Anti-malware software MalwareBytes has proven somewhat of a hit with pirates lately following a rather generous offer.
Rather than punishing people who use unlicensed versions of their software, MalwareBytes’ creators ran an amnesty program through which people could receive a premium product for zero cost.
It’s likely that many of those now using a free key will have accessed their previously unlicensed version from a torrent site. However, a feature present in the premium edition means that at least two of the world’s most popular venues are now completely off-limits to users of the software.
As can be seen from the screenshots below, visitors to Isohunt.to and LimeTorrents.cc – two of the world’s largest torrent sites – are currently rendered inaccessible by MalwareBytes’ “Malicious Website Protection” module.
Puzzled at why the software should take this approach but noting the similarity between the IP addresses used by both sites, TorrentFreak approached MalwareBytes for comment.
“We’re blocking the IPs (amongst others) because there’s a plethora of IPs on the [same network] housing a ton of malvertising and fraud sites,” Malware Intelligence Analyst Steven Burn told TF.
“The ASN involved is thus far unresponsive and has been since March,” he added.
So, while neither Isohunt.to nor LimeTorrents are considered harmful by MalwareBytes, the company has chosen to block their IP addresses due to their proximity to others that are allegedly behaving maliciously.
These two sites are not the only ones affected either. Torrentdownloads.cc, Megafilmeshd.net, ebooks-gratuit.com plus a range of other sites hosted in Ukraine are all blocked by MalwareBytes’ Web Protection module.
While it’s easy to regain access to any blocked site by selecting the appropriate button in the corresponding MalwareBytes popup box, many users are likely to consider blocked sites as dangerous, despite them essentially being victims of someone else’s wrongdoing.
Speaking with TF, Isohunt.to said that the blocked host in question actually provides a good service.
“These guys webcare360.com provide great hosting that is bulletproofed against different kinds of abuse. So a lot of websites around the world use their service,” the site explains.
“Looks like MalwareBytes simply blocked all IP addresses that belong to this hosting provider.”
Another issue that raised its head during our tests is the seemingly random IP addresses MalwareBytes blocks while connecting to certain torrent swarms. On numerous occasions the software flags IP addresses as malicious and denies connections to them. Intrigued, we asked MalwareBytes for an explanation.
“Our main goal is to protect our users from malicious hosts that could either be servers participating in drive-by downloads or even home computers spewing spam,” Jérôme Segura, senior security researcher at MalwareBytes, told TF.
“So the block of only certain IPs within that pool is simply that. We are blocking the ones that we have identified for malicious activity, which also happen to be torrenting.”
The blocking of these IP addresses raises an interesting dilemma. Due to their connections to suspicious activity elsewhere, MalwareBytes considers them malicious and excludes them. However, it’s worth noting that despite their potential bad deeds elsewhere, peers in a torrent swarm go through a kind of vetting process based on the hashes of the content they’re carrying.
Put simply, while they possibly cause mischief elsewhere, these peers can’t do any real harm to the swarm. Blocking them won’t cause any really serious problems either (unless they’re the only seeder) but since they don’t need to be blocked we asked MalwareBytes about their policy.
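The vetting described above is the per-piece hash check that every BitTorrent client performs: the .torrent file carries a SHA-1 digest for each piece, and a block received from a peer is only kept if it hashes to the expected value. The following Python is an added illustration written for this article, not code from MalwareBytes or from any torrent client; the content, piece size and peer names are constructed for the example, and the honest and tampering peers are hypothetical.

```python
import hashlib

# Constructed example content; a real torrent would use pieces of 16 KiB or more.
ORIGINAL = b"The quick brown fox jumps over the lazy dog"
PIECE_LENGTH = 16  # tiny piece size so the example stays readable


def piece_hashes(content: bytes, piece_length: int = PIECE_LENGTH) -> list[bytes]:
    """Compute the per-piece SHA-1 digests that a .torrent's 'pieces' field carries.

    The final piece is allowed to be shorter than piece_length, exactly as in BitTorrent.
    """
    return [
        hashlib.sha1(content[i:i + piece_length]).digest()
        for i in range(0, len(content), piece_length)
    ]


def verify_piece(index: int, data: bytes, expected: list[bytes]) -> bool:
    """Return True only if the received bytes hash to the digest the torrent promised."""
    return hashlib.sha1(data).digest() == expected[index]


def assemble(offers, expected: list[bytes]):
    """Accept pieces from peers, discarding any that fail the hash check.

    offers: iterable of (peer_name, piece_index, piece_bytes).
    Returns (assembled_content_or_None, list_of_rejected_(peer, index)).
    """
    have: dict[int, bytes] = {}
    rejected: list[tuple[str, int]] = []
    for peer, index, data in offers:
        if index in have:
            continue  # already have a verified copy of this piece
        if verify_piece(index, data, expected):
            have[index] = data
        else:
            # A peer that sends bad data cannot corrupt the download; its piece is dropped
            # and a client would typically stop requesting from that peer.
            rejected.append((peer, index))
    if len(have) != len(expected):
        return None, rejected
    return b"".join(have[i] for i in range(len(expected))), rejected


# The torrent metadata: what an honest .torrent file would carry for ORIGINAL.
TORRENT_PIECES = piece_hashes(ORIGINAL)


def demo():
    """Three hypothetical peers: two honest, one sending a tampered piece 1."""
    honest = [ORIGINAL[i:i + PIECE_LENGTH] for i in range(0, len(ORIGINAL), PIECE_LENGTH)]
    tampered = bytearray(honest[1])
    tampered[0] ^= 0xFF  # flip bits in the first byte of piece 1
    offers = [
        ("peer-a", 0, honest[0]),
        ("peer-b", 1, bytes(tampered)),  # fails verification, is rejected
        ("peer-a", 2, honest[2]),
        ("peer-c", 1, honest[1]),        # a good copy of piece 1 fills the gap
    ]
    return assemble(offers, TORRENT_PIECES)


if __name__ == "__main__":
    content, rejected = demo()
    print("download complete:", content == ORIGINAL)
    print("rejected pieces:", rejected)
```

The point for the article's question is the second return value: the swarm keeps working with a misbehaving peer present because its data is checked, not trusted, and the only real cost of dropping such a peer is losing one possible source for the piece.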
“You bring up a very valid comment and something that many people might wonder about. I will pass this information along to see how we can manage this in a better way,” Jérôme Segura notes.
In conclusion, both scenarios (site and peer blocking) are caused by the blocking of IP addresses either directly or loosely connected to malicious activity elsewhere. MalwareBytes users will have to use their discretion when deciding whether to block or allow those connections in future.