Trojan Found At Torrent Sites Insists "Downloading Is Wrong"

← Back to Stories (view on slashdot.org)

Trojan Found At Torrent Sites Insists "Downloading Is Wrong"

Posted by Soulskill on Friday January 9, 2009 @07:13PM from the attack-of-conscience dept.

NoisySplatter writes "Ernesto, founder of TorrentFreak, reports that a new trojan, 'Troj/Qhost-AC,' has been distributed on The Pirate Bay. The virus was disguised as a serial key generator, and the offending torrent has since been removed, but the source has not been identified. Troj/Qhost-AC makes changes to the user's hosts file that redirects The Pirate Bay, Suprbay, and Mininova to 127.0.0.1. In addition to making three popular torrent sites inaccessible, the virus also plays a sound file that says: 'downloading is wrong.' It looks like someone has finally stepped up to the plate to challenge Madonna for the title of 'Most Obnoxious Anti-Piracy Stunt.' Of course, this could just be the software industry's attempt at outdoing the RIAA and MPAA."

25 of 345 comments (clear)

Holy fuck by Anonymous Coward · 2009-01-09 19:23 · Score: 5, Funny

127.0.0.1 turns out to be *my* private IP address. So everyone with that virus is connecting to my Internet. That would explain why my connection has been so slow lately. I sure hope they find the bastard who did this to me. I'll gladly add my own lawsuit to the pile.
1. Re:Holy fuck by Chris+Daniel · 2009-01-09 20:24 · Score: 4, Funny
  
  Do you, by any chance, live in Tuttle, OK?
  
  --
  Don't blame me -- I voted for Roslin.
Expect the reverse by KDR_11k · 2009-01-09 19:25 · Score: 5, Insightful

A virus that instead plays "Downloading is right" and redirects the homepages of big software, music and movie companies to piratebay, mininova, etc...

--
Justice is the sheep getting arrested while an impartial judge declares the vote void.
Keygens by Metapsyborg · 2009-01-09 19:26 · Score: 5, Insightful

It's pretty crazy to be running keygens on your system. Every time I do it, I think to myself "what are these guys getting for all their hard work?" The same thing with cracked software - you run an installer yourself how could the cracker pass up that type opportunity? I just assume most of them infect your computer with some spyware and trojans.

--
(\(\
(^.^) INFECTED
(")")
1. Re:Keygens by Anpheus · 2009-01-09 19:33 · Score: 4, Informative
  
  Virtual machines baby, boot it up, run the keylogger, run the install up to the point where it gives you whatever you need to install, and then reset the hard drive state.
2. Re:Keygens by Hal_Porter · 2009-01-09 19:44 · Score: 5, Funny
  
  I rely on feedback from other downloaders on TPB. If the installer or keygen do bad things, many people will scream in comments. For popular torrents that are more than a month old, that catches malware pretty well. So far, I've no visible problem on my machine with this approach.
  I checked out your machine from here and it seems ok. A bit slow though, makes me wonder what everyone else is running on there.
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
3. Re:Keygens by Anonymous Coward · 2009-01-10 00:57 · Score: 4, Informative
  
  That is actually a very bad idea. Many default installs of Wine offer access to your entire filesystem (including your home directory). Wine is not a isolated environment like most VM's are. It lets you run Windows applications as native binaries, including viruses and trojans with many of their effects still intact. It is very possible to infect a Linux machine with malicious Windows binaries running in Wine.
  Personally I have never seen a real keygen that did anything other than it was suppose to. There are some flat out trojans like this article is talking about but I have never seen a working keygen that was malicious. With that said, there is always a first time. I would only run them in a VM and with networking disabled too. Wipe/reset the VM back to a known state afterwards of course.
Summary makes it sounds like a virus but it's not. by HumanEmulator · 2009-01-09 19:36 · Score: 4, Insightful

From everything I've read (the slashdot summary excluded) this isn't really a virus -- it's a straight trojan. That means you would have to be trying to download a serial key generator in order to get it on your system. (ie. It doesn't spread to you from other people's machines.)
I'm all against nefarious software creeping onto my system, but this is like complaining that the guy you tried to buy drugs from turned out to be a cop.
Re:Please explain to me by MrMista_B · 2009-01-09 19:47 · Score: 5, Insightful

Well, for one thing, it's illegal, immoral, and unethical. Fighting crime by being a criminal... well, you see where I'm going with that.
Furthermore, do you want your company to get the reputation of a malware maker and distributor? That's not likely to increase your sales.
Beyond even that, say, for example, someone repackages the malware you release as a 'linux-iso' or somesuch. Then you would be to blame for destroying the computers of innocent people.
Y'know, based on this, if I were your boss, I'd fire you, because you're clearly lacking in ethical stability, and making threats such as you have marks you as a company liability. Hmm.
Re:Summary makes it sounds like a virus but it's n by Warhawke · 2009-01-09 19:54 · Score: 4, Insightful

You're assuming that the keygen downloader does not have the authority (i.e. ownership) of the program in question. Apparently you've never accidentally tossed or misplaced a CD-key.
So really it's more like the guy you were trying to buy medical marijuana from turned out to be the naggy guy behind the Above the Influence campaign.
Re:Another possibility by Firehed · 2009-01-09 20:07 · Score: 4, Insightful

It's a trojan - you have no idea what else it's doing. If all it does is screw with your HOSTS file and play a stupid audio track I agree, but it could be doing all sorts of other unknown fun stuff to your machine with the root access it has.

--
How are sites slashdotted when nobody reads TFAs?
Re:Running as admin is fun by BrokenHalo · 2009-01-09 20:08 · Score: 5, Insightful

C:\Windows\System32\drivers\etc>cacls hosts
C:\Windows\System32\drivers\etc\hosts NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
Far out. I'll slap the next person who tells me Unix is hard to use, if that's Microsoft's idea of user-friendliness.
Comment removed by account_deleted · 2009-01-09 20:10 · Score: 4, Insightful

Comment removed based on user account deletion
Re:Summary makes it sounds like a virus but it's n by evanbd · 2009-01-09 20:17 · Score: 4, Funny

Or like complaining that instead of office chair, package contained bobcat.
Just wait 'til... by CarpetShark · 2009-01-09 20:22 · Score: 5, Funny

Just wait 'til you get a dumbass letter from the RIAA saying that the IP 127.0.0.1 has been identified as a computer uploading copyrighted material. Then the shit will really hit the fan ;)
1. Re:Just wait 'til... by dmsuperman · 2009-01-09 21:14 · Score: 4, Funny
  
  They would get halfway through the trial before realizing they're sitting on both sides of the court. Incompetent jackasses -_-
  
  --
  :(){ :|:& };: Go!
2. Re:Just wait 'til... by BlueStrat · 2009-01-09 23:19 · Score: 4, Funny
  
  They would get halfway through the trial before realizing they're sitting on both sides of the court. Incompetent jackasses -_-
  And how much do you want to bet they'd still try for a conviction or settlement? :D
  Cheers!
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
Re:Summary makes it sounds like a virus but it's n by mqduck · 2009-01-09 20:25 · Score: 4, Funny

I'm all against nefarious software creeping onto my system, but this is like complaining that the guy you tried to buy drugs from turned out to be a cop.
What, you don't get pissed when that happens to you?

--
Property is theft.
Re:Please explain to me by Craevenwulfe · 2009-01-09 20:42 · Score: 5, Insightful

The Sony Rootkit affected people who bought shit legally. Where's the fucking relevance?
Re:It literally kills its own spreading method by scream+at+the+sky · 2009-01-09 20:58 · Score: 4, Funny

Mod parent up. If you can't get to thepiratebay.org anymore, you're gonna reinstall your OS.
<cynic>
if you can't get to thepiratebay.org, where are you gonna get your OS from?
</cynic>

--
I wish I was a neutron bomb, for once I could go off...
Re:First? by kdemetter · 2009-01-09 21:36 · Score: 4, Informative

Well , the trojan has been removed , and i'm sure the user uploading has also been identified and banned.
If it changes the hosts file , it's easy to identify, and remove.
We get trojan and virus uploaders all the time, and they are removed at first sight, so this is nothing new, and nothing TPB can't handle.

--
Slipping shoelaces ?
Interesting artistic action by drx · 2009-01-09 21:38 · Score: 5, Insightful

Actually i think this is an interesting action. As a communicative act, this trojan shows several things, e.g. that the internet stays an unstable place where everything is mostly determined by convention -- even with pirates -- AND that TPB is taking down torrents they don't like, despite being a stronghold of free speech. Of course "malicious software" is the argument here for removal of the torrent, but who defines what is malicious? In the end TPB caters to the needs of its community, by filtering "content" this community doesn't approve of.
Re:Another possibility by EdIII · 2009-01-09 22:39 · Score: 5, Insightful

It's a trojan - you have no idea what else it's doing. If all it does is screw with your HOSTS file and play a stupid audio track I agree, but it could be doing all sorts of other unknown fun stuff to your machine with the root access it has.
Actually you are factually incorrect. As you can see in the summary and article itself it is referred to as, "Troj/Qhost-AC" by Sophos. That would seem to indicate that at some level it has been reviewed by a Anti-Virus company and I believe they would have tried pretty hard to determine the full capabilities of this Trojan. One could even say it is highly likely.
Even so, it may have been better for me to say, "This does not at first glance appear to be nearly as bad as the Sony Rootkit turned out to be".
Let's also remember that the origins of this trojan virus are unknown at the moment while the Sony Rootkit has it's origins WELL DEFINED. Those origins being the Sony board members that have yet to receive prison terms for their actions. For those that think that is a little melodramatic, consider what kind of reception any other corporation or private citizen would have received for releasing the same type of rootkit onto the populace.
If this does turn out to lead back to the feet of people working for the interests of Big Entertainment it will have been done for the same reasons the Sony Rootkit was put out. Their absolute and firm belief that YOU (the customer, citizen, etc.) have ZERO RIGHTS to any privacy or control over your own electronic equipment when their intellectual property is anywhere near it.
The funny thing is that the only other people that seem to be able to act like that and get away with it are governments. So if you are not the government or Big Entertainment you go straight to Federal Pound Me In The Ass Prison when you do act like them. Isn't that just hilarious?
Re:Nice by Crizp · 2009-01-10 01:07 · Score: 4, Interesting

naninaniyo
anatanobakayo
urusaiyo
Sorry. I have no idea what I'm doing.
The parent is not a troll so mod up please. by gatkinso · 2009-01-10 01:32 · Score: 4, Insightful

Even though it was probbaly intended to be a troll, it is worthy of discussion.
As a responsible software development shop, you should know that you absolutely do NOT want any version of your software floating around that attacks a users machine.
All I need to hear is that your Application 2.1 will say, format a harddrive and delete all partitions... and I woould not touch it with a 10 foot pole.
So. If you want to completely destry your customer base - go ahead and pull such a stunt.

--
I am very small, utmostly microscopic.