BitTorrent serves malware directly from website - no need for P2P!

Filed Under: Featured, Malware

Back in 2001, when BitTorrent was first announced, it seemed inevitable - and, at the same time, implausible - that a commercial company based around its social approach to file sharing would emerge and succeed, despite its novelty.

Inevitable, because the sheer popularity of peer-to-peer file sharing means that the potential return for any company successfully commercialising a popular P2P client is enormous.

Implausible, because the indelible association between P2P and piracy means that potential risk of burning out in lawsuits from copyright holders is vast.

But the creator of BitTorrent, Bram Cohen, did create a company out of his codebase, and BitTorrent, Inc. is effectively today's Torrent mothership.

The company is also the custodian of two popular Torrent clients: the so-called Mainline version, and its extremely popular compact cousin, uTorrent.

(The character u is commonly, if confusingly, used in Latin alphabets to represent the Greek letter μ. Short for micro, it's pronounced in English as mew, as in cat. So much for internationalisation.)

In its ten-year history, BitTorrent - the protocol, not the company - has become well known for facilitating the unregulated sharing of arbitrary material. Indeed, it's become quite the way to find all the ripped-off software, films, TV shows and porn you might need. Unsurprisingly, the cybercrooks love that sort of neo-anarchic mix, because it makes it easy for them to expose you to your fair share of malware.

Unfortunately, however, even if you are one of the many entirely law-abiding users of BitTorrent, the folks at BitTorrent, Inc. may recently have put you in harm's way.

According to a really-ought-to-be-more-visible warning on the download pages of and, a breach of the two servers resulted in a two-hour window in which downloading BitTorrent's software would have given you a fake anti-virus program instead.

This morning [13 Sep 2011 on the US West Coast] at approximately 4:20 a.m. PT, the and Web servers were compromised. Our standard software download was replaced with a type of fake antivirus "scareware" program.

Just after 6:00 a.m. PT, we took the affected servers offline to neutralize the threat. Our servers are now back online and functioning normally.

BitTorrent, Inc. identifies the malware as belonging to the Security Shield scareware family. Program files under this "brand" of fake anti-virus should be mopped up by Sophos Anti-Virus as CXmal/FakeAV-A.

Confusingly, the BitTorrent blog has recently been updated to claim that the software available from the URI was not affected, implying that only those who downloaded uTorrent during the infection window would be at risk.

Since the two sites share the same network infrastructure - both resolve to the same IP number in Limelight Networks' cloud - you might want to ignore that blog update and assume that any recent downloads from BitTorrent, Inc. were dodgy and give yourself a thorough anti-malware checkover.

I'd also ignore the time window, since BitTorrent used the annoyingly ambiguous abbreviation "PT" to denote the timezone. I'm guessing they meant to say UTC-7, but they didn't.

Update. Allison at BitTorrent got in touch to say she's updated the official report to make it clear: Pacific Daylight Time, UTC-7. Thanks for listening, Allison!

PS. If you will forgive some mild commercialism, you can download a fully-functional trial of Sophos Endpoint Security and Control - with detection AND cleanup included, unlike with scareware! - from our website. Registration is required, and you will get contacted by Sales. But for one month, you can use the product as widely as you like at home or in your business. And you're entitled to our award-winning 24/7 support by email and phone throughout. Give it a go. You know it makes sense. (Did I get that right? Is that how salespeople speak?)

7 Responses to BitTorrent serves malware directly from website - no need for P2P!

  1. 2001?

    "This morning [13 Sep 2001 on the US West Coast] at approximately 4:20 a.m. PT, the and Web servers were compromised. Our standard software download was replaced with a type of fake antivirus "scareware" program."

  2. Jason Argonaut · 1486 days ago

    Thanks for the sales pitch. Now go polish your sports car. I'm well-familiar with how to protect myself from spyware, and I trust no one. Clearly, you trust only your corporate masters. Thanks for wasting my time on something I already knew.

    • Paul Ducklin · 1485 days ago

      As I live in a densely-populated part of an already-crowded city which has a satisfactory, albeit not quite world-class, public transport system, I don't own a car.

      But thanks for wasting my time on a fatuous suggestion which I couldn't possibly follow even if I wanted to.

    • Mark · 1485 days ago

      Why on earth are you reading a blog by a person in the employ of an "evil" corporation if that offends you so much and you know so much about malware you don't need any help to protect yourself from it? This blog clearly isn't directed at you.

      Paul, and Sophos, I jest above obviously. Thanks for your hard work educating people about malware as most people don't get to learn about this stuff other than through people like you.

    • Nigel · 1485 days ago

      @ Jason Argonaut:
      Wow..."corporate masters"??

      The implication is that anyone who works for, uses the products or services of, or otherwise voluntarily interacts with any corporation is ipso facto a slave to "corporate masters".

      ...oh, wait...but that would mean that the computer you're using, the clothes you're wearing, the food you eat, the job you work (assuming you even have a job) and every other product or service that you use or consume make you a slave to corporate masters, too.

      Way to peg the hypocrisy meter, dude.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog