uTorrent.com hacked, serving scareware

Summary: The popular file sharing web sites were compromised for a brief period of a few hours.


The popular file sharing web sites were compromised for a brief period of a few hours, with the links to the BitTorrent client replaced by a scareware (Security Shield) download.

According to a blog post explaining the incident:

This morning on 9/13/2011 at approximately 4:20 a.m. Pacific Daylight Time (UTC -7), the uTorrent.com and BitTorrent.com Web servers were compromised. Our standard Windows software download was replaced with a type of fake antivirus “scareware” program. (UPDATE: See below for removal instructions.) Just after 6:00 a.m. Pacific time, we took the affected servers offline to neutralize the threat. Our servers are now back online and functioning normally.

Typically, when a malicious attacker gains access to such a high-profile site, they use it to spread a hacktivist message. However, the fact that the attacker had a scareware sample that would generate revenue for him once downloaded clearly indicates a degree of underground social networking, with uTorrent.com's attacker clearly involved in related spreading mechanisms for his scareware sample.

The sites are now clean, and are back to normal. BitTorrent.com or the BitTorrent Mainline/Chrysalis clients weren't part of the incident.

Topics: Servers, Malware, Security, Windows

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • RE: uTorrent.com hacked, serving scareware

    Clearly this clearly clear attack clearly demonstrates its clarity in clear ways.
  • How can this be? They run on Linux!

    We were told this kind of thing cannot happen on Linux. One fanboy even staked his reputation on it.
    • RE: uTorrent.com hacked, serving scareware

      @ye I wonder where all the Linux Dorks are today? When I saw this article, I was looking forward to seeing a lengthy debate with DTS, Linux Geek and others making all their usual excuses, and denying reality.

      Come on Linux Dorks! It's Monday and we all need a good laugh! Where are you? Don't tell me you all got jobs or something?

      • RE: uTorrent.com hacked, serving scareware

        @rick@... LMAO :D
  • What OS is utorrent.com running on?

    I presume that since it was hacked, it must be running Windows (according to certain posters here) but could someone check and report back? It sure would be bad news if it turned out that utorrent.com was running on Linux.
    • It's running on Linux. I checked before making my post.


      1. search.utorrent.com Site Report august 2006 secured private network linux
      2. www.utorrent.com Site Report december 2004 llnw europe 2 unknown
      3. forum.utorrent.com Site Report november 2005 secured private network linux
      4. www3.utorrent.com Site Report june 2011 oc3 networks & web solutions, llc linux
      5. www.nutorrent.com Site Report november 2005 reality check network linux
      6. ll.www.utorrent.com Site Report september 2011 secured private network linux
      7. www.youtorrent.com Site Report december 2006 interserver, inc linux
      8. download.utorrent.com Site Report august 2006 secured private network linux
      9. www.absolutorrent.com Site Report september 2008 serverhosting cz, sk linux - debian
      10. remote.utorrent.com Site Report september 2011 amazon.com, inc. linux
      11. web.utorrent.com Site Report july 2010 amazon.com, inc. linux
      12. macupdate.utorrent.com Site Report march 2009 secured private network linux
      13. butorrent.com Site Report december 2007 eqvia llc unknown
      14. utorrent.com Site Report june 2006 secured private network linux
      15. www.emutorrent.com Site Report march 2004 ovh sas unknown
      • Ah, then we must proceed to phase 2 of the Linux hack defense

        @ye
        Phase 2 has two parts to it.

        Part 1: State that we don't know what the attack vector was and until we know, we can't assume anything. We then hope that everyone kind of forgets about this while the investigations happen so that even if it turns out to be yet another Linux rootkit, the real headline (Yet Another Linux Server Hacked) has long been forgotten.

        This is followed immediately by
        Part 2: Assume that the hack was caused by an infected Windows PC with a keylogger on it that captured a user's password on the Linux system. This might seem contradictory to part 1 where we've just finished stating that no assumptions can be made but since when is logic required when it comes to OS fanboys?
      • RE: Phase 2 has two parts to it.


        That is the problem with most fanboys. They assume too much. I'd much rather be a realist and know that all Operating Systems and Software have potential vulnerabilities and take all steps I can to protect myself no matter what Operating System or Software I choose to use.

        Of course the user has always been the unpredictable factor and still the primary cause of security breaches today.
      • RE: uTorrent.com hacked, serving scareware

        What did you use to find out its operating system?

        As far as I can tell, utorrent.com is running Microsoft-ds..
        I found this out using the nmap utility. I wanna know how you got your results though.

        It could be a case of a Windows server hiding behind Linux servers, because diverse infrastructure is probably a security plus. (Microsoft is doing this: http://www.zdnet.co.uk/news/application-development/2003/08/27/microsoft-hides-behind-linux-for-protection-39115920/ )
      • RE: uTorrent.com hacked, serving scareware

        @ye "Our standard Windows software download was replaced with a type of fake antivirus “scareware” program."

        Hmmn I wonder.....
      • Netcraft.

        @clearning: "What did you use to find out its operating system?"
    • RE: uTorrent.com hacked, serving scareware

      Anyone that says Linux isn't hackable is just plain lame. What Linux is is an alternative to Windows and IMO much lower cost. If a hacker wants to hack a computer it is easily done whether or not it's Linux. I myself refuse to pay for anything except hardware and a lot of times I don't pay for that either. On my current machine the only thing I paid for was the TB hard drive. The rest of it was either given to me or left as part of an upgrade including the Core 2 processor and the Kingston HyperX ram.
  • RE: uTorrent.com hacked, serving scareware

    Scarface Claw
    • Yes apples can get viruses...

      @Scarface Claw , you are not clear as to what variety of apples you refer to. Generally, Apple mosaic virus is one of the oldest known and most widespread apple viruses. The same virus can cause line pattern symptoms in plum and rose mosaic disease. Apple mosaic virus is related to Prunus necrotic ringspot virus. However, if you are referring to Apple COMPUTERS, then a program called "Elk Cloner" was the first computer virus to appear "in the wild" - that is, outside the single computer or lab where it was created. Written in 1981 by Richard Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread via floppy disk. Jumping to this year, we have the wonderful case of MacDefender (scareware), probably the first time Apple Computer admitted to a native malware problem. So, are you talking about apples or Apples? ;-)
      • RE: uTorrent.com hacked, serving scareware

        @randysmith@... That is one of the funniest responses I've heard on here well done and all 100% true.
  • RE: uTorrent.com hacked, serving scareware

    Am I the only one who lol'd at the attack taking place at 4:20 am?