Slashdot Mirror


Trojan Found At Torrent Sites Insists "Downloading Is Wrong"

NoisySplatter writes "Ernesto, founder of TorrentFreak, reports that a new trojan, 'Troj/Qhost-AC,' has been distributed on The Pirate Bay. The virus was disguised as a serial key generator, and the offending torrent has since been removed, but the source has not been identified. Troj/Qhost-AC makes changes to the user's hosts file that redirects The Pirate Bay, Suprbay, and Mininova to 127.0.0.1. In addition to making three popular torrent sites inaccessible, the virus also plays a sound file that says: 'downloading is wrong.' It looks like someone has finally stepped up to the plate to challenge Madonna for the title of 'Most Obnoxious Anti-Piracy Stunt.' Of course, this could just be the software industry's attempt at outdoing the RIAA and MPAA."

40 of 345 comments

  1. Holy fuck by Anonymous Coward · · Score: 5, Funny

    127.0.0.1 turns out to be *my* private IP address. So everyone with that virus is connecting to my Internet. That would explain why my connection has been so slow lately. I sure hope they find the bastard who did this to me. I'll gladly add my own lawsuit to the pile.

    1. Re:Holy fuck by Chris+Daniel · · Score: 4, Funny

      Do you, by any chance, live in Tuttle, OK?

      --
      Don't blame me -- I voted for Roslin.
  2. Another possibility by EdIII · · Score: 3, Insightful

    This could be the piracy groups themselves throwing this out there to stir up sentiment against the RIAA, MPAA, etc.

    Of course that's like adding a few cords of wood to the fires of HELL, but it is a possibility.

    P.S - This is not nearly as bad as the Sony Rootkit.

    1. Re:Another possibility by Firehed · · Score: 4, Insightful

      It's a trojan - you have no idea what else it's doing. If all it does is screw with your HOSTS file and play a stupid audio track I agree, but it could be doing all sorts of other unknown fun stuff to your machine with the root access it has.

      --
      How are sites slashdotted when nobody reads TFAs?
    2. Re:Another possibility by EdIII · · Score: 5, Insightful

      It's a trojan - you have no idea what else it's doing. If all it does is screw with your HOSTS file and play a stupid audio track I agree, but it could be doing all sorts of other unknown fun stuff to your machine with the root access it has.

      Actually you are factually incorrect. As you can see in the summary and article itself it is referred to as, "Troj/Qhost-AC" by Sophos. That would seem to indicate that at some level it has been reviewed by an Anti-Virus company and I believe they would have tried pretty hard to determine the full capabilities of this Trojan. One could even say it is highly likely.

      Even so, it may have been better for me to say, "This does not at first glance appear to be nearly as bad as the Sony Rootkit turned out to be".

      Let's also remember that the origins of this trojan virus are unknown at the moment while the Sony Rootkit has its origins WELL DEFINED. Those origins being the Sony board members that have yet to receive prison terms for their actions. For those that think that is a little melodramatic, consider what kind of reception any other corporation or private citizen would have received for releasing the same type of rootkit onto the populace.

      If this does turn out to lead back to the feet of people working for the interests of Big Entertainment it will have been done for the same reasons the Sony Rootkit was put out. Their absolute and firm belief that YOU (the customer, citizen, etc.) have ZERO RIGHTS to any privacy or control over your own electronic equipment when their intellectual property is anywhere near it.

      The funny thing is that the only other people that seem to be able to act like that and get away with it are governments. So if you are not the government or Big Entertainment you go straight to Federal Pound Me In The Ass Prison when you do act like them. Isn't that just hilarious?

    3. Re:Another possibility by Culture20 · · Score: 3, Insightful

      I wonder if the ever agenda driven Slashdot would get a little butt hurt if somebody took one of their open-source programs or Linux; they closed sourced it to make it proprietary and hosted it on a torrent website.

      What, like BSD network stack and Windows? I think the BSD people are happy that Microsoft chose to use good code.

      Jail time for a rootkit, geez and here I thought the RIAA might have been a little psycho.

      Yes, jail time for a rootkit. If it makes more sense, it's jail time for hundreds of thousands of rootkits, several hundred in low-security government computers.

  3. Expect the reverse by KDR_11k · · Score: 5, Insightful

    A virus that instead plays "Downloading is right" and redirects the homepages of big software, music and movie companies to piratebay, mininova, etc...

    --
    Justice is the sheep getting arrested while an impartial judge declares the vote void.
    1. Re:Expect the reverse by Anonymous Coward · · Score: 3, Insightful

      Safety in numbers. The more people pirate stuff, the less chance you have of it being actually *you* that gets caught.

  4. Keygens by Metapsyborg · · Score: 5, Insightful

    It's pretty crazy to be running keygens on your system. Every time I do it, I think to myself "what are these guys getting for all their hard work?" The same thing with cracked software - you run an installer yourself; how could the cracker pass up that type of opportunity? I just assume most of them infect your computer with some spyware and trojans.

    --
    (\(\
    (^.^) INFECTED
    (")")
    1. Re:Keygens by Anpheus · · Score: 4, Informative

      Virtual machines baby, boot it up, run the keylogger, run the install up to the point where it gives you whatever you need to install, and then reset the hard drive state.

    2. Re:Keygens by Hal_Porter · · Score: 5, Funny

      I rely on feedback from other downloaders on TPB. If the installer or keygen do bad things, many people will scream in comments. For popular torrents that are more than a month old, that catches malware pretty well. So far, I've no visible problem on my machine with this approach.

      I checked out your machine from here and it seems ok. A bit slow though, makes me wonder what everyone else is running on there.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    3. Re:Keygens by AngryBacon · · Score: 3, Funny

      The authors of Norton Anti-Virus did this already, but most people don't really notice.

    4. Re:Keygens by Anonymous Coward · · Score: 4, Informative

      That is actually a very bad idea. Many default installs of Wine offer access to your entire filesystem (including your home directory). Wine is not an isolated environment like most VMs are. It lets you run Windows applications as native binaries, including viruses and trojans with many of their effects still intact. It is very possible to infect a Linux machine with malicious Windows binaries running in Wine.

      Personally I have never seen a real keygen that did anything other than what it was supposed to. There are some flat out trojans like this article is talking about but I have never seen a working keygen that was malicious. With that said, there is always a first time. I would only run them in a VM and with networking disabled too. Wipe/reset the VM back to a known state afterwards of course.

  5. Re:Running as admin is fun by Hal_Porter · · Score: 3, Informative

    C:\Windows\System32\drivers\etc>cacls hosts
    C:\Windows\System32\drivers\etc\hosts NT AUTHORITY\SYSTEM:(ID)F
                                          BUILTIN\Administrators:(ID)F
                                          BUILTIN\Users:(ID)R

    So only SYSTEM and Admin can write. On Vista with UAC enabled I can't write to it, even though I'm an Admin.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  6. Summary makes it sounds like a virus but it's not. by HumanEmulator · · Score: 4, Insightful

    From everything I've read (the slashdot summary excluded) this isn't really a virus -- it's a straight trojan. That means you would have to be trying to download a serial key generator in order to get it on your system. (ie. It doesn't spread to you from other people's machines.)

    I'm all against nefarious software creeping onto my system, but this is like complaining that the guy you tried to buy drugs from turned out to be a cop.

  7. Re:Please explain to me by MrMista_B · · Score: 5, Insightful

    Well, for one thing, it's illegal, immoral, and unethical. Fighting crime by being a criminal... well, you see where I'm going with that.

    Furthermore, do you want your company to get the reputation of a malware maker and distributor? That's not likely to increase your sales.

    Beyond even that, say, for example, someone repackages the malware you release as a 'linux-iso' or somesuch. Then you would be to blame for destroying the computers of innocent people.

    Y'know, based on this, if I were your boss, I'd fire you, because you're clearly lacking in ethical stability, and making threats such as you have marks you as a company liability. Hmm.

  8. Re:Summary makes it sounds like a virus but it's n by Warhawke · · Score: 4, Insightful

    You're assuming that the keygen downloader does not have the authority (i.e. ownership) of the program in question. Apparently you've never accidentally tossed or misplaced a CD-key.

    So really it's more like the guy you were trying to buy medical marijuana from turned out to be the naggy guy behind the Above the Influence campaign.

  9. Re:Running as admin is fun by BrokenHalo · · Score: 5, Insightful

    C:\Windows\System32\drivers\etc>cacls hosts
    C:\Windows\System32\drivers\etc\hosts NT AUTHORITY\SYSTEM:(ID)F
    BUILTIN\Administrators:(ID)F
    BUILTIN\Users:(ID)R

    Far out. I'll slap the next person who tells me Unix is hard to use, if that's Microsoft's idea of user-friendliness.

  10. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  11. Re:Summary makes it sounds like a virus but it's n by evanbd · · Score: 4, Funny
  12. Re:Running as admin is fun by dov_0 · · Score: 3, Interesting

    Far out. I'll slap the next person who tells me Unix is hard to use, if that's Microsoft's idea of user-friendliness.

    From someone who runs a PC repair business, XP makes Unix look like child's play... Man it even makes doing a Gentoo install look easy.

    Give me a nice clean bash terminal any day.

    --
    sudo mount --milk --sugar /cup/tea /mouth /etc/init.d/relax start
  13. Just wait 'til... by CarpetShark · · Score: 5, Funny

    Just wait 'til you get a dumbass letter from the RIAA saying that the IP 127.0.0.1 has been identified as a computer uploading copyrighted material. Then the shit will really hit the fan ;)

    1. Re:Just wait 'til... by dmsuperman · · Score: 4, Funny

      They would get halfway through the trial before realizing they're sitting on both sides of the court. Incompetent jackasses -_-

      --
      :(){ :|:& };: Go!
    2. Re:Just wait 'til... by BlueStrat · · Score: 4, Funny

      They would get halfway through the trial before realizing they're sitting on both sides of the court. Incompetent jackasses -_-

      And how much do you want to bet they'd still try for a conviction or settlement? :D

      Cheers!

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  14. Re:Summary makes it sounds like a virus but it's n by mqduck · · Score: 4, Funny

    I'm all against nefarious software creeping onto my system, but this is like complaining that the guy you tried to buy drugs from turned out to be a cop.

    What, you don't get pissed when that happens to you?

    --
    Property is theft.
  15. Re:Please explain to me by Craevenwulfe · · Score: 5, Insightful

    The Sony Rootkit affected people who bought shit legally. Where's the fucking relevance?

  16. Re:Please explain to me by Tom9729 · · Score: 3, Interesting

    Because boobytrapping your software would be the equivalent of having a robot shoot the person on the other side of the register when the silent alarm was triggered.

    Works great, but once it's triggered it doesn't differentiate between customers and criminals.

    Say there's a bug in your software that causes it to format the customer's computer because it mistakenly thought they were a criminal. That's a big "oops".

  17. Re:Please explain to me by spathi-wa · · Score: 3, Informative

    It's OK to pull a gun on someone who is robbing your store only if local and state laws specifically say so.

    Downloading and using software without a valid license is not covered by laws that allow the licensed distributor to do anything to other people's data.

    Being other people's data, which the distributor or developer do not and cannot have any rights over, it is unlikely that any such law will be passed.

  18. Re:It literally kills its own spreading method by scream+at+the+sky · · Score: 4, Funny

    Mod parent up. If you can't get to thepiratebay.org anymore, you're gonna reinstall your OS.

    <cynic>
    if you can't get to thepiratebay.org, where are you gonna get your OS from?
    </cynic>

    --
    I wish I was a neutron bomb, for once I could go off...
  19. Re:First? by kdemetter · · Score: 4, Informative

    Well, the trojan has been removed, and I'm sure the user uploading has also been identified and banned.

    If it changes the hosts file, it's easy to identify, and remove.

    We get trojan and virus uploaders all the time, and they are removed at first sight, so this is nothing new, and nothing TPB can't handle.

  20. Interesting artistic action by drx · · Score: 5, Insightful

    Actually I think this is an interesting action. As a communicative act, this trojan shows several things, e.g. that the internet stays an unstable place where everything is mostly determined by convention -- even with pirates -- AND that TPB is taking down torrents they don't like, despite being a stronghold of free speech. Of course "malicious software" is the argument here for removal of the torrent, but who defines what is malicious? In the end TPB caters to the needs of its community, by filtering "content" this community doesn't approve of.

    1. Re:Interesting artistic action by Opportunist · · Score: 3, Insightful

      That's the prerogative of people running a webpage. Detach yourself from the idea that "the internet" is a place without rules. It's not an anarchy, it's a collection of tiny dictatorships, with every server admin being a little dictator.

      The nice thing about the internet, compared to reality, is that you can simply walk away if you don't like the taste of said dictator and create your own little dictatorship.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  21. Re:Nice by ciderVisor · · Score: 3, Funny

    Whatever you do
    Don't become a poet
    That was dreadful. For real.

    Worst. Haiku. Evah.

    --
    Squirrel!
  22. Re:Nice by Crizp · · Score: 4, Interesting

    naninaniyo
    anatanobakayo
    urusaiyo

    Sorry. I have no idea what I'm doing.

  23. OT thread by totally+bogus+dude · · Score: 3, Funny

    Somewhat relevant quote from Clientcopia:

    In my previous life as a fed agent I was often asked to assist with some "undercover" sting operations all over the Northeast US. One of the most memorable was an op in northern Maine. I was to play the brother-in-law of our source whose co-worker had recently asked him if he knew of any good dealers of crack.

    Long story short, they brought me in to sell him crack. We met the "Client" as planned and you should have seen this kid's eyes when I pulled out this giant bag of crack we had obtained from a previous bust. He looked like he was going to start crying, like he had just come to know Jesus or something... anyway he wanted to buy it all, every last gram of it, but he had only brought $150.00 bucks with him.

    I thought for a second and asked him if he had his checkbook on him and he did. I asked him how much money he had in the bank, he told me and I told him he could just write me a check for the total. This kid didn't think twice about it and started writing the thing out. As he was writing he asked me all the usual questions, correct spelling of my name, confirmed the date, then stopped writing for a second, put his pen down, and I started to panic.

    He looked me straight in the eye and he stated that he always wrote down "the reason" in the little space provided in the lower left hand of checks for that purpose. Before I could even speak he picked his pen back up again and started writing, then folded the check in half and handed it to me. Before I handed him the crack I wanted to see what he wrote, so I unfolded the check and read aloud; "For Illegal Drugs", the second I read that out loud we could all hear very loud laughter coming from the room next door. You see I was wired and 6 agents were in the next room, hanging on every word. They knew they had alerted this guy and without delay came charging into the room to arrest him, but what a strange sight it was to see 6 armed feds tearing into a room, guns drawn and laughing so hard they really could not even speak in complete sentences...

  24. The parent is not a troll so mod up please. by gatkinso · · Score: 4, Insightful

    Even though it was probably intended to be a troll, it is worthy of discussion.

    As a responsible software development shop, you should know that you absolutely do NOT want any version of your software floating around that attacks a user's machine.

    All I need to hear is that your Application 2.1 will, say, format a hard drive and delete all partitions... and I would not touch it with a 10 foot pole.

    So. If you want to completely destroy your customer base - go ahead and pull such a stunt.

    --
    I am very small, utmostly microscopic.
  25. Re:Running as admin is fun by marcosdumay · · Score: 3, Insightful

    Try to open regedit someday.

    Anyway, "easy to use" is jargon to "works like Windows" nowadays. So, obviously, Windows is "easy to use", you can't contest that.

  26. Downloading is wrong? by nurb432 · · Score: 3, Interesting

    Tell that to SourceForge.

    If these people are caught with ties to any industry the FTC needs to come down on them, hard.

    --
    ---- Booth was a patriot ----
  27. Madonna has new strategy by fuliginous · · Score: 3, Insightful

    Madonna has since adopted an even nastier tactic, that of producing such lousy crap no one will want to pirate it (specifically her most recent album!).

  28. Thanks - didn't know about suprbay by Werrismys · · Score: 3, Informative

    well, I didn't.

    --
    'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack