Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Spyware Floods In Through BitTorrent



 By: Ryan Naraine
2005-06-15
Article Rating:starstarstarstarstar / 3


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Spyware Floods In Through BitTorrent
  2. ' Aurora Installed with Full '

Rate This Article:
Poor Best
Spyware Floods In Through BitTorrent
( Page 1 of 2 )

Anti-spyware advocates cry foul as the popular peer-to-peer protocol becomes the latest mechanism for the stealthy distribution of adware/spyware bundles.BitTorrent, the beloved file-sharing client and protocol that provides a way around bandwidth bottlenecks, has become the newest distribution vehicle for adware/spyware bundles.

Public peer-to-peer networks have always been associated with adware program distributions, but BitTorrent, the program created by Bram Cohen to offer a new approach to sharing digital files, has managed to avoid the stigma.

Not any more, anti-spyware advocates warn.

According to Chris Boyd, a renowned security researcher who runs the VitalSecurity.org nonprofit resource center, the warm and fuzzy world of BitTorrent has been invaded by a massive software distribution campaign linked to New York-based adware purveyor Direct Revenue LLC.

"This is the marketing campaign to end all marketing campaigns," said Boyd, the Microsoft Security MVP (most valuable professional) known throughout the security industry by the "Paperghost" moniker.

To read about spyware threats associated with file-sharing program Kazaa, click here.

Resource Library:
In an e-mail interview with Ziff Davis Internet News, Boyd said rogue files have popped up occasionally in BitTorrent land but those were usually just random executables. "This is the first time Ive seen a definite money-making campaign with affiliates, distributors and some pretty heavy-duty adware names," he added.

Boyd, widely known for chronicling spyware, hacking and malware exploits, has published details of the BitTorrent distributions and identified Direct Revenue and Marketing Metrix Group as the companies responsible for the rigged files.

Boyd said he got the first inkling that BitTorrent was a major adware distribution vehicle while searching for the source of Direct Revenues Aurora, an adware program that includes the prevalent "nail.exe" component. Sifting through mountains of HijackThis logs posted on security forums, Boyd said the answer was staring him in the face. (HijackThis is a popular freeware spyware removal tool that keeps detailed logs of Windows PC scans).

In the logs, he found that "nail.exe" and "aurora.exe" were always listed alongside "btdownloadgui.exe," the user interface that downloads/uploads when using BitTorrent.

"I checked hundreds of those logs, and more often than not, [btdownloadgui.exe] was chugging away in the background. No wonder none of the victims (or spyware experts) seemed to know what site Aurora was coming from—there was no site. It would have never occurred to the end users that it could have crept in by another means altogether," he said.

Because BitTorrent strips digital files into tiny shreds and reassembles them locally once a user completes a download, it has emerged as the perfect place to bundle adware programs among the bits, without the end user ever knowing.

A BitTorrent user downloading a movie clip only becomes aware of the associated adware after the files are reassembled. At that stage, when the user attempts to load the reassembled file, he or she is greeted by an installation notice for an adware bundle distributed by MMG (Marketing Metrix Group), a Canadian company that specializes in P2P network marketing.

Officials from MMG did not respond to queries for comment. On its Web site, the company lists BitTorrent as a lucrative adware distribution vehicle. "Although Bit Torrent is a file format and not a P2P Network … [it] is the fastest growing protocol for file sharing online. Many top Bit Torrent sites such as SuprNova, Lokitorren and Bit Tower support millions of downloads daily," said MMG, which lists PartyPoker.com and Hotbar.com among other clients on its roster.

Symantec strikes back at adware vendor Hotbar. Click here to read more.

Boyd said his interest in Aurora increased because it "is absolutely everywhere at the moment, though no one could work out where the infections were coming from."

"I had heard rumors that there was something in peer-to-peer land, but I didnt expect it to be on the BitTorrent network, and finding these files has been surprisingly difficult," he added.

Boyd said BitTorrent was currently "overwhelmed" with multimedia files rigged with adware bundles, adding that the file sizes vary from 3MB to 175MB.

"I expect well see more of this, and if the first ever 1GB malware/adware install has a chance of happening anywhere, it will be on file-sharing networks where programs are broken up into pieces. The problem is, you never know whats going to come out the other side," he said.

Next Page: Aurora is installed with full disclosure, the company says.





  Reader Comments: Spyware Floods In Through BitTorrent
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}kwH9q\ =0GAl2SrP oT| 0tTǖþ=a]%S5EhDԤ#|xR0?ȀYFz.Qu^Vڮq 4]b'(cO^2jc㕨 aTb\9t} ^- G7J;v˿x'MNfI%p/0Q#@PpmׇjsTfFԲ;o tG ob=uק&Y! bS R3MuN_FBS I-f+ka̋V#vRA'ס" '嶯5]q;ݙcoE-]NDo~cn!LjZE&>5JؗYͲ`F3l˸-;4 PS}mOQ+ھ$ߗ-trfNeW6OF}޹RS5MQ/z ? n0uh;̡m5kms|uO}~A6ox9vtx/πY_KMDի`ZU*4_::~\B^,9@FI?nny#ܲ_P(.{F[V@a`%pfQUe>e}}uI}|vti",k3sA5 ̠Vt?#;ˠrqszr|qӹwIIʱ,O;Be}Y"Wʮ?R(e34Ki[2)>-L9X@/@שS"44X 4C+D_x0ND1cfM5J,eg05@M)51tGv!fB;M?r@U@ZZ~V$EW甆ٛ"O;zT"ʥcp 3UT9/4l=.k\G.כEsLt];3yя1Up3n[һ^>aE}PhDvZM]qsu\R_tt ZY %ww*DU, FKP̶#ؠe)u{iNmNR;SjZic;Ni$|NI}ѦMޣ] #RRQ$S$!hI#r Bг,`@o%`G`[Xgw$]VwVphVݞH:w@Vh&3au7cb -d[b}IlΌ e&3Mf XUG D`v9J,L.i)c je[Uj"4Tx_Cs2 =cWVUEU}`HLMqGr`!gg37HO8'Âןs|{4 Z|'1sD& f+Lo? `b!#>Xl~teٌi8(SA0>A̞,jr 6,_zt?cMEi跚^s_o2IS|Vn^ßf1_w\ճ&AB glh(b'0ߡPZZ22;= MO-YXX`~wRd0q6i SXh8G/C4꾶#~ 4ykCW{%UsoH_ƠZ?ujeG,ohko՜[aל. .P|<,)R ʒal`c1 "sz QI~xuY MܛwXTM_`}dҶ鍬5m X;l ʸ3MVRQy5:ǮAwm0H{{L'|rf:g3?'نdp$D80V2PaI{dg`m1Jx>x# d\46L Ğ?z8]8,ݙ_X⚲+]5&@0oEʵ;Luh< VȲi@Xc?7:Hy5՝үfZUjB4P/#[յ ;rm۽/ sDq,-CZ%3 `myT8_.O#B]&De ӠҐap‘"=j4> \Qbr>+juH`S@AkSU ӄ.E^yv VWKt갢zԘ}Qː 0gted->흧 ^}R٫'WCj~uJ.ςwq)4G @rFg}qs`ٛx?Sc`9[?7`3|x+ߙ3[`eƘ]H`._GkOW݄2)N<:a򞢩#Ïn 7OQGA.C;a&:pBTnІ{egjڳt_ۭ,E~J5'؀5_њ nE`9^R˶nZYŢ&@u(Dka43~Sb_@7TWQ+{9i`7,mB[$ zDÈ i{qņZ *'~pߎ3 Hk+sD ü z32Jј<`*=:^4AYdye3isS"ڪ+_MˀeyM?ڛZJ="JM7Ϧ<sƇ~7"YHF N|Ds?noxPBৣjZ59dLfaNg1•0ck&&w LٔY6{=05rzďtv'@d􁯌C-sZ# dK0=sK䮛NZPn3i`e|P._+>;lv'< hrյm7fDv?)sc'Ym\ ܮ:RUiդ r=cte>u'c5Z8,*z)cʌʟP@hOXM\?]fRvQNlvLTSdaƭZ_ayV:쩵C#,ͦ'0k(j'?F>nk-Gڽv?aIG{EY]T'7-FnRWJJЛgQ!ݓXm2B0qrhs)p}/O&ZO+0uhzGSYIzQ\L Cn/$h ^!1Me(@=6{]M;o]1Tuf?ºe&q`u\צLDt Z:LT)OLۓ^ERE'vu(|cK uṚ?TTs7÷ G L)߭~*9惪AJl(v5mb[k>"i!`dVwS=+W_t2{Rn8Lg$,$P Yx[!6E),8{ ޠKPJc, ,"z⨵j3y{D,u.O? CO/OEcjFyn8F&{Pv4#7?$YCOVճ]UsQuѳi? `yBѨQ^8돝K%y;$˶u߽79$!;/XzF]9>oOM19Ak=d4 3uX#axK#&WDHATK}͙C碮9ki.Dz={j,r9Eψaa. ۯukIw}eYLoH:<\ߣC (ʡ=`` 鈓N5>̝\bϻAB 0F_Th)4J>:M<;iw[)5[ EGW%'s;t{-f[K7S+t,GD_q)=?EU.k't!/4zYA$ r.W`.A)6ҾN9 4sJd":A;V?[ħ{, /䎑D=:d =HgP'im.Z7t[bă)s݌Nxsyؠ#%tB]YyYMzFSTcD$PDKI39IuEVFRwպ\4<5ޤMƙWxvImc%Ryt2ű"kE9e85(~uMHmQFiIw3DJ^KkhVˮ H tD#(Zw{.z|(=}!GzepF.[۾u e'3 C?UAmiVw74-7UFyB J~l+t:D(je[g[{C9Ȫ̅S.{Rڊ'G#3~`q8-:`tH_/lFځ;-3x;9f׍[sgcF0[~E2c/44*]cBMmV[!ykE7_SEs%o>_'ky^z} m$6Fsk"fcME[<ק;cgf7F?mxnnRqaKڶh4jܣ-^kI>tB?G|N]f?l7_"ŌِK6DD\B(gKzO)Ԃa^bU:*y la&G|kPیpۇ[)wFiΑayDZGNvxL1N|u$d0>3V*{%ViӮe޾O̤f)L&"A/i!WyYa gw[Hע&M\`Y*iw89yAY²>=$x Cؐ:`æz@XxKZiNJPcQZ=[ͬ0uiRԓ E-Q=) =`bPY8Cd]=gӔ~oDTy,^ض|)JUR%>}C-0tfKQJ'xPơ ]RDD縉R<EyلJLJ61h.}X%eWRK8U6`D܊]x3fۍ&TQxށ + Ø@'x%XaAXDcBŰX‚%O ED1on\esv󕺧D@lxf\(R勲"U:4)4D" S "IC$1ķcO&KDRĊrJZe] g棄y &۳-OOXgֲw1d"|FhMJoR` mRa '&"Zs!6#IfG52f\[w^|:Ec$j$)\Q2JGz("tHܴ."\SJbnj];a^׌o[ŅK:krhdO}whw1I{JvM1ᵈEX-g/~c[d*+ ,KQ{ L(v'ҥrF$f od$73Bqjd(`N?J-%xZ: ` ,e{} 0xȌ b q-yu{c1(E'kr;^NulTLMKw$L\MD0-a-"ͷW[+j( etS`i?谾mf;}3-q5`fU%+xB`FID))J5gI*Q@6~E%.\l'=`y8k,%jbyL"(F`0#/},*ڠ`cq&Ext4^9t@>IS@X@ j1cLkh5޼ܰ\ tMl@=588;x@"簾1k\.{Y` 1-͓0Y0qt! Cq^%U xOb"C׽e+eJx_Qg5IRon؟y*ZKt[t0d^xvVfr/b#S ϚY_=Ƨnzd-po6`h%Ѽu:\Ϝ $̌Ki@-Π6k_)=jy4SI-ںCl(N#x ۀښűsU|^T1EZqmĬө{GN/zˎoZa}?SgNMx؆__  M.2D樕4t86f/tL)w! ^=|.G98X O}@5ol6o ΝkxA{_Zk_ڋK[_?{yߒh`=`83e?@{'Iq5 C &pP]}zUct0lc3th5U(UM~lw <:.N-ãE( x'-Dz=qGgưfÜYHn J]>ыʟ"^tE7'yHd⅏,h6Ed`a6Dy7꤯ 7ήMLGuT[q*]5\?ԝ(n)LE|<2A$ZD0--Q)䗲B=bNޤ$Oyf-q%_Src[Ais;ս"n?̞@~{-F8ɠabh!K ylXr~r~`[qflB7N'N:H>0mf4>(C^P"^%~ aI{E6le߽gL2ԍ۱Gs8RG{KJj%1w  բ~~9fl O]c)i@%+ƘKjtS QK.K\G" *;&/ czRO&w2Sj9) O=#Ԥ6FZ!դFKV|^kpes̴5̈ Rka,fBvpU;byW6n&J5S]<_q=%o7/ݝCgnVt:7.:೐oE=ee\Fܥ˲b"H } :tk6fLµwA*e 8Ih7VaJk:]N`/R>^SޮԾsk9|z`[g`җ9EdcuWne#?R!x+=ߤ3H ,sG :|Ţ8b!E0|s\۵{/kzvGG<]D7= (;+^MZ^!gY,t:s8_rB+vb"mknAzT>#Թ|INf?ݽ: cStXޘ+ 6Ƕlkvn|Duv7H Xp,PQqok G>ެF0'Zcd P6lδ&F:#Zi9J;Y_'Ƅ}c |)W'v,.'>aK/>VH)S[uYS趩_Dl_t[6bc*눎p#}^8#S]E٩wT>uk,՜Fd>QVhTIӑu ۲>m;A=~_LL'vL+V{@\q 81q,j Ye!.փފ> -sF@Yf!s$4O]YEc `F8 q?:};ozxX2k `vXȟZ(@S$죇B oca{aƒsH ]\VL@wFnI=˘NJC~!M5,P.9$#MY[Ѿt}S ^\aHp=Sќ-(ȘhD MQ ҖHxL~1&IJE< ,iM YC) \TeVWbZŘ!&"c36#|- vQ$mCcН8{|v0[/ T6CĊ1gOi\&c(;3D: (bU IVXP؟S?^KM)Qw3a/xa 3 s`EPJM\ XIqw6'+gACj5 S ZgkQ6閣F]Qvp#ߛ~Sg8 X"*S[7ei1I)t#K/HxzsJ^ZZщzo~&Jb+ zob RXb֕j$2|:P*|ΈoQ%j5鲪]-^xmA7kDDz+YTs%I+;}*w!&a@}lFLr,5[WW_iuMzzם+@_rLJ%}폺Qw'_W_O;eSR0cAl\_d _T Q9l]28SΘksYx9ƥy=< /%Lqx&0<>N|D(/& ƅ^-ӄ-xec.urrbj%N N|vuIc,:jcVDN^^[+(9iz47a\nq4ħyOR32yT}Qux^Tgxskx w}=rz? ]?#cA?~ߟuJͳNI9)x3˂NA?JO_>v͋/ E\(?/?/ e/K3xV/E{˂,K˂B.n~*+UP纀z+/\__ߗ)h࿛KuT0Vpv}<*j EQ:S{XB]߇~v[5X^йV)5V +kҿ2~2A\wO aqʍx^S_xڞꖝk8&ֳ۸/6h}/1*-#yioĦBt(^xXJyE#.ȭ-'Hl]=g%x=0?Mu{.1پWߕ\)ܼ}:qObMedGE⬎G\%[n3'rU?%]#=Dԡ`[YwI89{7].6pqS0no) 4` }果y緶xvYyUFKp'k͠6K(W̫>y}2oفOh] %OsWY-*J`aPĝC_/@/뵽?f6>|eOCvHu>j}llڨO6Tq4 5RYu8% {Y@Y8'}(hعkjzGrfhNo4pʜö0AJl(v5mWoVk俐k$2 C0cHMj.Քn`"=#x|D4|OݴW]7tS+sc<{{i8n[z"z5|B@- 1& &T2cy3s aw8ci%n$I <[,(s0ܚ_FlelO]BfC&w 8YǤK4l&%`ډe:`̎I8SkB3ӄ7Y D˼f\Mz4z<8ֿacx eY<X!ꞠW_SI" 9oޔ_gCǓH,_b[edIk`Ver-c6O-5U,%7B;\JN,7}8#Xb̜CM^`PM/ }% ]O&EZ㌵7Kg䃴3#i^rIc:̸&$C.u01rxc>}r)1-XthmЁu]I5;~î<݂ţ2a&8Mx1dA(7e6L6u;ݙX\ؓʞq}b8=;ztF"2 ]͸3CK~;RxR Hf2%IBOk&g2"xY~1~%pIi`^f=IBl`Z(>/A>K^=v`&.MKcg%^#%&a"c'x M?XN.zǞ"(ـħ%IA3WgAg|bOhVMxYeu& ܇Д2\"v:쭨D\1SzA۹cوY?(xcläL(TǨz1>IϐTt(E,Mwt[.Y{N6 )4M˚HμYS3Iew)W*QʹԛM1v+2ZVAxWvx*D0)n973D:[DyPީ!/v2R*4%NSЌxK:xEy?_;+C[^p㩎TU|JA1Y9M1xu!A]?_v}[u2 TxWI;s_A _ =[>܋;ʾFN|L/X}sxur!}/őW,,L[˅Z']XomE!ya4,Lb1"[\'QI 8`Z6X3"@a)5|d~ӧf<˜4W6YĶqytʵ-˱=RU9sm j r+kTcdX$_֬LE"a:('= zBk|FvXK]s&&tĵa}ar8Lt4QS|J)Km)胇Ƚoz`Z.<',x Y-f1%Dv$8ґCB؞B*>e31C7Dn0RrH d[H_مu3\j೐r,/A-xr&r*]xD4Nb‚ g_yf/ȅ^`\YG7XCp1Vꇿe_:m]tοJ;`ggäFs;*O(ߊx7dzu mݸoZǟ>^w?_HQAe鑢%!tOY B*E+w:9\~Lz C$ȕ/g2F#|oUAYfCjZ=Nh|ӷۊ#iQg8&rYOݽZn}p(1{l~Jk)CUs̥D5^JCLs ųiS}*^&N⇥ wm&l2)v}mb-c6C-[2