TorrentFreak

The place where breaking news, BitTorrent and copyright collide

BitTorrent Shrugs Off Massive Malware Attack

Described as “One of the most prevalent pieces of malware in the last three years,” the Downloader-UA.h trojan is running wild on P2P networks. But thanks to its system strength – and the work of torrent site moderators – such outbreaks are shrugged off by BitTorrent.

Anti-piracy outfits, like all organizations fighting against massive odds, rely heavily on the media to amplify their message. Whether it’s some fringe group exploding a trash can to get attention or someone chaining himself to a prominent building in protest, using the media is relatively cheap and effective. Organizations like the RIAA and IFPI like to play the fear card to reduce file-sharing, so a nasty malware attack on P2P networks, affecting up to 27% of tested PCs this week, is a dream come true for them, as they continue to spread their message that P2P networks are nothing but trouble.

However, in a testament to its structure and security, BitTorrent is almost immune from these types of attacks, and that is why you never hear the RIAA and IFPI talk about viruses and BitTorrent in the same announcement. In terms of sharing files and avoiding malware, BitTorrent does really well.

This recent malware attack revolved around people downloading files which were renamed to look like music and movies, but instead engineer a situation where lots of other stuff gets installed on the host PC, causing all sorts of problems. While viewing some of the filenames listed by McAfee, I had to remind myself that I was a novice once too – but it was still a stretch for me to believe so many people would download files that look like these:

preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-peanut butter jelly amende.mp3

The good news is that the chances of these types of files appearing on BitTorrent are very low, as trackers have moderators who remove such junk, something which is largely impossible on Gnutella (LimeWire) and eMule (ed2k). As long as the ‘infected’ users keep this stuff in their shared folder, there is little that can be done to stop it spreading. If they don’t clean this stuff out, no-one will, and it’s in this department BitTorrent comes out tops – again.

First of all, BitTorrent isn’t a ‘folder sharing’ client like LimeWire or KaZaA, which means that the user needs to use a torrent site to distribute (publish) his torrent. If the content is legitimate (and there are very few rules in most places, save obviously illegal material) the .torrent file will be up for all to download, with links to malware and viruses mostly filtered out by humans – otherwise known as ‘mods’ or ‘moderators’.

BitTorrent has thousands of hard working and largely unpaid moderators, who work tirelessly to make sure that files like these don’t make it to the BitTorrent user’s computer. In reality, files presented like the ones above could never slip by the site mods, they would see them a mile away and remove them quickly.

BitTorrent isn’t 100% malware free but compared to Gnutella and ed2k, it is astonishingly healthy and that is largely down to the strength of the system and the mods, who work non-stop behind the scenes to keep BitTorrent an enjoyable experience.

For the few small things that slip through the net, try our guides.


  • Erich

    I’m confused, how can MP3-files carry malware? I don’t get the McAfee write-up, but I’m guessing there is a link in the ID3 tags somehow? I need a link so I can ‘investigate’ :)

  • Karma

    I haven’t really learnt anything from this article.. maybe because I already knew it or there’s just nothing in it to care about. *scratches head*

    Slow day at Torrentfreak methinks :/

  • Yaya

    [quote comment="380264"]I’m confused, how can MP3-files carry malware? I don’t get the McAfee write-up, but I’m guessing there is a link in the ID3 tags somehow? I need a link so I can ‘investigate’ :)[/quote]

    I agree with this sentiment? Are we sure it’s not lalala.mp3.exe or similar?

    Is it using an exploit?

  • Aninhumer

    “When a user attempts to load one of these MP3 and MPG files, they do not get the music/video they were hoping for; instead they are directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip whatsoever.”

    Exploiting some kind of DRM scheme/codec download?

  • ANTI-anti-p2p

    Those anti-p2p companies also like to upload viruses like:
    sdbot
    virtumundo

    They even go so far as copying the more popular torrents and infecting them with a nasty trojan, and you won’t even notice.

    Use virustotal.com to scan a single file with over 20 virus scanners.

  • Matt

    I use shareaza for some of my downloads and I see these things all the time. There are usually 15-20 different files that pop up in any type of search, and I mean any search. If you do a search for say, Matt, some of the first and best hosted files will be stuff like matt.mp3, matt((CRACKED)).rar and bullshit like this. What I’d like to know is the number of RIAA/MPAA controlled computers that are the hosts for these files and the ones mentioned in the article. Somehow I just can’t believe that someone would be stupid enough to download these files in the first place; if it doesn’t match what you were looking for, don’t download it.

  • Matt

    Usually those files all come from the same IP ranges too.

  • Crandom

    [quote comment="380264"]I’m confused, how can MP3-files carry malware? I don’t get the McAfee write-up, but I’m guessing there is a link in the ID3 tags somehow? I need a link so I can ‘investigate’ :)[/quote]

    They are called ‘fleas’ – small pieces of executable code that are embedded into the media file that exploit bugs in the codec (esp the wmp core codecs and quicktime) that allow the code to be executed. The real danger with these is, like with the 1990s word macro viruses, these pieces of code are fairly platform independent and the virus can propagate on almost any system.

    Also, the media file may ask you or your media player to download a codec to run it (like the ActiveX.Video-codec you may be asked to download on several sites) that then runs code every time that codec is used, and is far more dangerous, although only tends to infect Windows boxes.

    The file usually doesn’t run as the fleas either corrupt the file or there is no actual video data as the virus uploader tries to keep the filesize small so it can be easily distributed and ‘attractive’ to download.

    Moral of the story: Don’t download movies that are 443.13kb!

  • Snake

    Actually, many of the viruses replicate themselves so after you are infected, you become another source IP spreading it even further.

    I always look at file sizes before downloading. If a music file shows up being much smaller than it should, consider it suspicious. Most virus-infected files I’ve seen are less than 1 MB while a typical music mp3 is 3 MB or more.

  • Linda

    Hello mates, I found Tagoo.ru/en it is mp3 search engine, no ads no viruses, it works great if you are searching for singles.

  • kdsde (A “MOD” somewhere)

    While I’d like to thank enigmax for his praise of all the BitTorrent Site Mods that work everywhere “behind the scenes”, let me remind the readers of torrentfreak that MODs are not omnipotent and can’t be looking after every upload!

    That’s especially true if MODs do what they do on public sites where there is a constant flow of torrent after torrent 24/7/365.

    It is therefore important that the USERS do their part too by not only following the guide on how to avoid “bad” torrents but also reporting those that slipped through the watchful eyes of MODs via the contacting avenues that every BT site has in place.

    For “my workplace” for example that would be either via
    http://www.suprbay.org/forumdisplay.php?f=34
    or even faster via
    irc://irc.efnet.net/thepiratebay.org

  • Anonymous

    [quote comment="380311"]
    Also, the media file may ask you or your media player to download a codec to run it (like the ActiveX.Video-codec you may be asked to download on several sites) that then runs code every time that codec is used,[/quote]
    Users that use Windows Media Player are noobs…
    People, use a GOOD media player such as VLC and many others… they don’t ask you to download any crap in order to watch a video.
    Thank god we aren’t in the 1990s anymore.
    Just be smart and you won’t get into (much) (big) trouble.

  • Crandom

    ^ As above, use VLC. It IS the best: http://www.videolan.org/vlc/

    Also use Linux for extra protection: http://www.ubuntu.com/

    Torrent for 8.04 Hardy Desktop LiveCD i386: http://releases.ubuntu.com/8.04/ubuntu-8.04-desktop-i386.iso.torrent

    And all other releases at: http://releases.ubuntu.com/8.04/

  • Anonymous

    [quote comment="380320"]Hello mates, I found Tagoo.ru/en it is mp3 search engine, no ads no viruses, it works great if you are searching for singles.[/quote]

    hello bro, wrong site; hope you get your ip banned by mods for this.
    other than that, what’s new in russia?

  • noname

    ha- “shrugs off massive malware attack”… and then through the article you show how small, easily contained and obvious the malware was… becoming a hype-machine TF, very rapidly…

  • Karma

    I agree with #14

    If you read carefully and understand viruses, you will find this article is nothing but over-hyped scaremongering.

    Its value as “news” is absolutely zero.

    pretty poor if you ask me.

  • big lebowwowowowski

    i myself have gotten a .avi file, tried to play it, and was told to dl a codec.
    of course i deleted it, but i went into ‘properties’ and it was still pegged as an avi….

    and before ya laugh, it looked nothing like files mentioned above.(because im not a fucking idiot)
    fuckin torrent had 93 seeds on mininova!
    they REALLY need the comment sector on the same page as .tor
    rant over
    *sigh*

  • :-)

    Linux and goodbye viruses.

  • Phil

    I agree with 16 about comments on mininova. I usually try to put my comments on the torrent.com site where it might actually be read

  • Phil

    that’s “torrentz.com”

  • Rapper Alliance

    yo da enemiez be tryin to infect us
    but we be gettin on da malware free bus

  • JAg

    This whole malware “attack” was aimed at total newbies anyway… after you download one of these it asks you to install X player to play it back… and who in their right mind clicks an .exe that comes attached with your mp3 or movie file?

    Full article and details are here:
    http://arstechnica.com/news.ars/post/20080508-alluring-mp3-movies-hit-limewire-install-malware-instead.html

    Hope that helped!

    Cheers!

    http://www.ezee.se/

  • sbga

    Why the fuck would you use shareaza or the gnutella or the donkey shit network??? limewire is for noobs. fucking lamers

  • voice of reason

    [quote comment="380353"]ha- “shrugs off massive malware attack”… and then through the article you show how small, easily contained and obvious the malware was… becoming a hype-machine TF, very rapidly…[/quote]
    that’s the whole point!! It doesn’t affect bittorrent!! There has been 500,000 infections on the other networks, this article is entirely justified, read it ffs! Bittorrent pwnz gnutella, thanks for reminding us!!

  • fuzzypiggy

    The biggest trouble is muppets who don’t understand how to use their machines, the P2P options and leaving, they keep the “hide known extensions” on their Windows file mangler. Stupid 10 year old muppet downloads porno69.mpg from Shitewire, doesn’t realise that it’s actually called porno69.mpg.EXE, double clicks it and hey presto, another one bites the dust!

    I still think PCs, power tools and lawnmowers should all have written tests, before you are allowed to own one, like cars and guns!

  • jerky

    Umm, no, you can’t really get a virus from a MP3 or MPEG file unless you’re using some shitty media player like WMP and even then the file must be crafted to EXPLOIT a flaw in said player and that player only.

    I’d bet dollars to donuts that you could open any of these files in VLC and nothing would happen. There’s no such thing as an exploit that works across all media players.

    The only way this could get around is if it’s like a previous commenter described, these files are really .EXE and stupid fuckers are actually running them. If that’s the case, this is such non-news.

    Terrible journalism at best here, you would think the writer of this article would have asked the obvious questions, but I guess not.

  • jerk-ass

    BTW if you use Linux or anything else with permission-based filesys then all files saved by your client are marked as non-executable anyways. Problem solved, unless you’re working with .rar stuff.

    I’m surprised people still run that microsoft shit these days.

  • Jag

    This is the whole article on how this malware is functioning… it requires you to install a player… few other than newbs are gonna fall for this.

    http://arstechnica.com/news.ars/post/20080508-alluring-mp3-movies-hit-limewire-install-malware-instead.html

    Hope that helped!
    Cheers!
    http://www.ezee.se/

  • Jag

    What the heck is going on? I pasted a link to a related article on ars tech and my comment didn’t get posted… is mentioning Ars banned here or something??

  • http://neuron2neuron.blogspot.com Ben Jones

    Jag, it would seem that if the large portion of a post is a link, the system flags it up for approval, in case it’s spam. That’s what happened with your post. Relax, no conspiracy here, just an attempt to deal with spam and link-bombing.

  • Anonymous

    [quote]Whether it’s a some fringe group exploding a trash can to get attention or someone chaining himself to a prominent building in protest, using the media is relatively cheap and effective.[/quote]
    Why do not pro file-sharers get media attention and play the persecution card? Are they so apathetic to their beliefs that they just do nothing?

  • JuanDoe

    I don’t see the point of this article – it says nothing. What is the point of quoting a load of filenames and saying you should know better. Any file can be called anything. Smug is not a good way to help people – tell them something that will help them. I suspect this site is not all it purports to be.

  • —_____—

    [quote comment="380410"]Why the fuck would you use shareaza or the gnutella or the donkey shit network??? limewire is for noobs. fucking lamers[/quote]

    The ed2k network doesn’t depend on trackers like bittorrent. Because of the Kad protocol not even servers are needed anymore.

    Should a few larger BT trackers like TPB fall the ed2k network will still be up and running through Kademlia

    The risk of downloading crap on ed2k is pretty small if you use common sense

  • Jag

    [quote comment="380472"]Jag, it would seem that if the large portion of a post is a link, the system flags it up for approval, in case it’s spam. Thats what happened with your post. Relax, no conspiracy here. just an attempt to deal with spam, and link-bombing[/quote]

    Sorry, posted it around 3 times and did check back after more than an hour, couldn’t understand it as whatever I posted before on TF always gets displayed in around a min.
    Totally respect your security in place to limit the spamming bastards, they really spoil it for everyone.
    I use Akismet on my site, you might want to look it up, it catches most of the garbage out there (disclosure: am not in any way connected to this product, just an end user like a lot of others)

    this is their link:
    http://codex.wordpress.org/Akismet

    Cheers!
    http://www.ezee.se/

  • Jag

    [quote comment="380501"] I suspect this site is not all it purports to be.[/quote]
    And what exactly does this site “purport” to be? It just reports news that is related to filesharing and mostly torrents… so it’s a slow news day, give them a break will ya?

  • lol

    [quote]Organizations like the RIAA and IFPI like to play the fear card to reduce file-sharing so a nasty malware attack on P2P networks, affecting up to 27% of tested PCs this week, is a dream come true for them, as they continue to spread their message that P2P networks are nothing but trouble.[/quote]

    Wow what a charged statement. It’s basically the equivalent of calling pirates terrorists. Are you seriously trying to imply that the RIAA or MPAA is behind this without even trying to link to proof?

  • dwpbike

    [quote comment="380410"]Why the fuck would you use shareaza or the gnutella or the donkey shit network??? limewire is for noobs. fucking lamers[/quote]

    i’ve found amule to be handy when i’m looking for somewhat obscure music; e.g., japancakes. able to get entire album that wasn’t “out there”, either as torrent or rapidshare, etc.

  • Anonymous

    Why are there so many dumbfucks posting here? This has nothing to do with .exe files at all, you stupid morons. It’s about mislabeled ASF files. Whose fault is it? In case of ASF: Microsoft. The same is also possible with Quicktime files which means it’s Apple’s fault.

    These files can embed URLs which will be accessed automatically by your browser, if you open them with the standard players like Microsoft’s Windows Media Player (WMP) or Apple’s Quicktime. Blame Microsoft and Apple for adding such a redundant but extremely dangerous feature to these container formats. These corporations are absolutely incapable of learning anything from their mistakes. This kind of vulnerability is very close to their other high-profile mistakes but they’re doing it over and over again.

    It’s absolute bullshit if people claim you can’t get viruses/worms/trojans from pictures, videos or audio files. You can, you will. Moreover, these kinds of people are too dense to understand that an average user has virtually no possible way to tell the difference between active and passive content. The line between these is already heavily blurred because the anti-social, clueless, narrow-minded morons called “IT people” keep adding illogical, dangerous, misleading features to file formats and software that make it useless to apply common-sense or the like.

    All of this has very little to do with P2P anyway. There are a lot of evil, infected websites out there trying and succeeding in installing malware. Infections through P2P are just the tip of the iceberg, infections through the web and email are dominating by far.

    People claiming “Gnutella is for n00bs” have it backwards. BitTorrent is for n00bs because it gives you far less options to do something wrong and almost everything is controlled through bottlenecks called index sites. That doesn’t mean BitTorrent is safe or secure. It sure isn’t but the right option for n00bs is BitTorrent and nothing else.

    For morons there’s only one option: Pull the plug.
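
Added example (not part of the original article or any comment): a defender-side triage of a downloaded file using the checks the commenters describe, namely a double extension, an ASF container behind a non-ASF media extension, and a size well under 1 MB. The function names, the extension sets and the 1,000,000-byte threshold are assumptions; the sample header bytes and sizes are constructed.

```python
from __future__ import annotations

import os

# 16-byte ASF Header Object GUID as it appears at offset 0 of an ASF/WMV/WMA file.
ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

# Assumed policy sets for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat"}
MEDIA_EXTS = {".mp3", ".mpg", ".mpeg", ".avi", ".wmv", ".wma", ".asf"}
ASF_EXTS = {".asf", ".wmv", ".wma"}
# Assumption: the "less than 1 MB" rule of thumb from the comment thread.
MIN_PLAUSIBLE_SIZE = 1_000_000


def sniff_container(head: bytes) -> str:
    """Classify a file by its first bytes, ignoring its name."""
    if head.startswith(ASF_GUID):
        return "asf"
    if head.startswith(b"MZ"):  # DOS/PE executable stub
        return "pe-executable"
    # ID3v2 tag, or an MPEG audio frame sync (11 set bits); heuristic only.
    if head.startswith(b"ID3") or (
        len(head) >= 2 and head[0] == 0xFF and head[1] & 0xE0 == 0xE0
    ):
        return "mp3"
    # MPEG program stream pack header or video sequence header.
    if head.startswith((b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3")):
        return "mpeg"
    if head[:4] == b"RIFF" and head[8:12] == b"AVI ":
        return "avi"
    return "unknown"


def triage(name: str, head: bytes, size: int) -> list[str]:
    """Return the list of warning labels for one file."""
    findings = []
    stem, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(stem)[1]
    kind = sniff_container(head)

    # "clip.mpg.EXE": looks like media when known extensions are hidden.
    if ext in EXECUTABLE_EXTS and inner_ext in MEDIA_EXTS:
        findings.append("double-extension")
    # Executable bytes behind a media extension.
    if kind == "pe-executable" and ext in MEDIA_EXTS:
        findings.append("executable-content")
    # ASF container named .mp3/.mpg/.avi: the mislabeling described above.
    if kind == "asf" and ext in MEDIA_EXTS and ext not in ASF_EXTS:
        findings.append("asf-mislabeled")
    # Too small to plausibly hold the advertised song or movie.
    if ext in MEDIA_EXTS and size < MIN_PLAUSIBLE_SIZE:
        findings.append("implausibly-small")
    return findings


def triage_path(path: str) -> list[str]:
    """Run the same checks on a file on disk (reads only the first 16 bytes)."""
    with open(path, "rb") as f:
        head = f.read(16)
    return triage(os.path.basename(path), head, os.path.getsize(path))


# Constructed samples: the first filename is one listed in the article,
# the header bytes and sizes are made up for the demonstration.
SAMPLES = [
    ("t-3545425-just got lucky.mp3", ASF_GUID + b"\x00" * 8, 450_000),
    ("holiday-clip.mpg.EXE", b"MZ\x90\x00", 300_000),
    ("album-track.mp3", b"ID3\x03\x00", 4_200_000),
]

if __name__ == "__main__":
    for name, head, size in SAMPLES:
        print(f"{name!r}: {triage(name, head, size) or 'no findings'}")
```

A file that passes these checks is not thereby safe; the checks only catch the mislabeling patterns discussed in this thread.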

  • Anonymous

    38

    Claiming that an index site is a bottleneck is just laughable, as bittorrent is THE dominating protocol out there, despite its very centralized setup. The thing that makes bittorrent stand out from all of the other protocols in use is the fact that it was built for speed and large files.

    But, as you say, the fault for getting a virus lies on the end user who’s often relying on some security “suite” like norton or mcafee to lie to them that all is alright with the world.

    If one wants to be completely secure, they have to constantly check and recheck their computer for odd behaviour, and turn off all automatic stuff, because that’s ALWAYS the road in for crapware like this.

    However… I must admit that I didn’t even notice that the bittorrent network “shrugged off” any attacks :S

  • Garvy

    Don’t forget also that people are less likely to seed garbage back out to other users if it adversely affects their machine/bandwidth.

  • tux

    i got one of these yesterday ya found it in my firefox cache whats it meant to do anyway ????

  • k3nt

    Its not just the moderators, the users also help in finding and reporting viral files.

  • bob

    Go Mac!

  • Rick

    So, to summarize:

    - You have to be a Windows user
    - You have to download a .EXE
    - You have to manually execute a .EXE from an untrusted source, and not do it inside a sandbox

    As usual, the only thing “running wild” here is utter stupidity and laziness. These are most likely to be the same clueless a-holes that don’t seed, so why try to protect them against this crap?

  • Anonymous

    Rick (44), the clueless hole of an a, is nobody else but you. How often do I have to kick you in the head until you understand that this isn’t about .EXE files?

  • Anonymous

    Anonymous (39), you’re waffling. If you have nothing to say, STFU and fuck your GF.

  • Chris

    Moderation!? Piratebay, for example, does jack-all moderation.

  • Hugh G. Rection.

    I love how there is always a “must be a slow news day hardy har har” comment. Like they were somehow inconvenienced to read a blog that had information they already knew.

  • private

    Hmmm. A cursory search of McAfee and Symantec websites revealed no such mention of anything like an MP3 “flea.” Someone please provide a reputable link to evidence.

  • silentzow

    @ everyone arguing about what client or protocol to use, why not just use the one that fits your needs best (because they all have strengths and weaknesses) and leave everyone else alone to do as they please.
    I’m just sayin….
    -silentzow

  • torrentusersdeserveit

    Torrent users deserve to be infected, and they can go wanking on forums like castlecops that omg my mommas box running a bot! YAY!

    Stupid dumbshits, wanna use windows then deepthroat my shit bitch.

    Giving advices for these a major waste of time, like install super-assbuster-AV which won’t detect the hexed malware so u suck dick again asswipe, got what u deserve.

    IT security industry please continue sucking my dick, fat dumbasses, die with ur degenerated family, thats what u all know wanking in the office every day and stoling others work.

  • Anonymous

    It’s apparent you haven’t ‘learnt’ anything, especially grammar, because it’s learned.

    Just saying.

  • zbu

    #53: How old are you?
    #54: “learnt” is UK English. Smart as you are you do know that, don’t you?

    There will be virii on whatever system you use, none is v-proof. As soon as Linux/MacOS rises above 7,5% of a userbase, it’ll get attractive too for virus-writers. ed2k, torrent, gnutella(2), kad, fasttrack,… they are all vulnerable, some more than others. But it’s up to the user to use his brain. 400kb for the Harry Potter film is not possible, avi extension or exe (or pkg,…), doesn’t matter. Read comments before downloading if they are there. Know what you download, nero9 still does not exist. “Sharaza” is not Shareaza. “mesenger live” is not from microsoft.

  • Claudia

    Can I just say, I have found myself with two of these files. But on the search engine they DON’T appear with the codes in front of them, so we ain’t all idiots for downloading them, thank you.

  • Claudia

    This is all Apple’s fault, I say. If they wouldn’t rip us off for music then none of us would turn to p2p and file sharing. Once I pay my 79 pence, it’s MY property, I should be able to put it on any player I like, apple or no apple printed on the back. Yes I know – distribution rights – yada yada, but do us all a favour and just go back to trusty MP3 format, eh Apple?
