Earlier today, the websites of BitTorrent Inc. (utorrent.com and bittorrent.com) were hacked.
In what would seem (but isn’t) to be a vindication of the many ‘studies’ equating P2P with malware, downloads of the torrent clients µTorrent and BitTorrent (aka mainline) were replaced with malware downloads.
Shortly after this had happened, BitTorrent Inc. took the servers offline, to both investigate and fix the issues.
“This morning at approximately 4:20 a.m. PT (11:20 UTC), the uTorrent.com and BitTorrent.com Web servers were compromised. Our standard software download was replaced with a type of fake antivirus ‘scareware’ program,” BitTorrent’s VP of Software Simon Morris told TorrentFreak.
“Just after 6:00 a.m. PT (13:00 UTC), we took the affected servers offline to neutralize the threat. Our servers are back online and functioning normally.”
“We have completed preliminary testing of the malware. Upon installation, a program called ‘Security Shield’ launches and pops up warnings that a virus has been detected. It then prompts a user for payment to remove the virus,” Morris said.
“We recommend anyone who downloaded software between 4:20 a.m. and 6:10 a.m. PT run a security scan of their computer. We take the security of our systems and the safety of our users very seriously. We sincerely apologize to any users who were affected.”
The malware was downloaded approximately 28,000 times, but the number would have been far higher if it hadn’t been dealt with so swiftly.
One of the reasons for the prompt response is the involvement of the community. Initial reports via IRC and Twitter enabled a speedy reaction, despite the early time.
In addition, the forums have been taken offline while their security is investigated. BitTorrent Inc. has told TorrentFreak that while forum usernames might have been accessible, the passwords are encrypted. µTorrent Remote servers are not affected at all, as they are completely separate.
UPDATE: it seems that downloads for the BitTorrent (‘mainline’) client may not have been affected after all. However we would still recommend anyone who has attempted to download the client today to run system scans, and we will update this article as more news becomes available.
UPDATE: File Removal Instructions
This particular piece of malware renames itself as a different .exe file every time it installs on a new machine, so the first step is to determine the file name. To do this, open the following folder on your Windows hard drive:
Windows XP: Click Start, click Run, and then type in “%USERPROFILE%\Local Settings\Application Data\” without the quotes. The file will be called [random].exe
Windows Vista and Windows 7: Click Start, in the search box type in “%localappdata%” without the quotes. The file will be called [random].exe.
Before deleting the file, make sure the application has been killed first:
– Open your Task Manager (Control-Alt-Delete), select the [random].exe (the name you found in the file directory). Click “End Process” and select “Yes.”
– Next: select the file name (or right-click on the name) and hit Delete.
– Empty your trash.
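The same steps as an added PowerShell script (not from the article or from BitTorrent Inc.): it lists any .exe created directly in the local application data folder within a chosen time window, reports whether that file is currently running, and kills and removes it only when `-Remove` is passed. It assumes PowerShell 3.0 or later, run from the affected user’s account, and falls back to the Windows XP path from the instructions above when LOCALAPPDATA is not set.

```powershell
# Added example: triage and removal of a randomly named .exe in the local
# application data folder. Adjust the window to the article's 4:20-6:10 a.m. PT
# download window in your local time; the default is the last 24 hours.
param(
    [datetime]$WindowStart = (Get-Date).AddHours(-24),
    [datetime]$WindowEnd   = (Get-Date),
    [switch]$Remove   # report only unless -Remove is given
)

# Windows XP has no LOCALAPPDATA variable; fall back to the XP path.
$dir = if ($env:LOCALAPPDATA) { $env:LOCALAPPDATA }
       else { Join-Path $env:USERPROFILE 'Local Settings\Application Data' }

# No recursion: legitimate programs live in subfolders, so a bare .exe
# sitting at the top level of this folder is the suspect.
$suspects = Get-ChildItem -Path $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $WindowStart -and $_.CreationTime -le $WindowEnd }

if (-not $suspects) {
    Write-Host "No .exe created directly in $dir between $WindowStart and $WindowEnd"
    return
}

foreach ($file in $suspects) {
    # Match running processes by full image path, not by name, so the
    # random file name does not matter.
    $running = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($_.Path -ieq $file.FullName) }

    $state = if ($running) { 'RUNNING pid ' + ($running.Id -join ',') } else { 'not running' }
    Write-Host ("{0}`t{1}`t{2}" -f $file.FullName, $file.CreationTime, $state)

    if ($Remove) {
        # Kill first, then delete: Windows will not delete an image file
        # that is still mapped by a live process.
        $running | ForEach-Object { Stop-Process -Id $_.Id -Force }
        Remove-Item -LiteralPath $file.FullName -Force
        Write-Host "Removed $($file.FullName)"
    }
}
```

Run it once without `-Remove` to review the list, since any .exe you placed in that folder yourself during the window will be reported too.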