reid
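    The piece check that comments 1.1 (tropo3050) and 2.2 (reidbold) describe, as an added example that is not code from the thread or from any BitTorrent client. It rebuilds the 'pieces' field of a .torrent info dictionary (concatenated 20-byte SHA-1 digests, one per piece) for constructed sample content, shows an altered piece from one peer being rejected, and shows why a publisher who baked the unwanted payload into the file before hashing is not caught by it. Piece length, sample content and function names are all assumptions.

```python
import hashlib

PIECE_LENGTH = 16  # constructed: tiny pieces so the sample stays readable


def make_pieces_field(content: bytes, piece_length: int = PIECE_LENGTH) -> bytes:
    """Return the concatenated SHA-1 digests a .torrent stores under 'pieces'."""
    return b"".join(
        hashlib.sha1(content[i:i + piece_length]).digest()
        for i in range(0, len(content), piece_length)
    )


def expected_hashes(pieces_field: bytes) -> list:
    """Split the 'pieces' blob back into one 20-byte digest per piece."""
    if len(pieces_field) % 20:
        raise ValueError("pieces field is not a multiple of 20 bytes")
    return [pieces_field[i:i + 20] for i in range(0, len(pieces_field), 20)]


def check_pieces(received: list, pieces_field: bytes) -> list:
    """Return indices of received pieces whose SHA-1 does not match the
    .torrent; a client discards these and re-requests them from another peer."""
    wanted = expected_hashes(pieces_field)
    if len(received) != len(wanted):
        raise ValueError("piece count does not match the .torrent")
    return [
        i for i, (blob, digest) in enumerate(zip(received, wanted))
        if hashlib.sha1(blob).digest() != digest
    ]


def split_pieces(content: bytes, piece_length: int = PIECE_LENGTH) -> list:
    return [content[i:i + piece_length] for i in range(0, len(content), piece_length)]


def demo() -> dict:
    # Constructed sample payload standing in for a shared file.
    original = b"constructed sample file content for the piece-hash demo ok"
    pieces_field = make_pieces_field(original)

    # Scenario from comment 1.1: one peer serves an altered chunk of a torrent
    # whose .torrent came from a trusted publisher. The piece hash catches it.
    tampered = split_pieces(original)
    tampered[1] = b"X" * len(tampered[1])
    rejected = check_pieces(tampered, pieces_field)

    # The case the same comment argues is the real risk: the publisher put the
    # unwanted payload in the file *before* hashing, so every piece verifies
    # and the hash check offers no protection at all.
    with_payload = original + b"<constructed unwanted payload>"
    clean_verify = check_pieces(split_pieces(with_payload),
                                make_pieces_field(with_payload)) == []

    return {"rejected": rejected, "publisher_payload_verifies": clean_verify}
```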
  3. Not so big of a deal by biryokumaru · · Score: 1, Informative
    Wow, this is one up to date news source, this e-week is totally on top of the e-news.

    "Many top Bit Torrent sites such as SuprNova, Lokitorren and Bit Tower support millions of downloads daily"

    And it only affects the btdownloadgui client, not the torrents themselves. Seems like non-news for people who use Azureus (or any of a number of quality clients, really).

    --
    When you're afraid to download music illegally in your own home, then the terrorists have won!
    1. Re:Not so big of a deal by aslagle · · Score: 4, Informative

      Um...this is wrong. Perhaps you missed the part that said the client isn't the infection path?

      Oh, guess you didn't read TFA.

      The infection path is simply a self-extracting file that contains the content you wanted, along with a spyware tag-along. It can be downloaded with any client, they just happen to be seeding them as torrents.

  4. The only problem with this... by aslagle · · Score: 4, Informative

    is that Bittorrent is really not the problem here. The adware isn't coming from a Bittorrent client, or being 'snuck in' over the protocol instead of or alongside a file you're downloading, it's coming in the file you're downloading! It's the same way adware gets into a host of other files we've been told to be careful of, like email attachments.

    Bittorrent is simply used to add a bit more hype and FUD to the same old same-o.

  5. Info Direct From Vital Security by TheRedHorse · · Score: 2, Informative

    More info from Vital Security here and here.

  6. be smart by lambent · · Score: 1, Informative

    Azureus + the Safepeer/PeerGuardian plugin (http://azureus.sourceforge.net/plugin_details.php?plugin=safepeer) specifically blocks much nasty stuff out.

    Be smart when you engage in dangerous activity. No glove, no love.

  7. Aurora by eric_brissette · · Score: 2, Informative

    My roommate has had Aurora installed on his system for about 2 weeks now, I just haven't had the time to get around to removing it. I've done some quick searches to find information about the removal of Aurora, and it looks like removal involves a lot of tedious work... Does anyone know of some software that'll remove it so I don't have to do it manually? So far Microsoft Anti Spyware has found it, but not removed it. AdAware hasn't removed it. Spybot Search & Destroy hasn't removed it. AVG Antivirus hasn't removed it. Just a word of advice to others who may be "infected": Direct Revenue has a removal tool on their site. I wouldn't suggest using it after reading a number of posts on forums (computing.net)

  8. Bittorrent is *STILL SAFER* by Tezkah · · Score: 4, Informative

    Why is it still safer? Open Source / Freeware (no spyware) clients.

    Plus, even if you DO download a file that ends up being spyware, when you download the torrent from most sites, they allow you to give comments like "I FOUND SIXTEEN HUNDREN VIRUSES IN THIS TORRENT", and although some people lie, if people are complaining about stuff like that, you can usually guess that it is a spyware infested torrent.

    Of course, even this only matters when you download something containing an .exe or some such program. One program I did download asked me to install third party software... I quickly realized that the EULA was of a spyware company, asking me to waive all rights to privacy, and did not belong to the developing company.

  9. Re:Doh by Smidge204 · · Score: 2, Informative

    After reading the article, it seems that the client itself is not the vehicle for infection - it's tainted files. Which client you use is irrelevant.

    =Smidge=

  10. Re:Oh, the Irony! by AvitarX · · Score: 1, Informative

    reboot in safe mode with command prompt and delete the file.

    If you are uncomfortable with DOS then use WindowsKey+E to open an explorer window.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  11. Re:Oh, the Irony! by Master+of+Transhuman · · Score: 5, Informative

    These spyware programs that use the Registry to spawn renamed multiple copies of the spyware programs are a nightmare to get rid of.

    I had a client last night with the Backdoor.Agent.BA trojan which is incredibly hard to get rid of. There are plenty of varied instructions on the Net on how to detect it and find it, but the problem is deleting the DLL file. You can't delete it from the command line or from Windows - in Safe Mode or not (and of course if it's an NTFS system, DOS can't touch it - Linux with the Captive utility might be able to). Not only that, but the DLL does not EXIST in Safe Mode! It can ONLY be created and accessible during a normal boot - by which time you're screwed.

    The only way to delete it is to get a program called KillBox which will prompt for the filename, set itself to run on reboot before Windows is fully loaded, and then reboot Windows, deleting the file before Windows can lock it down.

    You also have to get into the Registry and delete a key which has an invisible value which is what causes it to recreate itself.

    I get my hands on the asshole who wrote this thing, he's gonna need medical life support for the rest of his life.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  12. Fatal err0r!!1 by endtime · · Score: 2, Informative

    http://www.marketingmetrixgroup.com/ Ha that didn't take long.

  13. Fight back against Direct Revenue LLC by prezvdi · · Score: 5, Informative

    Don't bother calling their office. Don't bother emailing them for help. And no matter what you do, don't run their uninstall utility myPCtuneup - it simply installs more crap.

    Direct Revenue LLC is VC backed. Please, complain to the right guy.

    Insite Venture Partners
    Mr. Deven Parekh
    His desk number is 212-230-9216 and his real email address is dparekh@insightpartners.com

    May we waste as much of his time as he has of ours. How many people here spend hours "helping" their non-tech friends remove this crap . . .

  14. RTFA by sjvn · · Score: 2, Informative

    The story says that torrent files are being bundled with adware programs, not BitTorrent clients.

    How can this happen? Again RTFA.

    If seeing is believing, look at this link from the news story:

    Vitalsecurity

    You'll see a RAR--not an exe--for an episode of Family Guy. When you try to open it, you're faced with a licensing announcement, which if you agree to it, will pack your Windows system full of spyware.

    Would this fool someone who knew what they were doing? No.

    Would it fool a lot of users just looking for a cheap thrill? Oh yeah.

    Does this make it a real problem--as the article suggests? I certainly think so.

    Maybe not for me, maybe not for you, but for those millions of clueless users, yes, oh yes it does.

    Steven

  15. Deleting the file by i8a4re · · Score: 4, Informative

    Although this is not a tech support forum...

    A simple solution is to remove execute permissions on the file. I've run across malware that doesn't like you accessing the permissions dialog, so I typically use the command line CACLS.exe. Then I reboot, get a few errors since it is trying to execute a file that no account has permission to access. Now you can restore the delete permission and remove the file since it's not locked.

    --

    If I drive fast enough at the red light, it'll appear green.
    1. Re:Deleting the file by SharpFang · · Score: 1, Informative

      The problem is spyware installs its launchers in all (LOTS OF) startup points of Windows, each of them pointing to a randomly named copy of the program, so if you disable one, another copy will start up and "fix it".

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    2. Re:Deleting the file by Anonymous Coward · · Score: 2, Informative

      I've found that the files can very often still be renamed while they are locked; it's pretty useful to defeat groups of self-running parasites.

  16. Re:Doh by budgenator · · Score: 2, Informative

    how an executable could be run if you downloaded a nonexecutable (e.g., a .mov or .avi file)
    It can't, but that's not what's happening. People are used to downloading ZIP files, which are often self-extracting; so they double-click the file, which is executable, i.e. self-extracting; the custom extractor throws up an alert box that says extracting "suzie does donkies", with a checkbox "I agree to terms" and OK. Users never actually read the terms, which say something like "I agree to install software, give my first born son, etc." Then the extractor installs the spyware, and then extracts the .mov or .avi file for the user to watch. I'm not sure if Windows even looks at the file extension anymore.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  17. Re:Oh, the Irony! by Sinus0idal · · Score: 2, Informative

    If you can't delete it from safe mode, boot up with your windows CD and delete it from the recovery console.

  18. Re:Oh, the Irony! by aetherspoon · · Score: 2, Informative

    Do a google search for a program called dellater.exe - it does just what it says. It marks a file for deletion at the next reboot. Command line utility. Simple and it works.

    --
    --- Æther SPOON!
  19. Deleting files that are "in use" by frenetic3 · · Score: 4, Informative

    I guess no one has suggested this yet: use Process Explorer and search for any open handles to the file. Once all the handles are closed, you can delete it safely because it won't be in use.

    This technique is a little shaky because those running programs that have handles to the DLL might be a little upset that the handle is suddenly closed, but just reboot after you complete the process if something breaks or crashes.

    -fren

    --
    "Where are we going, and why am I in this handbasket?"
  20. Re:Oh, the Irony! by Anonymous Coward · · Score: 1, Informative

    This is a well known bug in Windows 2000. The problem is that explorer leaves filehandles open when it shouldn't. Try the following:

    1) create a directory 'foo'
    2) create a file in 'foo' called bar.txt
    3) delete bar.txt with explorer
    4) move up the directory tree and try to delete 'foo'.

    You won't be able to delete 'foo' because explorer has an open filehandle to it which it will NEVER close.

    This bug has existed throughout all service patches of windows 2000. Microsoft's solution: Install XP. Bastards.

  21. Re:Oh, the Irony! by robertjw · · Score: 2, Informative

    DOS can delete them if you feel like paying for the NTFS dos drivers which support both read and write. (read is free).

    Another option is to use a Knoppix disk and boot to Linux. There is an article at http://www.planetfez.net/engl223/archive/page2.html#win32 that gives steps for doing this.

  22. Someone's already taken action by kassemi · · Score: 2, Informative

    Looks like the company responsible for pushing the adware has already got some negative attention: http://www.marketingmetrixgroup.com/ (hacked)

    --
    What the hell's a "gewie?"
  23. Re:I call BULLSHIT by SharpFang · · Score: 3, Informative

    It's worse.
    You see, Windows has this lovely feature known as "Hide file extensions for known file types". And guess what? One of these extensions is .exe. Another lovely feature of Windows is that you can assign any arbitrary icon to a file. Like the lovely Winamp llama. So all the bastards need is to rename infect.exe to Britney_Spears-Fuck_Me_Harder.mp3.exe, give it a common mp3 icon, add it to RAR (BT doesn't hide file extensions), then seed it. Your average Windows moron will right-click on the RAR, pick "unpack here", then double-click the icon.
    Easy like that.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  24. Re:Oh, the Irony! by snakecoder · · Score: 2, Informative

    One of many methods to remove files:

    I had a bunch of remote boxes that I needed to get rid of those pesky "won't go away" trojans.

    Fortunately the box had cygnus

    I just kicked off
    while [ 1 ]
    do
    rm filename
    done

    Then I rebooted the box and the file was gone for good.

    --
    -Nuke the moon
  25. Re:Oh, the Irony! by prof666 · · Score: 1, Informative

    I've always used a VMware machine for P2P software. I take a snapshot before installing any new app, and if it contains spyware/adware...just halt the OS and roll back....and it's all gone again.

  26. Re:Oh, the Irony! by cornjones · · Score: 3, Informative

    Unfortunately, it seems as though a lot of the vids are coming down as .exes (or rars containing exes). Supposedly, the .exes are just self extracting archives but I don't trust them, I generally send the .exe into winrar. If it is just an archive, winrar can extract it. If winrar can't open it I assume it is a trojan, delete it and immediately stop seeding.

    YMMV

  27. Re:Oh, the Irony! by Phs2501 · · Score: 2, Informative
    Uh, Linux and other Unixes quite happily memory-map running executables. For example:

    :; cat /proc/$(ps auxw | egrep '(m)utt' | awk '{print $2}')/maps
    08048000-080b8000 r-xp 00000000 03:0a 171032 /usr/local/encap/mutt-1.5.9i/bin/mutt
    080b8000-080be000 rw-p 0006f000 03:0a 171032 /usr/local/encap/mutt-1.5.9i/bin/mutt

    What's different is that Windows has a "delete" function while Unix has an "unlink" function. In Unix, a file doesn't get truly deleted until all references to it are gone, including open file handles. Try creating a 2GB file in /tmp, writing a simple program to open it and sleep forever, then deleting it with rm. You won't get your space back until the sleeping process exits.

    You can also usually crash a running process pretty easily by scribbling over its executable, proving that it's memory-mapped.

    To me this makes much more sense than the Microsoft B&D method, which as you mentioned leads to a ton of "Please reboot because I couldn't touch this file" messages. If it worked like Unix, you could simply unlink the old file and (optionally) put a new one in its place without affecting currently running processes. When those processes restarted, they would use the new files.

    Of course, spyware and virus authors must love the way MS does it.

  28. Re:Oh, the Irony! by Eivind · · Score: 2, Informative
    No, you're wrong. In fact unix happily mmaps executables and libraries.

    The difference is that unix file-model is a lot more flexible than the model in dos (now largely inherited by Windows)

    In Windows, a "file" is a collection of bytes with one name.

    In Unix, a "file" is a collection of bytes with zero or more names.

    Simply put, unix uses reference-counting, the actual blocks on disk are only freed when the last reference is gone. Thus it's unproblematic to allow deletion of an open file -- the deletion only affects the directory formerly holding a reference to the file, the file still exists because the process has a handle on it and the reference-count is thus not null.

    You can try it out for yourself trivially:

    • Create a large file somehow.
    • start i.e. python with "python"
    • open the file and get a filehandle by doing: fp = open("filename.whatever")
    • Open a different shell.
    • Check how much space is free on the device.
    • Delete the file. Notice it's gone from the directory.
    • Check how much space is free, notice that it's not changed (i.e. the file is still taking up room)
    • in python, do fp.close()
    • Repeat test, notice that *now* the file is no longer taking up room.

    The disadvantages of the unix-approach you talk about don't exist, they are purely imagined and purely the result of you failing to grasp the unix file-semantics.
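    The unlink-while-open behaviour that comments 27 and 28 describe, as an added example that is not code from the thread. It does the Eivind walkthrough in one script: keep a handle open, unlink the name, and record what the kernel still reports for the inode. It assumes a POSIX system (Linux, BSD, macOS); on Windows the unlink call would fail with the "file in use" error the thread complains about. File name, size and function name are assumptions.

```python
import os
import tempfile


def unlink_while_open(size: int = 1 << 20) -> dict:
    """Create a file, keep a handle open, unlink it, and record what is
    observable at each step. Returns the observations so they can be checked."""
    obs = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "big.bin")
        with open(path, "wb") as w:
            w.write(b"\0" * size)              # constructed content, nothing special

        fd = os.open(path, os.O_RDONLY)        # a process now holds a reference
        obs["nlink_before"] = os.fstat(fd).st_nlink   # one directory entry names it

        os.unlink(path)                        # removes the *name*, not the data
        obs["name_gone"] = not os.path.exists(path)   # directory no longer lists it
        obs["nlink_after"] = os.fstat(fd).st_nlink    # zero names left ...
        obs["size_still_allocated"] = os.fstat(fd).st_size  # ... blocks still held
        obs["bytes_read_via_fd"] = len(os.read(fd, 4096))   # and still readable

        os.close(fd)                           # last reference dropped: now freed
    return obs
```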