
Malicious BitTorrent Clients: New Coat of Paint, Same Bad Story

Malware Warning in these BitTorrent Clients!!!

"TorrentSpy is promoting a malicious BitTorrent client. Operating a BitTorrent site can incur significant costs, particularly when involved in litigation with organizations such as the MPAA. However, endorsing harmful BitTorrent clients like Get-Torrent to your user base is not an appropriate resolution, even if financial incentives are offered per installation. It appears that financial considerations may be influencing these decisions.

Get-Torrent is among numerous malicious BitTorrent clients advertised on various torrent platforms. These clients, along with a range of other free malware applications, are developed and distributed by WakeNet AB, a Swedish company based in Stockholm and Berg. Their primary objective is to entice individuals into downloading seemingly useful applications, only to infect their computers with adware bundles that are challenging to remove. Despite numerous forum discussions, including those on TorrentSpy, cautioning unsuspecting users about these clients, TorrentSpy continues to actively promote Get-Torrent, leading to the infection of hundreds of their users' computers and a proliferation of intrusive pop-up advertisements.

In contrast to TorrentSpy, the majority of BitTorrent site administrators decline to advertise these clients. The Pirate Bay and Mininova have successfully prohibited these malicious clients from advertising through Adbrite, and BTjunkie and many other sites also refuse to host them.
The malware distributed with BitTorrent clients such as Get-Torrent, Torrent101, TorrentQ, and BitRoll is a sponsored program known as "Cidhelp." While it is ostensibly removable via the Windows Control Panel, anti-spyware or anti-virus programs frequently corrupt its files, rendering uninstallation impossible while the program continues to generate numerous pop-up advertisements.

In April we ran Google Adwords campaigns on the BitRoll, Torrent101 and TorrentQ websites warning users not to install these clients. Even though it was fun and probably prevented a couple of hundred people from installing the clients, it is far from an ideal solution. The best way is to spread the word, start forum threads and write blog posts or emails to warn others.
Unfortunately, several popular torrent sites carried advertising for these bad clients but thankfully, sites like The Pirate Bay saw the damage these things can cause and removed the adverts. TPB’s brokep wrote, “We’re getting a lot of email about people downloading torrent clients that are advertised on the site. Do not download them! We have put a ban for the ad companies to sell ads for these clients on our site.” Mininova and Snarf-it also blocked the adverts.

In February, we received information regarding another client, TorrentQ, following a tip from the owner of BT-Junkie. This client was, in fact, a re-branded version of a pre-existing entity.

In April, to safeguard unsuspecting file-sharers from malware installations, we initiated Google Adword campaigns on the BitRoll, Torrent101, and TorrentQ websites, highlighting the inherent risks associated with these clients. It appears that Google has disassociated itself from unfavorable news, as evidenced by the subsequent removal of AdSense advertisements from the affected websites. Regrettably, we are now encountering another problematic torrent client. Get-Torrent represents the most recent addition to a series of torrent clients laden with malware, all of which appear to originate from the same compromised source as BitRoll, Torrent101, and TorrentQ.

Source: http://torrentfreak.com/torrentspy-advertises-malicious-bittorrent-client/ - http://torrentfreak.com/malicious-bittorrent-clients-new-coat-of-paint-same-bad-story/


It has come to our attention that Get-Torrent, Torrent101, TorrentQ, and BitRoll are generating an excessive number of intrusive pop-up advertisements. Despite this, TorrentSpy is actively endorsing these clients. We've observed that the phrase "Use Get-Torrent for high speed downloads" is displayed prominently beneath each download, potentially misleading users into installing these applications.

Both The Pirate Bay and Mininova have previously prohibited these clients from advertising through Adbrite. It appears that TorrentSpy may be prioritizing financial considerations over the security of its user base.

Please verify your files using ExeInfo PE version 0.0.1.7 A (289 signatures), developed by A.S.L. for Win32.


It is advisable to unpack these files, as antivirus scanners may not detect certain viruses or other threats, and some packed/protected executables could trigger "false positive" alerts. Prior to installation, please submit the files for analysis to VirusTotal.

XoftSpySE 4.33.248 may detect most adware, spyware, pop-up generators, keyloggers, trojans, hijackers and malware, such as those that have been found in some RapidShare tools; Kaspersky and NOD32 didn't find anything.
The narrative progresses.
Updated on August 6, 2007, by Mods.sub.cc.
Revised client names associated with malware, along with new websites and web hosting providers.

1. New names of the Malware BitTorrent clients (all have a size of around 1 MB):
  • BitDownload (Version 3.2.0.0)
  • BitGrabber (Version 4.2.0.0)
  • TorrentSoftware (Version 4.2.0.0)
  • TorrentGamers
  • BitsOfPorn
2. New Websites
Please be advised that BitGrabber, BitDownload, TorrentSoftware, Get-Torrent, BitRoll, Torrent101, TorrentQ, BitsOfPorn, DivoPlayer, axdlplug, TorrentGamers, and WinZix, as well as all offerings from Cash4Downloads (http://www.torrentmusic.org/index.php?go=programs), are identified as adware bundlers. These applications incorporate adware components and employ aggressive, deceptive advertising practices.

It is strongly recommended to refrain from downloading or utilizing any of these clients from web hosting sites located at IP addresses such as 69.72.144.122, 66.45.230.133, etc., irrespective of their domain names or BitTorrent client product names.

Reference: Beware of BitTorrent software and CiD popups

We recommend that you avoid installing this software. For more information, see the procedure for removing the CiD popups and BitDownloader/BitGrabber.

Procedure for removing the CiD popups and BitDownloader/BitGrabber:

1. Uninstalling BitDownload and removing the popups:
  • Open the "Add/Remove Programs" section of your operating system.
  • Look for "CiD Help" and uninstall it if the entry is present.
  • A window asking you to retype a code should appear (see below). Retype it, then click "UNINSTALL".
  • Uninstall "BitDownload" or "BitGrabber" via the "Add/Remove Programs" section.
  • Delete the following folders if they exist:
    • C:\Program Files\BitGrabber
    • C:\Program Files\BitDownload
    • C:\Program Files\Multi_Media_France
2. If "CiD Help" is not present:
  • Download the "lopremover" tool.
  • Enter the number displayed on the screen, then click "UNINSTALL".


You can download and run SpySweeper to optimise the performance of your computer system.
To do so, download SpySweeper by clicking the "Free Trial" link at the far right of the page.
Once the download has finished, install and start the application.
The program will prompt you to download the latest version of the definitions, which we recommend you accept.
Next, go to the "Options" button on the left panel.
In the "Options" tab, tick the following items:
  • Sweep Memory
  • Sweep Registry
  • Sweep Cookies
  • Sweep All User Accounts
  • Enable Direct Disk Sweeping
  • Sweep Contents of Compressed Files
  • Sweep for Rootkits
Make sure to untick the option "Do not Sweep System Restore Folder".
Then click "Sweep Now" in the left panel.
Then click the "Start" button.
Once the scan has finished, click the "Next" button.
Check that all options are ticked and click the "Next" button again.
Once all identified items have been removed.
It is important to note that during installation, the licence terms (available in English) state that the program may generate advertising pop-up windows and change your start page and default search engine in your web browser.

Type exactly this into the Google search box: "-setup.exe (1MB)", or some words or a sentence from the download-page templates of these websites, which are identical to each other (see screenshots). The web is full of these clients!
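The installer naming reported in the comments on this page (`<Name>-<a.b.c.d>-setup-<4 digits>.exe`, around 1 MB) can be checked against a downloads folder so that a rebranded client is still caught by its naming scheme. This is an added example, not code from the original post; the size window, the verdict labels and the last two sample file names are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Product names this page lists as adware bundlers (lower-cased for matching).
KNOWN_NAMES = {
    "bitdownload", "bitgrabber", "torrentsoftware", "torrentgamers",
    "bitsofporn", "get-torrent", "bitroll", "torrent101", "torrentq",
}

# Naming seen in the comments: <Name>-<a.b.c.d>-setup-<4 digits>.exe
INSTALLER_RE = re.compile(
    r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+){3})-setup-(?P<build>\d{4})\.exe$",
    re.IGNORECASE,
)

# The page says "around 1 MB"; this exact window is an assumption.
SIZE_MIN, SIZE_MAX = 512 * 1024, 2 * 1024 * 1024


def classify(filename, size_bytes):
    """Return 'known', 'suspect', 'review' or 'clean' for one file.

    Only the installer naming scheme is matched; other file names are 'clean'.
    """
    m = INSTALLER_RE.match(filename)
    if not m:
        return "clean"
    if m.group("name").lower() in KNOWN_NAMES:
        return "known"      # product name listed on this page
    if SIZE_MIN <= size_bytes <= SIZE_MAX:
        return "suspect"    # same naming scheme and size under a new brand
    return "review"         # naming scheme only, size does not fit


def scan(folder):
    """Classify every .exe directly inside folder; returns {name: verdict}."""
    hits = {}
    for p in Path(folder).iterdir():
        if p.is_file() and p.suffix.lower() == ".exe":
            verdict = classify(p.name, p.stat().st_size)
            if verdict != "clean":
                hits[p.name] = verdict
    return hits


# First two names appear on this page; all sizes and the last two names are constructed.
SAMPLES = [
    ("Torrent101-3.1.0.1-setup-0283.exe", 1_050_000),
    ("Get-Torrent-2.0.0.0-setup-0350.exe", 1_020_000),
    ("FastTorrentz-1.0.0.0-setup-0412.exe", 990_000),   # hypothetical rebrand
    ("photo-editor-2.1-setup.exe", 44_000_000),         # hypothetical, unrelated
]

if __name__ == "__main__":
    for name, size in SAMPLES:
        print(f"{classify(name, size):8} {name}")
```

A "suspect" or "review" verdict is a prompt to unpack the file and submit it to VirusTotal as described above, not a detection on its own.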

Comments

  1. They are registered to GoDaddy. Report them to GoDaddy who have a policy against hosting spam/malware and their domains will get pulled.

    ref: http://whois.domaintools.com/bitgrabber.com



    http://whois.domaintools.com/bitdownload.org

  2. I'm gonna download them all and install them one by one to look into the code. Will post a comment with all IPs and URLs in the code of these clients, including the User-Agent strings. Maybe a batch file can be made to easily uninstall this sh1t completely after the examination is done.

    Greez
    Gerd

    P.S.
    Done it on my blog too

  3. "There are several advanced and much better BitTorrent clients available today, but we still feel there is something missing in them. They don't show any ads. The other clients have tons of features and great functionality, but they all are overly complex to configure and to understand for a stupid user.

    BitDownload's and BitGrabber's purpose is to provide users with a great BitTorrent client that is clean, just some Adware and Malware will appear in the Web browser but it's easy to use, and great to get started with. While you download with this client, pop-up window advertisements show up by themselves. We prefer good quality Ads over quantity -- less features that work better.

    With BitDownload and BitGrabber, everyone can use and enjoy BitTorrent technology without being a computer newbie to reverse engineer its code and see the truth.

    Happy downloading by automatic browser advertising pop ups!"


    Team ZA Reversing Product Description corrections

  4. 1. Domain alerts to all possible website filters, including Google's Firefox, McAfee, ...
    2. Send in the file to all antivirus, antispyware/antimalware... companies to update/include their signatures in coming updates.
    3. See these websites' visitors: mostly Venezuela on top (Alexa and other traffic measurement sites). Write a warning about these BitTorrent clients on blogs and elsewhere in their language.

  5. All of these clients and hosts are registered through: GoDaddy.com, India

  6. look at this:
    http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw=bitgrabber.com
    Results:

    TorrentPortal
    (forums.torrentportal.com)

    and
    http://forums.spybot.info/archive/index.php/t-10259.html

    +
    3wplayer : hxxp://www.3wplayer.com - BitDownload : hxxp://www.bitdownload.org - BitGrabber : hxxp://www.bitgrabber.com - BitRoll : hxxp://www.bitroll.com .. ..."
    www.needforspeedcarbon.fr/recherche/google-3wplayer.html
    ...
    BitGrabber is an adware bundler that is bundled with adware components and uses aggressive, deceptive advertising.
    http://www.spywaresignatures.com/details.php?spyware=bitgrabber

  7. internet is full of this stuff:
    http://spywarefiles.prevx.com/RRGDEI038108841/BITDOWNLOAD+-+SOMASEX.EXE.html
    http://www.bluetack.co.uk/forums/index.php?s=33d607c7f7ccd35f07b398c2b800f45c&showtopic=17080&pid=82316&st=0&#entry82316
    Torrent101-3.1.0.1-setup-0283.exe
    TorrentQ-2.1.0.0-setup-0350.exe
    BitDownload-3.2.0.0-setup-0310.exe
    Looks exactly like the "BitDownload" and "fastest_BitTorrent_downloader.zip" stuff I've been tracking for the
    past three months on gnutella. Looks like they just tweaked their name a bit but the filenames are still in the
    same pattern, e.g: "BitDownload-3.0.0.0-setup-0273.exe"
    hxxp://www.get-torrent.com/index.php

    detected: adware not-a-virus:AdWare.Win32.Lop.bo URL: hxxp://67.15.107.166/get-torrent/070520/Get-Torrent-2.0.0.0-setup-0350.exe//data0002

    detected: Trojan program Trojan.Win32.Obfuscated.en URL: hxxp://67.15.107.166/get-torrent/070520/Get-Torrent-2.0.0.0-setup-0350.exe//data0013
    Malware Bittorrent client:67.15.107.166-67.15.107.166
    Wakenet P2P Malware:67.15.107.160 67.15.107.191

    Company Name: WakeNet AB
    http://www.spywareguide.com/creator_show.php?id=419



    main distribution nodes:

    Malware Bittorrent client - DINSA, Ministry of Defence (in the UK) (25.34.12.6):25.0.0.0-25.255.255.255
    (Maybe they're spoofing this address, but I'm blocking all military ranges anyway)

    Malware Bittorrent client - Merit Network Inc. (Large .edu range, apparently):35.34.12.6-35.34.12.6
    (I'm not going to block all of 35.0.0.0-35.255.255.255 just for this, which is probably a spoof)

    Malware Bittorrent client - Saudi Data VSAT Project:62.149.120.134-62.149.120.134
    (I'm not going to block all of 62.149.120.0-62.149.127.255 just for this either)

    Malware Bittorrent client - Hostway Corporation (66.113.139.56):66.113.139.56-66.113.139.56
    (Hosting range is 66.113.128.0-66.113.255.255)

    Malware Bittorrent client - FDC Servers.net, LLC FDCSERVERS:67.159.44.3-67.159.44.4
    Malware Bittorrent client - FDC Servers.net, LLC FDCSERVERS:67.159.44.100-67.159.44.129
    Malware Bittorrent client - FDC Servers.net, LLC FDCSERVERS:67.159.44.160-67.159.44.190
    (As for me, I block all of 67.159.44.0-67.159.44.255)

    Malware Bittorrent client - FIBER TECHNOLOGIES NETWORKS BRW-15171-FIBER:67.99.176.30-67.99.176.30
    (I block all of 67.99.176.0-67.99.176.255 already)

    Malware Bittorrent client - Syrian Telecommunication Establishment STE ISP Network 1:82.137.205.249-82.137.205.249
    82.137.200.0-82.137.207.255

    Malware Bittorrent client - NTT America, Inc. NTTA-128-121:128.121.3.81-128.121.3.81

    Malware Bittorrent client - Filasteen al-Muslimah (Palestinian website hosted in Myanmar):202.71.103.178-202.71.103.178

    Malware Bittorrent client - IPORTENT-LAN on Bezeq International range (using 212.179.133.218):212.179.133.216-212.179.133.223

    Malware Bittorrent client - PALNET INTERNAL NETWORK (using 217.66.226.15):217.66.224.0-217.66.231.127

    http://forum.securitycadets.com/index.php?showtopic=2063
    http://forum.securitycadets.com/index.php?showtopic=1584

    http://www.bitdownload.biz/
    http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw=bitdownload

