Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

uTorrent.com hacked, serving scareware

By Dancho Danchev | September 19, 2011, 5:06am PDT

The popular file-sharing web sites were compromised for a brief period of a few hours, with the links to the BitTorrent client replaced by a scareware (Security Shield) download.

According to a blog post explaining the incident:

This morning on 9/13/2011 at approximately 4:20 a.m. Pacific Daylight Time (UTC -7), the uTorrent.com and BitTorrent.com Web servers were compromised. Our standard Windows software download was replaced with a type of fake antivirus “scareware” program. (UPDATE: See below for removal instructions.) Just after 6:00 a.m. Pacific time, we took the affected servers offline to neutralize the threat. Our servers are now back online and functioning normally.

Typically, when a malicious attacker gains access to such a high-profile site, they would use it to spread a hacktivist message. However, the fact that the attacker had a scareware sample that would generate revenue for him once it was downloaded clearly indicates a degree of underground social networking, with uTorrent.com’s attacker involved in related spreading mechanisms for his scareware sample.

The sites are now clean, and are back to normal. BitTorrent.com or the BitTorrent Mainline/Chrysalis clients weren’t part of the incident.


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


28 Comments

Clearly this clearly clear attack clearly demonstrates it's clarity in clear ways.
We were told this kind of thing cannot happen on Linux. One fanboy even staked his reputation on it.
@ye I wonder where all the Linux Dorks are today? When I saw this article, I was looking forward to seeing a lengthy debate with DTS, Linux Geek and others making all their usual excuses, and denying reality.

Come on Linux Dorks! It Monday and we all need a good laugh! Where are you? Don't tell me you all got jobs or something?

Rick
@rick@... LMAO grin
What OS is utorrent.com running on?
toddybottom Updated - 19th Sep
I presume that since it was hacked, it must be running Windows (according to certain posters here) but could someone check and report back? It sure would be bad news if it turned out that utorrent.com was running on Linux.
@toddybottom:

1. search.utorrent.com | august 2006 | secured private network | linux
2. www.utorrent.com | december 2004 | llnw europe 2 | unknown
3. forum.utorrent.com | november 2005 | secured private network | linux
4. www3.utorrent.com | june 2011 | oc3 networks & web solutions, llc | linux
5. www.nutorrent.com | november 2005 | reality check network | linux
6. ll.www.utorrent.com | september 2011 | secured private network | linux
7. www.youtorrent.com | december 2006 | interserver, inc | linux
8. download.utorrent.com | august 2006 | secured private network | linux
9. www.absolutorrent.com | september 2008 | serverhosting cz, sk | linux - debian
10. remote.utorrent.com | september 2011 | amazon.com, inc. | linux
11. web.utorrent.com | july 2010 | amazon.com, inc. | linux
12. macupdate.utorrent.com | march 2009 | secured private network | linux
13. butorrent.com | december 2007 | eqvia llc | unknown
14. utorrent.com | june 2006 | secured private network | linux
15. www.emutorrent.com | march 2004 | ovh sas | unknown
@ye
Phase 2 has two parts to it.

Part 1: State that we don't know what the attack vector was and until we know, we can't assume anything. We then hope that everyone kind of forgets about this while the investigations happen so that even if it turns out to be yet another Linux rootkit, the real headline (Yet Another Linux Server Hacked) has long been forgotten.

This is followed immediately by
Part 2: Assume that the hack was caused by an infected Windows PC with a keylogger on it that captured a user's password on the Linux system. This might seem contradictory to part 1 where we've just finished stating that no assumptions can be made but since when is logic required when it comes to OS fanboys?
@toddybottom

That's the problem with most fanboys. They assume too much. I'd much rather be a realist and know that all operating systems and software have potential vulnerabilities, and take all the steps I can to protect myself no matter what operating system or software I choose to use.

Of course the user has always been the unpredictable factor and still the primary cause of security breaches today.
@ye
What did you use to find out its operating system?

As far as I can tell, utorrent.com is running Microsoft-ds.
I found this out using the nmap utility. I wanna know how you got your results though.

It could be a case of a Windows server hiding behind Linux servers, because diverse infrastructure is probably a security plus. (Microsoft is doing this: http://www.zdnet.co.uk/news/application-development/2003/08/27/microsoft-hides-behind-linux-for-protection-39115920/ )
@ye "Our standard Windows software download was replaced with a type of fake antivirus “scareware” program."

Hmmn I wonder.....
Netcraft.
ye 20th Sep
@clearning: What did you use to find out its operating system?
@toddybottom
Anyone that says Linux isn't hackable is just plain lame. What Linux is is an alternative to Windows and IMO much lower cost. If a hacker wants to hack a computer it is easily done whether or not it's Linux. I myself refuse to pay for anything except hardware, and a lot of times I don't pay for that either. On my current machine the only thing I paid for was the TB hard drive. The rest of it was either given to me or left as part of an upgrade, including the Core 2 processor and the Kingston HyperX RAM.
APPLES CAN'T GET VIRUSES!
Yes apples can get viruses...
randysmith@... 19th Sep
@Scarface Claw , you are not clear as to what variety of apples you refer to. Generally, Apple mosaic virus is one of the oldest known and most widespread apple viruses. The same virus can cause line pattern symptoms in plum and rose mosaic disease. Apple mosaic virus is related to Prunus necrotic ringspot virus. However, if you are referring to Apple COMPUTERS, then a program called "Elk Cloner" was the first computer virus to appear "in the wild", that is, outside the single computer or lab where it was created. Written in 1981 by Richard Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread via floppy disk. Jumping to this year, we have the wonderful case of MacDefender (scareware), probably the first time Apple Computer admitted to a native malware problem. So, are you talking about apples or Apples? wink
@randysmith@... That is one of the funniest responses I've heard on here. Well done, and all 100% true.
RE: uTorrent.com hacked, serving scareware
joshua_keefer@... 19th Sep
Am I the only one who lol'd at the attack taking place at 4:20 am?
Linux?
asmoore82 19th Sep
A Web Server or Application Server Vulnerability does not a Linux Vulnerability make.
@asmoore82 You are correct, and most sensible people will realize this. You have to understand that there is a group of losers in this forum - people I refer to as "Linux Dorks" - who spend their days posting senseless messages about how Linux is invulnerable to any kind of attack, and how it is impossible for open source software to have any flaws because it is open source, and the code is reviewed by so many people that there is no way a flaw could slip through the cracks.

Whenever a Windows vulnerability is discovered, these Linux Dorks have a field day commenting about how only Windows has vulnerabilities, and only Windows can be hacked, etc. On the other hand, when a Linux vulnerability is found, or a Linux server is hacked into, then the Linux Dorks start making excuses about how "security is a process," or "the admin didn't properly secure their Linux system," etc.

Rick
Even if you locked down an operating system a viral attack isn't just limited to the system files: it can key log, steal information in a subversive fashion behind an application system or jump a port through a connected application.

As has been stated, a virus can also work in various methods to try and "seduce"/trick the user into submitting their data; etc. the real problem here has been an on going issue of the general public's ignorance and that is where 99.9% of the attackers try to capitalize.

Essentially, no one that has posted here is entirely wrong or right, but has pieces to a larger puzzle and that yields the big picture -- kudos to everyone here with the courage to make a statement.

My Win7 got trashed by a virus that installed itself and communicated through Orbit Downloader and an application titled Vreveal that I paid about $30 for at the NVidia Market Place -- the applications utilized the openCandy open source framework for running ads; etc.

openCandy is harmless as stated at the Vreveal user forums, and even then the application is only using a small subset of the open source framework. Well, the trojan that hijacked and destroyed my system was tracked before imminent re-installation to both Orbit Downloader and Vreveal. The trojan was obviously aware of both tools -- interesting what someone can track down with things like a hexadecimal disk search utility and Wireshark. I'm no forensics specialist, but I know what I was seeing in plain English and verified everything with anti-virus software as well as online security reporting sites.

Occasionally connected applications are just as vulnerable and more suspect than your incessant freeware downloads, and that has been proven to my satisfaction.
Any system can be set up incorrectly and thus open the door to a hacker. Security isn't a one-time deal. It is an ongoing process. If companies put security as the last item to handle because they see it as a sinkhole with no returns, then it isn't surprising that their servers get hacked. It is my opinion that most Linux server distros have probably the best defaults out of the box compared to other systems. However, that is not enough and requires tuning for your environment and ongoing work and monitoring, just like any other server OS out there. Simply leaving on SELinux will reduce the amount of damage a hacker can do as well as reduce their ability to try and break things to get into a system.
@idiots here
vamman@... 20th Sep
Just had to say this. 99% of hack vectors are because web scripting can be compromised such as sql exploits because developers do not check escape strings etc..
@vamman@: 99% of hack vectors are because web scripting can be compromised such as sql exploits because developers do not check escape strings etc..

When a Windows web site is hacked, blame is always laid at Windows and how "insecure" it is.
Well, in all honesty, there's nothing that says Linux will protect against a weak password, or even the default password that someone forgot to change.
"BitTorrent
Posted September 14, 2011 at 6:46 pm | Permalink | Reply

No, Windows only, if downloaded between those two hours. Thanks!"
Link to the Bittorrent Blog Comment for verification sakes.
http://blog.bittorrent.com/2011/09/13/security-incident/#comment-2338

I'm a Windows OS user and uTorrent user and yet I still had to post this. Too analytical to do anything else.
