Spyware Floods in Through BitTorrent
solareagle writes "Public peer-to-peer networks have always been associated with adware program distributions, but BitTorrent, the program created by Bram Cohen to offer a new approach to sharing digital files, has managed to avoid the stigma. Not any more, anti-spyware advocates warn. According to Chris Boyd, a renowned security researcher who runs the VitalSecurity.org nonprofit resource center, the warm and fuzzy world of BitTorrent has been invaded by a massive software distribution campaign linked to New York-based adware purveyor Direct Revenue LLC."
Oh, the Irony! (Score:5, Funny)
On the other hand who could I complain to? Bittorrent? Adobe? Direct Revenue?
Yes, once again Slashdot comes to the rescue! Where else can I gripe about companies that try to exploit my illegal activities!
Re:Oh, the Irony! (Score:2, Insightful)
They SHOULD get into trouble... (Score:5, Interesting)
You bring up a real issue, not from an end-user standpoint, but from major corporations. Shouldn't these companies get into serious legal trouble? I can think of two ways right off the top of my head.
First, if they're sticking adware on an illegal file and uploading it, don't the same laws apply to them uploading the illegal file? Is the **AA suing these companies along with 12-year-old kids? After all, it's adware-infested, but it's still an illegal file, right?
Second, if they are modifying warez software, not only does the previous apply, but doesn't it fall under the protection of software that outlaws modifying binary code and distributing it without the publisher's consent? I mean think about it, this kind of thing not only supposedly denies companies revenue, but it can give them a serious black eye. What if people get the incorrect impression that an adware-infested version of a respectable piece of software is the real thing? All of a sudden, you have a really bad--and undeserved--reputation for distributing spyware on everyone's computers.
Re:They SHOULD get into trouble... (Score:4, Interesting)
Re:Oh, the Irony! (Score:3, Interesting)
On one hand, it really irritated me to discover that the app I downloaded (for testing purposes only!) would also install spyware.
It's not just apps - I downloaded a family guy episode, unrared it, and it was an executable. 170 megs of executable, so it was probably the spyware piggybacked onto the data that was the video, but still.
I mean, I know better, and I almost clicked it. Since the only thing I download anymore is video files, I'm used to them being clean, and I'm used to sites not posting cont
Re:Oh, the Irony! (Score:4, Informative)
YMMV
Re:Oh, the Irony! (Score:3, Interesting)
That way I can see a comment, and if there is a bad torrent [fake] usually it is commented.
I think that was one of the advantages of bittorrent over other p2p protocols no?
Re:Oh, the Coincidence! (Score:3, Insightful)
Re:Oh, the Irony! (Score:2, Informative)
If you are uncomfortable with DOS then use WindowsKey+E to open an explorer window.
Re:Oh, the Irony! (Score:5, Informative)
These spyware programs that use the Registry to spawn renamed multiple copies of the spyware programs are a nightmare to get rid of.
I had a client last night with the Backdoor.Agent.BA trojan which is incredibly hard to get rid of. There are plenty of varied instructions on the Net on how to detect it and find it, but the problem is deleting the DLL file. You can't delete it from the command line or from Windows - in Safe Mode or not (and of course if it's an NTFS system, DOS can't touch it - Linux with the Captive utility might be able to). Not only that, but the DLL does not EXIST in Safe Mode! It can ONLY be created and accessible during a normal boot - by which time you're screwed.
The only way to delete it is to get a program called KillBox which will prompt for the filename, set itself to run on reboot before Windows is fully loaded, and then reboot Windows, deleting the file before Windows can lock it down.
You also have to get into the Registry and delete a key which has an invisible value which is what causes it to recreate itself.
If I get my hands on the asshole who wrote this thing, he's gonna need medical life support for the rest of his life.
Re:Oh, the Irony! (Score:4, Insightful)
DOS can delete them if you feel like paying for the NTFS dos drivers which support both read and write. (read is free).
This kind of thing really strikes me as a virus and why don't more AV programs stop it?
However, if it is listed as a program Ad-Aware cannot remove, it will attempt to insert itself as the first program run to clean the system.
Yeah, it's a nightmare that I've dealt with, but why don't more AV companies recognize it as a virus rather than adware?
Re:Oh, the Irony! (Score:3, Informative)
Another option is to use a Knoppix disk and boot to Linux. There is an article at http://www.planetfez.net/engl223/archive/page2.ht
Deleting the file (Score:5, Informative)
A simple solution is to remove execute permissions on the file. I've run across malware that doesn't like you accessing the permissions dialog, so I typically use the command line CACLS.exe. Then I reboot, get a few errors since it is trying to execute a file that no account has permission to access. Now you can restore the delete permission and remove the file since it's not locked.
Re:Oh, the Irony! (Score:3, Informative)
Re:Oh, the Irony! (Score:3, Interesting)
Who designed this crap that allows such rubbish to exist in the first place?
Why would there ever be a need for invisible values in the registry?
Is this a joke?
Re:Oh, the Irony! (Score:3, Insightful)
Re:Oh, the Irony! (Score:3, Informative)
08048000-080b8000 r-xp 00000000 03:0a 171032
080b8000-080be000 rw-p 0006f000 03:0a 171032
What's different is that Windows has a "delete" function while Unix has an "unlink" function. In Unix, a file doesn't get truly deleted until all references to it are gone, including open f
Re:Oh, the Irony! (Score:3, Informative)
The difference is that the Unix file model is a lot more flexible than the model in DOS (now largely inherited by Windows).
In Windows, a "file" is a collection of bytes with one name.
In Unix, a "file" is a collection of bytes with zero or more names.
Simply put, unix uses reference-counting, the actual blocks on disk are only freed when the last reference is gone. Thus it's unproblematic to allow deletion of an open file -- the delet
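As an added example (not from the thread), this Python script shows the reference-counting behaviour the comment describes on a POSIX system: unlink removes the name at once, while the open descriptor keeps the data readable and writable until it is closed. The payload is constructed for the example.

```python
import os
import tempfile


def unlink_while_open(payload=b"constructed sample data\n"):
    """Create a file, keep a descriptor open, unlink the name, and report
    what still works. POSIX semantics only: Windows refuses to delete a
    file that another handle holds open, which is what the thread is about."""
    fd, path = tempfile.mkstemp()          # mkstemp hands back an O_RDWR descriptor
    result = {}
    try:
        os.write(fd, payload)
        result["links_before"] = os.fstat(fd).st_nlink      # one name points at the inode
        os.unlink(path)                                      # remove that name, nothing else
        result["name_exists_after"] = os.path.exists(path)   # the path is gone...
        result["links_after"] = os.fstat(fd).st_nlink        # ...but the inode has 0 names and is still open
        os.lseek(fd, 0, os.SEEK_SET)
        result["readable_after"] = os.read(fd, len(payload)) == payload
        os.write(fd, b"more")                                # writes keep succeeding too
        result["size_after_write"] = os.fstat(fd).st_size
    finally:
        os.close(fd)   # last reference dropped here; only now are the blocks freed
    return result


if __name__ == "__main__":
    for key, value in unlink_while_open().items():
        print(f"{key}: {value}")
```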
Re:Oh, the Irony! (Score:3, Informative)
Deleting files that are "in use" (Score:5, Informative)
This technique is a little shaky because those running programs that have handles to the DLL might be a little upset that the handle is suddenly closed, but just reboot after you complete the process if something breaks or crashes.
-fren
Re:Oh, the Irony! (Score:3, Informative)
One of many methods to remove files:
I had a bunch of remote boxes that I needed to get rid of those pesky "won't go away" trojans.
Fortunately the box had cygnus.
I just kicked off:
while [ 1 ]
do
    rm filename    # fails while the file is locked, succeeds the moment it isn't
done
Then I rebooted the box and the file was gone for good.
Re:Oh, the Irony! (Score:3, Insightful)
Doh (Score:2)
I wonder how NYC bigwigs managed to convince these companies to buy ad space... "Yes you will have very good coverage amongst 13-26 year olds... we have their attention, and HOW!"
Re:Doh (Score:2)
Re:Doh (Score:2)
No need for an army.
One or two (very busy) assassins ought to handle it - you just need to whack the few guys who own the spyware companies.
Of course, there will always be more, so it's job security.
The REAL answer of course is to use nanotech to wipe out the thousands of morons who actually click on spam ads...
Re:Doh (Score:3, Insightful)
Re:Doh (Score:3, Interesting)
Of course, how does that explain Coldplay selling 740,000 copies of their new album in the first week [latimes.com]. Who is buying these, all the damn 40 year olds? Wonder if my grandma's picked up her copy yet?
Maybe X&Y isn't out on the torrent sites yet.... nope, there it is. My favorite torrent search engine has at least 5 very active trackers. Strange, why would ANYONE purchase it, especially those evil 13-
Re:Doh (Score:3, Informative)
=Smidge=
Re:Doh (Score:3, Informative)
It can't, but that's not what's happening. People are used to downloading ZIP files, which are often self-extracting; so they double-click the file, which is executable, i.e. self-extracting. The custom extractor throws up an alert box that says extracting "suzie does donkies", with a checkbox "I agree to terms" and OK. Users never actually read the terms, which say something like "I agree to install software, give my first born son, etc."
And the day has come... (Score:2, Informative)
Re:And the day has come... (Score:2)
How long... (Score:5, Interesting)
The MPAA cartel have been more than public about their conspiracy to poison p2p networks.
Re:How long... (Score:2, Funny)
you mean less than secretive?
Re:How long... (Score:2, Interesting)
This is Dumb (Score:3, Informative)
-Jesse
Re:This is Dumb (Score:2)
Re:This is Dumb (Score:3, Insightful)
There is plenty of crap being seeded. Being able to tell crap from real, proper releases is not rocket science.
Re:This is Dumb (Score:2)
You really need to know what to look for to avoid this sort of thing.
Re:This is Dumb (Score:2)
You really need to know what to look for to avoid this sort of thing.
Actually, you really need to not use the internet to avoid this sort of thing.
A smart user can go for a long time without getting infected, but even the best users will pick up crap from time to time.
P2P, porn sites, warez sites, and silly AIM addons (great for the office chicks, not so much fun for the nice IT folk who allowed them to run AIM and then had to clean up the mess) are all great ways to pick up spy/ad/malware.
Re:This is Dumb (Score:4, Interesting)
Most of my clients are picking up spyware from going to SPORTS sites. I got a client whose kids keep checking out Nike shoes at sleazy commercial sites and going to sports sites. It's sleazy commercial sites that are using spyware and spam software to hawk their products and sell marketing info.
And why would a warez site install spyware? What's in it for them (unless they're big enough to make deals with sleazy marketing operations)? They're distributing FREE illegal stuff to begin with! Again, they KNOW what you're there for. Sure, some of them are probably crackers who are looking to spread viruses and the like, but a lot of people using warez will spot that in a hurry and spread the word and then they're out of business (on that site at least.)
Even this BitTorrent thing - it's not the "legitimate" sharers doing this - it's COMPANIES seeding the torrents with crap. It's the companies that need to be targeted and shut down, regardless of their legal excuses.
Ultimately I think that since the law can't work - because it's mostly unenforceable - it will have to be hackers who start finding and (illegally) targeting these companies for DoS attacks and the like that will have to solve this.
And of course, better tools and better user education is needed to stop people from clicking on spam and installing crap.
Even so, a certain level of crime is a given and security is an issue that won't go away (until humans do, which fortunately is a given as well.)
Re:This is Dumb (Score:3, Insightful)
-Jesse
Re:This is Dumb (Score:3, Informative)
You missed the point. Your torrent client isn't the one installing the adware.
Adware companies are hosting up files that they've corrupted by adding in their own files.
So when you think you're downloading a linux .iso, or something else ... you MAY be getting more than you bargained for if one of the sources of the .torrent is hosting one of these corrupted pieces.
Then, when the download is complete and is reassembled ... the spyware gets installed on your machine.
The scary bad thing here, th
Re:This is Dumb (Score:5, Insightful)
Re:This is Dumb (Score:3, Informative)
Re:This is Dumb (Score:3, Insightful)
Re:This is Dumb (Score:3, Interesting)
My thought is, if it's illegal for a Virus writer to pull this off, it should also be illegal for the SpyWare community to do it.
We should stop acting like spyware deserves some kind of special, dignified status, different from "viruses", just because they're created by companies and not by some guy in his basement. They aren't different. They're
Re:This is Dumb (Score:2)
It's crappy spyware-infested downloads. Boyd used a standard client and found an infection in a bundle that claimed to be a TV episode. Open the archive, get a misleading license agreement, and boom.
Re:This is Dumb (Score:3, Interesting)
-Jesse
Re:This is Dumb (Score:3, Insightful)
Perhaps I'm betraying my own ignorance (who, me?), but I've never heard of this guy, I don't particularly respect people who flog their MS MVPness as a qualification, and a quick look on Google shows his general tone to be somewhat...hysterical. The spywares are coming to get us! Run away! Run away!
Am I missing something?
Re:This is Dumb (Score:2)
I do admit that I did just scan the article and misread some things. It isn't about clients being full of crap, it's about downloading unknown software AND THEN RUNNING IT, WHICH IS EVEN MORE STUPID than my initial thoughts, because it actually requires the user to run the malware; the same pro
Sites? (Score:3, Insightful)
Re:Sites? (Score:2)
Shrug (Score:5, Insightful)
Of course this won't stop some people from blaming Microsoft somehow.
Re:Shrug (Score:3, Interesting)
It could just as easily be a reverse connect trojan that modifies ~/.profile or other login startup files, no admin privileges needed.
If a user runs something bad, they can be screwed no matter what OS.
They're number one financial backers (Score:5, Insightful)
Re:They're number one financial backers (Score:2, Insightful)
Re:They're number one financial backers (Score:2)
Do you really think those executives are actually sampling music all day to see what's good for consumers? They are spending their day wreaking havoc online and offline so they can protect their cash cow... while remaining employed with zero skills.
Re:They're number one financial backers (Score:2)
I call BULLSHIT (Score:5, Insightful)
None of the real proper releases are 'infected'. Only way to get spyware is to be a moron and download some 'hot_paris_hilton_sex_video.exe'.
There is no magic way to 'insert' spyware in BitTorrent transfers. The tracker has the hash of the file; you cannot modify it. This is just a marketer seeding crap, hoping that idiots bite. Hook, line, sinker -style.
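Added example (mine, not from the thread) of why the hash in the .torrent pins the content as the comment says: every piece a client receives is checked against a SHA-1 stored in the info dict, and the info dict itself is what the infohash names, so an adware bundle cannot be spliced into someone else's torrent; it has to be seeded as its own, different torrent. The bencode encoder and the sample payload are constructed for this example.

```python
import hashlib

PIECE_LENGTH = 16   # deliberately tiny for the constructed sample; real torrents use 256 KiB and up


def bencode(value):
    """Minimal bencode encoder (BEP 3) for the types an info dict uses."""
    if isinstance(value, bytes):
        return str(len(value)).encode() + b":" + value
    if isinstance(value, int):
        return b"i" + str(value).encode() + b"e"
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):   # keys are byte strings, emitted in sorted order
        return b"d" + b"".join(bencode(k) + bencode(value[k]) for k in sorted(value)) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def split_pieces(data, piece_length=PIECE_LENGTH):
    return [data[i:i + piece_length] for i in range(0, len(data), piece_length)]


def build_info(name, data, piece_length=PIECE_LENGTH):
    """Single-file info dict: 'pieces' is the concatenated SHA-1 of every piece."""
    pieces = b"".join(hashlib.sha1(p).digest() for p in split_pieces(data, piece_length))
    return {b"name": name, b"length": len(data), b"piece length": piece_length, b"pieces": pieces}


def infohash(info):
    """What tracker and peers identify the torrent by: SHA-1 of the bencoded info dict."""
    return hashlib.sha1(bencode(info)).hexdigest()


def verify_piece(info, index, received):
    """A client keeps a piece only if its SHA-1 matches the one pinned in the .torrent."""
    expected = info[b"pieces"][index * 20:(index + 1) * 20]
    return hashlib.sha1(received).digest() == expected


# Constructed stand-in for a shared video file; not real content.
ORIGINAL = b"constructed sample payload standing in for a shared video file"
INFO = build_info(b"episode.avi", ORIGINAL)


def demo():
    pieces = split_pieces(ORIGINAL)
    # every honest piece verifies against the info dict
    all_ok = all(verify_piece(INFO, i, p) for i, p in enumerate(pieces))
    # a peer that flips even one byte in transit has that piece rejected
    tampered = bytearray(pieces[1])
    tampered[0] ^= 0xFF
    tampered_ok = verify_piece(INFO, 1, bytes(tampered))
    # a bundle seeded under the same filename is a different torrent altogether
    bundled = build_info(b"episode.avi", ORIGINAL + b" plus a bundled installer")
    return {"all_pieces_ok": all_ok,
            "tampered_piece_ok": tampered_ok,
            "same_infohash": infohash(INFO) == infohash(bundled)}


if __name__ == "__main__":
    print(demo())
```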
Re:I call BULLSHIT (Score:2)
The example in the fine article is
Re:I call BULLSHIT (Score:4, Insightful)
If you actually unpacked the rar using winrar, that wouldn't happen.
In any case, it wasn't a proper release. Proper release = bunch of identical-sized partfiles,
DL crap, and you probably get crap...
Re:I call BULLSHIT (Score:3, Insightful)
or, to put it calmly, "the fabulous article is completely unclear on how Boyd got from a RAR file to the opening screen of the 'MMG Installer'"
Re:I call BULLSHIT (Score:5, Insightful)
Such torrents would quickly die from lack of seeders.
So far, very few (if any) BT clients are bundled with spyware. Perhaps if you got them from an untrustworthy mirror, this would be different, but nearly every client is adware/spyware-free if you download it from a reputable source.
With the exception of downloading warez (games/apps), there's almost no way anyone could sneak spyware/adware into a BT download. You just simply can't infect AVI/WMV/MPEG/MP3 files. Probably 50% of BT traffic (or more) consists of media files. Another 30-40% (at least) are Linux ISOs, which are also pretty damn hard to infect with spyware/adware.
Re:I call BULLSHIT (Score:3, Funny)
Re:I call BULLSHIT (Score:4, Interesting)
Can we please stop including WMV in the list of difficult to exploit media files. It has already been pointed out that a WMV file is completely unsafe. Once I foolishly downloaded one and it opened a website in my browser when I tried to open it. After that I deleted every single WMV file on my computer and will never download one again. They are quite scary.
Re:I call BULLSHIT (Score:4, Informative)
You see, Windows has this lovely feature known as "Hide file extensions for known file types". And guess what? One of these extensions is
Easy like that.
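Added example (mine, not from the thread) of the check a defender can run over a download directory for the trick described above: reconstruct the name Explorer would show with extension hiding on, and flag executables whose displayed name ends in a media or archive extension. The extension lists and the sample listing are constructed for this example.

```python
import os

# Extensions that run code on double-click and that Windows hides under
# "Hide extensions for known file types". Constructed list, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# What a user grabbing a torrent of a show or a distro expects to see.
EXPECTED_PAYLOAD_EXTS = {".avi", ".wmv", ".mpg", ".mpeg", ".mp3", ".iso", ".rar", ".zip"}


def displayed_name(filename):
    """The name Explorer shows with extension hiding on: the final known extension is dropped."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in EXECUTABLE_EXTS | EXPECTED_PAYLOAD_EXTS else filename


def disguised_executable(filename):
    """Return a reason string if the file is an executable posing as media, else None."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return None
    shown = displayed_name(filename)
    _, inner = os.path.splitext(shown)
    if inner.lower() in EXPECTED_PAYLOAD_EXTS:
        return f"{ext} hidden behind {inner}: shown as {shown!r}"
    if "  " in stem or len(stem) > 64:        # whitespace padding pushes the real extension out of view
        return f"{ext} with padded name: shown as {shown!r}"
    return f"executable {ext} where a media file was expected"


def scan(filenames):
    """Map each suspicious filename to the reason it was flagged."""
    flagged = {}
    for name in filenames:
        reason = disguised_executable(name)
        if reason:
            flagged[name] = reason
    return flagged


# Constructed directory listing: one honest video, one honest ISO, three disguises.
PADDED = "distro.iso" + " " * 40 + ".scr"
SAMPLE_LISTING = [
    "family_guy_episode.avi",
    "family_guy_episode.avi.exe",
    "linux-distro.iso",
    "episode.rar.exe",
    PADDED,
    "readme.txt",
]

if __name__ == "__main__":
    for name, reason in scan(SAMPLE_LISTING).items():
        print(f"{name!r}: {reason}")
```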
Re:I call BULLSHIT (Score:2)
Ummm... considering it takes skill to find an infested BT client, that would require even more moronic user intervention. DL a known good client(!)
Well, what do you expect... (Score:2, Funny)
If it did, we would have to call it BitDribble or something.
windows problem (Score:2, Insightful)
I hate to point out the obvious, but users that don't pay attention to what they are installing deserve their pop-ups.
Not a windows problem (Score:5, Insightful)
It's not a Windows problem.
First of all, I can't think of anything stopping the same thing from happening with Linux software. Although it's ever elusive, if Linux does eventually become the desktop standard, do you think that average Linux users will conscientiously check every MD5 hash for every binary they download? Probably not. Even if some external means of verification exists that a program is authentic, it adds a layer of complexity to using the system that most average people, given the choice, simply won't use.
Which brings me to my second point, that if you have to blame anything you mentioned, the emphasis should be on the USER, not the operating system. And personally, I don't blame the average user because I think that there's no excuse for computers and software not being easy and intuitive enough for average users to use without having to spend hours and hours learning it. So who does the blame lie with? Primarily, the developers of virii and adware. Secondarily, the developer community (closed AND open source) for not putting enough emphasis on security with ease of use. And the problem with feeling that they "deserve their pop-ups" is that they're not just hurting themselves by throttling their own bandwidth, they are collectively throttling the bandwidth of the entire Internet, and that makes it your and my problem, too.
Third, I have been a Windows user for around twelve years, and a damn competent one, if I do say so myself. I have never once been hacked, infected, or adwared (can that be used as a verb?) without it being a deliberate action on my part for academic purposes. If Windows were such an insecure operating system, it seems that no amount of virus and adware protection would prevent me from eventually getting some nasty bug. The fact is that with a few simple actions, Windows is as safe and secure for an average user as any other OS.
In addition to pointing out the obvious (which I'm not criticizing you for, sometimes things need to be said), please do something about it. A nice start might be what I did: buy a spindle of CD-Rs and burn a copy of a FOSS antivirus program, adware detector/remover, Firefox, etc. and start handing it out to your friends and family, and offer to help out in giving their machines a periodic tune-up (or overhaul, as the case may be) to make their lives--and by extension, your life--a little easier and better.
The only problem with this... (Score:5, Informative)
is that Bittorrent is really not the problem here. The adware isn't coming from a Bittorrent client, or being 'snuck in' over the protocol instead of or alongside a file you're downloading, it's coming in the file you're downloading! It's the same way adware gets into a host of other files we've been told to be careful of, like email attachments.
Bittorrent is simply used to add a bit more hype and FUD to the same old same-o.
Info Direct From Vital Security (Score:3, Informative)
Re:Info Direct From Vital Security (Score:2)
I'm confused. How does this installer crapola get bundled with a copyrighted show?
Either they're doing something illegal, or they have the TV network's permission to bundle this stuff together.
Very shady. I suspect that it's just an automatic script designed to run when you open the archive.
I know that you can open any winrar archive (and lots of exe's) without triggering any auto-run nonsense.
Anyways, I thought everyone knew that proper warez come
Aurora (Score:2, Informative)
Bah, big deal... (Score:3, Insightful)
Not a problem if you're sane either, really.
Bittorrent is *STILL SAFER* (Score:5, Informative)
Plus, even if you DO download a file that ends up being spyware, when you download the torrent from most sites, they allow you to give comments like "I FOUND SIXTEEN HUNDRED VIRUSES IN THIS TORRENT", and although some people lie, if people are complaining about stuff like that, you can usually guess that it is a spyware infested torrent.
Of course, even this only matters when you download something containing an
If I'm reading this right (Score:2)
This is ridiculous. (Score:2)
Re:This is ridiculous. (Score:2, Funny)
Whoa hold your horses there Charlie. Remember that according to some RIAA lawsuits, we're talking about grandmothers, dead people and family pets here...
Idiotic... (Score:2)
I won't even mention distributing spyware using a bittorrent tracker...
Yeesh. (Score:2)
Media files only for me thanks.
So why not go after Direct Revenue for piracy? (Score:4, Insightful)
EXE files? (Score:5, Insightful)
Yeah...but those movie files tend to be .exe files, right? How can you install spyware if you're just playing an AVI file? And when you're downloading a BitTorrent file you can go into your directory and SEE what files you're getting! I sometimes click on torrent files and yes it might be an .exe even though I was expecting an .avi, but then I just cancel the download and grab something else.
Maybe this will get people who don't really know anything?
Brother (Score:3, Interesting)
That was until my brother showed me a legitimate site (forget which) that required their own "player" to view a trailer or something. As far as I could tell (verified by ad/spyware checks afterwards) it didn't leave anything. So I guess there are companies stupid enough to make those things, and people stupid enough to use them, but at least now I have a connection.
The cool thing about BitTorrent is that although it doesn't have a built in moderation system per se (although the trackers often do), you can generally tell if a file is the correct version or not based on how many people are downloading/seeding. Yeah, it's not always accurate, but if you see several releases of a movie, and there's one or two seeds on one link, and over 500 on another, you'll pick the latter because you're going to get higher speeds, and presumably it is the correct file.
THIS JUST IN-- (Score:5, Insightful)
Fight back against Direct Revenue LLC (Score:5, Informative)
Direct Revenue LLC is VC backed. Please, complain to the right guy.
Insite Venture Partners
Mr. Deven Parekh
May we waste as much of his time as he has of ours. How many people here spend hours "helping" their non-tech friends remove this crap . . .
RTFA (Score:3, Informative)
The story says that torrent files are being bundled with adware programs, not BitTorrent clients.
How can this happen? Again RTFA.
If seeing is believing, look at this link from the news story:
Vitalsecurity [vitalsecurity.org]
You'll see a RAR--not an exe--for an episode of Family Guy. When you try to open it, you're faced with a licensing announcement, which if you agree to it, will pack your Windows system full of spyware.
Would this fool someone who knew what they were doing? No.
Would it fool a lot of users just looking for a cheap thrill? Oh yeah.
Does this make it a real problem--as the article suggests? I certainly think so.
Maybe not for me, maybe not for you, but for those millions of clueless users, yes, oh yes it does.
Steven
The Real Problem? (Score:3, Interesting)
Or is it the new "trackerless" BT that has opened this door?
BitTorrent Trackers (Score:3, Interesting)
I don't see that changing - as long as someone's accountable for the content (and can lose tracker privileges for bad content), I don't think it will.
Re:Practical solution to spyware and p2p executabl (Score:4, Insightful)
Re:Practical solution to spyware and p2p executabl (Score:3, Funny)
Excellent idea; anyone know where I can get a torrent of VMWare?
(For those conserving humor filter battery power, I'm kidding--please don't reply...)
Re:Warm and Fuzzy?? (Score:3, Insightful)
almost (Score:2)
The only thing I've used BT for, so far, is getting Project Gutenberg (http://www.gutenberg.org/ [gutenberg.org]) stuff.
Re:Warm and Fuzzy?? (Score:5, Funny)
How does it feel to get hoist by your own petard now?
Feels just like making my bed and lying in it or lying with dogs and getting up with fleas. But not as embarrassing as painting myself into a corner or being caught with my pants down. A bird in the hand is wor#*NG(*(JF>SA
POST TERMINATED: Cliche limit reached.
Re:Warm and Fuzzy?? (Score:3, Insightful)
You mean the roughly 60 gigs of Linux install images and live disks for x86 and amd64 that I download monthly to keep an always up-to-date collection is a unique event occurring only once a month on this planet and only I do it.
Ok, I know, I also get some series episodes from somewhere. Still, you and the like just LLLLove trashing the whole damn city out with the bathing water, not
Re:Not so big of a deal (Score:5, Informative)
Um...this is wrong. Perhaps you missed the part that said the client isn't the infection path?
Oh, guess you didn't read TFA.
The infection path is simply a self-extracting file that contains the content you wanted, along with a spyware tag-along. It can be downloaded with any client, they just happen to be seeding them as torrents.
Re:Not so big of a deal (Score:2)
Excuse me, wasn't this called "virus" in the old napster times?
Re:Not so big of a deal (Score:2)
Re:Kind of funny (Score:4, Funny)
Look up the definition of irony sometime. I think you'll find it illuminating. Then read TFA.
Re:be smart (Score:4, Interesting)
All that does is block bad IPs. That won't do squat if you're downloading and running an application with malware inside. The real solution is to use something like bitzi [bitzi.com] which lets you check if a given file/app you are downloading is known to have "issues."