BitTorrent Shrugs Off Massive Malware Attack
Written by enigmax on May 09, 2008
Described as “One of the most prevalent pieces of malware in the last three years,” the Downloader-UA.h trojan is running wild on P2P networks. But thanks to its system strength - and the work of torrent site moderators - such outbreaks are shrugged off by BitTorrent.
Anti-piracy outfits, like all organizations fighting against massive odds, rely heavily on the media to amplify their message. Whether it’s some fringe group exploding a trash can to get attention or someone chaining himself to a prominent building in protest, using the media is relatively cheap and effective. Organizations like the RIAA and IFPI like to play the fear card to reduce file-sharing, so a nasty malware attack on P2P networks, affecting up to 27% of tested PCs this week, is a dream come true for them, as they continue to spread their message that P2P networks are nothing but trouble.
However, in a testament to its structure and security, BitTorrent is almost immune from these types of attacks and that is why you never hear the RIAA and IFPI talk about viruses and BitTorrent in the same announcement. In terms of sharing files and avoiding malware, BitTorrent does really well.
This recent malware attack revolved around people downloading files which were renamed to look like music and movies, but instead engineer a situation where lots of other stuff gets installed on the host PC, causing all sorts of problems. While viewing some of the filenames listed by McAfee, I had to remind myself that I was a novice once too - but it was still a stretch for me to believe so many people would download files that look like these:
preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-peanut butter jelly amende.mp3
The good news is that the chances of these types of files appearing on BitTorrent are very low as trackers have moderators who remove such junk, something which is largely impossible on Gnutella (LimeWire) and eMule (ed2k). As long as the ‘infected’ users keep this stuff in their shared folder, there is little that can be done to stop it spreading. If they don’t clean this stuff out, no-one will, and it’s in this department BitTorrent comes out tops - again.
First of all, BitTorrent isn’t a ‘folder sharing’ client like LimeWire or KaZaA, which means that the user needs to use a torrent site to distribute (publish) his torrent. If the content is legitimate (and there are very few rules in most places, save obviously illegal material) the .torrent file will be up for all to download, with links to malware and viruses mostly filtered out by humans - otherwise known as ‘mods’ or ‘moderators’.
BitTorrent has thousands of hard working and largely unpaid moderators, who work tirelessly to make sure that files like these don’t make it to the BitTorrent user’s computer. In reality, files presented like the ones above could never slip by the site mods; they would see them a mile away and remove them quickly.
BitTorrent isn’t 100% malware free but compared to Gnutella and ed2k, it is astonishingly healthy and that is largely down to the strength of the system and the mods, who work non-stop behind the scenes to keep BitTorrent an enjoyable experience.
For the few small things that slip through the net, try our guides.
62 Responses
I’m confused, how can MP3-files carry malware? I don’t get the McAfee write-up, but I’m guessing there is a link in the ID3 tags somehow? I need a link so I can ‘investigate’ :)
I haven’t really learnt anything from this article.. maybe because I already knew it or there’s just nothing in it to care about. *scratches head*
Slow day at Torrentfreak methinks :/
[quote comment="380264"]I’m confused, how can MP3-files carry malware? I don’t get the McAfee write-up, but I’m guessing there is a link in the ID3 tags somehow? I need a link so I can ‘investigate’ :)[/quote]
I agree with this sentiment. Are we sure it’s not lalala.mp3.exe or similar?
Is it using an exploit?
“When a user attempts to load one of these MP3 and MPG files, they do not get the music/video they were hoping for; instead they are directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip what so ever.”
Exploiting some kind of DRM scheme/codec download?
Those anti-p2p companies also like to upload viruses like:
sdbot
virtumundo
They even go so far as copying the more popular torrents and infecting them with a nasty trojan, and you won’t even notice.
Use virustotal.com to scan a single file with over 20 virus scanners.
I use shareaza for some of my downloads and I see these things all the time. There are usually 15-20 different files that pop up in any type of search, and I mean any search. If you do a search for say, Matt, some of the first and best hosted files will be stuff like matt.mp3, matt((CRACKED)).rar and bullshit like this. What I’d like to know are the number of RIAA/MPAA controlled computers that are the hosts for these files and the ones mentioned in the article. Somehow I just can’t believe that someone would be stupid enough to download these files in the first place; if it doesn’t match what you were looking for don’t download it.
Usually those files all come from the same IP ranges too.
[quote comment="380264"]I’m confused, how can MP3-files carry malware? I don’t get the McAfee write-up, but I’m guessing there is a link in the ID3 tags somehow? I need a link so I can ‘investigate’ :)[/quote]
They are called ‘fleas’ - small pieces of executable code that are embedded into the media file that exploit bugs in the codec (esp the wmp core codecs and quicktime) that allow the code to be executed. The real danger with these is, like with the 1990s Word macro viruses, these pieces of code are fairly platform independent and the virus can propagate on almost any system.
Also, the media file may ask you or your media player to download a codec to run it (like the ActiveX.Video-codec you may be asked to download on several sites) that then runs code every time that codec is used, and is far more dangerous, although only tends to infect Windows boxes.
The file usually doesn’t run as the fleas either corrupt the file or there is no actual video data as the virus uploader tries to keep the filesize small so it can be easily distributed and ‘attractive’ to download.
Moral of the story: Don’t download movies that are 443.13kb!
Actually, many of the viruses replicate themselves so after you are infected, you become another source IP spreading it even further.
I always look at file sizes before downloading. If a music file shows up being much smaller than it should, consider it suspicious. Most virus-infected files I’ve seen are less than 1 MB while a typical music mp3 is 3 MB or more.
Hello mates, I found Tagoo.ru/en it is mp3 search engine, no ads no viruses, it works great if you are searching for singles.
While I like to thank enigmax for his praise of all the Bittorrent Site Mods that work everywhere “behind the scenes”, let me remind the readers of torrentfreak that MODs are not omnipotent and can’t be looking after every upload!
That’s especially true if MODs do what they do on public sites where there is a constant flow of torrent after torrent 24/7/365.
It is therefore important that the USERS do their part too by not only following the guide on how to avoid “bad” torrents but also reporting those that slipped through the watchful eyes of MODs via the contacting avenues that every BT site has in place.
For “my workplace” for example that would be either via
http://www.suprbay.org/forumdisplay.php?f=34
or even faster via
irc://irc.efnet.net/thepiratebay.org
[quote comment="380311"]
Also, the media file may ask you or your media player to download a codec to run it (like the ActiveX.Video-codec you may be asked to download on several sites) that then runs code every time that codec is used,[/quote]
Users that use Windows Media Player are noobs…
People, use a GOOD media player such as VLC and many others… they don’t ask you to download any crap in order to watch a video.
Thank god we aren’t in the 1990s anymore.
Just be smart and you won’t get into (much) (big) trouble.
^ AS above use VLC. It IS the best: http://www.videolan.org/vlc/
Also use linux for extra protection: http://www.ubuntu.com/
Torrent for 8.04 Hardy Desktop LiveCD i386: http://releases.ubuntu.com/8.04/ubuntu-8.04-desktop-i386.iso.torrent
And all other releases at: http://releases.ubuntu.com/8.04/
[quote comment="380320"]Hello mates, I found Tagoo.ru/en it is mp3 search engine, no ads no viruses, it works great if you are searching for singles.[/quote]
hello bro, wrong site; hope you get your ip banned by mods for this.
other than that, what’s new in russia?
ha- “shrugs off massive malware attack”… and then through the article you show how small, easily contained and obvious the malware was… becoming a hype-machine TF, very rapidly…
I agree with #14
If you read carefully and understand viruses, you will find this article is nothing but over-hyped scaremongering.
its value as “news” is absolutely zero.
pretty poor if you ask me.
i myself have gotten a .avi file, tried to play it, and was told to dl a codec.
of course i deleted it, but i went into ‘properties’ and it was still pegged as an avi….
and before ya laugh, it looked nothing like files mentioned above.(because im not a fucking idiot)
fuckin torrent had 93 seeds on mininova!
they REALLY need the comment sector on the same page as .tor
rant over
*sigh*
linux and goodbye viruses.
I agree with 16 about comments on mininova. I usually try to put my comments on the torrent.com site where it might actually be read
that’s “torrentz.com”
yo da enemiez be tryin to infect us
but we be gettin on da malware free bus
This whole malware “attack” was aimed at total newbies anyway… after you download one of these it asks you to install X player to play it back… and who in their right mind clicks an .exe that comes attached with your mp3 or movie file?
Full article and details are here:
http://arstechnica.com/news.ars/post/20080508-alluring-mp3-movies-hit-limewire-install-malware-instead.html
Hope that helped!
Cheers!
http://www.ezee.se/
Why the fuck would you use shareaza or the gnutella or the donkey shit network??? limewire is for noobs. fucking lamers
[quote comment="380353"]ha- “shrugs off massive malware attack”… and then through the article you show how small, easily contained and obvious the malware was… becoming a hype-machine TF, very rapidly…[/quote]
that’s the whole point!! It doesn’t affect bittorrent!! There have been 500,000 infections on the other networks, this article is entirely justified, read it ffs! Bittorrent pwnz gnutella, thanks for reminding us!!
The biggest trouble is muppets who don’t understand how to use their machines, the P2P options and leaving , they keep the “hide known extensions” on their Windows file mangler. Stupid 10 year old muppet downloads porno69.mpg from Shitewire, doesn’t realise that it’s actually called porno69.mpg.EXE, double clicks it and hey presto, another one bites the dust!
I still think PCs, power tools and lawnmowers should all have written tests, before you are allowed to own one, like cars and guns!
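The checks raised in the comments above (a media file far too small for its type, an executable extension hidden behind a media one) can be combined with a look at the file's first bytes. The following is an added example, not code from the article or any commenter; the size thresholds, reason codes and function names are assumptions chosen for illustration.

```python
import os
import tempfile
from pathlib import Path

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Assumed minimum plausible sizes in bytes; tune them for your own files.
MIN_SIZE = {".mp3": 1_000_000, ".mpg": 5_000_000, ".avi": 5_000_000}

def header_ok(ext, head):
    """Compare the first bytes with well-known media signatures."""
    if ext == ".mp3":  # ID3v2 tag, or MPEG audio frame sync (11 set bits)
        return head[:3] == b"ID3" or (len(head) > 1 and head[0] == 0xFF and head[1] >= 0xE0)
    if ext == ".mpg":  # MPEG pack header or sequence header start code
        return head[:4] in (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3")
    if ext == ".avi":  # RIFF container with the AVI form type
        return head[:4] == b"RIFF" and head[8:12] == b"AVI "
    return True

def triage(path):
    """Return reason codes explaining why a downloaded file looks suspicious."""
    stem, ext = os.path.splitext(os.path.basename(path).lower())
    if ext in EXECUTABLE_EXTS:
        hidden = os.path.splitext(stem)[1] in MIN_SIZE
        return ["double-extension" if hidden else "executable"]
    reasons = []
    with open(path, "rb") as fh:
        head = fh.read(12)
    if head[:2] == b"MZ":  # DOS/PE executable signature
        reasons.append("mz-header")
    if ext in MIN_SIZE:
        if os.path.getsize(path) < MIN_SIZE[ext]:
            reasons.append("too-small")
        if not header_ok(ext, head):
            reasons.append("bad-header")
    return reasons

def demo():
    samples = {  # constructed sample files, not real malware
        "porno69.mpg.EXE": b"MZ" + b"\x00" * 64,         # name from the comment
        "constructed.mp3": b"MZ" + b"\x00" * 400_000,    # renamed executable
        "real song.mp3": b"ID3" + b"\x00" * 3_000_000,   # plausible size, header
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = Path(tmp, name)
            path.write_bytes(data)
            results[name] = triage(path)
    return results
```

Call `triage(path)` on a file before opening it; an empty list means none of these checks fired, not that the file is safe.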