CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘BitTorrent’ Category

Torrentreactor.net Website Compromised, Serves Exploits Through IFRAME

Wednesday, July 1st, 2009

Websense Security Labs has detected that Torrentreactor, one of the oldest and most reliable torrent search engines on the Web, has been compromised and injected with malicious code. An IFrame injected into the site silently loads a second site laden with exploits. The exploits on that payload site target Internet Explorer (MDAC), the Microsoft Office Snapshot Viewer ActiveX control, Adobe Acrobat Reader and Adobe Shockwave.

According to Websense, if the user’s browser is successfully exploited, a malicious file is downloaded from the exploit site and run. That file is a Trojan downloader: it connects to a bot C&C server at IP 78.109.29.116 and then fetches a rootkit installer from the same IP, an address with ties to the Russian Business Network. Once executed, the installer plants a rootkit on the victim’s machine. The malware had an extremely low detection rate at the time of writing, with just two of 32 anti-virus engines identifying the threat.
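The injected IFrame is the part of this chain a site operator can actually look for in their own pages. The following scanner is an added example, not code from Websense or Torrentreactor: it parses a page, collects every iframe, and reports those that point to a host outside the site’s own and are also hidden from the visitor (zero size, off-screen, or hidden by CSS). The sample page and the hostnames in it are constructed for the example; `own_hosts` is the set of hostnames the page is allowed to frame.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeScanner(HTMLParser):
    """Collect every <iframe> in a page together with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attribute values may be None for bare attributes such as "hidden".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


# CSS tricks drive-by injections use to keep the frame out of sight.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}|top\s*:\s*-\d{3,}",
    re.I,
)


def _is_tiny(value):
    """True for width/height values of 0 or 1 pixel (e.g. '0', '1', '0px')."""
    m = re.match(r"^\s*(\d+)\s*(px)?\s*$", value)
    return bool(m) and int(m.group(1)) <= 1


def find_injected_iframes(html, own_hosts):
    """Return [(src, reasons)] for iframes that point off-site AND are hidden.

    Requiring both conditions keeps legitimate third-party frames (visible
    ad units, embedded players) out of the report."""
    scanner = IframeScanner()
    scanner.feed(html)
    findings = []
    for f in scanner.iframes:
        src = f.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host not in own_hosts:
            reasons.append("third-party host")
        if _is_tiny(f.get("width", "")) or _is_tiny(f.get("height", "")):
            reasons.append("zero-size")
        if _HIDDEN_STYLE.search(f.get("style", "")):
            reasons.append("hidden by CSS")
        if f.get("hidden") is not None:
            reasons.append("hidden attribute")
        if "third-party host" in reasons and len(reasons) > 1:
            findings.append((src, reasons))
    return findings


# Constructed page: one visible, legitimate frame and one injected frame.
# Hostnames use the reserved .invalid TLD; they are not real sites.
SAMPLE_PAGE = """<html><body>
<h1>Search</h1>
<iframe src="https://www.example-tracker.invalid/ads" width="300" height="250"></iframe>
<iframe src="http://exploit-host.invalid/in.cgi?3" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_injected_iframes(SAMPLE_PAGE, {"www.example-tracker.invalid"}):
        print("suspicious iframe:", src, "->", ", ".join(why))
```

Run it periodically against a fetched copy of the site’s own front page and diff the output against a known-good baseline; an injected frame shows up as a new off-site, hidden entry.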

This isn’t the first time that security researchers have reported Torrentreactor is foisting malware on its users. In March 2008, the site suffered a similar iframe attack, according to Dancho Danchev.

Credit: The Register
Credit: Websense Security Labs

Multiple MPAA and RIAA Websites XSS Vulnerability Allows Rogue Content

Saturday, May 9th, 2009

A cross-site scripting flaw on the website of the Motion Picture Association of America (MPAA) has been abused to inject listings from the controversial torrent links site The Pirate Bay.

Vektor, a member of the Team Elite group of hackers, smuggled links culled from The Pirate Bay into content served up when surfers visited the MPAA’s recommended list of sites. The MPAA’s legal action against The Pirate Bay makes the supposed endorsement ironic and embarrassing, if not completely unexpected.

Cross-site scripting (XSS) flaws on websites are all too commonplace, and the MPAA is a high-profile target, especially after the four defendants in The Pirate Bay trial were found guilty. So it was only really a question of time until hackers found a chink in its armour to exploit.

Earlier denial of service attacks against entertainment industry websites scored limited successes in the aftermath of The Pirate Bay verdict on 17 April.

According to Vektor, the Recording Industry Association of America (RIAA) website is vulnerable to flaws similar to those he exploited to embarrass the MPAA earlier this week, Softpedia reports. Vektor used this flaw to inject listings from Mininova, another well-known torrent site, into pop-up windows displayed when users visited portions of the RIAA website.

Although the MPAA has reportedly addressed the flaws on its main website following the attack, other MPAA-controlled websites involved in movie ratings remain vulnerable to much the same type of exploit.

The vulnerabilities create a means for rogue iframes from third-party servers to be presented to surfers as if they came from the site they are visiting, when in reality their content is loaded from locations chosen by the attacker.
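The mechanism behind these incidents is reflected XSS: a query parameter is written straight into the page, so an `<iframe>` in the parameter becomes live markup under the MPAA’s or RIAA’s own origin. The following is an added example, not code from either site: a vulnerable rendering function beside the fixed one, driven by a constructed attack URL (hostnames use the reserved `.invalid` TLD and are not the real sites). The fix shown is output escaping for the HTML text context, which is the minimum that would have stopped this class of injection.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request: the search term carries a third-party iframe, the same
# shape as the rogue listings described in the article.
ATTACK_URL = (
    "https://www.example-org.invalid/search?q="
    "%3Ciframe%20src%3D%22http%3A%2F%2Frogue-host.invalid%2Flisting.html%22%3E%3C%2Fiframe%3E"
)


def query_param(url, name):
    """Return one query-string value from a URL (first occurrence, or '')."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_vulnerable(term):
    """The bug: user input is concatenated into HTML unchanged, so a
    <iframe> in the parameter is created by the browser as a real element
    that loads attacker-chosen content under the site's own origin."""
    return "<p>Results for: " + term + "</p>"


def render_fixed(term):
    """The fix for this context: escape before interpolation. html.escape
    turns < > & " ' into entities, so the browser displays the attacker's
    string as text and never parses it as markup."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


def contains_live_element(rendered, tag="iframe"):
    """True if the rendered HTML opens a real <tag ...> element (the entity
    form &lt;tag does not count, which is the whole point of escaping)."""
    return ("<" + tag) in rendered.lower()


if __name__ == "__main__":
    term = query_param(ATTACK_URL, "q")
    print("vulnerable:", render_vulnerable(term))
    print("fixed:     ", render_fixed(term))
```

Escaping is context-specific: `html.escape` is right for text between tags and for double-quoted attribute values, but input placed inside a script block, a URL, or a CSS property needs the encoding for that context instead, and a template engine that auto-escapes by default removes the chance of forgetting.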

XSS flaws on both the MPAA and RIAA websites have cropped up from time to time in the past, a quick search of the security website XSSed reveals. Security suppliers, such as application security firm Fortify, said that Vektor’s attacks against the RIAA and MPAA were each effectively accidents waiting to happen.

“That such sites are open to XSS-driven incursions and alterations comes as no surprise, given the fact that so many sites are poorly programmed and therefore open to such attacks,” said Richard Kirk, a director at Fortify. “The MPAA is lucky that Vektor’s attack was a proof-of-concept one, and intended as something of a joke. The next time they, and other organizations whose sites are vulnerable to XSS-driven attacks, may not be so lucky,” he added.

Credit: The Register
Credit: Softpedia

Music Industry Sites DDoSed By Hacktivists To Support Pirate Bay

Monday, April 20th, 2009

Hacktivists have launched denial of service attacks against the music industry association IFPI.org and against lawyers involved in the prosecution of the four Pirate Bay defendants, in the wake of a guilty verdict against the quartet last Friday. The four defendants, Peter Sunde, Fredrik Neij, Gottfrid Svartholm and Carl Lundström, were found guilty and sentenced to one year in prison and heavy fines, but intend to appeal.

The assault rendered IFPI.org, the main website of the International Federation of the Phonographic Industry, intermittently unavailable or sluggish for a time on Monday morning. Discussions involving some 250 hackers in IRC channels on irc.anonnet.org talk of retaliation against the IFPI and the lawyers involved in the case, and of a desire to keep the website off the internet throughout Monday at a minimum.

“They want to get the message across that the IFPI can not mess with the internet and that the internet is serious business,” coldblood, an admin at anonnet.org told El Reg. “This is very much like the Scientology thing started more than a year ago now,” he added.

Operation Baylout, as the attack is called, also involved the reported defacement of the Swedish website of the IFPI.

Meanwhile, limited distributed denial of service attacks against some torrent tracker sites continued in the wake of the guilty verdict against the four defendants in the high-profile Pirate Bay trial last Friday.

The main victim of attacks by as yet unidentified vigilantes (or possibly simple griefers) was free-torrents.org, reports security tools firm Arbor Networks. The assault against free-torrents.org has been going on for around a month, and so is hardly a new development. Arbor’s findings (below) contradict rumours that large-scale denial of service attacks against multiple Torrent trackers were underway.

“All in all, except for free-torrents.org getting attacked by a Black Energy botnet run out of China (using the C&C at hack-off.ru), we can’t corroborate this spate of attacks. Free-torrents.org has been getting pounded by this botnet since mid March, 2009, in fact. But none of the other major sites appear to be receiving such packet love.”

Jose Nazario, manager of security research at Arbor Networks, notes that the trial involved the people who ran Pirate Bay, not the site itself, which remains operational. Even if The Pirate Bay was taken down something else would surely replace it. Nonetheless The Pirate Bay is a major interchange (most of the Pirate Bay swarms also include other trackers), so disrupting TPB may have an impact on BitTorrent traffic as a whole, at least for a short period.

Credit: The Register

Massive Botnet DDoS Attack Hits Mininova.org

Sunday, March 8th, 2009

One of the leading BitTorrent sites, Mininova, has been suffering from a massive DDoS attack over the past few days. Originating from a botnet spanning three continents, the attacks vary in strength and are causing the site to be completely inaccessible at times.

Mininova co-founder Niek confirmed that the site has been suffering from a DDoS attack over the past few days. It is currently being pounded by a botnet of hundreds of computers, which is slowing the site down significantly and at times making it completely inaccessible.

Niek said that he has no idea who’s behind the attack or why they chose to target Mininova. This is not the first time the site has had to deal with a Denial of Service attack, but they haven’t witnessed one of this magnitude before.

It started on Thursday originating from three different continents, but seemed to wear off in the hours that followed. Today it’s back in full force. Mininova is used to serving millions of visitors a day, but even they are not equipped to handle an attack like this.

Today’s attack originates from Germany and Argentina and peaks at around 2 Gbit/s. It is saturating the site’s entire uplink and is hard to filter because it consists of UDP traffic, which is connectionless and easily spoofed, so there is no handshake or connection state to drop it on.

Niek told TorrentFreak that the Mininova team is working on a solution at the moment, and he hopes things will be back to normal soon.

Credit: TorrentFreak.com

Swedish IFPI Website Hit By Pirate Bay Supporters

Thursday, February 19th, 2009

Pirate Bay co-founder Peter Sunde has pleaded with fans to stop attacking official entertainment industry websites after the site of the Swedish wing of the International Federation of the Phonographic Industry (IFPI) was hacked yesterday.

Sunde, who is among four men facing prosecutors representing the likes of Sony, MGM and Universal in the already infamous Pirate Bay trial, uncharacteristically put the boot in yesterday against the hackers.

“Our case is going quite well as most of you have noticed. In the light of that it feels very bad that people are hacking web sites which actually puts us in a worse light than we need to be in,” he said in a post on his “Copy Me Happy” blog.

“If anyone involved in the acts going on is reading this - please stop, for our sake. We don’t need that kind of support,” he added writing under his brokep moniker.

The trial underwent a dramatic turn of events on Tuesday when chief prosecutor Håkan Roswall scratched copyright infringement allegations against Sunde, Carl Lundström, Fredrik Neij and Gottfrid Svartholm Warg from the charge sheet.

Meanwhile, ifpi.se remains out of action as day four of the case gets underway in the Stockholm district court.

The self-titled group The New Generation (Den Nya Generationen) was behind the website hackery and claimed it had attacked the website to show support of the defendants in the case.

According to Sunde, IFPI’s official Swedish website was not the only address targeted by internet intruders. He claimed hackers also gained access to ifpi.org and Sunde’s old domain ifpi.com, where a sneering broadside against the entertainment industry was displayed.

An IFPI spokesman confirmed that the Swedish site had indeed been hacked but claimed that both ifpi.org and ifpi.com had simply been hit by denial of service attacks.

Mac OS X Malware Found In Pirated Apple iWork 09

Thursday, January 22nd, 2009

Researchers at Intego are reporting that malware hidden in pirated copies of Apple’s iWork 09 productivity suite is targeting unsuspecting Mac users foolish enough to install pirated software downloaded from warez sites.

Once installed, iServices.A has unfettered root access, which it promptly uses to connect to a remote server over the internet, according to Intego, which sells anti-virus software for Macs. A secondary download installs malware that makes victims part of a botnet that’s attacking undisclosed websites.

The malicious file, dubbed OSX.Trojan.iServices.A, was found on BitTorrent trackers and other sites containing links to pirated software. The booby-trapped version of the iWork 09 productivity suite is complete and functional, but the installer contains an additional package called iWorkServices.pkg, Intego said.

When iWork 09 is installed, the iWorkServices package is installed along with it. The Trojan horse’s installer launches as soon as the user begins the iWork installation, right after the installer has asked for an administrator password (on Mac OS X 10.5.1 or earlier there is no password request). The software is installed as a startup item in /System/Library/StartupItems/iWorkServices, a location normally reserved for Apple’s own startup items, where it has read-write-execute permissions for root. The malicious software then connects to a remote server over the Internet, which tells the attacker that the Trojan is installed on a given Mac and gives them the ability to connect to it and perform various actions remotely. The Trojan horse may also download additional components onto an infected Mac.
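The startup-item path Intego names is a concrete thing to check for. The following is an added example, not Intego’s tool: it audits a StartupItems directory, records owner and mode for each entry, and flags the item name from the advisory. Because nothing should normally be in that directory on a 10.5-era system apart from Apple’s own items, every entry is listed for review even when it is not a known-bad name. The sample tree it builds under a temporary directory is a constructed stand-in with a placeholder script, so the check can be exercised on any machine without the real malware; `KNOWN_BAD_ITEMS` is this example’s own list.

```python
import os
import stat
import tempfile

# Path from Intego's advisory; the item name is the one it reports.
STARTUP_ITEMS_DIR = "/System/Library/StartupItems"
KNOWN_BAD_ITEMS = {"iWorkServices"}


def audit_startup_items(startup_dir=STARTUP_ITEMS_DIR):
    """Return one record per entry in startup_dir (empty list if it is absent).

    A StartupItem is a directory that contains an executable of the same
    name plus StartupParameters.plist; both are recorded so a reviewer can
    see at a glance whether the entry is a real launchable item."""
    findings = []
    if not os.path.isdir(startup_dir):
        return findings
    for name in sorted(os.listdir(startup_dir)):
        item = os.path.join(startup_dir, name)
        st = os.lstat(item)
        exe = os.path.join(item, name)
        findings.append({
            "name": name,
            "path": item,
            "known_bad": name in KNOWN_BAD_ITEMS,
            "owner_uid": st.st_uid,
            "mode": stat.S_IMODE(st.st_mode),
            "has_executable": os.path.isfile(exe) and os.access(exe, os.X_OK),
            "has_plist": os.path.isfile(os.path.join(item, "StartupParameters.plist")),
        })
    return findings


def build_sample_tree(root):
    """Construct a fake StartupItems tree with the layout the advisory
    describes (a placeholder script, not the trojan) and return root."""
    bad = os.path.join(root, "iWorkServices")
    os.makedirs(bad)
    exe = os.path.join(bad, "iWorkServices")
    with open(exe, "w") as f:
        f.write("#!/bin/sh\n# placeholder standing in for the start-up script\n")
    os.chmod(exe, 0o700)          # rwx for the owner (root on a real install)
    with open(os.path.join(bad, "StartupParameters.plist"), "w") as f:
        f.write("<plist/>")
    return root


def demo():
    """Build the sample tree in a fresh temp dir and audit it."""
    return audit_startup_items(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for rec in demo():
        flag = "KNOWN BAD" if rec["known_bad"] else "review"
        print("%s: %s uid=%d mode=%o exe=%s plist=%s" % (
            flag, rec["path"], rec["owner_uid"], rec["mode"],
            rec["has_executable"], rec["has_plist"]))
```

On a real system call `audit_startup_items()` with no argument; on a Mac it needs to be run with enough privilege to read the system directory.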

More than 20,000 people have already downloaded the rogue installer, which is bundled with a complete and fully functional version of iWork. Intego didn’t say how many of those marks have actually installed the program.

Intego’s advisory is the latest reminder that the growing popularity of Apple’s OS X hasn’t been lost on malware developers. Over the past 18 months, a variety of trojans and exploits have increasingly targeted the Mac.

Intego’s advisory can be found here.

Arabian Anti-Piracy Alliance Website Defaced By Hackers

Tuesday, January 13th, 2009

TorrentFreak reported today that the website of the Arabian Anti-Piracy Alliance, which represents the MPAA and a wide range of copyright holders in the Middle East, has been defaced by hackers. The entire news section was wiped out a week ago, and it hasn’t recovered since. It seems like this anti-piracy outfit doesn’t even visit its own site.

The Arabian Anti-Piracy Alliance (AAA) was founded in 1996 by the Motion Picture Association (MPA), and has turned itself into a profitable business since. In 2007 the company even received a nomination for the prestigious Lloyds TSB Small Business of the Year Award, but unfortunately for them they didn’t win.

The outfit sees itself liaising with the authorities, tipping them off and assisting in raids. Scott Butler, the CEO of the company who’s obviously from the U.S judging from his accent, said in a radio interview last year that his company assists in hundreds of raids a month.

Butler proudly added that, contrary to the situation in the U.S, everyone they catch violating copyrights in the United Arab Emirates goes to jail. “Amazingly, every single copyright case within United Arab Emirates resulted in imprisonment,” he said.

While the AAA might do a good job at protecting the intellectual property of their clients, preventing their own website from being hacked seems to be a real challenge. For days now, the news section of the site has been stripped of all its content, displaying the following message: “hacked by ashiyane security team”.

When it comes to securing websites, anti-piracy outfits seem to fail time and time again. Last year, the RIAA website got hacked, and the IFPI and a Lithuanian anti-piracy outfit both lost their domain names to BitTorrent sites after they failed to renew their registrations. Perhaps they should consider investing a few of their hard earned dollars in a proper sysop.

In the meantime, perhaps the Arabian Anti-Piracy Alliance should consider checking their own site every now and again.

Credit: TorrentFreak.com Blog

Norwegian BitTorrent Tracker Norbits Under DDoS Attack

Friday, September 19th, 2008

Norbits, the largest Norwegian BitTorrent tracker, is going through some rough times. For several days now the site has been offline due to a DDoS attack. A group called MORRADi claims responsibility and also claims to have compromised the tracker itself; it is threatening to release personal details of its users, including IP addresses, unless the tracker is closed.

Norbits is a medium sized community with over 10,000 members, most of them from Norway. Norbits has suffered downtime because of DDoS attacks before, but this time the threat may be more serious than that.

A group called MORRADi takes responsibility for the attack on Norbits. A message released by the groups says (translated): “Once again we show our power! Once again we show your foolishness! This is not the first time we have done it, and it won’t be the last. Enough is enough, you are becoming a real nuisance, and you are also a bunch of idiots that try to hide, so it’s high time we punish you! P2P is not something we want, when will you understand that? Do we have to take it as far as publishing your user database online?”

The message seems to suggest that “sceners” are behind the hack and the attacks, since they don’t want their releases shared on BitTorrent trackers.

This is the second time in the past two years that the tracker has been under DDoS attack, and however futile the attackers’ aim of punishing a tracker for promoting P2P may be, the success of Norbits seems to have already annoyed the local warez scene.

Further investigation indicates a conflict of interest on the Norwegian warez scene, with old school FTP warez groups. The attack is very similar to an apparently still active campaign courtesy of old school warez traders, named “Destroying The P2P’s, One Step at a Time”, whose objective is to expose the owners of BitTorrent trackers, compromise their security and leak personally identifiable information of its users in order to damage their reputations.

DDoS attacks are not an unusual event for many private BitTorrent trackers. Although they are sometimes used as an excuse for server issues, most of the larger trackers have been subject to such attacks at least once.

BitTorrent Users Are The Targets In New Anti-Piracy Scam Email Spam

Tuesday, September 9th, 2008

Spammers are now targeting BitTorrent users, sending out millions of emails that claim to come from MediaDefender. The fake emails warn the recipient that he or she has been logged using BitTorrent and point them to an attachment that supposedly contains the evidence but is in fact a virus.

The e-mail looks like it comes from Los Angeles-based MediaDefender (it uses the company’s logo), a firm hired by Hollywood to fight online piracy by harassing and suing heavy downloaders and uploaders of copyrighted content. It is sent out at random, victimising unsuspecting users who may get scared and open the infected attachment, which supposedly contains more details about the infringed material.

It has been getting a lot of people’s attention because millions of people use BitTorrent trackers to download free games, music and movies. The e-mail says:

We have attached a report about the copyrighted movies, music, software you
downloaded or searched on these web pages. We strongly advise you to stop any
future activities regarding the downloading of illegal content or you can
expect prosecution by 17 U.S.C. §§ 512, 1201–1205, 1301–1332; 28 U.S.C. §
4001 laws.

The attachment contains the Mytob worm (W32.Mytob@mm), which installs a Trojan that allows outsiders to gain access to the victim’s computer. Systems affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP.
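The lure relies on the victim opening an “evidence” attachment that is really a Windows executable. The following is an added example, not MediaDefender’s or any vendor’s code: it builds a message in the shape of the scam and then runs the attachment checks a mail gateway would apply before the message reaches an inbox, flagging executable extensions, the double-extension trick, and a PE (`MZ`) header regardless of what the file is called. The sender address, recipient, attachment name and the four-byte header stub are all constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly; a "report" should never carry one.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_message():
    """Construct a message in the shape of the scam: a lure body and an
    'evidence' attachment that is really a Windows executable. The
    addresses and file name are made up (reserved .invalid domains)."""
    msg = EmailMessage()
    msg["From"] = "MediaDefender Legal <notice@mediadefender-notices.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Copyright infringement report"
    msg.set_content("We have attached a report about the copyrighted movies, "
                    "music, software you downloaded or searched on these web pages.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60        # PE header stub, not real code
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="report.pdf.exe")
    return msg.as_bytes()


def assess_attachments(raw_message):
    """Return [(filename, [reasons])] for every attachment in a raw RFC 822
    message. An empty reason list means nothing suspicious was found."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable extension " + ext)
            if lower.count(".") >= 2:
                # "report.pdf.exe": the visible part suggests a document.
                reasons.append("double extension hides the real type")
        if payload[:2] == b"MZ":
            # Check content, not just the name; renaming the file does not help.
            reasons.append("PE/MZ header regardless of extension")
        if part.get_content_type() == "application/octet-stream" and not name:
            reasons.append("unnamed binary blob")
        results.append((name, reasons))
    return results


if __name__ == "__main__":
    for name, reasons in assess_attachments(build_sample_message()):
        print(name or "(no name)", "->", "; ".join(reasons) or "ok")
```

The content check matters more than the name check: the worm arrives with whatever name the spammer chooses, and a gateway that only matches extensions is beaten by a `.zip` wrapper or a renamed file.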

Such scams can be avoided easily when a few simple rules are followed, but thousands of novices are tricked into opening the infected attachment daily. BitTorrent has become very popular among millions of users worldwide and as any other large group of users, they become an interesting target for email spammers.

Popular BitTorrent Client Quietly Patched An Old Zero-Day Vulnerability

Thursday, August 14th, 2008

Popular BitTorrent client µTorrent has silently patched a vulnerability that created a means for hackers to load malware onto PCs of file sharing users by persuading them to open a poisoned Torrent file. The vulnerability has been confirmed in version 1.7.7 of µTorrent. Earlier versions may also be vulnerable.

News of the bug emerged in a posting by Rhys Kidd to a security mailing list on Monday. He claimed that the flaw had been present in the software, unpatched, for the last two years. The flaw is a stack-based buffer overflow triggered by opening a poisoned .torrent file, and it offers far more potential for damage than either salted files (empty or impossible to play) or media files that try to induce users to install fake codecs (often contaminated with malware) when they attempt to play downloaded content.

BitTorrent Mainline version 6 and later are also vulnerable, because BitTorrent, Inc. builds them from the µTorrent code base. Together the two packages make up over 18.8 percent of the installed P2P client base, creating plenty of scope for mischief, even though the bug is far from straightforward to misuse: reliable exploitation is difficult, although not impossible.

The new version of µTorrent, released earlier this month, fixes the flaw, even though the release notes fail to mention it. Version 1.8 RC7 silently patched the flaw, according to security notification service Secunia, which advises users to update to µTorrent 1.8.0. BitTorrent Mainline is also vulnerable but has yet to deliver a patch, according to Secunia.
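A .torrent file is bencoded data, and a poisoned torrent of the kind described here works by making a length or nesting value in the file larger than the parser’s fixed-size buffers expect. The decoder below is an added example, not µTorrent’s or BitTorrent’s code, written in Python rather than the clients’ native code: it shows the checks a bencode parser must make on every length before using it (against the remaining input and against a hard cap) and on nesting depth, so a crafted file is rejected with an error instead of being copied somewhere it does not fit. The sample torrent and the two poisoned inputs are constructed; the `MAX_STRING` and `MAX_DEPTH` limits are this example’s own choices.

```python
import re

MAX_STRING = 1 << 20   # 1 MiB cap on any single bencoded string
MAX_DEPTH = 32         # cap on list/dict nesting


class BencodeError(ValueError):
    """Raised for any malformed or over-limit input; the caller never
    receives a partially built structure."""


def bdecode(data, max_string=MAX_STRING, max_depth=MAX_DEPTH):
    """Decode bencoded bytes (the .torrent format) into Python objects,
    checking every length and nesting level taken from the file before use."""

    def parse(i, depth):
        if i >= len(data):
            raise BencodeError("truncated input at offset %d" % i)
        c = data[i:i + 1]
        if c == b"i":                                   # integer: i<digits>e
            end = data.find(b"e", i)
            if end < 0:
                raise BencodeError("unterminated integer")
            num = data[i + 1:end]
            if not re.fullmatch(rb"(0|-?[1-9][0-9]*)", num):
                raise BencodeError("bad integer %r" % num)
            return int(num), end + 1
        if c in (b"l", b"d"):                           # list or dict
            if depth >= max_depth:
                raise BencodeError("nesting deeper than %d" % max_depth)
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                value, i = parse(i, depth + 1)
                items.append(value)
            if c == b"l":
                return items, i + 1
            if len(items) % 2:
                raise BencodeError("dict with dangling key")
            keys = items[0::2]
            if any(not isinstance(k, bytes) for k in keys):
                raise BencodeError("dict key is not a string")
            return dict(zip(keys, items[1::2])), i + 1
        if c.isdigit():                                 # string: <len>:<bytes>
            colon = data.find(b":", i)
            if colon < 0 or not data[i:colon].isdigit():
                raise BencodeError("bad string length prefix")
            n = int(data[i:colon])
            if n > max_string:
                # The length is attacker-controlled; cap it before allocating
                # or copying anything.
                raise BencodeError("string length %d exceeds limit %d" % (n, max_string))
            start = colon + 1
            if start + n > len(data):
                raise BencodeError("string length %d runs past end of input" % n)
            return data[start:start + n], start + n
        raise BencodeError("unexpected byte %r at offset %d" % (c, i))

    value, end = parse(0, 0)
    if end != len(data):
        raise BencodeError("%d trailing bytes after root value" % (len(data) - end))
    return value


def is_well_formed(data):
    """True when data decodes within limits, False on any BencodeError."""
    try:
        bdecode(data)
        return True
    except BencodeError:
        return False


# Constructed inputs (the tracker host uses the reserved .invalid TLD).
SAMPLE_TORRENT = (b"d8:announce34:http://tracker.example.invalid/ann"
                  b"4:infod6:lengthi1024e4:name8:demo.iso12:piece lengthi16384eee")
# A 4 GiB string length declared for a tiny file: the shape of input that a
# length-trusting native parser copies into a fixed buffer.
POISONED_TORRENT = b"d8:announce4294967295:aaaa"
DEEPLY_NESTED = b"l" * 1000

if __name__ == "__main__":
    print(bdecode(SAMPLE_TORRENT))
    for label, blob in (("oversized length", POISONED_TORRENT), ("deep nesting", DEEPLY_NESTED)):
        try:
            bdecode(blob)
        except BencodeError as e:
            print(label, "rejected:", e)
```

In a native implementation the same two checks (declared length against the remaining input, and against the destination buffer) are what separate a parser that fails cleanly on a poisoned torrent from one that overflows.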
