A Google search on the same pages returns, “This site may harm your computer.”

So what exactly is the problem? TorrentFreak spoke with Peter Sunde (brokep) who told us that right now they don’t have a clear idea of what is causing the problem although they are working hard on fixing it. Current thinking by some says that the problems are being caused by malicious ads from third parties which are embedded in the site.

Google has made its own analysis and is reporting that the /user sections of the TPB site were listed once for suspicious activity, yesterday 14th March 2009. Of 699 pages tested, it found that 2 pages resulted in malicious software being downloaded and installed without user consent. Google goes on to say that the malicious software includes 68 scripting exploits although they report that a successful infection resulted in zero new processes on the target machine.

The malicious software in question is said to be hosted on 3 domains; savelocity.com, seekerfeed.com, and xoads.com, with another 6 reported as distribution intermediaries including parkneed.com, yieldmanager.com and zxxds.net.

This type of problem is nothing new on torrent sites. Last year we reported how Google and Firefox blocked Empornium, the world’s largest porn tracker, when they suffered similar problems at the hands of outsiders. Just yesterday, the h33t.com torrent site suffered a similar problem, but that now appears to be fixed after we tipped off the staff there.

We will add to this post during the day to include the latest updates.

Article from: TorrentFreak, check out our new blog at FreakBits.

One of the main drawbacks of using P2P software such as Limewire, is that the content on the network (Gnutella) is unmoderated – anyone is free to put up whatever they like, be it music, movies or TV shows. Of course, others use this lack of moderation as a green light to upload viruses, spyware and other malicious software. Equally, one of the great strengths of BitTorrent (at least from a harm-reduction point of view), is that .torrent files are uploaded to torrent sites where staff work hard to filter out as much of the malicious software as they can, making BitTorrent relatively malware-free.

Of course, this great system falls apart if you can’t trust the people running the site. People expect anti-pirates like MiiVi to be ‘the enemy within’, but who needs those when you have ‘friends’ like the guys at new torrent site, TrafficLoader.com.

TrafficLoader.com (and its forum, pdls.info) hasn’t been setup for the benefit of BitTorrent users, it will be used by spammers, scammers and virus peddlers to spread their malicious software among the community (and make money off it). One of the admins called ‘Satty’ says that no registration is needed to upload torrents to the site and none will ever be removed. The site does have a notice – ‘Viruses, spyware, affiliate links and everything related is strictly prohibited’ but don’t believe it – Satty says these rules don’t apply to his friends in the PPI (Pay Per Install) community.

A few days ago the site was pretty bare with relatively few torrents and it was clear that most of them contained malware. It was suggested to Satty that it might be a good idea to have some genuine torrents too, to help disguise the bad torrents. Now things are starting to ‘improve’ on the site with many more torrents added recently which don’t immediately appear to be malware.

In the last few days, TrafficLoader cosmetically ‘cleaned up’ the site to remove porn adverts in order to appear more genuine but unfortunately, someone as well as TorrentFreak noticed that they made a big mistake:

“Why would you [Satty, admin] put a forum for ppi on a publicly scraped site, a.k.a here?? Do you just want ppl to find out shit is full of malware?”

Just in case they did want people to find out, hopefully this post will help them get the word out.

For those that want advice on how to avoid bad torrents in the future, try one of our guides.

Update: The site was taken offline a few hours after this article was posted, that’s our good deed for the weekend.

Article from: TorrentFreak, check out our new blog at FreakBits.

However, in a testament to its structure and security, BitTorrent is almost immune from these type of attacks and that is why you never hear the RIAA and IFPI talk about viruses and BitTorrent in the same announcement. In terms of sharing files and avoiding malware, BitTorrent does really well.

This recent malware attack revolved around people downloading files which were renamed to look like music and movies, but instead engineer a situation where lots of other stuff gets installed on the host PC, causing all sorts of problems. While viewing some of the filenames listed by McAfee, I had to remind myself that I was a novice once too – but it was still a stretch for me to believe so many people would download files that look like these:

preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-peanut butter jelly amende.mp3

The good news is that the chances of these type of files appearing on BitTorrent are very low as trackers have moderators who remove such junk, something which is largely impossible on Gnutella (LimeWire) and eMule (ed2k). As long as the ‘infected’ users keep this stuff in their shared folder, there is little that can be done to stop it spreading. If they don’t clean this stuff out, no-one will, and it’s in this department BitTorrent comes out tops – again.

First of all, BitTorrent isn’t a ‘folder sharing’ client like LimeWire or KaZaA, which means that the user needs to use a torrent site to distribute (publish) his torrent. If the content is legitimate (and there are very few rules in most places, save obviously illegal material) the .torrent file will be up for all to download, with links to malware and viruses mostly filtered out by humans – otherwise known as ‘mods’ or ‘moderators’.

BitTorrent has thousands of hard working and largely unpaid moderators, who work tirelessly to make sure that files like these don’t make it to the BitTorrent user’s computer. In reality, files presented like the ones above could never slip by the site mods, they would see them a mile away and remove them quickly.

BitTorrent isn’t 100% malware free but compared to Gnutella and ed2k, it is astonishingly healthy and that is largely down to the strength of the system and the mods, who work non-stop behind the scenes to keep BitTorrent an enjoyable experience.

For the few small things that slip through the net, try our guides.

Article from: TorrentFreak, check out our new blog at FreakBits.

All of the malware we’ve reported on comes from the same 2 servers found at 69.72.144.122 and 207.44.244.86 and this new kid on the block is no different.

DomPlayer is the latest malware to get on BitTorrent user’s nerves. In the last article on this issue we already discovered that the DomPlayer domain was sitting dormant but we didn’t know what it would become. It’s live now and here’s the deal:

Someone downloads a TV show (very often an aXXo fake) via BitTorrent. When the file is played, a message appears:

This video can only be played in DomPlayer, Visit Download.Domplayer.Com

On arrival, the user is greeted with a nice shiny site to distract them from the fact this is an elaborate trick based on DRM’ing previously-free media and forcing users to take steps to unlock it.

This is where DomPlayer differs from the other malware media players we’ve report on. The site claims: “DomPlayer is 100% clean, no bundled software!” At this stage, it doesn’t appear to install any intrusive adware etc on the host PC – there is a different trick up this 945K installer’s sleeve.

When it’s run, it’s believed the software locates the user, directs him to a telephone hotline appropriate to his country and instructs him to call it via cellphone. The call leads to the ‘activation’ of the DomPlayer software but ends up costing the user money.

If the user is in a country ‘unsupported’ by DomPlayer’s payment system, he will be directed to the 3WPlayer site where he can install 3WPlayer and a load of malware onto his PC, completely free of charge.

Although fake aXXo releases are known to be a frequent target of this scam, other media is also affected so many file-sharers find it prudent to check the comments on the site before they download a torrent.

UPDATE: Reports suggest that software is now available to play 3WPlayer (and possibly DomPlayer) files without getting either player. This software is untested by TorrentFreak.

UPDATE 2: Software to crack 3WPlayer, WinZix can also be found here. Click here for the .torrent.

Article from: TorrentFreak, check out our new blog at FreakBits.

However, there are companies out there who give you ‘free’ software (like a torrent client) but at the same time install some of that extra stuff you don’t want too. We have regularly reported on BitTorrent clients which also install this malware such as Torrent101, BitRoll, TorrentQ and GetTorrent. These are just a handful of bad clients currently available online.

It didn’t take much research to discover that a Swedish company called Wakenet is behind the enterprise, a company that made news on lots of spyware sites due to its Anti-Leech plugin.

Wakenet has a new domain called uvTorrent.com (currently diverting to their Cash4Downloads site) – no prizes for guessing the planned confusion with novices and the official ‘uTorrent’ client. They also have a new (fake) ‘compression’ utility called Winzix, obviously named to be confused with Winzip. Unfortunate downloaders will download something from BitTorrent, only to learn that it needs to ‘decompressed’ with Winzix in order to work. Installing Winzix again results in malware getting onto the host PC.

Our investigations revealed two major servers carrying the malware-ridden clients, media players, compression utilities and other sites supporting the enterprise:

IP: 69.72.144.122

1. netpumper.com (there’s even a link to this from Wakenet’s homepage)
2. bitgrabber.com
3. bitroll.com
4. c4dl.com
5. cash4downloads.com
6. download.play3w.com
7. get-torrent.com
8. playon.play3w.com
9. winzix.com (additional information from Symantec)
10. bitdownload.org
11. divoplayer.com
12. plugindl.com
13. torrent101.com
14. torrentq.com
15. torrentsoftware.org

IP: 207.44.244.86

1. bitroll.com
2. c4dl.com
3. cash4downloads.com (Click here for removal instructions)
4. download.netpumper.com
5. Uvtorrent.com
6. playon.play3w.com
7. wakenet.se (WakeNet’s own homepage is on the same server)
8. bitsofporn.com
9. domplayer.com
10. gamingtorrent.com
11. kitplayer.com
12. torrentmusic.org
13. torrentgamers.com
14. Torrentspeeder.com (different server currently)

We suggest that everyone stays well away from every site on the above lists. Use uTorrent or Azureus to download and if you ever download anything that requires anything other than a standard media player or WinRAR in order to play, be a little suspicious. Checking the comments to the torrent you plan to download is always a good idea.

For the little more adventurous reader, it’s possible to use the Windows HOSTS file to block the activity caused not only by the malware listed above but also that from hundreds of other sources. We recommend the excellent guide from MVPS, “Blocking Unwanted Parasites with a Hosts File”

UPDATE: Reports suggest that software is now available to play 3WPlayer (and possibly DomPlayer) files without getting either player. This software is untested by TorrentFreak.

UPDATE 2: Software to crack 3WPlayer, WinZix can also be found here. Click here for the .torrent.

Article from: TorrentFreak, check out our new blog at FreakBits.

A good way to check whether a torrent is legit or not is by looking at the comments. If people found the torrent to be fake, it will probably reported there. But up until now there was no central database for checking fake and spam torrents – TorrentSpam is trying to fill this gap. A search for the torrent name on TorrentSpam will return a list of torrents, and the score each torrent has indicates how likely it is that this torrent is actually SPAM.

Some administrators of BitTorrent sites (not all of them) already spend hours every day removing and blocking these fake or malware ridden torrents, but it is nearly impossible to have a 100% clean site at all times.

TorrentSpam will be really useful if admins of BitTorrent sites have access to their database, something that will happen in the near future. The site is currently working on an API section so all torrent sites can utilize TorrentSpam. In the meantime they obviously need you to fill (and check) the database.

Or as the admin of TorrentSpam puts it: “The more reported torrents the better the P2P experience! By letting people know of invalid torrents, the less data will be jamming the networks.”

Article from: TorrentFreak, check out our new blog at FreakBits.

Various forum threads, even on TorrentSpy, warn naive users about these clients. Still, TorrentSpy is actively advertising Get-Torrent, and infecting hundreds of their users’ computers, resulting in a torrent of annoying popups.

Unlike TorrentSpy, most BitTorrent site admins refuse to advertise these clients. The Pirate Bay and mininova successfully banned these malicious clients from advertising through Adbrite, and BTjunkie and many other sites wont let them on their site either.

The malware bundled with BitTorrent clients like Get-Torrent, Torrent101, TorrentQ and BitRoll is a sponsor program called “Cidhelp”. Apparently, it can be easily removed from the Windows Control Panel. However, in most cases your anti-spyware or anti-virus program damaged the files, leaving them impossible to uninstall, while they still cause numerous popups.

In April we ran a Google Adwords campaigns on the Bitroll, Torrent101 and Torrentq websites warning users not to install these clients. Even though it was fun and probably prevented a couple of hundred people from installing the clients, it is far from an ideal solution. The best way is to spread the word, start forum threads and write blog posts or emails to warn others.

Article from: TorrentFreak, check out our new blog at FreakBits.

Unfortunately, as fast as we report such things, the malware peddlers create yet more bad clients with new names, but carrying the same bad story. However, these guys are very determined to get software such as CIDHELP on your machine, ready to watch your activities and to this end have become quite creative. Recently BitTorrent users are reporting that they have downloaded various pieces of video (usually a TV show) only to be confronted with a message during the first few seconds of the video which advises them to download a new media player called 3wPlayer, in order to view the rest of the file.

The displayed url directs the unsuspecting to the Play3W site, where they are given the chance of installing a shiny new media player.

From the screenshot you will see that there is a ‘more’ button and when you install this player ‘more’ is exactly what you get – more malware in the form of CIDHELP, yet again. It can be difficult task to uninstall it too, especially when you consider the veiled legal threat on the CIDHELP site – the vendor warns you could be in breach of the EULA if you try to remove it with your anti-spyware software. To get rid of the software, they advise to first turn off your anti-adware/spyware software and re-install the software, something that rings a few alarm bells!

It may seem that every pusher in the world is getting involved in the BitTorrent malware scene but a simple WHOIS on all the domains hosting the torrent clients listed above, (Torrent101 for example) including the 3wPlayer site, reveals that they are more than likely the same outfit, exploiting the less experienced members of the BitTorrent community. Anyone concerned about a particular torrent should take the time to read the user comments on the site where the torrent was downloaded from. Very often problems such as fake files are spoken about there.

Anyone needing a media player that will deal with almost any video format should consider the excellent VLC Media Player, available for free download. Those who still haven’t settled on a quality BitTorrent client will find everything they need by getting uTorrent. No spyware, adware or malware present in either product.

Article from: TorrentFreak, check out our new blog at FreakBits.

Unfortunately, several popular torrent sites carried advertising for these bad clients but thankfully, sites like The Pirate Bay saw the damage these things can cause and removed the adverts. TPB’s brokep wrote, “We’re getting a lot of email about people downloading torrent clients that are advertised on the site. Do not download them! We have put a ban for the ad companies to sell ads for these clients on our site.” Mininova and Snarf-it also blocked the adverts.

In February, we reported on yet another client, TorrentQ after a tip-off from the owner of BT-Junkie. Of course, this wasn’t a new client but the old one with a new name.

In April, in order to try to save unsuspecting file-sharers from installing malware, we ran Google Adword campaigns on the BitRoll, Torrent101 and TorrentQ websites, informing people of just how bad these clients are. Google apparantly doesn’t like to be associated with bad news and a few days later, Adsense adverts disappeared from the sites.

Disappointingly, we are now exposed to yet another ‘new’ bad torrent client. Get-Torrent is the latest in a sequence of malware-laden torrent clients, cloned from the same infected DNA as BitRoll, Torrent101 and TorrentQ. As can be seen from the client’s ’skinning’ pages, these products are identical;

As we promised in our earlier posts, every time a bad client appears we will do our best to let the BitTorrent community know about it. Anyone thinking of installing a BitTorrent client should stay away from these products and install a free, clean client, such as uTorrent.

Article from: TorrentFreak, check out our new blog at FreakBits.

First the MPAA’s DVD sniffing dogs, now a trojan that’s targeting P2P content. Although the creators of the trojan are unknown until now, my guess is that the MPAA will be quite delighted.

Graham Cluley of Sophos, the company that discovered the virus, commented:

“The Erazer Trojan is a vigilante worthy of a Charles Bronson movie, taking the law into its own hands. However, it’s perfectly possible for the Trojan to aim poorly and wipe out innocent files too”.

As far as I know BitTorrent is safe, for now.

Article from: TorrentFreak, check out our new blog at FreakBits.