In fact, many of these buttons link to advertisements of some sort, ranging from relatively harmless download managers to dubious services that ask for one’s credit card details.

A new report backed by the UK entertainment industry has looked into the prevalence of these threats. The study, carried out by the anti-piracy analysts of Intelligent Content Protection (Incopro), found that only 1 of the 30 most-visited pirate sites didn’t link to unwanted software or credit card scams.

According to a press release released this morning, the research found that of the 30 top pirate sites, “90% contained malware and other ‘Potentially Unwanted Programmes’ designed to deceive or defraud unwitting viewers.”

The “Potentially Unwanted Programmes” category is rather broad, and includes popups and ads that link to download managers. In addition, the report links one-third of the sites to credit card fraud.

“The rogue sites are also rife with credit card scams, with over two-thirds (67%) of the 30 sites containing credit card fraud,” the press release states.

While it’s true that many pirate sites link to malware and other dubious products, the sites themselves don’t host any of the material. For example, none of the top pirate sites TorrentFreak tested were flagged by Google’s Safebrowsing tool.

This nuance is left out of the official announcement, but the executive summary of the report does make this distinction.

“We did not encounter the automatic injection of any malicious program on the sites that we scanned. In all instances, the user must be tricked into opening a downloaded executable file or in the case of credit card fraud, the user needs to actively enter credit card details,” Incopro writes.

Most of the malware and “potentially” unwanted software ends up on users’ computers after they click on the wrong “download” button and then install the presented software. In many cases these are installers that may contain relatively harmless adware. However, the researchers also found links to rootkits and ransomware.

The allegation of “credit card fraud” also requires some clarification. Incopro told TorrentFreak that most of these cases involve links to services where users have to pay for access.

“There were 17 separate credit card schemes that were detected through our scanning, with many appearing to be similar or possibly related. Five of the sites had instances of two credit card fraud/scam sites, with the remaining 15 containing one credit card fraud/scam site,” Incopro told us.

“An example is someone visits one of the pirate sites and clicks a ‘Download’ or ‘Play now’ button, which is actually an advert appearing on the page, which then asks for payment details to access the content.”

This is characterized as “fraud” because these “premium” streaming or download services can result in recurring credit card charges of up to $50 per month, without an option to cancel.

The report, which isn’t available to the public, was commissioned by the UK film service FindAnyFilm and backed by several industry groups. Commenting on the findings, FACT’s Kieron Sharp noted that those who fall for these scams are inadvertently funding organized crime.

“Not only are you putting your personal security at risk, by using pirate websites you could be helping fund the organised criminal gangs who run these sites as a front for other cyber scams,” Sharp says.

It is clear that the research is used for scaremongering. Regular users of these sites know all too well what buttons not to click, so they are not affected by any of the threats.

However, there’s no denying that some pirate sites deliberately place these “ads” to confuse novice and unsuspecting visitors. Those visitors may indeed end up with adware, malware or run into scam services.

This isn’t in any way a new phenomenon though, it has been going on for more than a decade already. Ironically, the same anti-piracy groups who now warn of these threats are making them worse by cutting pirate sites off from legitimate advertisers.

—

Photo: Michael Theis

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

The company, whose products are installed on millions of devices around the world, added a new feature to its anti-virus suite which can block copyright-infringing content.

The new feature, which is included in the latest release of Dr.Web 9.0, is the first of its kind. Unlike other blocklists Dr. Web’s database of pirate URLs is built based on reports from copyright holders.

Rightsholders can submit “takedown” notices to the antivirus vendor, who will then block access to the URLs if the copyright claim holds up. TorrentFreak talked to Dr. Web CEO Boris Sharov who sees the new feature as a natural extension of anti-virus products.

“Antivirus products have a built-in web-filtering system, therefore it’s no problem to block URLs. In the parental control module many malicious URLs have already been blocked for years,” Sharov tells TF.

According to the CEO, the purpose of the new feature is to not only prevent piracy, but also to minimize security risks for users.

“Copyright protection is not just about blocking some URLs. In fact, the new feature is completely in the line of our main functionality – we warn users about possible fraud when they access a copyright-infringing site.”

The company explains that the public is sometimes unable to distinguish infringing files from legal ones, which can lead to all sorts of problems.

“It is both anti-phishing and anti-malware protection – we let people know that someone is going to fool them,” Sharov tells us.

Several copyright holders have submitted takedown requests to Dr. Web recently, and more are expected to follow in the near future. However, the anti-virus company says that it isn’t necessarily out to block all pirated content.

“We have just launched the service and there are some copyright holders who have already asked us to include URLs that are infringing on their copyrights,” Sharov says.

“It’s not our goal to include as many URLs in the database as possible. We just want copyright holders to know that there is a service for them in Dr.Web products,” he adds.

Dr. Web stresses that it will only add URLs to the database upon request from copyright holders. The company won’t use algorithms to detect and block infringing content, such as McAfee recently suggested.

Copyright holders who are interested in the feature can file requests on Dr. Web’s Brand Protection page. Users of the software who prefer an unfiltered web have the option to disable the feature at their own risk.

Whether other anti-virus vendors will follow Dr. Web’s example has yet to be seen.

_{Photo: Dan Zen}

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Anyone familiar with Internet piracy in the 90s will be aware of the perils of crack sites. They weren’t selling the potent cocaine derivative of course, but a promise that the download of a small program would unleash the full potential of a previously restricted software package.

The lure of free software dangled by these sites proved too great for millions of Internet users. They naively entered crack portals but often didn’t make it out unscathed after being tricked into installing viruses, keyloggers and other malware on their machines.

The bad news is that 20 years on and delivery mechanisms aside, not a lot has changed.

“Cybercriminals consistently take advantage of consumer interest around award shows, new movies and TV shows as well as the latest cultural trends driven by celebrities,” McAfee reveals in its latest annual malware study.

“These criminals capitalize on the public’s fascination with celebrity to lure them to sites laden with malware that enables them to steal passwords and personal information. This year, searching for a celebrity name coupled with the search terms ‘free app download’ and ‘nude pictures’ resulted in the highest instances of malware-laden sites.”

McAfee offers some tips to stay safe, some which are particularly useful for novice torrent users faced with downloads that claim to need other software installed in order to play.

“Beware of content that prompts you to download anything before providing you the content,” the security company warns. “Don’t download videos from suspect sites. This should be common sense, but it bears repeating: don’t download anything from a website you don’t trust — especially video. Most news clips you’d want to see can easily be found on official video sites, and don’t require you to download anything.”

The McAfee report can be downloaded here.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Enter the multi-million dollar business of P2P-scammers.

For more than a decade all sorts of shady companies have been ripping off novice file-sharers by tricking them into downloading scam products. Their sites appear to offer downloads for software such as uTorrent, Vuze, LimeWire and FrostWire, but the free clients come with a twist.

In some cases people have to pay for the download ‘service’ while others simply install a malware-infested program on users’ computers. There are even scam outfits that do both.

Talking to TorrentFreak, FrostWire‘s Angel Leon explains that because of these scams they get loads of refund requests every day, hurting the company’s reputation. The scammers on the other hand make huge profits.

“The big harm done here is to our trademark,” Leon says.

“They blatantly use our logo and our name, they’ve also managed to game Google big time with a shitload of content farm websites to the point that they’re placed 2nd in Google’s search results, so they must be making a killer.”

The pictures on the right are just a few examples of the thousands of scam sites on the Internet. All of them rip-off novice consumers by letting them download rogue versions of FrostWire.

“The damages we feel are basically our users being victims of these people and threatening us for something we haven’t done,” Leon told us.

“Then there’s all the work we do to promote our brand as the way to use P2P for legal purposes gone to hell, because of the way the scammers encourage copyright infringement,” he adds.

Unfortunately, there is not much file-sharing companies can do about these scams. FrostWire actually went as far as hiring a company that’s specialized in sending takedown requests, but without results. And even if one scam domain is shut down, another will replace it the day after.

Scammers know how to route around censorship.

According to Leon, Google isn’t very helpful either. While the legit version of FrostWire is not allowed to advertise on Google’s Adwords, the scammers are slipping through by the dozens.

“It’s very interesting to notice that somehow they manage to go past the Google AdWords guidelines and they spend a lot of money on advertising everyday on the “frostwire” related keywords,” Leon told TorrentFreak.

“On the other hand, if we try to advertise FrostWire as a file sending application, we get a boot from Google saying that we are P2P software.”

FrostWire and other file-sharing companies hope that enough people ask for a refund from the credit card companies so the scammers have a hard time accepting money. Other than that there’s not much they can do. Or is there?

Reading the above shows that the problems FrostWire and others face are similar to those described in the pro-SOPA talking points of the entertainment industries.

There is one major difference though. Unlike Hollywood, file-sharing companies such as FrostWire fully realize that such a broad censorship law would do more harm than good. Also, P2P scammers actually cause millions of dollars in damages to the public.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

In what would seem (but isn’t) to be a vindication of the many ‘studies‘ equating P2P with malware, downloads of the torrent clients µTorrent and BitTorrent (aka mainline) were replaced with malware downloads.

Shortly after this had happened, BitTorrent Inc. took the servers offline, to both investigate and fix the issues.

“This morning at approximately 4:20 a.m. PT (11:20 UTC), the uTorrent.com and BitTorrent.com Web servers were compromised. Our standard software download was replaced with a type of fake antivirus “scareware” program,” BitTorrent’s VP of Software Simon Morris told TorrentFreak

“Just after 6:00 a.m. PT (13:00 UTC), we took the affected servers offline to neutralize the threat. Our servers are back online and functioning normally.”

“We have completed preliminary testing of the malware. Upon installation, a program called ‘Security Shield” launches and pops up warnings that a virus has been detected. It then prompts a user for payment to remove the virus,” Morris said.

“We recommend anyone who downloaded software between 4:20 a.m. and 6:10 a.m. PT run a security scan of their computer. We take the security of our systems and the safety of our users very seriously. We sincerely apologize to any users who were affected.”

The malware was downloaded approximately 28,000 times, but would have been many more it hadn’t been swiftly dealt with.

One of the reasons for the prompt response is the involvement of the community. Initial reports via IRC and Twitter enabled a speedy reaction, despite the early time.

In addition, the forums have been taken offline while their security is investigated. BitTorrent inc. has told TorrentFreak that while forum usernames might have been accessible, the passwords are encrypted. µTorrent Remote servers are not affected at all, as they are completely separate.

UPDATE: it seems that downloads for the BitTorrent (‘mainline’) client may not have been affected after all. However we would still recommend anyone who has attempted to download the client today to run system scans, and we will update this article as more news becomes available.

UPDATE: File Removal Instructions

This particular piece of malware renames itself as a different .exe file every time it installs on a new machine. Therefore, first you need to determine the file name. To do this, visit the following File Directory on your Windows hard drive:

Windows XP: Click Start, click Run, and then type in “%USERPROFILE%\Local Settings\Application Data\” without the quotes. The file will be called [random].exe
Windows Vista and Windows 7: Click Start, in the search box type in “%localappdata%” without the quotes. The file will be called [random].exe.

To delete the file, first you need to make sure to kill the application first:
– Open your Task Manager (Control-Alt-Delete), select the [random].exe (the name you found in the file directory). Click “End Process” and select “Yes.”

- Next: select the file name (or right-click on the name) and hit Delete.

- Empty your trash.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

A Google search on the same pages returns, “This site may harm your computer.”

So what exactly is the problem? TorrentFreak spoke with Peter Sunde (brokep) who told us that right now they don’t have a clear idea of what is causing the problem although they are working hard on fixing it. Current thinking by some says that the problems are being caused by malicious ads from third parties which are embedded in the site.

Google has made its own analysis and is reporting that the /user sections of the TPB site were listed once for suspicious activity, yesterday 14th March 2009. Of 699 pages tested, it found that 2 pages resulted in malicious software being downloaded and installed without user consent. Google goes on to say that the malicious software includes 68 scripting exploits although they report that a successful infection resulted in zero new processes on the target machine.

The malicious software in question is said to be hosted on 3 domains; savelocity.com, seekerfeed.com, and xoads.com, with another 6 reported as distribution intermediaries including parkneed.com, yieldmanager.com and zxxds.net.

This type of problem is nothing new on torrent sites. Last year we reported how Google and Firefox blocked Empornium, the world’s largest porn tracker, when they suffered similar problems at the hands of outsiders. Just yesterday, the h33t.com torrent site suffered a similar problem, but that now appears to be fixed after we tipped off the staff there.

We will add to this post during the day to include the latest updates.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

One of the main drawbacks of using P2P software such as Limewire, is that the content on the network (Gnutella) is unmoderated – anyone is free to put up whatever they like, be it music, movies or TV shows. Of course, others use this lack of moderation as a green light to upload viruses, spyware and other malicious software. Equally, one of the great strengths of BitTorrent (at least from a harm-reduction point of view), is that .torrent files are uploaded to torrent sites where staff work hard to filter out as much of the malicious software as they can, making BitTorrent relatively malware-free.

Of course, this great system falls apart if you can’t trust the people running the site. People expect anti-pirates like MiiVi to be ‘the enemy within’, but who needs those when you have ‘friends’ like the guys at new torrent site, TrafficLoader.com.

TrafficLoader.com (and its forum, pdls.info) hasn’t been setup for the benefit of BitTorrent users, it will be used by spammers, scammers and virus peddlers to spread their malicious software among the community (and make money off it). One of the admins called ‘Satty’ says that no registration is needed to upload torrents to the site and none will ever be removed. The site does have a notice – ‘Viruses, spyware, affiliate links and everything related is strictly prohibited’ but don’t believe it – Satty says these rules don’t apply to his friends in the PPI (Pay Per Install) community.

A few days ago the site was pretty bare with relatively few torrents and it was clear that most of them contained malware. It was suggested to Satty that it might be a good idea to have some genuine torrents too, to help disguise the bad torrents. Now things are starting to ‘improve’ on the site with many more torrents added recently which don’t immediately appear to be malware.

In the last few days, TrafficLoader cosmetically ‘cleaned up’ the site to remove porn adverts in order to appear more genuine but unfortunately, someone as well as TorrentFreak noticed that they made a big mistake:

“Why would you [Satty, admin] put a forum for ppi on a publicly scraped site, a.k.a here?? Do you just want ppl to find out shit is full of malware?”

Just in case they did want people to find out, hopefully this post will help them get the word out.

For those that want advice on how to avoid bad torrents in the future, try one of our guides.

Update: The site was taken offline a few hours after this article was posted, that’s our good deed for the weekend.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

However, in a testament to its structure and security, BitTorrent is almost immune from these type of attacks and that is why you never hear the RIAA and IFPI talk about viruses and BitTorrent in the same announcement. In terms of sharing files and avoiding malware, BitTorrent does really well.

This recent malware attack revolved around people downloading files which were renamed to look like music and movies, but instead engineer a situation where lots of other stuff gets installed on the host PC, causing all sorts of problems. While viewing some of the filenames listed by McAfee, I had to remind myself that I was a novice once too – but it was still a stretch for me to believe so many people would download files that look like these:

preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-peanut butter jelly amende.mp3

The good news is that the chances of these type of files appearing on BitTorrent are very low as trackers have moderators who remove such junk, something which is largely impossible on Gnutella (LimeWire) and eMule (ed2k). As long as the ‘infected’ users keep this stuff in their shared folder, there is little that can be done to stop it spreading. If they don’t clean this stuff out, no-one will, and it’s in this department BitTorrent comes out tops – again.

First of all, BitTorrent isn’t a ‘folder sharing’ client like LimeWire or KaZaA, which means that the user needs to use a torrent site to distribute (publish) his torrent. If the content is legitimate (and there are very few rules in most places, save obviously illegal material) the .torrent file will be up for all to download, with links to malware and viruses mostly filtered out by humans – otherwise known as ‘mods’ or ‘moderators’.

BitTorrent has thousands of hard working and largely unpaid moderators, who work tirelessly to make sure that files like these don’t make it to the BitTorrent user’s computer. In reality, files presented like the ones above could never slip by the site mods, they would see them a mile away and remove them quickly.

BitTorrent isn’t 100% malware free but compared to Gnutella and ed2k, it is astonishingly healthy and that is largely down to the strength of the system and the mods, who work non-stop behind the scenes to keep BitTorrent an enjoyable experience.

For the few small things that slip through the net, try our guides.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

All of the malware we’ve reported on comes from the same 2 servers found at 69.72.144.122 and 207.44.244.86 and this new kid on the block is no different.

DomPlayer is the latest malware to get on BitTorrent user’s nerves. In the last article on this issue we already discovered that the DomPlayer domain was sitting dormant but we didn’t know what it would become. It’s live now and here’s the deal:

Someone downloads a TV show (very often an aXXo fake) via BitTorrent. When the file is played, a message appears:

This video can only be played in DomPlayer, Visit Download.Domplayer.Com

On arrival, the user is greeted with a nice shiny site to distract them from the fact this is an elaborate trick based on DRM’ing previously-free media and forcing users to take steps to unlock it.

This is where DomPlayer differs from the other malware media players we’ve report on. The site claims: “DomPlayer is 100% clean, no bundled software!” At this stage, it doesn’t appear to install any intrusive adware etc on the host PC – there is a different trick up this 945K installer’s sleeve.

When it’s run, it’s believed the software locates the user, directs him to a telephone hotline appropriate to his country and instructs him to call it via cellphone. The call leads to the ‘activation’ of the DomPlayer software but ends up costing the user money.

If the user is in a country ‘unsupported’ by DomPlayer’s payment system, he will be directed to the 3WPlayer site where he can install 3WPlayer and a load of malware onto his PC, completely free of charge.

Although fake aXXo releases are known to be a frequent target of this scam, other media is also affected so many file-sharers find it prudent to check the comments on the site before they download a torrent.

UPDATE: Reports suggest that software is now available to play 3WPlayer (and possibly DomPlayer) files without getting either player. This software is untested by TorrentFreak.

UPDATE 2: Software to crack 3WPlayer, WinZix can also be found here. Click here for the .torrent.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

However, there are companies out there who give you ‘free’ software (like a torrent client) but at the same time install some of that extra stuff you don’t want too. We have regularly reported on BitTorrent clients which also install this malware such as Torrent101, BitRoll, TorrentQ and GetTorrent. These are just a handful of bad clients currently available online.

It didn’t take much research to discover that a Swedish company called Wakenet is behind the enterprise, a company that made news on lots of spyware sites due to its Anti-Leech plugin.

Wakenet has a new domain called uvTorrent.com (currently diverting to their Cash4Downloads site) – no prizes for guessing the planned confusion with novices and the official ‘uTorrent’ client. They also have a new (fake) ‘compression’ utility called Winzix, obviously named to be confused with Winzip. Unfortunate downloaders will download something from BitTorrent, only to learn that it needs to ‘decompressed’ with Winzix in order to work. Installing Winzix again results in malware getting onto the host PC.

Our investigations revealed two major servers carrying the malware-ridden clients, media players, compression utilities and other sites supporting the enterprise:

IP: 69.72.144.122

1. netpumper.com (there’s even a link to this from Wakenet’s homepage)
2. bitgrabber.com
3. bitroll.com
4. c4dl.com
5. cash4downloads.com
6. download.play3w.com
7. get-torrent.com
8. playon.play3w.com
9. winzix.com (additional information from Symantec)
10. bitdownload.org
11. divoplayer.com
12. plugindl.com
13. torrent101.com
14. torrentq.com
15. torrentsoftware.org

IP: 207.44.244.86

1. bitroll.com
2. c4dl.com
3. cash4downloads.com (Click here for removal instructions)
4. download.netpumper.com
5. Uvtorrent.com
6. playon.play3w.com
7. wakenet.se (WakeNet’s own homepage is on the same server)
8. bitsofporn.com
9. domplayer.com
10. gamingtorrent.com
11. kitplayer.com
12. torrentmusic.org
13. torrentgamers.com
14. Torrentspeeder.com (different server currently)

We suggest that everyone stays well away from every site on the above lists. Use uTorrent or Azureus to download and if you ever download anything that requires anything other than a standard media player or WinRAR in order to play, be a little suspicious. Checking the comments to the torrent you plan to download is always a good idea.

For the little more adventurous reader, it’s possible to use the Windows HOSTS file to block the activity caused not only by the malware listed above but also that from hundreds of other sources. We recommend the excellent guide from MVPS, “Blocking Unwanted Parasites with a Hosts File”

UPDATE: Reports suggest that software is now available to play 3WPlayer (and possibly DomPlayer) files without getting either player. This software is untested by TorrentFreak.

UPDATE 2: Software to crack 3WPlayer, WinZix can also be found here. Click here for the .torrent.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.