Torrents Uploaded Today Thousands of Seeds Small File Size
Today, it's very easy to share any kind of content through simplified file-sharing services, which also makes it easy to obtain copyrighted material and pirated copies of popular applications. Peer-to-peer networks such as BitTorrent leverage a decentralized structure to let users start sharing files with millions of peers worldwide. Peer-to-peer technologies like eDonkey, BitTorrent and Gnutella allow anyone to connect to those networks and download any kind of media, as easily as clicking a download button.
The use of file-sharing services has grown exponentially over the years, and the risks to users have increased just as dramatically.
Torrent
BitTorrent is a protocol for distributing files. It identifies content by URL and is designed to integrate seamlessly with the Web. Its advantage over plain HTTP is that it allows multiple simultaneous downloads of the same resource: the downloaders upload to each other, making it possible for the file source to support very large numbers of downloaders with only a modest increase in its load.
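What actually circulates on the network is a small metainfo (.torrent) file: a bencoded dictionary holding the tracker URL and an "info" dictionary with the display name, the file list and the SHA-1 of every piece. The SHA-1 of the raw "info" dictionary (the info hash) is the torrent's identity for trackers and the DHT, and it is also the hash you would look up on a service like VirusTotal. The following is an added example, not code from the original article: a minimal bencode decoder that summarizes a constructed metainfo file and computes its info hash. The tracker URL, file names and piece hash in the sample are constructed for the example.

```python
import hashlib


def bdecode(data: bytes, pos: int = 0):
    """Decode one bencoded value starting at data[pos]; return (value, end_pos)."""
    c = data[pos:pos + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                                   # list: l<item>...e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                   # dict: d<key><value>...e, keys are byte strings
        result, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            value, pos = bdecode(data, pos)
            result[key] = value
        return result, pos + 1
    if c.isdigit():                                 # byte string: <length>:<bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        return data[start:start + length], start + length
    raise ValueError(f"invalid bencode at offset {pos}")


def parse_torrent(data: bytes) -> dict:
    """Decode a metainfo file and compute its info hash.

    The info hash is SHA-1 over the raw bencoded bytes of the "info" dict, so it is
    taken from the original buffer while walking the top-level dict instead of
    re-encoding the decoded value."""
    if data[:1] != b"d":
        raise ValueError("metainfo must be a bencoded dict")
    meta, pos, info_hash = {}, 1, None
    while data[pos:pos + 1] != b"e":
        key, pos = bdecode(data, pos)
        start = pos
        value, pos = bdecode(data, pos)
        meta[key] = value
        if key == b"info":
            info_hash = hashlib.sha1(data[start:pos]).hexdigest()
    if info_hash is None:
        raise ValueError("metainfo has no info dict")
    return {"meta": meta, "info_hash": info_hash}


def summarize(data: bytes) -> dict:
    """Return what a user can know about a torrent before downloading it:
    the display name, the info hash and the file list with sizes."""
    parsed = parse_torrent(data)
    info = parsed["meta"][b"info"]
    if b"files" in info:                            # multi-file torrent
        files = [(b"/".join(f[b"path"]).decode(), f[b"length"]) for f in info[b"files"]]
    else:                                           # single-file torrent
        files = [(info[b"name"].decode(), info[b"length"])]
    return {
        "name": info[b"name"].decode(),
        "info_hash": parsed["info_hash"],
        "files": files,
        "total_size": sum(size for _, size in files),
        "pieces": len(info[b"pieces"]) // 20,       # one 20-byte SHA-1 per piece
    }


# Constructed metainfo for the example: a "movie" torrent that also ships an
# executable "Codec Pack", the pattern the article describes.
SAMPLE_TORRENT = (
    b"d"
    b"8:announce26:http://tracker.example/ann"
    b"4:info"
    b"d"
    b"5:files"
    b"l"
    b"d6:lengthi40e4:pathl9:movie.mkvee"
    b"d6:lengthi24e4:pathl10:Codec Pack9:setup.exeee"
    b"e"
    b"4:name21:Avengers.Endgame.2019"
    b"12:piece lengthi32768e"
    b"6:pieces20:0123456789abcdefghij"
    b"e"
    b"e"
)


if __name__ == "__main__":
    s = summarize(SAMPLE_TORRENT)
    print(s["name"], s["info_hash"])
    for path, size in s["files"]:
        print(f"  {size:>10}  {path}")
```

Two properties are worth noticing: changing the tracker URL leaves the info hash unchanged (it is outside the "info" dict), while changing the display name changes it, so the same malicious payload republished under a new movie title is a new torrent as far as the network is concerned. The file list, however, is always visible before downloading, and an .exe inside a movie torrent is the first thing to check for.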
Today, BitTorrent is the most common technology for sharing digital material in spite of the limits imposed by copyright regulations. Through BitTorrent it is possible to download every type of file: movies, TV shows, songs, software and games. Unfortunately, the freedom and ease of downloading desired content can pose serious risks for unaware users, who often get infected with malicious code hidden behind a torrent.
Before starting with the analysis of the content that users could download, let's introduce the top BitTorrent search engines. Anybody who wants to download media from the BitTorrent infrastructure has to search for the desired content using specialized search engines, the most popular being The Pirate Bay:
Figure 1: Example of a torrent search engine
The Pirate Bay is historically the most famous and important torrent search engine, due to its history and all the legal issues it has faced in the last decade. The site has been seized and reopened many times over the years due to legal disputes with private firms and the Swedish government. However, The Pirate Bay is still alive today.
Figure 2: Alexa ranking of The Pirate Bay
By analyzing the statistics reported by Alexa, it's easy to determine the volume of traffic associated with the website. The site has over 2.8 million visitors, with 2.7 million unique visitors. Each user visits 5.2 pages on average, indicating that a single person searches for about 5 torrents per day. Other popular torrent search engines are 1337x, Rarbg and LimeTorrents.
Torrent categories
As previously described, by using the BitTorrent network it's possible to download every type of media content. Nonetheless, there are many dangers for unskilled users, and it is quite easy to get into trouble. Downloaded material often includes malicious code that could deliver malware or allow crooks to carry out other harmful activities.
With the support of my team of researchers at the Yoroi/Cybaze ZLab, I'm going to show how easy it is to find a malicious file when unwise users search for the latest film, a copy of a popular video game or a copy of a piece of commercial software.
Games
The most popular game of the past year is Fortnite. It has not been officially released on the Android Market and today is still in beta release, available only for a few device models. Despite that limitation, many users search for this game on illegal channels in order to download it and play it on their smartphone.
Let's search for Fortnite on The Pirate Bay:
Figure 3: Fortnite search on The Pirate Bay
By clicking on the highlighted item, we get the following description:
Figure 4: Fortnite Android APK description
It presents itself as the beta version of Fortnite, but when we look up the hash of the downloaded file on VirusTotal, we get the following result:
Figure 5: VirusTotal result for the Fortnite beta APK
No doubt, it's a fake app spread via the torrent network that includes spyware. Reverse engineering the app, we noticed that it requests all permissions, including critical ones such as sending and receiving SMS, camera, Bluetooth, setting the wallpaper, managing calls, killing other applications and so on.
Figure 6: Android permissions requested by the fake app
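The permission list is the quickest triage signal for an APK like this one, and it can be read without decompiling any code. The following is an added example, not code from the original article or from the analyzed sample: it parses a decoded AndroidManifest.xml (as produced by apktool or a similar tool; the binary manifest inside the APK must be decoded first), flags permissions a game has no reason to request, and finds broadcast receivers registered for incoming SMS, which is how an app intercepts messages. The manifest below, its package name, class names and the high-risk list itself are this example's constructions, not Android-defined categories.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions a game has no legitimate reason to request. The selection and the
# labels are this example's own triage list, not an Android-defined category.
HIGH_RISK = {
    "android.permission.SEND_SMS": "send SMS (premium-rate fraud)",
    "android.permission.RECEIVE_SMS": "see incoming SMS (OTP theft)",
    "android.permission.READ_SMS": "read the SMS store",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.READ_CALL_LOG": "read the call log",
    "android.permission.CAMERA": "use the camera",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay phishing)",
    "android.permission.KILL_BACKGROUND_PROCESSES": "kill other applications",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start automatically at boot",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Triage a decoded AndroidManifest.xml: list every requested permission,
    flag the high-risk ones, and find receivers registered for incoming SMS."""
    root = ET.fromstring(manifest_xml)
    permissions = [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]
    flagged = {p: HIGH_RISK[p] for p in permissions if p in HIGH_RISK}

    # A receiver with an SMS_RECEIVED intent filter is how an app sees incoming
    # messages; a high priority lets it run before the stock messaging app.
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in intent_filter.iter("action")}
            if SMS_RECEIVED in actions:
                sms_receivers.append((receiver.get(ANDROID_NS + "name"),
                                      intent_filter.get(ANDROID_NS + "priority")))
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "flagged": flagged,
        "sms_receivers": sms_receivers,
        "verdict": "suspicious" if flagged or sms_receivers else "no obvious red flags",
    }


# Constructed manifest modelled on the behaviour described for the fake Fortnite
# APK; the package name and class names are invented for the example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fortnite.beta">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <application android:label="Fortnite Beta">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"], report["verdict"])
    for perm, why in report["flagged"].items():
        print(f"  {perm}: {why}")
    for name, priority in report["sms_receivers"]:
        print(f"  SMS receiver {name} (priority {priority})")
```

The manifest only tells you what the app may do, not what it does; the C2 routine and the SMS upload described next still need the decompiled code. But an SMS receiver in a game is enough on its own to stop installing and start analyzing.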
Digging further into the analysis, we decompiled the application and studied its source code. We discovered a routine used by the malware to establish the connection with its Command and Control:
Figure 7: Connection establishment with the C2
The malware is also able to intercept incoming messages, collect them and store them in its private repository, which is then sent to the server:
Figure 8: Sending the incoming messages
Films
How many times have you downloaded a film from the Web? Perhaps for some of you, the answer is "very often." In fact, it's easy to download films from the torrent network.
Let's search on Google for the torrents of two of the most anticipated films of 2019: "Avengers: Endgame" and "Joker."
Figure 9: Results for the Avengers movie
Figure 10: Results for the Joker movie
By clicking on the highlighted results, we are redirected to the following webpages where it is possible to download the torrent:
Figure 11: Torrent download page for "Avengers: Endgame"
Figure 12: Torrent download page for "Joker"
The two pages are quite similar. There is a short description of the film with a big, evident button to download the torrent file. After downloading the films, we are presented with a folder containing the movie and an executable described as the Codec Pack that enables viewing of the movie:
Figure 13: Result of downloading the movies
If we try to open the video without first installing the Codec Pack, an error is displayed informing us that the file is corrupted, so the user feels compelled to install the Codec Pack. In reality, it is a well-known bot linked to a botnet already analyzed by security researchers at ESET.
Figure 14: VirusTotal detection of the fake Codec Pack
Software
Another category of interest for common users is commercial software. Many users search for it in the hope of downloading a pirated copy. This is the easiest method for installing malware, because the user has to run a "patch" that replaces the paid license but also installs malware on the machine.
Nero
Nero is the most famous optical disc authoring program and a leader in its market. So we'll search for Nero on The Pirate Bay:
Figure 15: The Pirate Bay results for Nero
By clicking on the selected result, we get the description page of the torrent:
Figure 16: Description of Nero Burning ROM software
Figure 16 shows the description of the torrent. In the area reserved for the details of the software, there is a minimal guide to installing it. However, it is immediately visible that something is suspicious: the size of the file is quite small. After downloading the file, we have the following folder on the computer:
Figure 17: Nero software downloaded from TPB
The file size is about 15MB, which is not much for a complex program like Nero. In fact, the installation file of the software is normally hundreds of megabytes or even gigabytes. To settle any doubts about the untrustworthiness of the program, we executed it and were shown the following window:
Figure 18: Fake login screen for The Pirate Bay
It is very suspicious that a Nero installer asks for the credentials of a Pirate Bay account, pretending to be an anti-bot check. The reality is that it is a phishing program developed to steal user credentials. Indeed, uploading the file to the VirusTotal platform, we get the following results:
Figure 19: VirusTotal results for the Nero software downloaded from The Pirate Bay
VirusTotal also confirms that it is a form of Trojan malware. A real Nero installation asks for an installation path, an activation key and other legitimate information, not for the credentials of an illegal service.
Adobe Photoshop Lightroom
Another widely used program is Adobe Photoshop. Created in 1988, this software has become the de facto industry standard for image editing and post-processing. In fact, everyone who wants to share image-processing work uses the file formats defined by Adobe. For this reason, it is another attractive means to spread malware, so we decided to search for Photoshop on LimeTorrents:
Figure 20: Photoshop search results on LimeTorrents
We downloaded the third result. The small size led us to think that something malicious was hidden in the files. This is only an indicator used to rapidly identify malicious files; we cannot exclude the possibility that even bigger files could hide a tainted version of legitimate software.
Figure 21: Downloaded files from the torrent
The executable is again a classic Trojan, as reported by VirusTotal. The good news is that the majority of antimalware solutions listed in VirusTotal are able to detect the file as malicious software.
Figure 22: VirusTotal results for Adobe Photoshop
Malwarebytes Premium
Another popular piece of software downloaded by many users is, curiously, the popular antivirus software Malwarebytes. It has a free version that is available for download on the vendor's official site, but it is limited in some important functionalities such as real-time protection. However, we found a cracked version of Malwarebytes Premium online; it promises to implement all the functionalities included in the paid version. So we searched for it on LimeTorrents, obtaining a huge number of results:
Figure 23: Results for Malwarebytes on LimeTorrents
We chose the first one, corresponding to one of the latest Malwarebytes versions, which has an excellent Health score due to the high number of seeds. After downloading it, we are presented with a series of files, including the installation executable, some "README" text files and the key generator, which is supposed to generate a valid anti-malware license.
Figure 24: Downloaded files from the torrent
One of the files necessary to crack the software, "URET NFO v2.2.exe", immediately attracted our attention. We uploaded it to VirusTotal and discovered that it is detected as malicious adware by most antivirus solutions.
Figure 25: Adware detection rate
Adware is an annoying program designed to display advertisements on the victim's machine, modify and redirect search requests, hijack Web navigation to advertising websites and collect information about the victim's preferences, for example the types of visited websites and the queries submitted to the search engine. All this information is necessary to customize the advertisements and consequently to allow the adware to become more pervasive.
Analysis of a torrent threat
While we were analyzing the torrent network, we decided to dissect an interesting sample of malware related to a huge botnet spreading in the wild, dubbed Sathurbot. This malicious code was one of the numerous types of malware distributed through torrents, pretending to be a Codec Pack necessary to display the video just downloaded by the victims. An older version of it had already been analyzed by ESET researchers in 2017. The new variant shows some behavior different from the older one.
The primary purpose of the bot is to compromise as many machines as possible. In order to do this, it leverages vulnerable WordPress websites to spread online. When a site is compromised, the malware uploads a torrent file pointing to a copy of itself. Then it creates a new webpage whose title contains trending words (e.g., popular movie names such as "Avengers 2019 torrent") and that embeds the link to download the malicious torrent file.
Figure 26: Example of a compromised WordPress website
When the user clicks on the fake Codec Pack, the malware shows a fake window simulating a program installation. This terminates with an error message.
Figure 27: Error message box after the fake installation
The unaware user will think there is a problem with the setup and never suspect that something malicious has happened, while the malware proceeds with its operations in a stealthy way.
All the useful artifacts are extracted into the user's AppData\Local path (%LOCALAPPDATA%), creating a new directory named "Android." The name aims at appearing related to the popular mobile operating system, keeping itself under the radar.
Figure 28: Malware artifacts
The process "capdrv.exe" runs several processes in order to start the brute-forcing phase against a huge set of WordPress websites which is created at runtime. In fact, the malware combines different substrings found inside "gdh" and "gyk" to use as query strings on Google, Bing and Yandex. The results returned by the queries are parsed in order to extract the websites to hit. Using a large initial set of substrings to combine, this strategy allows it to obtain many targets.
Obviously, the bot must determine whether the target site is WordPress-based; this can be done using a simple HTTP GET request towards "/wp-login.php," the canonical WordPress login form path. When it finds a suitable target, it starts to brute-force some pages related to website login such as "xmlrpc.php" or "WPSecurity/load.php." It does this using POST requests which include credentials retrieved from a classic wordlist (among them: "admin," "root" and so on).
Figure 29: Example of brute-forcing requests
Below is a sample of a POST request used by the malware to attempt to log in to the website. Fortunately, the credentials are incorrect, so the response message contains the "incorrect username or password" string.
Figure 30: Example of an HTTP request and response
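From the point of view of a WordPress site owner, the behaviour just described leaves a recognizable trace in the web server's access log: one source address fetches /wp-login.php once (the "is this WordPress?" probe) and then fires a burst of POSTs at /xmlrpc.php or /wp-login.php. The following is an added detection example, not code from the article or from the Sathurbot analysis; it parses combined-format access-log lines and flags addresses that POST to a login endpoint too often in a short window. The log lines, the threshold and the window are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
PROBE_PATH = "/wp-login.php"                     # GET used to confirm the site runs WordPress
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")   # endpoints that accept credentials via POST


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore query strings
    return rec


def detect_bruteforce(lines, threshold=5, window_seconds=300):
    """Flag source IPs that POST to a login endpoint `threshold` or more times
    within `window_seconds`, and report whether the WordPress probe GET was seen."""
    posts = defaultdict(list)
    probed = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and rec["path"] == PROBE_PATH:
            probed.add(rec["ip"])
        elif rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            posts[rec["ip"]].append(rec["ts"])

    alerts = []
    for ip, times in posts.items():
        times.sort()
        # Sliding window: any run of `threshold` attempts inside the window is enough.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                alerts.append({
                    "ip": ip,
                    "attempts": len(times),
                    "probe_seen": ip in probed,
                    "first": times[0].isoformat(),
                    "last": times[-1].isoformat(),
                })
                break
    return alerts


# Constructed log: one address behaving like the bot, one ordinary admin login.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2019:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2019:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2019:10:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2019:10:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2019:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2873 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2019:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 2873 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2019:10:01:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2019:10:05:00 +0000] "GET /2019/11/hello-world/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2019:10:06:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2019:10:06:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two caveats for production use. The access log never shows the guessed credentials, only the request; and a single POST to xmlrpc.php can carry many login attempts via the XML-RPC system.multicall method, so the threshold should be set by request count rather than by the number of guesses you imagine behind it, and kept low for that endpoint.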
The malware persists on the victim's machine by creating a new value under the Windows Registry key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run", named "11f86284" in this sample; the name is randomly generated. The value's data is the malware's file system path. Using this trick, the malware is able to start itself at every machine reboot, because the "CurrentVersion\Run" registry key specifies programs to run each time the user logs on.
Figure 31: Registry key set by the malware to ensure persistence
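That persistence mechanism can be audited directly. The following is an added example, not from the article: it scores the entries of the HKCU Run key on the three traits the sample exhibits (a random-looking 8-hex-digit value name, an executable under AppData\Local, and a directory named after an unrelated product) and only reports an entry when more than one trait matches, because legitimate updaters such as OneDrive also autostart from AppData\Local. The registry is read only when the script runs on Windows; elsewhere it falls back to the constructed sample entries, whose paths and names are invented for the example.

```python
import re

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)
LOCAL_APPDATA_RE = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)
# Directory names chosen to blend in; extend from your own baseline of autostart
# entries on managed hosts. Only the one the article describes is listed here.
DECOY_DIRS = ("\\android\\",)


def extract_exe(command: str) -> str:
    """Return the executable path from a Run value: '"C:\\x y\\a.exe" /flag' or 'C:\\a.exe /flag'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def assess_run_entry(name: str, command: str) -> list:
    """Return the reasons an autostart entry looks like malware persistence (empty if none)."""
    reasons = []
    exe = extract_exe(command)
    if RANDOM_NAME_RE.match(name):
        reasons.append("value name looks machine-generated")
    if LOCAL_APPDATA_RE.search(exe):
        reasons.append("executable lives under AppData\\Local (user-writable, no installer needed)")
    if any(d in exe.lower() for d in DECOY_DIRS):
        reasons.append("directory named after an unrelated product")
    if not exe.lower().endswith(".exe"):
        reasons.append("autostart target is not an .exe")
    return reasons


def scan_entries(entries, min_reasons=2) -> list:
    """Score (name, command) pairs; one weak signal alone is not reported, since
    legitimate updaters (OneDrive, Teams) also autostart from AppData\\Local."""
    hits = []
    for name, command in entries:
        reasons = assess_run_entry(name, command)
        if len(reasons) >= min_reasons:
            hits.append({"name": name, "exe": extract_exe(command), "reasons": reasons})
    return hits


def read_hkcu_run() -> list:
    """Enumerate the values of HKCU\\...\\Run on a Windows host (needs the winreg module)."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:            # no more values
                break
            entries.append((name, str(value)))
            index += 1
    return entries


# Constructed entries: two ordinary autostarts and one shaped like the persistence
# the article describes (random 8-hex name, executable under AppData\Local\Android).
SAMPLE_ENTRIES = [
    ("OneDrive", '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
    ("11f86284", "C:\\Users\\alice\\AppData\\Local\\Android\\capdrv.exe"),
]

if __name__ == "__main__":
    import sys
    entries = read_hkcu_run() if sys.platform == "win32" else SAMPLE_ENTRIES
    for hit in scan_entries(entries):
        print(hit["name"], hit["exe"], "; ".join(hit["reasons"]))
```

The same scoring applies to the HKLM Run key and to RunOnce, which are worth enumerating in the same pass on a real host.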
The main purpose of Sathurbot (like any other botnet) is to extend its network, involving as many machines as possible and consequently increasing its attack power. When the network is big enough, it can be exploited to perform new malicious actions, such as a massive DDoS attack against a target specified by the botmaster.
At the time of writing, the Command and Control's URL is not known, because the bot directly starts with its brute-forcing behavior. Probably this information is embedded in the malware body in an encrypted form and will emerge only after a specific condition is satisfied, such as a time-based logic bomb.
How easy is it to spread a torrent into the network?
The huge number of threats in the torrent landscape is surely related to the ease of creating a torrent file containing malicious artifacts. To do this, it is not necessary to be a hacker or have advanced skills. Using μTorrent, the popular torrent client, the malicious file can be created in a few steps. We can simply click on "Create New Torrent" in the top menu, provide the file path to the malware executable and click on the "Create" button.
Figure 32: "Create New Torrent" window
Voilà, we have created a torrent file pretending to be related to the "Avengers" movie but actually containing malware. With more effort, we could use some tricks to obfuscate the malicious file in order to persuade the user to click on it and start the infection chain.
Figure 33: Deceiving the user into clicking
Obviously, after creating the malicious file, the next step is to spread the torrent on the Internet to infect as many machines as possible. Nothing could be easier: we register an account on one of the torrent sharing sites, such as The Pirate Bay, and upload our file. We name it using some trendy terms, e.g., "Avengers," as shown in the figure above.
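The "Create New Torrent" dialog is a thin GUI over a few lines of logic, which is why the barrier is so low. The following is an added example, not code from the article or from μTorrent: it builds a multi-file metainfo from constructed bytes exactly as a client would (SHA-1 per piece over the concatenated files, bencoded "info" dictionary, info hash), and shows the one check that stays available to the downloader, namely the file list. The display name, tracker URL and the dummy payload (a zero-filled "video" and a file that merely starts with the bytes "MZ", standing in for the fake Codec Pack) are constructed for the example; no real executable is involved.

```python
import hashlib

EXECUTABLE_EXTS = (".exe", ".scr", ".bat", ".cmd", ".msi", ".com", ".pif", ".js", ".vbs")


def bencode(value) -> bytes:
    """Bencode ints, byte/str strings, lists and dicts (dict keys sorted, as the spec requires)."""
    if isinstance(value, bool):
        raise TypeError("bool is not a bencode type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        items = sorted((k.encode("utf-8") if isinstance(k, str) else k, v) for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def build_torrent(display_name: str, files, announce: str, piece_length: int = 16384):
    """Build a multi-file metainfo the way a client's 'Create New Torrent' does.

    files: list of (path_components, content_bytes). Pieces are SHA-1 hashes over the
    files concatenated in order, so the torrent carries nothing but names, sizes and
    hashes: the display name can say "Avengers" while the payload is anything at all.
    Returns (metainfo_bytes, info_hash_hex)."""
    stream = b"".join(content for _, content in files)
    pieces = b"".join(
        hashlib.sha1(stream[i:i + piece_length]).digest()
        for i in range(0, len(stream), piece_length)
    )
    info = {
        "files": [{"length": len(content), "path": list(path)} for path, content in files],
        "name": display_name,
        "piece length": piece_length,
        "pieces": pieces,
    }
    metainfo = {"announce": announce, "created by": "example script", "info": info}
    return bencode(metainfo), hashlib.sha1(bencode(info)).hexdigest()


def suspicious_entries(files) -> list:
    """The check a downloader can apply to the file list of a 'movie' torrent:
    anything executable has no business being there."""
    return [
        "/".join(path) for path, _ in files
        if path[-1].lower().endswith(EXECUTABLE_EXTS)
    ]


# Constructed payload: a dummy "video" plus a dummy file that only looks like a PE
# header, standing in for the fake Codec Pack. Bytes of the right shape, no malware.
EXAMPLE_FILES = [
    (["Avengers.Endgame.2019.1080p.mkv"], b"\x00" * 18000),
    (["Codec Pack", "setup.exe"], b"MZ" + b"\x90" * 2000),
]


def build_example():
    return build_torrent("Avengers.Endgame.2019.1080p", EXAMPLE_FILES, "http://tracker.example/announce")


if __name__ == "__main__":
    metainfo, info_hash = build_example()
    print(f"{len(metainfo)} bytes of metainfo, info hash {info_hash}")
    print("executables in a movie torrent:", suspicious_entries(EXAMPLE_FILES))
```

Nothing in the metainfo proves anything about the payload: the trackers and the indexing sites see a name, sizes and hashes, which is why the file list and the hash lookup described earlier are the downloader's only pre-download checks.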
Conclusion
Fortunately, most torrent sites, such as RARBG, inspect the files uploaded to their platform and search for malicious artifacts and other security problems which could harm users. Unfortunately, this is not universal, and torrenting still carries a high level of risk.
Source: https://resources.infosecinstitute.com/topic/torrent-content-downloading-risks/