Spyware Floods in Through BitTorrent
solareagle writes "Public peer-to-peer networks have always been associated with adware program distributions, but BitTorrent, the program created by Bram Cohen to offer a new approach to sharing digital files, has managed to avoid the stigma. Not any more, anti-spyware advocates warn. According to Chris Boyd, a renowned security researcher who runs the VitalSecurity.org nonprofit resource center, the warm and fuzzy world of BitTorrent has been invaded by a massive software distribution campaign linked to New York-based adware purveyor Direct Revenue LLC."
It's not bittorrent that has the spyware, it's crappy spyware-infested clients. A client can contain other malicious code obviously (as seen in Kazaa, etc). Bittorrent itself is just a file type with special download methods. How you download it is up to you. If you don't use a crappy client, and don't run .exe files that you don't remember downloading, you're all set, jesus-h-christ, how many times does this have to be re-hashed.
-Jesse
Nothing says "unprofessional job" like wrinkles in your duct tape.
is that Bittorrent is really not the problem here. The adware isn't coming from a Bittorrent client, or being 'snuck in' over the protocol instead of or alongside a file you're downloading, it's coming in the file you're downloading! It's the same way adware gets into a host of other files we've been told to be careful of, like email attachments.
Bittorrent is simply used to add a bit more hype and FUD to the same old same-o.
Why is it still safer? Open Source / Freeware (no spyware) clients.
Of course, even this only matters when you download something containing an .exe or some such program. One program I did download asked me to install third party software... I quickly realized that the EULA was of a spyware company, asking me to waive all rights to privacy, and did not belong to the developing company.
Plus, even if you DO download a file that ends up being spyware, when you download the torrent from most sites, they allow you to give comments like "I FOUND SIXTEEN HUNDRED VIRUSES IN THIS TORRENT", and although some people lie, if people are complaining about stuff like that, you can usually guess that it is a spyware infested torrent.
Um...this is wrong. Perhaps you missed the part that said the client isn't the infection path?
Oh, guess you didn't read TFA.
The infection path is simply a self-extracting file that contains the content you wanted, along with a spyware tag-along. It can be downloaded with any client, they just happen to be seeding them as torrents.
These spyware programs that use the Registry to spawn renamed multiple copies of the spyware programs are a nightmare to get rid of.
I had a client last night with the Backdoor.Agent.BA trojan which is incredibly hard to get rid of. There are plenty of varied instructions on the Net on how to detect it and find it, but the problem is deleting the DLL file. You can't delete it from the command line or from Windows - in Safe Mode or not (and of course if it's an NTFS system, DOS can't touch it - Linux with the Captive utility might be able to). Not only that, but the DLL does not EXIST in Safe Mode! It can ONLY be created and accessible during a normal boot - by which time you're screwed.
The only way to delete it is to get a program called KillBox which will prompt for the filename, set itself to run on reboot before Windows is fully loaded, and then reboot Windows, deleting the file before Windows can lock it down.
You also have to get into the Registry and delete a key which has an invisible value which is what causes it to recreate itself.
If I get my hands on the asshole who wrote this thing, he's gonna need medical life support for the rest of his life.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Don't bother calling their office. Don't bother emailing them for help. And no matter what you do, don't run their uninstall utility myPCtuneup - it simply installs more crap.
Direct Revenue LLC is VC backed. Please, complain to the right guy.
Insite Venture Partners
Mr. Deven Parekh
His desk number is 212-230-9216 and his real email address is dparekh@insightpartners.com
May we waste as much of his time as he has of ours. How many people here spend hours "helping" their non-tech friends remove this crap . . .
Although this is not a tech support forum...
A simple solution is to remove execute permissions on the file. I've run across malware that doesn't like you accessing the permissions dialog, so I typically use the command line CACLS.exe. Then I reboot, get a few errors since it is trying to execute a file that no account has permission to access. Now you can restore the delete permission and remove the file since it's not locked.
If I drive fast enough at the red light, it'll appear green.
I guess no one has suggested this yet: use Process Explorer and search for any open handles to the file. Once all the handles are closed, you can delete it safely because it won't be in use.
This technique is a little shaky because those running programs that have handles to the DLL might be a little upset that it the handle is suddenly closed, but just reboot after you complete the process if something breaks or crashes.
-fren
"Where are we going, and why am I in this handbasket?"
It's worse. You see, Windows has this lovely feature known as "Hide file extensions for known file types". And guess what? One of these extensions is .exe. Another lovely feature of Windows is that you can assign any arbitrary icon to a file. Like the lovely Winamp llama. So all the bastards need is to rename infect.exe to Britney_Spears-Fuck_Me_Harder.mp3.exe, give it a common mp3 icon, add it to RAR (BT doesn't hide file extensions), then seed it. Your average Windows moron will right-click on the RAR, pick "unpack here", then double-click the icon.
Easy like that.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Unfortunately, it seems as though a lot of the vids are coming down as .exes (or rars containing exes). Supposedly, the .exes are just self extracting archives but I don't trust them, I generally send the .exe into winrar. If it is just an archive, winrar can extract it. If winrar can't open it I assume it is a trojan, delete it and immediately stop seeding.
YMMV
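The two checks the last two posters describe, as an added example (not code from the thread or from any of the people quoted): first, the "Britney_Spears.mp3.exe" trick, where the real extension is executable and Explorer's "Hide file extensions for known file types" shows only the media-looking part; second, the "is this .exe really a self-extracting archive?" test, done here by looking for an embedded ZIP or RAR structure instead of feeding the file to WinRAR. Because a genuine SFX can still bundle the content you wanted together with an installer tag-along (the infection path described earlier in the thread), the triage also lists executables found inside the archive. The extension sets, the assumption that Explorer hides exactly those extensions, and all sample files are constructed for the example; nothing here talks to the network or runs the file.

```python
"""Triage a downloaded 'media' file before opening it (added example)."""
import io
import os
import zipfile

# Assumed sets for the example; tune to taste.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".lnk"}
MEDIA_EXTS = {".mp3", ".avi", ".mpg", ".mpeg", ".wmv", ".mov", ".jpg", ".jpeg", ".gif", ".png"}
# Assumption: Explorer treats all of these as "known file types" and hides them.
HIDDEN_KNOWN_EXTS = EXECUTABLE_EXTS | MEDIA_EXTS

RAR4_MARKER = b"Rar!\x1a\x07\x00"      # RAR 1.5-4.x archive signature
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x archive signature


def split_exts(name):
    """All extensions of a file name, lowercased: 'a.mp3.exe' -> ['.mp3', '.exe']."""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:]]


def explorer_display_name(name):
    """What Explorer shows with 'Hide file extensions for known file types' on."""
    exts = split_exts(name)
    if exts and exts[-1] in HIDDEN_KNOWN_EXTS:
        return name[: -len(exts[-1])]
    return name


def is_masquerading(name):
    """True when the real (last) extension is executable but an earlier one looks like media."""
    exts = split_exts(name)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return False
    return any(e in MEDIA_EXTS for e in exts[:-1])


def embedded_archive_kind(data):
    """'zip' or 'rar' if the executable carries an archive payload, else None.

    zipfile locates the end-of-central-directory record from the end of the
    file, so a ZIP with an executable stub prepended (an SFX) is still found.
    """
    if data[:2] != b"MZ":
        return None  # not a DOS/PE executable at all
    if RAR4_MARKER in data or RAR5_MARKER in data:
        return "rar"
    if zipfile.is_zipfile(io.BytesIO(data)):
        return "zip"
    return None


def triage(name, data):
    """Combine the name check and the payload check into one verdict."""
    kind = embedded_archive_kind(data)
    report = {"name": name, "masquerading": is_masquerading(name),
              "archive": kind, "payload_executables": []}
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            report["payload_executables"] = [
                m for m in zf.namelist()
                if split_exts(m) and split_exts(m)[-1] in EXECUTABLE_EXTS]
    if report["masquerading"]:
        report["verdict"] = "executable disguised as media: delete, stop seeding"
    elif data[:2] == b"MZ" and kind is None:
        report["verdict"] = "plain executable, not an archive: delete, stop seeding"
    elif report["payload_executables"]:
        report["verdict"] = "archive bundles an executable: extract by hand, never run the stub"
    else:
        report["verdict"] = "archive only: extract with an archiver rather than running it"
    return report


def make_fake_sfx(members):
    """Constructed sample: a fake MZ stub followed by a real ZIP (SFX layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, payload in members.items():
            zf.writestr(member, payload)
    stub = b"MZ" + b"\x00" * 62 + b"fake stub for the example"
    return stub + buf.getvalue()


# Constructed samples, not real files from the torrents in the story.
SAMPLES = {
    "Britney_Spears-Live.mp3.exe": b"MZ" + b"\x90" * 200,
    "movie_part1.exe": make_fake_sfx({"movie_part1.avi": b"\x00" * 32,
                                      "setup_bonus.exe": b"MZ\x90"}),
    "clean_album.exe": make_fake_sfx({"01_track.mp3": b"ID3" + b"\x00" * 16}),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        r = triage(fname, blob)
        print(f"{fname} (shown as {explorer_display_name(fname)!r}): {r['verdict']}")
```

The RAR test is a signature scan, so it cannot list members the way the ZIP branch does; it only tells you an archive is present. The point that survives either way: a file that is an executable and not an archive at all is the case the poster rightly deletes, and an archive that turns out to contain its own .exe is the tag-along installer the thread warns about.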