CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘BitTorrent’ Category

The Pirate Bay Compromised, Hacker Swipes Details Of 4 Million Users

Thursday, July 8th, 2010

The Pirate Bay has been compromised by an Argentinean hacker who made off with usernames, email and internet addresses of more than four million people signed up to the BitTorrent tracker site.

KrebsOnSecurity.com reported yesterday that Ch Russo broke into TPB’s system and grabbed the info from the notorious website, which might amuse some pro-copyright groups.

Russo had considered selling the private data, but in the end decided to go public about TPB’s shaky security credentials. He accessed the information in the site’s user database by exploiting a SQL injection vulnerability.

“We wanted to tell people that their information may not be so well protected,” Russo said.

Meanwhile, it may be a coincidence, but The Pirate Bay is currently out of action and carried the following message:

“Upgrading some stuff, database is in use for backups, soon back again.. Btw, it’s nice weather outside I think.”

At this moment the website appears to be offline.

Credit: The Register


Trojan Promises Copyright Infringement Lawsuit, Extorts Money From BitTorrent Users

Tuesday, April 13th, 2010

A sneaky new Trojan attempts to extort money from BitTorrent users under the guise of a fictitious copyright infringement lawsuit. Malicious pop-up messages generated by the malware, which is being spread via fake files offered up for download through BitTorrent, seek to bully victims into agreeing to pay out for a “pre-trial settlement” of $400 in order to avoid possible prosecution over supposed copyright piracy violations.

Both the Antipiracy foundation scanners that supposedly identified pirated content on the PCs of targeted individuals and the ICPP Foundation “law firm” are fakes.

Infected users receive warnings every time they reboot their system, warns net security firm F-Secure. The scammers have sought to lend credibility to the ruse by setting up an official-looking but bogus website at icpp-online.com, which was taken offline on Monday afternoon.

The domain was registered to “Shoen Overns”, using an email address previously used to register domains associated with the Zeus information-stealing Trojan and Koobface scams.

Credit: The Register, F-Secure


Pirates Privacy Breached After Downloading Fake Game Installer

Thursday, March 25th, 2010

Over the years would-be game pirates have been targeted in a number of ways such as through draconian DRM schemes and even viruses. Now it appears that file-sharers who thought they were going to download a high-profile interactive erotic novel have been instead treated to a security and privacy breach of epic proportions.

Cross Days, an erotic visual novel game from developer 0verflow, was released just a few days ago. Not everyone would acquire the game through the official channels and many turned to file-sharing networks for their erotic gaming fix. Some, who were not particularly careful about the item they were downloading, were in for a pretty big shock.

Alongside the pirated versions of Cross Days can be found some software which claims to be the installer for the game, but is actually a piece of pretty vicious malware which appears to try to punish would-be pirates. When run, the installer pretends to be the game but using personal information gathered from the victim’s computer (including IP address), it presents a survey which asks for more personal information – including their email address and password.

Once completed, the information is uploaded to a website for all the Internet to see – accompanied by a screenshot of the victim’s desktop. Samples of the information uploaded by the trojan can be viewed here and although much of it is in Japanese, there are enough pictures and English text to entertain most readers.

Adding insult to injury, according to a report the installer’s terms of service agreement actually states that all these things happen, but as we all know, hardly anyone reads them.

Although it is possible to have the would-be pirate’s personal information taken down from the website, first the user has to effectively apologize for having tried to illegally download Cross Days.

Adding to the confusion, developer 0verflow are reporting that users of Avast! anti-virus software receive a false-positive warning (Win32: Trojan-gen) when installing the real game.

This isn’t the first time Japanese file-sharers have been targeted by malware writers. In 2007 a bizarre virus was released which threatened to kill people who illegally download using P2P.

Credit: TorrentFreak.com


Torrentreactor.net Website Compromised, Serves Exploits Through IFRAME

Wednesday, July 1st, 2009

Websense Security Labs has detected that Torrentreactor, one of the oldest and most reliable torrent search engines on the Web, has been compromised and injected with malicious code. The site has been injected with an IFrame leading to a site laden with exploits. The exploits on the payload site include Internet Explorer (MDAC) and Microsoft Office Snapshot Viewer, as well as Adobe Acrobat Reader and Adobe Shockwave.

According to Websense, the malware has an extremely low detection rate, with just two of 32 anti-virus engines identifying the threat. Once executed, it installs a rootkit on victims’ machines. If the user’s browser is successfully exploited, a malicious file is downloaded and run from the exploit site. The file is a Trojan Downloader and connects to a Bot C&C server at IP 78.109.29.116. After connecting to the IP, the file downloads a Rootkit installer from the same IP. This IP address has ties to the Russian Business Network.

This isn’t the first time that security researchers have reported Torrentreactor is foisting malware on its users. In March 2008, the site suffered a similar iframe attack, according to Dancho Danchev.

Credit: The Register
Credit: Websense Security Labs


Multiple MPAA and RIAA Websites XSS Vulnerability Allows Rogue Content

Saturday, May 9th, 2009

A cross-site scripting flaw on the websites of the Motion Picture Association of America (MPAA) has been abused to inject listings from controversial torrent links site The Pirate Bay.

Vektor, a member of the Team Elite group of hackers, smuggled links culled from The Pirate Bay into content served up when surfers visited the MPAA’s recommended list of sites. The MPAA’s legal action against The Pirate Bay makes the supposed endorsement ironic and embarrassing, if not completely unexpected.

Cross-site scripting (XSS) security flaws on websites are all too commonplace and the MPAA is a high-profile target, especially after the four defendants in The Pirate Bay trial were found guilty in a recent high-profile trial. So it was only really a question of time until hackers managed to find a chink in its armor to exploit.

Earlier denial of service attacks against entertainment industry websites scored limited successes in the aftermath of The Pirate Bay verdict on 17 April.

According to Vektor, the Recording Industry Association of America (RIAA) website is vulnerable to flaws similar to those he exploited to embarrass the MPAA earlier this week, Softpedia reports. Vektor used this flaw to inject listings from Mininova, another well-known torrent tracker, into pop-up windows displayed when users visited portions of the RIAA website.

Although the MPAA has reportedly addressed the flaws on its main website following the attack, other MPAA-controlled websites involved in movie ratings remain vulnerable to much the same type of exploit.

The vulnerabilities create a means for rogue iFrames from third-party servers to be presented to surfers as if they came from the site they are visiting, when in reality they come from locations determined by hackers.

XSS flaws on both the MPAA and RIAA websites have cropped up from time to time in the past, a quick search of security website XSSed reveals. Security suppliers, such as application security firm Fortify, said that Vektor’s attacks against the RIAA and MPAA were each effectively accidents waiting to happen.

“That such sites are open to XSS-driven incursions and alterations comes as no surprise, given the fact that so many sites are poorly programmed and therefore open to such attacks,” said Richard Kirk, a director at Fortify. “The MPAA is lucky that Vektor’s attack was a proof-of-concept one, and intended as something of a joke. The next time they - and other organizations whose sites are vulnerable to XSS-driven attacks - may not be so lucky,” he added.

Credit: The Register
Credit: Softpedia


Music Industry Sites DDoSed By Hacktivists To Support Pirate Bay

Monday, April 20th, 2009

Hacktivists have launched denial of service attacks against music industry association IFPI.org and lawyers involved in the prosecution of the four Pirate Bay defendants in the wake of a guilty verdict against the quartet last Friday. The four Pirate Bay defendants - Peter Sunde, Fredrik Neij, Gottfrid Svartholm and Carl Lundström - were found guilty and sentenced to one year in prison and heavy fines, but intend to appeal.

The assault has rendered IFPI.org - the main website of the International Federation of the Phonographic Industry - intermittently unavailable or sluggish for a time on Monday morning. Discussions involving 250 hackers on irc.anonnet.org talk about retaliation on the IFPI and lawyers involved in the case and a desire to take the website off the internet throughout Monday, at a minimum. Discussion on the attack can be found at irc channels at anonnet.org.

“They want to get the message across that the IFPI can not mess with the internet and that the internet is serious business,” coldblood, an admin at anonnet.org told El Reg. “This is very much like the Scientology thing started more than a year ago now,” he added.

Operation Baylout, as the attack is called, also involved the reported defacement of the Swedish website of the IFPI.

Meanwhile, limited distributed denial of service attacks against some Torrent tracker sites continued in the wake of the guilty verdict against the four defendants in the high-profile Pirate Bay trial last Friday.

The main victim of attacks by as yet unidentified vigilantes (or possibly simple griefers) was free-torrents.org, reports security tools firm Arbor Networks. The assault against free-torrents.org has been going on for around a month, and so is hardly a new development. Arbor’s findings (below) contradict rumours that large-scale denial of service attacks against multiple Torrent trackers were underway.

All in all, except for free-torrents.org getting attacked by a Black Energy botnet run out of China (using the C&C at hack-off.ru), we can’t corroborate this spate of attacks. Free-torrents.org has been getting pounded by this botnet since mid March, 2009, in fact. But none of the other major sites appear to be receiving such packet love.

Jose Nazario, manager of security research at Arbor Networks, notes that the trial involved the people who ran Pirate Bay, not the site itself, which remains operational. Even if The Pirate Bay was taken down something else would surely replace it. Nonetheless The Pirate Bay is a major interchange (most of the Pirate Bay swarms also include other trackers), so disrupting TPB may have an impact on BitTorrent traffic as a whole, at least for a short period.

Credit: The Register


Massive Botnet DDoS Attack Hits Mininova.org

Sunday, March 8th, 2009

One of the leading BitTorrent sites, Mininova, has been suffering from a massive DDoS attack over the past few days. Originating from a botnet spanning three continents, the attacks vary in strength and are causing the site to be completely inaccessible at times.

Mininova co-founder Niek confirmed that they have been suffering from a DDoS attack over the past few days. The site is currently being pounded by a botnet of hundreds of computers which is slowing the site down significantly and at times making it completely inaccessible.

Niek said that he has no idea who’s behind the attack or why they chose to target Mininova. This is not the first time the site has had to deal with a Denial of Service attack, but they haven’t witnessed one of this magnitude before.

It started on Thursday originating from three different continents, but seemed to wear off in the hours that followed. Today it’s back in full force. Mininova is used to serving millions of visitors a day, but even they are not equipped to handle an attack like this.

Today’s attack originates from Germany and Argentina and is 2 Gbit strong. The DDoS attack is maxing out the entire uplink and is hard to filter since it uses UDP connections.

The Mininova team is working on a solution. Niek told TorrentFreak that he hopes things will be back to normal soon.

Credit: TorrentFreak.com


Swedish IFPI Website Hit By Pirate Bay Supporters

Thursday, February 19th, 2009

Pirate Bay co-founder Peter Sunde has pleaded with fans to stop attacking official entertainment industry websites after the site of the Swedish wing of the International Federation of the Phonographic Industry (IFPI) was hacked yesterday.

Sunde, who is among four men facing prosecutors representing the likes of Sony, MGM and Universal in the already infamous Pirate Bay trial, uncharacteristically put the boot in yesterday against the hackers.

“Our case is going quite well as most of you have noticed. In the light of that it feels very bad that people are hacking web sites which actually puts us in a worse light than we need to be in,” he said in a post on his “Copy Me Happy” blog.

“If anyone involved in the acts going on is reading this - please stop, for our sake. We don’t need that kind of support,” he added writing under his brokep moniker.

The trial took a dramatic turn on Tuesday when chief prosecutor Håkan Roswall scratched copyright infringement allegations against Sunde, Carl Lundström, Fredrik Neij and Gottfrid Svartholm Warg from the charge sheet.

Meanwhile, ifpi.se remains out of action as day four of the case gets underway in the Stockholm district court.

The self-titled group The New Generation (Den Nya Generationen) was behind the website hackery and claimed it had attacked the website to show support of the defendants in the case.

According to Sunde, IFPI’s official Swedish website was not the only address targeted by internet intruders. He claimed hackers also gained access to ifpi.org and Sunde’s old domain ifpi.com, where a sneering broadside against the entertainment industry was displayed.

An IFPI spokesman confirmed that the Swedish site had indeed been hacked but claimed that both ifpi.org and ifpi.com had simply been hit by denial of service attacks.


Mac OS X Malware Found In Pirated Apple iWork 09

Thursday, January 22nd, 2009

Researchers at Intego are reporting that malware hidden in Apple’s iWork 09 productivity suite is targeting unsuspecting Mac users foolish enough to install pirated software downloaded on warez sites.

Once installed, iServices.A has unfettered root access, which it promptly uses to connect to a remote server over the internet, according to Intego, which sells anti-virus software for Macs. A secondary download installs malware that makes victims part of a botnet that’s attacking undisclosed websites.

The malicious file, dubbed OSX.Trojan.iServices.A, was found on BitTorrent trackers and other sites containing links to pirated software. The booby-trapped version of the iWork 09 productivity suite is complete and functional but the installer contains an additional package called iWorkServices.pkg, Intego said.

When installing iWork 09, the iWorkServices package is installed. The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer’s request of an administrator password (in older versions of Mac OS X, 10.5.1 or earlier, there will be no password request). This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root. The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.

More than 20,000 people have already downloaded the rogue installer, which is bundled with a complete and fully functional version of iWork. Intego didn’t say how many of those marks have actually installed the program.

Intego’s advisory is the latest reminder that the growing popularity of Apple’s OS X hasn’t been lost on malware developers. Over the past 18 months, a variety of trojans and exploits have increasingly targeted the Mac.

Intego’s advisory can be found here.


Arabian Anti-Piracy Alliance Website Defaced By Hackers

Tuesday, January 13th, 2009

TorrentFreak reported today that the website of the Arabian Anti-Piracy Alliance, which represents the MPAA and a wide range of copyright holders in the Middle East, has been defaced by hackers. The entire news section was wiped out a week ago, and it hasn’t recovered since. It seems like this anti-piracy outfit doesn’t even visit its own site.

The Arabian Anti-Piracy Alliance (AAA) was founded in 1996 by the Motion Picture Association (MPA), and has turned itself into a profitable business since. In 2007 the company even received a nomination for the prestigious Lloyds TSB Small Business of the Year Award, but unfortunately for them they didn’t win.

The outfit sees itself liaising with the authorities, tipping them off and assisting in raids. Scott Butler, the CEO of the company who’s obviously from the U.S. judging from his accent, said in a radio interview last year that his company assists in hundreds of raids a month.

Butler proudly added that, contrary to the situation in the U.S., everyone they catch violating copyrights in the United Arab Emirates goes to jail. “Amazingly, every single copyright case within United Arab Emirates resulted in imprisonment,” he said.

While the AAA might do a good job at protecting the intellectual property of their clients, preventing their own website from being hacked seems to be a real challenge. For days now, the news section of the site has been stripped of all its content, displaying the following message: “hacked by ashiyane security team”.

When it comes to securing websites, anti-piracy outfits seem to fail time and time again. Last year, the RIAA website got hacked, and the IFPI and a Lithuanian anti-piracy outfit both lost their domain names to BitTorrent sites after they failed to renew their registrations. Perhaps they should consider investing a few of their hard earned dollars in a proper sysop.

In the meantime, perhaps the Arabian Anti-Piracy Alliance should consider checking their own site every now and again.

Credit: TorrentFreak.com Blog
