‘Whacked by a creepy Rootkit’
p2p news / p2pnet: Chris Boyd aka paperghost is now FaceTime Communications’ security research manager.
But that doesn’t mean he’s stopped posting on Vitalsecurity.
Au contraire >>>>>>>>>>>>>>>>>>
BitTorrent Reloaded: Unauthorised installs lead to pirated movie files on victims’ PCs
By paperghost - Vitalsecurity.org
Yep, the title is a mouthful but you heard it correctly: those crazy guys behind the Middle-East connected Rootkit-powered Botnet (phew! mouthful alert) experimented with something I haven’t seen before, and we have the details over at Spywareguide.com.
In short - along with the second wave of installs that prompted FaceTime to go public with their findings (that would be my guys), the group behind all this auto-installed a version of BitTorrent onto the PCs already infected with the Lockx.exe Rootkit - crazy enough, yes? But then they went one further and started pumping movie files down the pipes, onto a sizeable chunk of those infected machines. You can, of course, see some of the BitTorrent files placed onto the PC in the lovely picture.
Why? Not sure. Some kind of proof-of-concept test-run? Highly likely. Especially as they cut it short, and went back to goofing around with more rootkits. Thing is, I’ve heard rumours (on the Internets) that some other hacking groups have picked this technique up, and will be running with it shortly.
Better to prepare the troops, right?
Bad enough these creeps are whacking PCs left, right and centre with Rootkits. Even worse that it looks like they’re messing with BitTorrent and pumping movies all over the place. There are so many issues with that, I don’t know where to start. What would the RIAA angle be on it? Or the other “kill the pirate” type groups? Would they crash down on anybody unfortunate enough to have ended up with this on board, their only “crime” to be whacked by a creepy Rootkit via IM?
Well, seeing as stories are currently flying about regarding people being sued for file-sharing (with no PC!), and Pearworks being rugby-tackled for providing a lyrics search facility, it’s quite probable.
Now, last time I covered BitTorrent, everything went nuts and lots of people thought I had some kind of crazy “anti-filesharing” thing going on - because we all love BitTorrent forums being splattered with large Adware bundles, right? Dvorak - whoops. When the great “Avalanche” invasion begins, I’ll let you know.
Doh.
The sad thing this time round is, I’m not even that surprised by this latest development - when you think about it, it’s quite a shocker - but as this “top ten” list of spyware installs graphically illustrates, there’s not a lot left to slap us upside the head anymore.
As an example of the kinds of crazy things people are now trying out, using infected PCs as guinea-pigs for whackjob experiments with BitTorrent, it deserves a mention at the very least.
This time round, we can be thankful it was just copies of Mr Bean(!) and Disney cartoons(!!). How about next time? If they’re really malicious, they could pipe a user pretty much anything they feel like.
Illegal porn for the win? Quite possibly. Or how about some of those lovely spyware infected media files that were dug up not so long ago?
See where this one could go? The more you think about it, the nastier it gets.
And as we have seen with these guys (who are currently under investigation by the FBI and other Federal Authorities) - they don’t get bored and go home. Hacking groups in the East are experiencing something of a Digital Renaissance at present - they’re talented, they have the cash to fund their little games, and they’re out to prove a point.
The whole Rootkit-powered Botnet thing that FaceTime cracked was amazing for its depth of attack and the sheer cheek of what they were up to - but this takes things to a whole new level.
2006 - bound to be a vintage year. And I ain’t talking about the wine…
Also See:
Paperghost - Neil Diamond and Firefox infection, March 11, 2005
manager - paperghost joins FaceTime, August 16, 2005
December 21st, 2005 at 6:32 pm
Now my question on this is what will the RIAA and the MPAA do when this is the situation? Will they still try to sue the customer into submission?
Personally, I don’t think that any judge will hold someone responsible if it turns out that the computer was hacked into.
December 21st, 2005 at 8:06 pm
I am in agreement with the poster above. At every point the **AA’s have tried to say that each case of infringement was willful or at least they have done their best to paint it that way.
Now a rootkit is just plain stealthy. One never knows without the tools that it is there. I dislike the use of rootkits in the extreme but anyone can now install the rootkit and have a reason for files to be on their computer, as a defense. No computer user is demanded to have a degree in computer science to operate one. Short of some sort of malware remover, most won’t be able to get it out of their computers or even know it is there.
What it does do will be to force the MPAA to show proof of download as now there is reason to have infringement without willful intent. Since the rootkit is beyond the scope of the average user to find or remove, should this infection spread far, it will both give defense to the victim and push the MPAA into the proof that it isn’t the rootkit that caused the infringement.
Malware is always nasty stuff but for now this one has one small bright spot. I would imagine there is another problem child with this for the one that gets it. Movies are fairly large; if something is downloading to your computer, it is going to eat some hard drive space.
December 21st, 2005 at 8:11 pm
Well, time to go dig up my spare hard drive and get a Sony BMG CD and get myself infected with this thing. Thanks for the excuse, whoever made this LOL
December 22nd, 2005 at 9:50 am
Loss of HD space would not be an issue if the space was rotated - you get pumped a movie, be a seeder for a week or two and then that movie would be replaced with the next group release…
On a 300 or 400 GB disk (and this is slowly becoming the standard size) would you really notice 5 GB missing?