A group of malicious hackers is using the BitTorrent peer-to-peer software to push copies of movies and Disney cartoons onto infected machines.
A group of hackers in the Middle East is believed to be responsible for the BitTorrent infections, which were observed on a network of computers infected by a recent instant message worm.
It is the first known instance of the popular P2P software being used by hackers for malicious purposes, according to researchers at FaceTime Communications Inc., an IM security company.
BitTorrent is a popular, free, open-source file sharing software program that allows users to share files on a distributed network of computers.
In November, FaceTime staff noticed that modified versions of the BitTorrent client were being distributed to machines that had been infected with the lockx.exe rootkit by an IM worm that spread over the AIM (America Online Inc.'s Instant Messenger) network the month before, said Tyler Wells, senior director of research and development at FaceTime.
That worm infected tens of thousands of machines worldwide. Those machines—up to 18,000 at a time—are now being controlled by an IRC server, which distributes commands from the attackers to the lockx Trojan, Wells said.
“These machines are on all the major ISPs in the United States, on networks owned by schools and various businesses here and there,” he said.
The BitTorrent client was distributed to thousands of machines from the IRC server in late November, and then used to push various video files to the machines that installed the BitTorrent host.
The version of BitTorrent distributed by the botnet is unique, with a signature that doesn't match other, legitimate versions of BitTorrent, said Chris Boyd, security research manager at FaceTime.
Boyd has studied the BitTorrent variant and doesn't believe the hackers have added malicious features to it. A new version may have been created to fool security programs, he said.
The group running the botnet may hope to use BitTorrent as a vehicle for distributing very large files to infected machines on their botnet without attracting the attention of the computer's owner, Tyler said.
“You could seed these machines with a one or two megabyte bundle of adware or [malicious software], unbeknownst to the user,” he said.
However, BitTorrent is just one of many programs that are being distributed to the lockx-infected machines.
More recently, the group of hackers running the botnet has begun distributing versions of the FU rootkit, as well.
FaceTime, of Foster City, California, has reported the botnet to the FBI, which is investigating the group running the network.
Researchers believe the group is based in the Middle East because of telltale “signatures” found in scripting files used by the lockx rootkit and in binary files distributed by the group, Wells said.
He declined to name the group, noting the ongoing investigation by the FBI.
This is not the first time that BitTorrent has been linked to malicious software.
In June, Boyd noted that spyware from advertising software vendors Direct Revenue LLC and Marketing Metrix Group was being distributed over BitTorrent to machines running the software. The new threat is more nefarious, however.
“[The spyware incident] was nowhere near as complex as this,” Boyd said.
FaceTime researchers have not yet seen evidence that the BitTorrent clients have been used to push malicious software to victim computers, but said that the clients could be used at any time to seed the BitTorrent network with bogus, infected files.
The group running the botnet also hosts a Web site that offers BitTorrent torrents, and hosts running the modified BitTorrent software are indistinguishable from legitimate BitTorrent clients, Boyd said.
The behavior could complicate cases against alleged pirates by groups such as the MPAA and RIAA, Boyd said.
He has already received reports from BitTorrent users about mysterious movies that were uploaded to their machine without their say-so.