Malware that blocks access to popular torrent sites is being disseminated via Discord and in infected pirated video games downloaded from BitTorrent repositories
The anti-piracy malware was uncovered during research performed by the cybersecurity company Sophos. Once infected, the exploit prevents the user from visiting over a thousand websites relating to torrenting and piracy.
According to the security firm, the vigilante-style malware is relatively non-complex and can be fixed pretty easily to recover access to the torrent and privacy-related websites it blocks.
In their blog post on the subject, researchers at Sophos note that the unconventional malware departs from accepted norms for exploit behavior:
Instead of seeking to steal passwords or to extort a computer's owner for ransom, this malware blocks infected users' computers from being able to visit a large number of websites dedicated to software piracy by modifying the HOSTS file on the infected system.
According to Sophos, the irritating payload has been making its way onto people's machines via fake downloads for pirated versions of "popular games, productivity tools, and even security products".
Lead researcher at Sophos, Andrew Brandt, stated that the primary purpose of the malware is "pretty clear". It is designed to prevent "people from visiting software piracy websites (if only temporarily)".
Anybody infected with "vigilante" malware can remove it using Sophos antivirus according to the company. Other popular antivirus programs should also be able to successfully detect, block, and remove the exploit because it can be discovered using its "unique runtime packer, which is the same as used by an unrelated malware family, Qbot," Sophos said.
That said, anybody who has been infected will also need to manually update the HOSTS file on their operating system to regain access to the blocked torrent and piracy sites.
The HOSTS file is an operating system resource that maps human-friendly hostnames contained within URLs (www.bla.com, for example) to the numerical value used in routing to identify and locate a host in an IP network.
When infected by the anti-piracy malware, popular hostnames for piracy websites like the Pirate Bay are altered within the HOSTS file to purposefully point to the IP address 127.0.0.1. As a result, the computer is blocked from accessing the genuine IP addresses for piracy and torrenting services.
Fortunately, undoing the negative effect of this malware is relatively straightforward. Anybody who has become infected can manually access their HOSTS file to either return it to its default state or to manually clean up any entries that have been set up to point to 127.0.0.1. Sophos explains:
Users who have inadvertently run one of these files can clean up their HOSTS file manually, by running a copy of Notepad elevated (as administrator), and modifying the file at c:\Windows\System32\Drivers\etc\hosts to remove all the lines that begin with '127.0.0.1' and reference the various ThePirateBay (and other) sites.
What's more, the virus has no persistence mechanisms, so once you have updated the HOSTS file (as long as you do not run the executable again) you will no longer have any issues. For more information on cleaning up your HOSTS file or returning it to its default state visit this Windows blog on the subject for more information.
Non-persistence aside, we do highly recommend that you use an antivirus program to ensure that you do not become infected with this kind of malware in the future and to ensure that you can properly detect and remove it from your system if you have been victimized.
Who's behind the malware?
For the time being it is unclear who is behind this malware. However, the exploit (which is described as being "oddball" by its discoverer) certainly raises an eyebrow.
On the surface, the vigilante malware seems most likely to have been disseminated by a hacker whose primary motivation is to support copyright holders and content publishers whose work is being pirated and shared for free on Torrent websites. This stands in direct contradiction with the will of the majority of cybercriminals – who are generally in favor of piracy.
This implies that the hacker may be working on behalf of copyright holders who feel they have been wronged by torrent and piracy sites. Specifically (because the malware appears mainly in fake downloads for pirated computer games) the hacker could be working within the computer games industry, perhaps for a game studio that has suffered at the hands of pirates.
It is also worth noting that during its research, Sophos found a .nfo text document within the payload; presumably there to make the archive appear more legitimate. BitTorrent files often contain bundled files including a .nfo file that provides additional information about the software.
The presence of these kinds of bundled files can help trick victims into downloading the malware. However, on closer inspection of the .nfo file bundled with the malware, Sophos found it to be filled with racist slurs. The company said:
Padding out the archive with purposeless files of random length may simply be done to modify the archive's hash value. Padding it out with racist slurs told me all I needed to know about its creator.
As noted, the presence of racist content within the malware reveals that it was created by an extremely unsavory individual.
Thus, if this was produced and disseminated by somebody working for a specific game studio (or some other copyright interest); consumers would be highly interested in knowing exactly which company or copyright holder that is – so that they can boycott it on moral grounds.
Finally, it is worth noting that while the malware does not appear to steal any passwords or other personal information from infected machines, it does send some information back to the hackers.
The exploit was found to send information back to the domain controlled by the hacker with a message that contains the name of the software that the victim attempted to pirate. This information could be useful to copyright holders seeking to find pirates for the purpose of litigation and remuneration, or even, potentially, prosecution.
As always, we recommend that anybody considering accessing piracy websites or wanting to download torrent files does so while using a VPN to conceal their home IP address. For more information on using a VPN to gain privacy, head over to our Best VPNs for Torrenting guide.