BitTorrent Malware Spreads to Media Players

Written by enigmax on May 22, 2007 

When someone or something becomes a huge success, inevitably some people want a piece of that and try to cash in. The BitTorrent scene is no exception and in recent months we have reported on a raft of torrent clients hitting the internet, each installing malware on unsuspecting users’ PCs. Sadly this disease is now spreading to their latest tool: malware-infected media players.

We have regularly reported on BitTorrent clients which also install malware, such as Torrent101, BitRoll, TorrentQ and GetTorrent, and have done our very best to let people know about the dangers of using such products.

Unfortunately, as fast as we report such things, the malware peddlers create yet more bad clients with new names, but carrying the same bad story. However, these guys are very determined to get software such as CIDHELP on your machine, ready to watch your activities and to this end have become quite creative. Recently BitTorrent users are reporting that they have downloaded various pieces of video (usually a TV show) only to be confronted with a message during the first few seconds of the video which advises them to download a new media player called 3wPlayer, in order to view the rest of the file.

The displayed URL directs the unsuspecting to the Play3W site, where they are given the chance of installing a shiny new media player.

[Screenshot: 3wPlayer]

From the screenshot you will see that there is a ‘more’ button and when you install this player ‘more’ is exactly what you get: more malware in the form of CIDHELP, yet again. It can be a difficult task to uninstall it too, especially when you consider the veiled legal threat on the CIDHELP site: the vendor warns you could be in breach of the EULA if you try to remove it with your anti-spyware software. To get rid of the software, they advise you to first turn off your anti-adware/spyware software and re-install the software, something that rings a few alarm bells!

It may seem that every pusher in the world is getting involved in the BitTorrent malware scene, but a simple WHOIS on all the domains hosting the torrent clients listed above (Torrent101, for example), including the 3wPlayer site, reveals that they are more than likely the same outfit, exploiting the less experienced members of the BitTorrent community. Anyone concerned about a particular torrent should take the time to read the user comments on the site where the torrent was downloaded from. Very often problems such as fake files are spoken about there.

Anyone needing a media player that will deal with almost any video format should consider the excellent VLC Media Player, available for free download. Those who still haven’t settled on a quality BitTorrent client will find everything they need by getting uTorrent. No spyware, adware or malware present in either product.


74 Responses


1 May 22, 2007 at 16:13 by Johan Emeren

I tipped on this :D xD

2 May 22, 2007 at 17:07 by asia4all

Why that fucker still get money as criminal? He try hard installing trojans on your machines! That ass is very demanding for money! Better he takes it and go fucking bitch as soon he will go to jail.

3 May 22, 2007 at 18:48 by enigmax

“I tipped on this :D xD”
You asked us to look at it and we did ;) Thanks

4 May 22, 2007 at 21:06 by ph

yay, fell for it as well :) that is, I downloaded a fake which wanted me to install this shiny new player, anyhow I just deleted it. But just to get this clear: These fakes are just to advertise their spyware and not somehow include the malware in the .avi itself? so - no harm done if you just delete it straight away?

5 May 22, 2007 at 21:09 by Jasper van Weerd

“I tipped on this :D xD”

Fipo… amazing that TF gets this now too… ;)

6 May 22, 2007 at 22:34 by smartass

I put in a review of the website to McAfee SiteAdvisor for this site. Hopefully people will see it and not download the program.

7 May 23, 2007 at 09:42 by wrd

i am just waiting for a massive video attack. malformed video streams which hijack your machine via your media player …

who needs vulnerable services if there are plenty of vuln media players online.

recent adobe photoshop png bugs for example could just pop a remote shell.

8 May 23, 2007 at 12:48 by tatootian

9 May 23, 2007 at 15:07 by nofollow for the win

maybe not the smartest idea to have the 3 “another” links to the Homepages of the malware clients without a nofollow tag.

you don’t want to give them extra pagerankings in google, would you enigmax?

10 May 24, 2007 at 03:44 by Unsub

I found one of these on a copy of 28 Weeks Later from Piratebay. As soon as the “you need our player” message came on I knew it was bogus. They even used AXXO’s name to fool people with.

11 May 24, 2007 at 07:26 by Franky

It even looks fake. How can people be tricked by that?

12 May 24, 2007 at 10:30 by Ryan

It’s called open source guys.

13 May 24, 2007 at 19:11 by T

“Recently BitTorrent users are reporting that they have downloaded various pieces of video (usually a TV show) only to be confronted with a message during the first few seconds of the video”

How does that work? What media file formats are we talking about here? Does this presuppose that the machine is already malware infected?

14 May 28, 2007 at 10:04 by qr7z

“But just to get this clear: These fakes are just to advertise their spyware and not somehow include the malware in the .avi itself?”

Generally, yes, since media files need to be played in external programs. Be aware that Windows has a “feature” that hides known extensions, so potentially dangerous files can appear harmless by default - for example, “malware.avi.exe” might look like “malware.avi”. I have seen viruses take advantage of this, so I recommend changing it to show all extensions.

You should also keep your player and other software reasonably current, because it is possible to exploit vulnerabilities using hacked media files. Although this is hard, there are still a few websites using special wmf files to infect unpatched computers. I wouldn’t put it past them to do the same thing through BitTorrent as new vulnerabilities are discovered.

Finally, remember that these are professional criminals who are always trying something new. For example, some legitimate torrents include codecs “just in case”, and it’s possible that criminals might try the same thing - for example by providing an unplayable avi/mkv and fake codecs that install malware. Use common sense and don’t let your guard down.
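
The “malware.avi.exe” case from the comment above, as an added example that is not part of the original article or comment thread: a Python check for a download folder that flags a media-looking name ending in an executable extension. It goes one step beyond the comment by also comparing the file's leading bytes with what the name claims. The extension sets, finding names and sample files are assumptions constructed for this example.

```python
import os
import tempfile

# Extension sets are assumptions for this example, not an exhaustive policy.
MEDIA_EXTS = {".avi", ".mkv", ".wmv", ".mpg", ".mp4"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def sniff(header):
    """Classify a file by its leading bytes instead of its name."""
    if header[:2] == b"MZ":
        return "executable"                      # DOS/PE program
    if header[:4] == b"RIFF" and header[8:12] == b"AVI ":
        return "avi"
    return "unknown"

def check_file(path):
    """Return the findings for one downloaded file (empty list if none)."""
    stem, last = os.path.splitext(os.path.basename(path).lower())
    inner = os.path.splitext(stem)[1]
    with open(path, "rb") as fh:
        kind = sniff(fh.read(12))
    findings = []
    if last in EXEC_EXTS and inner in MEDIA_EXTS:
        findings.append("double-extension")      # listed as "x.avi" when extensions are hidden
    if last in MEDIA_EXTS and kind == "executable":
        findings.append("executable-content")    # program renamed to look like video
    elif last == ".avi" and kind != "avi":
        findings.append("header-mismatch")       # name says AVI, header does not
    return findings

def scan(directory):
    """Map each suspicious file name under directory to its findings."""
    paths = [os.path.join(r, f) for r, _d, fs in os.walk(directory) for f in fs]
    return {os.path.basename(p): h for p in paths if (h := check_file(p))}

def demo():
    samples = {  # constructed 12-byte headers, not real media or programs
        "show.s01e01.avi": b"RIFF\x00\x00\x00\x00AVI ",
        "show.s01e02.avi.exe": b"MZ\x90\x00" + b"\x00" * 8,
        "movie.mkv": b"MZ\x90\x00" + b"\x00" * 8,
        "clip.avi": b"\x00" * 12,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan(tmp)
```

A clean result only means the name and header agree; a file that is a valid AVI but merely shows the “install this player” message passes these checks, so the advice about reading the torrent's comments still applies.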

15 May 28, 2007 at 22:13 by cisco

ok so like if i download the VLC media player will i be able to watch the movie i downloaded or did i just waste a day downloading a movie that is fake. Oh and it had AXXO on it.

16 May 30, 2007 at 20:43 by phorty40

@ph
you’ll be fine as long as you don’t download the player itself

@cisco
you wasted a day man, sorry about that.

17 Jun 08, 2007 at 11:48 by mapi

Crap, I downloaded Pirates of the Caribbean 3. It took me 14 days. Now I’m simply stuck with a 4,5 gig video containing “Only … can play this video” bla bla bla. Wasted my time, I’ll kill these guys!

18 Jun 09, 2007 at 04:53 by Shane Freemantle

I just downloaded the player and managed to disable all the crap in it within a few minutes. The player still works fine, it’s quite a good piece of software. And I don’t work for them or anyone else. My Spyware-Watcher shows nothing now and my system isn’t running any unwanted processes. I managed to fix it, I am not sure the spyware is necessary in a piece of software like this, it’s good as it is.

19 Jun 11, 2007 at 12:30 by T

Another axxo imposter - I tried downloading “Shooter,” but came up with the 3wplayer screen in wmp.
So if this is a simple codec problem, then installing a codec combo from http://www.cccp-project.net/ should solve the problem. But still I don’t see why downloading any other player should matter.

20 Jun 14, 2007 at 06:43 by saskmale

I downloaded what I thought was Oceans 13, and after working with the 3wplayer, I did get a video to play (other than the download blah blah blah). Problem is, it’s Shrek 3.
That’s the good news, it’s a great copy. Bad news, I can’t get it to burn to a disk to view on tv. I’d hate to look for another version. Anybody ever get through 3wplayer to see a movie? Did you get to convert to another format?

21 Jun 15, 2007 at 23:29 by Merciless

I downloaded another stupid 3wplayer movie (Pirates 3) and luckily I read the agreement page with the end-user agreement statement about all of the data that will be transmitted from and to my pc. Point being: ALWAYS READ THAT CRAP! The file shows as Divx3 format, but only repeats the 3wplayer message. I think it’s some bs personally!

22 Jun 24, 2007 at 13:47 by na

if these files are real it stores 2 indexes of the avi etc. so when normal players read it it plays the bogus 3w player msg. if a file is real i imagine it skips to index 2. possibly we can make a program to strip off the first index few bytes etc to fix the files but there’s no real way to tell if it’s real off the bat in preview if i see the message i delete.
