By Andrew Brandt
A week since the file-sharing clearinghouse Mininova changed its business model and deleted links to copyrighted material being shared over the peer-to-peer BitTorrent network, malware distributors continue to exploit the confusion as people who download movies, TV shows, and other shared files seek out new sources for those files.
As a torrent search engine, Mininova had to deal with a significant number of malicious torrents posted to their site each day. The service had a reputation for rapidly deleting torrents which led to Trojaned applications, or maliciously crafted media files that lead file-sharing enthusiasts into infections. But in the ensuing frenzy to find a new home, torrent downloaders may encounter more than they bargained for.
In a desperately unscientific test of torrents retrieved from several of the sites that have popped up to replace Mininova, we retrieved a significant number of malicious Windows Media Video files, as well as torrents that contain a password-protected archive (supposedly containing the video file) and a malicious HTML file which the malware distributor claims contains the password, but actually leads the viewer into a morass of advertisements. The WMV videos spawn a “License Acquisition” window in Windows Media Player that prompts potential viewers to download a video codec installer; the file is, in fact, a dangerous Trojan.
We used the torrent search engines’ own lists of “most popular” search terms to pull down the malicious files. Top among the popular searches on many sites was the phrase “new moon” or “Twilight” — a reference to the recently released teen-vampire-heartthrob cinematic sparklefest. The people who posted these malicious torrents claimed that they contain a video of the movie, ripped from a DVD screener — the discs that film studios distribute to members of the Academy, who need to watch the movies prior to casting their Oscar ballots. Screeners typically pop up on torrent sites around the end of the year.
In the case of the malicious “password protected” video files, we discovered that the entire scheme is just a ruse to draw victims into disclosing their personal information on randomly-linked sites of the “win a free iPod” or “register to win a free (something of significant value)” variety. The sites that appeared during our tests included “contest entry forms” for free electronics, college scholarships, and retail store gift cards.
The more dangerous files, however, were those WMV “videos” that open a License Acquisition popup within Windows Media Player.
The popup informs the victim (in characteristically pidgin dialog-box-English) that:
“The Video/File you have downloaded needs additional codec. Install free codec to Watch the Video.”
Of course, the “codec” files (with names like “License.v.3.Setup.exe”) aren’t codecs at all, but Trojan horse applications.
And to add insult to injury, these “video files” themselves are simply files roughly 700MB in size that contain about 1kB of License Acquisition code, linking to the malicious site, while the rest is filled with the word “PADDING” repeated. (Then again, that’s a pretty accurate description of the actual film.)
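The padded layout described above can be spotted before a file is ever opened in a player. The following is an added example, not code from the original post: it samples windows across a file and reports the share that holds nothing but a short repeating pattern. The window size, sample count and 0.9 threshold are assumptions, and both sample inputs are constructed.

```python
import hashlib
import io
import os

WINDOW = 4096      # bytes examined at each sample point
SAMPLES = 64       # evenly spaced sample points across the file
MAX_PERIOD = 16    # longest repeating unit treated as filler ("PADDING" is 7)
THRESHOLD = 0.9    # assumed cut-off: share of filler windows that flags a file

def is_repeating(chunk: bytes) -> bool:
    """True if the chunk is one short byte pattern repeated end to end."""
    return any(len(chunk) > p and chunk[p:] == chunk[:-p]
               for p in range(1, MAX_PERIOD + 1))

def filler_ratio(stream, size: int) -> float:
    """Fraction of sampled windows that hold nothing but repeating filler."""
    if size <= WINDOW:
        offsets = [0]
    else:
        offsets = [i * (size - WINDOW) // (SAMPLES - 1) for i in range(SAMPLES)]
    hits = 0
    for off in offsets:
        stream.seek(off)
        if is_repeating(stream.read(WINDOW)):
            hits += 1
    return hits / len(offsets)

def is_padded_decoy(path: str) -> bool:
    """Check a downloaded file on disk without reading all of it."""
    with open(path, "rb") as f:
        return filler_ratio(f, os.path.getsize(path)) >= THRESHOLD

def make_decoy(total: int = 1 << 20) -> bytes:
    """Constructed sample: ~1 kB of non-repeating header, then PADDING filler."""
    header = bytes(range(256)) * 4
    return header + (b"PADDING" * (total // 7))[: total - len(header)]

def make_media_like(total: int = 1 << 20) -> bytes:
    """Constructed sample: hash output standing in for compressed video data."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(total // 32))

if __name__ == "__main__":
    for name, data in (("decoy", make_decoy()), ("media-like", make_media_like())):
        ratio = filler_ratio(io.BytesIO(data), len(data))
        print(f"{name}: {ratio:.2f} filler, flagged={ratio >= THRESHOLD}")
```

Genuine compressed video has no short-period repetition, so a file that is almost entirely filler behind a small header matches the decoy layout and not a real movie.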
Until the dust settles from the Mininova shakeup, torrent fans and file-sharers would be well advised to stay away from “Twilight: New Moon” torrents of any variety, and especially from video files that are encoded in the .wmv format. And never, ever download or run a codec installer that claims to be “100% checked by Anti Virus” — it’s essentially a giveaway that the file’s bogus.