05 August 2007

Malicious BitTorrent Clients: New Coat of Paint, Same Bad Story

Virus BitTorrent Client - Malware Warning in these BitTorrent Clients!!!

"TorrentSpy Advertises Malicious BitTorrent Client. Running a BitTorrent site can get pretty expensive, especially when you're caught up in a lawsuit with the MPAA. But recommending malicious BitTorrent clients like Get-Torrent to your users is not the solution, not even if they pay $$ per install. Money corrupts? Get-Torrent is one of the many malicious BitTorrent clients that are advertised on torrent sites. The clients, and a lot of other free malware applications, are developed and spread by a Swedish company named WakeNet AB, located in Stockholm and Berg. Their primary goal is to trap people into downloading applications that look useful, just to infect computers with adware bundles that are hard to uninstall. Various forum threads, even on TorrentSpy, warn naive users about these clients. Still, TorrentSpy is actively advertising Get-Torrent and infecting hundreds of their users' computers, resulting in a torrent of annoying popups. Unlike TorrentSpy, most BitTorrent site admins refuse to advertise these clients. The Pirate Bay and Mininova successfully banned these malicious clients from advertising through AdBrite, and BTjunkie and many other sites won't let them on their sites either.
The malware bundled with BitTorrent clients like Get-Torrent, Torrent101, TorrentQ and BitRoll is a sponsor program called “Cidhelp”. Apparently, it can be easily removed from the Windows Control Panel. However, in most cases your anti-spyware or anti-virus program damaged the files, leaving them impossible to uninstall, while they still cause numerous popups.
In April we ran Google AdWords campaigns on the BitRoll, Torrent101 and TorrentQ websites warning users not to install these clients. Even though it was fun and probably prevented a couple of hundred people from installing the clients, it is far from an ideal solution. The best way is to spread the word: start forum threads and write blog posts or emails to warn others.
Unfortunately, several popular torrent sites carried advertising for these bad clients but thankfully, sites like The Pirate Bay saw the damage these things can cause and removed the adverts. TPB’s brokep wrote, “We’re getting a lot of email about people downloading torrent clients that are advertised on the site. Do not download them! We have put a ban for the ad companies to sell ads for these clients on our site.” Mininova and Snarf-it also blocked the adverts.
In February we reported on yet another client, TorrentQ, after a tip-off from the owner of BT-Junkie. Of course, this wasn't a new client but the old one with a new name.
In April, in order to try to save unsuspecting file-sharers from installing malware, we ran Google AdWords campaigns on the BitRoll, Torrent101 and TorrentQ websites, informing people of just how bad these clients are. Google apparently doesn't like to be associated with bad news, and a few days later the AdSense adverts disappeared from the sites. Disappointingly, we are now exposed to yet another 'new' bad torrent client. Get-Torrent is the latest in a sequence of malware-laden torrent clients, cloned from the same infected DNA as BitRoll, Torrent101 and TorrentQ."

Source: http://torrentfreak.com/torrentspy-advertises-malicious-bittorrent-client/ - http://torrentfreak.com/malicious-bittorrent-clients-new-coat-of-paint-same-bad-story/

TrackBack

The clients Get-Torrent, Torrent101, TorrentQ and BitRoll result in a barrage of annoying popups, yet TorrentSpy is actively promoting them. Underneath each download, the words "Use Get-Torrent for high speed downloads" appear, tricking users into downloading them.
The Pirate Bay and Mininova both banned the clients from advertising through AdBrite, but apparently money is more important to TorrentSpy than the safety of their users' computers.

Check your files with ExeInfo PE ver. 0.0.1.7 A (289 signatures), Exeinfo for Win32 by A.S.L.
Try to unpack them first: an AV scanner may not be able to detect viruses and other malware hidden inside packed or protected executables, and packed/protected EXE files can also trigger "false positive" alerts. Before installing, send the files to:
VirusTotal - analyses.

XoftSpySE 4.33.248 may detect most adware, spyware, pop-up generators, keyloggers, trojans, hijackers and malware; it found the components bundled in some RapidShare tools where Kaspersky and NOD32 found nothing.
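The manual check above (identify the packer with ExeInfo PE, unpack, then submit to VirusTotal) can be automated as a first pass. The script below is an added example written for this page, not a tool from the original post or from any of the vendors named: it parses the PE section table with the Python standard library only, flags section names that common packers leave behind, measures per-section entropy (packed or encrypted code sits near 8 bits per byte), hashes the file so the digest can be looked up on VirusTotal, and checks the `Name-x.y.z.w-setup-NNNN.exe` installer naming pattern that the clone sites use (see the filenames quoted in the comments). The packer section list is a short illustrative set, and the tiny PE image it builds for the demo is constructed here, not a sample of any of the clients.

```python
"""Added example for this page (not a tool from the original post or its sources):
offline triage of a Windows installer before it is sent to VirusTotal.

Automates the manual steps above: identify the packer (what ExeInfo PE does),
decide whether to unpack before scanning, and hash the file for a VirusTotal
lookup. Standard library only. The packer section list is a short illustrative
set, and the PE image built by build_sample_pe() is constructed for the demo."""
import hashlib
import math
import re
import struct

# Section names left behind by common packers/protectors (illustrative, not exhaustive).
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                   ".themida", ".vmp0", ".vmp1", ".nsp0", ".nsp1", "pec1", "pec2",
                   ".MPRESS1", ".MPRESS2"}

# Installer naming pattern seen on the clone sites, e.g. BitDownload-3.2.0.0-setup-0310.exe
INSTALLER_NAME = re.compile(r"^[A-Za-z0-9-]+-\d+(\.\d+){3}-setup-\d{4}\.exe$", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 0-5 for plain code/data, 7-8 for packed or encrypted."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(blob: bytes):
    """Walk the PE section table; return [(name, raw_offset, raw_size, entropy)]."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)          # offset of the PE header
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", blob, coff + 2)
    opt_size, = struct.unpack_from("<H", blob, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)  # SizeOfRawData, PointerToRawData
        body = blob[raw_ptr:raw_ptr + raw_size]
        sections.append((name, raw_ptr, raw_size, shannon_entropy(body)))
    return sections


def triage(blob: bytes, filename: str) -> dict:
    """Indicators to weigh before installing: packer hints, entropy, name pattern, hashes."""
    sections = parse_sections(blob)
    packer_hits = sorted({name for name, _, _, _ in sections if name in PACKER_SECTIONS})
    high_entropy = [name for name, _, size, ent in sections if size >= 64 and ent >= 7.0]
    reasons = []
    if packer_hits:
        reasons.append("packer section names: " + ", ".join(packer_hits))
    if high_entropy:
        reasons.append("high-entropy sections: " + ", ".join(high_entropy))
    if INSTALLER_NAME.match(filename):
        reasons.append("installer name matches the Name-x.y.z.w-setup-NNNN.exe pattern")
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),   # look this up on VirusTotal
        "md5": hashlib.md5(blob).hexdigest(),
        "sections": sections,
        "likely_packed": bool(packer_hits or high_entropy),
        "reasons": reasons,
    }


def build_sample_pe() -> bytes:
    """Constructed demo image (not one of the clients): a plain .text section plus
    a UPX1 section whose bytes are uniformly distributed (entropy exactly 8.0),
    standing in for compressed code."""
    text = b"\x90" * 200 + b"\xC3" * 56            # NOP sled + RETs: low entropy
    packed = bytes(range(256)) * 4                   # every byte value equally often
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, PE32 opt hdr
    opt = struct.pack("<H", 0x10B) + b"\0" * 222

    def section(name, va, raw_ptr, raw_size):
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", raw_size, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)

    headers = dos + b"PE\0\0" + coff + opt
    headers += section(b".text", 0x1000, 512, len(text)) + section(b"UPX1", 0x2000, 768, len(packed))
    return headers + b"\0" * (512 - len(headers)) + text + packed


if __name__ == "__main__":
    report = triage(build_sample_pe(), "BitDownload-3.2.0.0-setup-0310.exe")
    for name, ptr, size, ent in report["sections"]:
        print(f"{name:8s} raw@{ptr:#06x} {size:5d} B  entropy {ent:.2f}")
    print("sha256:", report["sha256"])
    print("likely packed:", report["likely_packed"], "|", "; ".join(report["reasons"]))
```

Run it as-is for the built-in sample, or call `triage(open(path, "rb").read(), os.path.basename(path))` on a downloaded installer. A "likely packed" verdict is a reason to unpack before scanning and to check the hash on VirusTotal, not proof of malware: plenty of legitimate installers are UPX-packed too.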
The story continues...
updated 06-Aug-2007 by Mods.sub.cc
New Names of the above clients with Malware, new Websites, new Webhosting...


1. New names of the malware BitTorrent clients (all about 1 MB in size):
  • BitDownload (Version 3.2.0.0)
  • BitGrabber (Version 4.2.0.0)
  • TorrentSoftware (Version 4.2.0.0)
  • TorrentGamers
  • BitsOfPorn
2. New websites (screenshots)

The site admins of 9TT.eu, some network backbone admins and we have confirmed that these are the same clients, all about 1 MB in size, just with new names!

WARNING!!! BitGrabber, BitDownload, TorrentSoftware, Get-Torrent, BitRoll, Torrent101, TorrentQ, BitsOfPorn, DivoPlayer, axdlplug, TorrentGamers, WinZix and everything from Cash4Downloads (http://www.torrentmusic.org/index.php?go=programs) are adware bundlers: they ship bundled adware components and use aggressive, deceptive advertising.
Don't download or use any of these clients from the web hosting sites on IPs 69.72.144.122, 66.45.230.133, ... which serve them under different domain names and BitTorrent client product names!!!

Ref.: Beware of BitTorrent software and CiD popups
Avoid installing this software!!

For more information see: Remove CiD popups and BitDownloader/BitGrabber (instructions: how to remove it!)

CiD popups and BitDownloader/BitGrabber
Uninstall BitDownload and remove the popups
  • Go to Add/Remove Programs and uninstall, if present: CiD Help
  • A prompt asking you to retype a code (see below) should open; retype it, then click UNINSTALL
  • Uninstall BitDownload or BitGrabber from Add/Remove Programs, then delete these folders if they exist:
    • C:\Program Files\BitGrabber
    • C:\Program Files\BitDownload
    • C:\Program Files\Multi_Media_France
  • If CiD Help is not present:
    • Download lopremover, enter the number shown on screen, then click UNINSTALL.
Licence of the MSN Plus! 3 sponsor


You can download and run SpySweeper to clean your computer.
  • Download SpySweeper - Download - Spy Sweeper help
  • Click the "Free Trial" link on the far right to download it
  • Install it and start it
    • It will ask to download the latest definitions; accept
    • Then click the Options button on the left
    • Click the Options tab and tick these options:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Untick Do not Sweep System Restore Folder.
    • Click "Sweep Now" on the left
    • Click the "Start" button
    • When the scan is finished, click the "Next" button
    • Make sure everything is ticked and click the "Next" button
    • Once all the items found have been removed
When the program is installed, the licence agreement (in English) states that the program will open advertising popups and will also change your browser's home page and search page.

Type exactly this into the Google search box: "-setup.exe (1MB)", or some words or sentences from the download-page templates of these websites, which are identical to each other (see screenshots). The web is full of these clients!

7 comments:

Anonymous said...

They are registered to GoDaddy. Report them to GoDaddy who have a policy against hosting spam/malware and their domains will get pulled.

Registrant:
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: BITGRABBER.COM
Created on: 12-Dec-06
Expires on: 12-Dec-07
Last Updated on:

Administrative Contact:
Private, Registration Whois Privacy and Spam Prevention by DomainTools.com
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2599

Technical Contact:
Private, Registration Whois Privacy and Spam Prevention by DomainTools.com
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2599

Domain servers in listed order:
NS1.ZONEEDIT.COM
NS7.ZONEEDIT.COM
ref: http://whois.domaintools.com/bitgrabber.com


------------


Whois Record

Domain ID:D134326448-LROR
Domain Name:BITDOWNLOAD.ORG
Created On:04-Dec-2006 15:52:20 UTC
Last Updated On:03-Feb-2007 03:47:09 UTC
Expiration Date:04-Dec-2007 15:52:20 UTC
Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:GODA-025742519
Registrant Name:Registration Private
Registrant Organization:Domains by Proxy, Inc.
Registrant Street1:DomainsByProxy.com
Registrant Street2:15111 N. Hayden Rd., Ste 160, PMB 353
Registrant Street3:
Registrant City:Scottsdale
Registrant State/Province:Arizona
Registrant Postal Code:85260
Registrant Country:US
Registrant Phone:+1.4806242599
Registrant Phone Ext.:
Registrant FAX:+1.4806242599
Registrant FAX Ext.:
Registrant Email:Whois Privacy and Spam Prevention by DomainTools.com
Admin ID:GODA-225742519
Admin Name:Registration Private
Admin Organization:Domains by Proxy, Inc.
Admin Street1:DomainsByProxy.com
Admin Street2:15111 N. Hayden Rd., Ste 160, PMB 353
Admin Street3:
Admin City:Scottsdale
Admin State/Province:Arizona
Admin Postal Code:85260
Admin Country:US
Admin Phone:+1.4806242599
Admin Phone Ext.:
Admin FAX:+1.4806242599
Admin FAX Ext.:
Admin Email:Whois Privacy and Spam Prevention by DomainTools.com
Tech ID:GODA-125742519
Tech Name:Registration Private
Tech Organization:Domains by Proxy, Inc.
Tech Street1:DomainsByProxy.com
Tech Street2:15111 N. Hayden Rd., Ste 160, PMB 353
Tech Street3:
Tech City:Scottsdale
Tech State/Province:Arizona
Tech Postal Code:85260
Tech Country:US
Tech Phone:+1.4806242599
Tech Phone Ext.:
Tech FAX:+1.4806242599
Tech FAX Ext.:
Tech Email:Whois Privacy and Spam Prevention by DomainTools.com
Name Server:NS1.ZONEEDIT.COM
Name Server:NS7.ZONEEDIT.COM

http://whois.domaintools.com/bitdownload.org

Anonymous said...

I'm gonna download them all and install them one by one to look into the code. Will post a comment with all the IPs and URLs in the code of these clients, including the User-Agent strings. Maybe a batch file can be made to uninstall this sh1t completely after the examination is done.

Greez
Gerd

P.S.
Done it on my blog too

Anonymous said...

"There are several advanced and much better BitTorrent clients available today, but we still feel there is something missing in them. They don't show any ads. The other clients have tons of features and great functionality, but they all are overly complex to configure and to understand for a stupid user.

BitDownload's and BitGrabber's purpose is to provide users with a great BitTorrent client that is clean; just some adware and malware will appear in the web browser, but it's easy to use and great to get started with. While you download with this client, pop-up window advertisements show up by themselves. We prefer good quality ads over quantity -- less features that work better.

With BitDownload and BitGrabber, everyone can use and enjoy BitTorrent technology without being a computer newbie to reverse engineer its code and see the truth.

Happy downloading by automatic browser advertising pop ups!"


Team ZA Reversing Product Description corrections

Anonymous said...

1. Report the domains to all possible website filters, including Google's (used by Firefox), McAfee, ...
2. Send the files to all antivirus and antispyware/antimalware companies so they include signatures for them in coming updates.
3. Look at these websites' visitors: Venezuela is almost at the top (Alexa and other traffic measurement sites). Write warnings about these BitTorrent clients on blogs and elsewhere in their language.

Anonymous said...

All of this clients and hosts are Registered through: GoDaddy.com, India

Anonymous said...

look at this:
http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw=bitgrabber.com
Results:

TorrentPortal
(forums.torrentportal.com)

and
http://forums.spybot.info/archive/index.php/t-10259.html

+
3wplayer : hxxp://www.3wplayer.com - BitDownload : hxxp://www.bitdownload.org - BitGrabber : hxxp://www.bitgrabber.com - BitRoll : hxxp://www.bitroll.com .. ..."
www.needforspeedcarbon.fr/recherche/google-3wplayer.html
...
BitGrabber is an adware bundler that is bundled with adware components and uses aggressive, deceptive advertising.
http://www.spywaresignatures.com/details.php?spyware=bitgrabber

Anonymous said...

The internet is full of this stuff:
http://spywarefiles.prevx.com/RRGDEI038108841/BITDOWNLOAD+-+SOMASEX.EXE.html
http://www.bluetack.co.uk/forums/index.php?s=33d607c7f7ccd35f07b398c2b800f45c&showtopic=17080&pid=82316&st=0&#entry82316
Torrent101-3.1.0.1-setup-0283.exe
TorrentQ-2.1.0.0-setup-0350.exe
BitDownload-3.2.0.0-setup-0310.exe
Looks exactly like the "BitDownload" and "fastest_BitTorrent_downloader.zip" stuff I've been tracking for the
past three months on gnutella. Looks like they just tweaked their name a bit but the filenames are still in the
same pattern, e.g: "BitDownload-3.0.0.0-setup-0273.exe"
hxxp://www.get-torrent.com/index.php

detected: adware not-a-virus:AdWare.Win32.Lop.bo URL: hxxp://67.15.107.166/get-torrent/070520/Get-Torrent-2.0.0.0-setup-0350.exe//data0002

detected: Trojan program Trojan.Win32.Obfuscated.en URL: hxxp://67.15.107.166/get-torrent/070520/Get-Torrent-2.0.0.0-setup-0350.exe//data0013
Malware Bittorrent client:67.15.107.166-67.15.107.166
Wakenet P2P Malware:67.15.107.160 67.15.107.191

Company Name: WakeNet AB
http://www.spywareguide.com/creator_show.php?id=419


ev1s-67-15-107-160.ev1servers.net - 67.15.107.160

OrgName: WakeNet AB
OrgID: WAKEN
Address: Tanneforsv 17
City: Stockholm
StateProv:
PostalCode: S-122 47
Country: SE
NetRange: 67.15.107.160 - 67.15.107.191

OrgTechHandle: JWE65-ARIN
OrgTechName: Wennberg, Johan
OrgTechPhone: 46707756006
OrgTechEmail: johan@wakenet.se

RTechHandle: CNE36-ARIN
RTechName: Newcomb, Chris
RTechPhone: +1-713-579-2850
RTechEmail: ipadmin@ev1servers.net

main distribution nodes:

Malware Bittorrent client - DINSA, Ministry of Defence (in the UK) (25.34.12.6):25.0.0.0-25.255.255.255
(Maybe they're spoofing this address, but I'm blocking all military ranges anyway)

Malware Bittorrent client - Merit Network Inc. (Large .edu range, apparently):35.34.12.6-35.34.12.6
(I'm not going to block all of 35.0.0.0-35.255.255.255 just for this, which is probably a spoof)

Malware Bittorrent client - Saudi Data VSAT Project:62.149.120.134-62.149.120.134
(I'm not going to block all of 62.149.120.0-62.149.127.255 just for this either)

Malware Bittorrent client - Hostway Corporation (66.113.139.56):66.113.139.56-66.113.139.56
(Hosting range is 66.113.128.0-66.113.255.255)

Malware Bittorrent client - FDC Servers.net, LLC FDCSERVERS:67.159.44.3-67.159.44.4
Malware Bittorrent client - FDC Servers.net, LLC FDCSERVERS:67.159.44.100-67.159.44.129
Malware Bittorrent client - FDC Servers.net, LLC FDCSERVERS:67.159.44.160-67.159.44.190
(As for me, I block all of 67.159.44.0-67.159.44.255)

Malware Bittorrent client - FIBER TECHNOLOGIES NETWORKS BRW-15171-FIBER:67.99.176.30-67.99.176.30
(I block all of 67.99.176.0-67.99.176.255 already)

Malware Bittorrent client - Syrian Telecommunication Establishment STE ISP Network 1:82.137.205.249-82.137.205.249
82.137.200.0-82.137.207.255

Malware Bittorrent client - NTT America, Inc. NTTA-128-121:128.121.3.81-128.121.3.81

Malware Bittorrent client - Filasteen al-Muslimah (Palestinian website hosted in Myanmar):202.71.103.178-202.71.103.178

Malware Bittorrent client - IPORTENT-LAN on Bezeq International range (using 212.179.133.218):212.179.133.216-212.179.133.223

Malware Bittorrent client - PALNET INTERNAL NETWORK (using 217.66.226.15):217.66.224.0-217.66.231.127

http://forum.securitycadets.com/index.php?showtopic=2063
http://forum.securitycadets.com/index.php?showtopic=1584

http://www.bitdownload.biz/
http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw=bitdownload
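The ranges the commenter lists above are in the "Description:first-last" P2P block-list format that PeerGuardian-style blockers consume. As an added example, not code from the commenter or from the original page, the Python below parses that format, collapses each range into the minimal CIDR prefixes with the standard `ipaddress` module, and checks addresses against the result; the list embedded in it is built from ranges quoted in the comment, and the addresses it tests are constructed. It shows, among other things, that the download host 67.15.107.166 quoted in the comment falls inside the WakeNet netblock 67.15.107.160-67.15.107.191.

```python
"""Added example (not code from the commenter or the original page): apply a
PeerGuardian-style P2P block list of the 'Description:first-last' form used
in the comment above. The embedded list is built from ranges quoted in the
comment; the addresses checked in the demo are constructed."""
import ipaddress

SAMPLE_BLOCKLIST = """\
Wakenet P2P Malware:67.15.107.160-67.15.107.191
Malware Bittorrent client - FDC Servers.net, LLC FDCSERVERS:67.159.44.3-67.159.44.4
Malware Bittorrent client - FDC Servers.net, LLC FDCSERVERS:67.159.44.100-67.159.44.129
Malware Bittorrent client - Hostway Corporation (66.113.139.56):66.113.139.56-66.113.139.56
# blank lines and '#' comments are ignored

Malware Bittorrent client - Syrian Telecommunication Establishment STE ISP Network 1:82.137.205.249-82.137.205.249
"""


def parse_p2p(text):
    """Yield (description, first, last) for each 'desc:a.b.c.d-e.f.g.h' line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        desc, sep, rng = line.rpartition(":")        # the description may itself contain ':'
        first, dash, last = rng.partition("-")
        if not sep or not dash:
            raise ValueError(f"line {lineno}: expected 'description:first-last'")
        lo = ipaddress.IPv4Address(first.strip())
        hi = ipaddress.IPv4Address(last.strip())
        if hi < lo:
            raise ValueError(f"line {lineno}: inverted range {lo}-{hi}")
        yield desc.strip(), lo, hi


def to_cidrs(text):
    """Collapse each range into the minimal set of CIDR prefixes; returns {network: description}."""
    nets = {}
    for desc, lo, hi in parse_p2p(text):
        for net in ipaddress.summarize_address_range(lo, hi):
            nets[net] = desc
    return nets


class BlockList:
    """Membership test for an address: the matching entry's description, or None."""

    def __init__(self, text):
        self.nets = to_cidrs(text)

    def match(self, ip):
        addr = ipaddress.IPv4Address(ip)
        for net, desc in self.nets.items():
            if addr in net:
                return desc
        return None

    def is_blocked(self, ip):
        return self.match(ip) is not None


if __name__ == "__main__":
    bl = BlockList(SAMPLE_BLOCKLIST)
    for net, desc in sorted(bl.nets.items()):
        print(f"{str(net):20s} {desc}")
    # The download host quoted in the comment sits inside the WakeNet netblock;
    # the others are constructed probes just inside and just outside listed ranges.
    for ip in ("67.15.107.166", "67.15.107.192", "67.159.44.129", "67.159.44.50"):
        print(ip, "->", bl.match(ip) or "not listed")
```

The linear scan in `match` is fine for a list this size; for a full PeerGuardian-sized list you would sort the prefixes and binary-search, or push the CIDRs into a firewall ipset instead of matching in userland.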
