TorrentReactor Users Suffer Rootkit Attack

Written by Ernesto on July 02, 2009 

With millions of pageviews every day, TorrentReactor.net is ranked in the top 5 of all torrent sites in terms of traffic, which makes it a lucrative target for malicious attacks. The site is currently suffering from a serious security breach that has resulted in a rootkit being installed on the computers of some of its visitors.

Aside from serving torrents, the TorrentReactor team launched TorrentPrivacy last year, a service that allows BitTorrent users to download torrents anonymously. Unfortunately, the site itself now poses a security threat of its own.

Websense reports that TorrentReactor has been injected with an IFrame that connects to a malicious site full of exploits. The exploits affect various applications, including Internet Explorer and Adobe’s Shockwave and Acrobat Reader.

Once the user is successfully exploited, a Trojan Downloader with an extremely low anti-virus detection rate will download and install a rootkit on the user’s system, after which more evil is bound to happen.

TorrentReactor’s founder Alex told TorrentFreak that they are looking into the matter and hope to fix the vulnerability as soon as possible. Alex further told us that he has no clue who’s behind the attack.

This is not the first time that TorrentReactor has suffered from an IFrame injection, as The Register points out. Last year it dealt with a similar security breach.

Needless to say, TorrentReactor users may want to avoid the site for the time being if they’d rather not have a rootkit on their system.

Update: Alex told TorrentFreak that the problem has been addressed. “It was sql injection which was fixed the same day. Now we do everything to prevent it in the future. We’re very sorry.”
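
Added example, not code from TorrentFreak, Websense or TorrentReactor: one way a site operator could audit rendered pages or HTML stored in the database for the kind of injected IFrame described above. The host names, the allowlist and the sample markup are constructed placeholders, and the heuristics (off-site host, near-zero size, hidden style) are assumptions about what an injected frame looks like.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample markup (not taken from the affected site): one same-site
# iframe, one allowlisted partner embed, and one hidden off-site iframe of the
# kind an injection leaves behind. All host names are placeholders.
SAMPLE_PAGE = """<html><body>
<h1>Latest torrents</h1>
<iframe src="/widgets/top10.html" width="300" height="250"></iframe>
<iframe src="https://video.partner.example/embed/1" width="560" height="315"></iframe>
<iframe src="http://stats.unknown.invalid/in.php" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""


def _is_tiny(value):
    """True for width/height values such as "0", "1" or "1px"."""
    if not value:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return float(v) <= 2
    except ValueError:  # e.g. "100%"
        return False


class IframeAuditor(HTMLParser):
    """Collects iframes that load off-site content or are hidden from view."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        # Relative URLs have no host and therefore stay on the site itself.
        if host and host != self.site_host and host not in self.allowed:
            reasons.append("off-site host not on allowlist")
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("near-zero size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by inline style")
        if reasons:
            self.findings.append(
                {"line": self.getpos()[0], "src": src, "reasons": reasons}
            )


def audit_html(html, site_host, allowed_hosts=()):
    """Return one finding per suspicious iframe in the given markup."""
    auditor = IframeAuditor(site_host, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE, "tracker.example", ["video.partner.example"]):
        print(f"line {f['line']}: {f['src']} -> {', '.join(f['reasons'])}")
```

Run against every template and every database field that is rendered as HTML, a check like this turns an injected frame into a diff against the allowlist instead of something a visitor's browser discovers first.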

92 Responses

1 Jul 02, 2009 at 23:08 by Adward

Yikes, better avoid that.

2 Jul 02, 2009 at 23:10 by phishybongwaters

might as well avoid it altogether, maybe I’m alone, but I found torrentreactor to be the worst for fakes, I’ve spent countless times looking for a specific torrent there, only to find various copies, all of which are packed inside an .exe

PASS

I suggest anyone that does use the sites to get and run some rootkit revealers, as you may already be compromised

3 Jul 02, 2009 at 23:14 by anonymous

serves you pirates right, enjoy your rootkits

4 Jul 02, 2009 at 23:16 by ufa

suffice to say that it affects windows users, not linux users

5 Jul 02, 2009 at 23:23 by the.dwarfer

anyone know the name of the rootkit/trojan or how to remove it?

6 Jul 02, 2009 at 23:33 by banghard

Everything in this article is true. My system became unstable, I was forced to reformat, yet I still don’t feel safe. I won’t use the reactor for a long time. The torrents suck anyways. Lot of shit going down on these sites.. aXXo probably in jail, why we ain’t heard from him?

7 Jul 02, 2009 at 23:33 by charlie

it’s only popular because it’s full of fake torrents by media defender so what’s the point of downloading from there, you won’t find any real torrents

8 Jul 02, 2009 at 23:39 by Rabbit80

Use Sandboxie – then you won’t have any issues with rootkits!

9 Jul 02, 2009 at 23:49 by dandin1

…Or perhaps don’t use an operating system which allows user processes to install rootkits. ;)

10 Jul 02, 2009 at 23:50 by Hom3r

torrentreactor isn’t even that good….

11 Jul 02, 2009 at 23:55 by banghard

sandboxie wont work on 64 bit system @rabbit80 but thanks for the info..

12 Jul 03, 2009 at 00:00 by jack

Torrent Reactor totally sucks. Largely fake shit on there.

J.

13 Jul 03, 2009 at 00:01 by Anonymous

Lol owned.

14 Jul 03, 2009 at 00:03 by phishybongwaters

well seeing as rootkits were a unix deal until recently when people started making them for windows, what os would that be?

unix, what do you think linux is based on?

If you honestly think linux protects you from rootkits you are poorly informed

15 Jul 03, 2009 at 00:04 by RoestVrijStaal

As far as I know, TorrentReactor was never a ‘clean’ site at all. I clearly remember some spyware ads on the site in the last years.
The kind of ads of TPB, MN & IH are nicer :)

16 Jul 03, 2009 at 00:05 by r0ck

Torrentreactor was a useless piece of fake laden shit anyway. I never even found a single working torrent on that site. Just die already.

17 Jul 03, 2009 at 00:20 by Rabbit80

@banghard

’tis not necessary on Vista x64 since patchguard protects the kernel and as long as you leave UAC enabled everything runs in a protected environment anyway!

18 Jul 03, 2009 at 00:21 by banghard

@ Anonymous you’re such a geek! chill out bro, go smoke a joint and stop the hate. fill your life with peace and love not hate. (Gosh)

19 Jul 03, 2009 at 00:27 by Anonymous

torrentreactor site load of old wank

20 Jul 03, 2009 at 00:32 by Brett

Torrentreactor makes me want to punch babies.

21 Jul 03, 2009 at 00:33 by anonymous

torrent who?

22 Jul 03, 2009 at 00:37 by banghard

@ rabbit80 sounds good, makes me feel better. i hope when i did reformat it enabled the uac cause i don’t even know what that is.. lol thanks rabbit my system is running much better since the format. I hope i don’t come home and find my kitchen door in the living room>>>>lol….. thank you god bless

23 Jul 03, 2009 at 00:41 by Brunty

Whoever uses that hell-hole is insane anyway.

24 Jul 03, 2009 at 00:46 by Steve

and how is a rootkit gonna install on linux without root privilege?

25 Jul 03, 2009 at 01:02 by Swopyl

So Windows user, a little chilly out there in the internet ;)
Too bad you’re naked and vulnerable to virus, rootkit and other diseases…
Go TPB and download Ubuntu..Now !
Sorry for trolling but stop whining about infected computer when there are plenty of other secure OS.

26 Jul 03, 2009 at 01:11 by grins & gigles

@25

you are sooo lame
don’t download a trojan-ed / rotkit-ed unbuntu from TPB – LOL

go to http://www.ubuntu.com/getubuntu/download

it is MUCH safer!

27 Jul 03, 2009 at 01:11 by grins & gigles

@26

I must remember to turn on the spell checker – LOL

28 Jul 03, 2009 at 01:14 by grins & gigles

@25
poor steve

by nature rootkits exploit various vulns to GET root … and they are darn good at hiding too!

29 Jul 03, 2009 at 01:17 by banghard

@ swopyl Naked! I feel Ass Raped, you’re right windows does suck :( not whining at all just agree wit the story…. how do i know ubuntu will work on my system? wit all the shit going on i rather buy it than get it from TPB right now… but thanks

30 Jul 03, 2009 at 01:21 by Cordelia

People who use Internet Explorer almost deserve it…

31 Jul 03, 2009 at 01:24 by Anonymous

@26 or he could just use an md5 checksum to check the file from the pirate bay to make sure it was valid :)

32 Jul 03, 2009 at 01:45 by Anonymous

I guarantee this was a test performed on a site with extremely high traffic of all OS platforms and next to nil chance of government investigation. They’ve already gathered enough data to find and track down some bugs. A very similar, less detectable, possibly even more infective version of this is going to end up in more dangerous locations to steal credit card information, bank credentials, stock credentials, … fuck, if it makes money, this thing will steal your credentials for it. Prepare yourself and warn others.

The Iframe sees all. Do not look into the Iframe.

33 Jul 03, 2009 at 01:50 by 7SeVeN7

@banghard

im in the same boat im sick of windows, im switching to ubuntu as we speak but installing it in a 4gig stick and running it thru Virtualbox

34 Jul 03, 2009 at 01:57 by #YLS#

TorrentReactor is a piss poor torrent site though in my opinion, the only reason a person would use it is it flags a lot of google hits when you’re looking outside your usual sites.

35 Jul 03, 2009 at 02:09 by Bryan C

TorrentReactor sucks anyways, but I had a rootkit installed on my system from TPB… so I know how much it sucks! I had to re-install windows!

36 Jul 03, 2009 at 02:12 by 7SeVeN7

also ,never been there , guess i aint gonna go there………….

37 Jul 03, 2009 at 02:23 by anon

never went to torrent reactor but i’ll know not to trust content from it. Thanks for the heads up guys.

38 Jul 03, 2009 at 03:50 by DevoidOfWindows

@ banghard

Ubuntu is free, and can be obtained from http://www.ubuntu.com at no charge.

39 Jul 03, 2009 at 04:18 by Mori [France]

Never heard of this place, too much time spent under a rock in private trackers I guess :P

40 Jul 03, 2009 at 04:28 by Anon

Thank god only unix users were giving the whole “we are safe from virus’, trojans etc” schpeel. I was going to kill myself if some Mac fag came on here & started posting

41 Jul 03, 2009 at 04:47 by Anonymous

Web malware depends exclusively on JAVA(JAVA and Javascript are two different things), Flash or other script, if you don’t have them the chances somebody will do you harm is next to “nada”, zero, zilch LoL

Solutions:

- Use an integrity checker. If you have an anti-virus you probably have one, as all suites today have this basic feature; in linux you will have to install one.

ps: Don’t save the database from the integrity checker on the same computer for God’s sakes.

- Use virtualization. You can use “forcefield” from the zonealarm guys, or use a complete virtual machine (VM) like Qemu, virtualbox, vmware (this one is good for noobs, very friendly). There is even a rollback app that the “packers” use to test malware on their computers and roll it back to normal after, I just don’t remember the name right now.

- Use tools like “NLite” to make an automated installation CD for windows. In linux you can do it too and it is much easier in this aspect in some versions.

- Make a backup of your entire system in a state you feel comfortable having it. It takes 10 to 15 minutes to copy the data back to your HDD and have it good as new, you can even clean your system everyday.

- Use an old school web browser like “lynx” that has support for SSL (encryption) but has no support for scripts of any kind and it will download everything you highlight on it. It is great for internet banking, there is no phishing if you pay attention to the links you click.

Some procedures are not “easy” but if you follow them you will be 99% secure “today”.

42 Jul 03, 2009 at 05:02 by Anonymous

can you get this from just VISITING the site or do you have to actually download/install something ?

43 Jul 03, 2009 at 05:09 by Anonymous

@42 Jul 03, 2009 at 05:02 by Anonymous:

Yes you can, flash and JAVA have the ability to download, save and start programs in your computer without you ever seeing a warning.

44 Jul 03, 2009 at 05:28 by Blaster

Why are you blaming torrentreactor for everything?? All big public torrent sites are full of fakes. And absolutely all the sites can suffer an attack!
Personally I found the site pretty good. If you know what you’re looking for, read comments and pay attention to details, you will always find yourself a good torrent!

45 Jul 03, 2009 at 05:53 by Anonymous

For those that know a bit more I do recommend using Git, subversion, bazaar or other version control system, it’s great for backups and rollbacks and is even better to see the modifications in a system or website, you can see exactly what changed and if it is bad.

46 Jul 03, 2009 at 07:47 by Anonymous

“serves you pirates right, enjoy your rootkits”

Tell your master enjoy your B troll!

47 Jul 03, 2009 at 08:15 by Robbing Hood

Good advice Rabbit!!
Someone else who uses Sandboxie @ last.

Noscript for FF or even using a VM should be a tepid bath that all torrent d/loaders should dip their toes in at least once.

Or, for the nix point of view…a Live CD should also be tried.

Ha, stuff ya rootkits!

48 Jul 03, 2009 at 09:41 by 4nd

Linux ftw. :D

49 Jul 03, 2009 at 09:47 by Rabbit80

@Robbing Hood

Been using Sandboxie for a while now – I even BOUGHT it :D

One of the best ever utilities for 32-bit Winblows systems – well WORTH the £25 for a lifetime license! And for those who want FREE, the unregistered version still offers great functionality with just a 5 second nag screen after it has been installed a month!

50 Jul 03, 2009 at 10:04 by Anonymous

tell brein did it, like we supposedly took down their website

51 Jul 03, 2009 at 12:10 by anon

hahaha, up yours morons, enjoy your rootkits dumb f**cks

52 Jul 03, 2009 at 12:31 by woof

@52 yo mama enjoyed my root kit, sukka

53 Jul 03, 2009 at 13:43 by thanks

thanks TF for telling us what to do if you visited the site !!!!

WHAT DO WE DO NOW ?

54 Jul 03, 2009 at 13:45 by life goes on

linux, unix are also exposed to rootkits constantly. who cares who uses windows and who cares who uses linux.

backtrack is the best linux anyway ;p but i still use windows. i dont like ie. iframe injections are like little script kiddies. they probably dont know what to do with rootkits except sit and stare and call their mom and say wow mom look what i did, “thats great honey, im doing the laundry right now”

and besides, we can all speculate: was it the mpaa/riaa? was it torrentreactor to catch the mpaa/riaa? or was it some little script kiddie who is trying to look cool and talks like l3370 H4×02

55 Jul 03, 2009 at 13:47 by life goes on

@55

heres the windows rootkit revealer.

http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

you can also google it, it comes up in google. there are several but i think ms would know their own system better than some other commercial ones. there’s also another good one called blacklight i believe.

56 Jul 03, 2009 at 13:55 by mirrormagic

ARRRGH!

Torrentreactor shows up in Scrapetorrent searches,
so I (by accident) occasionally end up on the site. But I have never ever (ever, EVER) used (sh)it beyond that. It’s obviously sharing fakes! I felt it’s bad karma the very first time I encountered its “radioactive” waste of (cyber)-space.

good luck Alex..

57 Jul 03, 2009 at 14:35 by Kepners

I want to punch babes!? HAHA made me laugh on a friday lunchtime.

58 Jul 03, 2009 at 15:25 by Trollontopleftcornorontheright

I root for the pirates

59 Jul 03, 2009 at 16:22 by Veruca Salt

I WANT A ROOTKIT …AND I WANT IT NOW…….

60 Jul 03, 2009 at 17:14 by ques

so i accidentally visited the site then closed my browser in firefox..does that mean im infected now?

61 Jul 03, 2009 at 18:10 by Dave - usenet guy

torrentreactor is a ad bloated piece of cr*p. No reason anybody should be using that site in the first place.

62 Jul 03, 2009 at 18:37 by katrizzle

@14 stupid.

Rootkits originated on unix (IN 1990 or earlierish — when it was a LOT more widely used) to give root access, yes — for a productive purpose. Unresponsive system… needing just to get in when you have no way of doing so. And now they’re being written maliciously and therefore they target Windows. IT TOOK SOME TIME to get malicious, and when it did, it targeted the most profitable system. And what would that be, billyboy? Anyway, most people running *nix are smart enough not to get a rootkit installed in the first place. How the crap does this attack WORK anyway? If your browser is properly set up, you DON’T get affected by drivebys.

Sigh.

63 Jul 03, 2009 at 18:49 by adam

torrentreactor, though many may not understand. i know your true purpose. there aren’t many bittorrent sites out there standing. im glad ur one of the ones that has enough guts to.

64 Jul 03, 2009 at 19:05 by WhoKnows

I have the FF add-on McAfee Site Advisor which shows torrentreactor as a red-site which “breached browser security”. Just an FYI.

65 Jul 03, 2009 at 19:06 by Jeff

@3: Troll FAIL – if you’re using Firefox and NoScript, the attack won’t work unless you do something dangerous like allowing scripts on all sites.

I stopped using them more than a year ago when it seemed to me that there were too many fakes on there.

I still had them bookmarked, but now that’s been deleted.

66 Jul 03, 2009 at 19:54 by Anonymous

62 Jul 03, 2009 at 17:14 by ques

so i accidentally visited the site then closed my browser in firefox..does that mean im infected now?

That depends on:

- your browser settings.
- your security measures(using sandboxes or virtual machines or virtual appliances).
- that you have some sort of security suite not just an anti virus scanner. I do like the suites because they come with everything these days (integrity checker, MAC-Mandatory Access Control, firewalls, filters and is starting to include sandboxes).

If you never bothered with anything then your chances of being infected are very good.

67 Jul 03, 2009 at 21:23 by Frank

TorrentReactor is a dump anyway, always trying to direct you toward paying sites.

68 Jul 03, 2009 at 21:37 by F.G.

There’s anyway that I can verify if I was infected?!

69 Jul 03, 2009 at 21:43 by Emmanuel Goldstein

There are several virtual environments that can be run on 64bit machines. Alternatively you can run your browsers in a virtual machine. Once you have finished downloading torrents or such you can easily copy them over to the host machine. Another very important item is to make sure your system has the latest patches and updates installed. Torrent sites also need to maintain security on their boxes better. Some of these exploits have been patched months ago, but you will see some sites who haven’t patched their software since they installed it.

70 Jul 03, 2009 at 21:46 by Emmanuel Goldstein

Malware bytes is great at discovering and removing rootkits. In my experience it’s better than most larger and better known AV solutions.

71 Jul 03, 2009 at 22:40 by banghard

AT ONE POINT I WAS PLAYING CRYSIS ONLINE AND SOMEONE TOOK OVER THE GAME…SO I JUST LEAN BACK CRACKED OPEN A BEER SAID WTF AND LET HIM PLAY FOR A WHILE…..REFORMAT HELP ME OUT….I WONT GO BACK TO THE REACTOR FOR A LONG TIME…

72 Jul 03, 2009 at 22:49 by banghard

24HRS LATER MICROSOFT SENT ME A LETTER SAYING I HAD PIRATE SOFTWARE….I SHIT U NOT! SO GOT RID OF IT….PAID FOR WHAT I HAVE RUNNING NOW……..WHEN aXXo Comes back then i will feel safer on these sites……he gives good advise so does torrent freak…

73 Jul 03, 2009 at 23:53 by larff

it never fails to amaze me how many people turn around and say they got a virus or they got hacked because they are either too stupid to get a decent anti virus and firewall or because they think “it will never happen to me”

74 Jul 04, 2009 at 00:51 by banghard

SORRY BUT I GOT A GOOD VIRUS PROTECTION..IT WAS MY BAD< I LET THEM IN WIT TRUST FOR THE DOWN LOAD…..HAPPY 4TH OF JULY EVERYONE LOVE YA MUCH….

75 Jul 04, 2009 at 01:24 by larff

banghard i very much doubt you have a good anti virus and a pre installed copy of norton doesnt even come close to counting. btw USING CAPS IS CONSIDERED SHOUTING!!!

76 Jul 04, 2009 at 01:42 by ANON

torrent reactor is 100% scam site n00bs. If you people are downloading enough there to be ranked in the top 5 there are a lot of stupid people in this world.

77 Jul 04, 2009 at 02:18 by phishybongwaters

@ katrizzle (not stupid, just uninformed, most linux geeks are, i’m dating one)

keep telling yourself just cause you use linux you are safe, enjoy the pain, my windows box is just as secure as any linux box, and *most* linux users know how to protect themselves, until you start spreading false info about how secure it is and people with no clue how to secure it start installing it. And downloading it from torrents when all linux distros are available via SECURE torrents, no TPB infected crap.

“How the crap does this attack WORK anyway? If your browser is properly set up, you DON’T get affected by drivebys.”

Let’s say you allow scripts on your favourite site, blocking most ads, but allowing scripts. Then, unbeknownst to the site owner an ad is replaced with malicious code, or even the site itself.

Let’s say you need captcha or some other bs to login, that’s where they get you. I can’t speak for this case, but as most people know, torrentreactor is a bs site with nothing but fakes and crap anyways.

That’s how this stuff usually works.

Use FireFox in whatever OS you use, if you use windows, make sure you secure it, if you migrate to linux, LEARN how to properly use it.

For windows to linux noobs, i suggest ubuntu or Fedora Core, as they are very very easy to use and most windows users will feel at home.

If you want a linux distro that’s actually good for something other than coding, Backtrack is the shizzle

78 Jul 04, 2009 at 02:21 by phishybongwaters

damnit add an edit option or something, i wasn’t done…

katrizzle is bang on saying that most people code to attack windows machines, they pwn the market share it only makes sense, BUT, there are plenty of nasties for linux, and if you don’t believe it, google for the security patch statistics, might be a little skewed now as MS has like 3 main os’s all going, but linux always wins, which is good, they fix shit quick, but they totally dominate in numbers of fixes.

Whens the last time you downloaded any linux distro and didn’t have to install package updates?

79 Jul 04, 2009 at 06:43 by Anonymous

If you want a linux distro that’s actually good for something other than coding, Backtrack is the shizzle

Hmmm…I say the following:

“If you want a /win/mac/linux distro that’s actually good for something other than coding learn to debug, that’s the shizzle and will not matter what OS you choose.” LoL

70 Jul 03, 2009 at 21:37 by F.G.

There’s anyway that I can verify if I was infected?!

YES! there is but I do not know of any automated system or easy way of doing it and to keep it simple I will just point you in the direction so you can research on your own.

- Hash the entire file system before any infection can occur this means before you connect to the internets LoL

- Have a live CD. Can be windows, linux or other thing you like. And yes you can make liveCDs from windows it’s just hard to do it.

ps: to make the database you can use an integrity checker or GIT. GIT can check differences in under a minute in the entire OS

- Run the LiveCD and confirm if anything has changed in the system on your HDD with the hashes you did before and look for suspicious files added or modified without any updates being made.

You see rootkits or what people understand to be rootkits cannot run without accessing the main hard drive if you boot from something else and preferably a different OS than the one you have installed, you can scan that disk and not have the rootkit have a chance to disguise itself. Use a virtual machine(VM), hash it and get it infected so you can see exactly what changed and what to look for in your main system.

ps: The first couple of times this will be hard, very hard to do, but as you learn what to look for and what to ignore it becomes easier and easier, or pay someone to do it for ya.

And people interested in those kind of stuff can research “digital forensics”
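
Added example, not part of the comment above and not code from any commenter: a sketch of the baseline-and-compare procedure it describes, which also follows the advice in comment 41 to keep the integrity database off the machine being checked. SHA-256, the JSON manifest format and all function and file names are choices made for this example; the directory tree in `demo()` is constructed.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (by relative path) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets and device nodes
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                manifest[rel] = hash_file(full)
            except OSError:
                manifest[rel] = "UNREADABLE"  # still recorded, so a change shows
    return manifest


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """List paths added, removed or modified since the baseline was taken."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed walk-through on a throwaway tree; returns the differences."""
    with tempfile.TemporaryDirectory() as disk, tempfile.TemporaryDirectory() as usb:
        samples = {"sys/kernel.bin": b"kernel", "sys/drivers/disk.sys": b"driver",
                   "notes.txt": b"hello"}
        for rel, data in samples.items():
            target = os.path.join(disk, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(data)
        # Step 1: baseline of the clean system, stored on separate media.
        baseline_file = os.path.join(usb, "baseline.json")
        save_manifest(build_manifest(disk), baseline_file)
        # Simulated changes made between the two scans.
        with open(os.path.join(disk, "sys/drivers/disk.sys"), "wb") as fh:
            fh.write(b"driver, patched")
        with open(os.path.join(disk, "sys/drivers/extra.sys"), "wb") as fh:
            fh.write(b"new file")
        os.remove(os.path.join(disk, "notes.txt"))
        # Step 2: rescan (from trusted boot media in practice) and compare.
        return compare(load_manifest(baseline_file), build_manifest(disk))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The second scan only means something when it runs from separate boot media with the installed system's disk mounted as data, since a scan run from inside the suspect system reads files through that same system.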

80 Jul 04, 2009 at 07:01 by Noob.

The easiest way to guarantee that you are not infected without having to know anything is.

- Make a backup of your pristine OS right after installation before you connect anywhere including the internet. Norton Ghost is great for this task.

- Have a LiveCD to boot from and to do recovery tasks like SystemRescueCD or backtrack, I do use SystemRescueCD though.

- Using your LiveCD backup all your data to a safe place and restore the HDD with your pristine backup and put back all your data in it and that is it, doesn’t get more easy than that.

Security doesn’t depend on just your hardware and software, it depends on good practices too.

81 Jul 04, 2009 at 15:03 by Dan

@3

So, how much are you paid per comment?

82 Jul 04, 2009 at 19:11 by jaws

I infect linuxfag machines all the time. Luckily for me most linuxfags sit in a little delusional bubble that they aint a target, meanwhile I steal their monies to buy coke and hos. Lol linuxfags, go back to being useless on the ubuntufag forums.

83 Jul 04, 2009 at 23:29 by svullo

never use torrentreactor but 2 words
noscript & host file

85 Jul 05, 2009 at 10:01 by katrizzle

@phishybongwaters

Thank you, a longer post let me almost “get to know you” betterish and I apologize for any harsh tone. Sometimes I’m just bitchy, and the Interblags bring that out in me. Sorry if I had a lack of respect.

But yeah, no matter what you’re running it’s pretty much mandatory to… well, know what you’re doing. Yeah. (Working on it!) Like, don’t let yourself ever use IE, don’t even think about connecting to the Interwebs on Windows without an AV prog already installed… av crap on flash drive… goodstuffs.

86 Jul 05, 2009 at 11:37 by TerribleTony

SQL Injection?! Idiots, it’s the first rule in the bloody book! Always use addslashes(), it’s that easy.

87 Jul 06, 2009 at 20:20 by Anonymous

No operating system is safe from root kits Morons.

and everyone pointing to ubuntu as a way to avoid them really needs a frickin clue, using precompiled source that does shit to your system you have no clue about is just asking for trouble. And before you say ‘oh but it’s all checked before sent to repositories’ just check the bug traq’s to see the number of exploits that get approved and sent into the repositories only to be discovered later on.

88 Jul 07, 2009 at 17:31 by anonymous

>>83
@3

So, how much are you paid per comment?

Just 50 cents :(

89 Jul 08, 2009 at 13:49 by Torrentzap

we @ Torrentzap.com suffered from a similar attack but managed to fix it within seconds ..

90 Jul 12, 2009 at 05:10 by fl_dolphin

there is only one program that would remove the rootkit. I had to use avenger.zip. Search Google, download, study, install and run it, and it worked fine for me.

91 Jul 14, 2009 at 03:34 by Hans Reiser

@24

With an exploit. Ever heard of root privilege escalation? Try a secure OS like OpenBSD. 2 remote exploits in over 13 years.

92 Jul 14, 2009 at 03:42 by Transgressor.

@88

You seem to misconstrue what exactly a rootkit is. It’s not an exploit as a result of some programming error, it’s a means of maintaining access to a system, preferably unintrusively and undetected. The rootkit itself doesn’t provide a means to compromise a system, a vulnerability does.

For that matter, operating systems like OpenBSD have their source so heavily scrutinised that remote exploits are very few and far between. Not only that, but the way the kernel is designed, it actively prevents processes that are not executed as root to run without some sort of privilege escalation. So, with programmes such as chkrootkit and rkhunter taking care of the current generations of rootkit signatures, most Linux/BSD users with a clue about their operating system shouldn’t have any trouble with rootkits.

Try reading a book before posting about topics you clearly know nothing about.
