August 30, 2008 by sharky
Unless you happened to be fortunate enough to start out on BitTorrent through the great world of private trackers, you’ve probably fallen for some pretty intricate public torrent scams in your time. And let’s face it - we’ve all been duped into downloading password-protected torrents, only to have to click on external links to find that elusive password on sites that we just shouldn’t need to be visiting. Some of us may have been forced to acquire a special media player (such as DOM) to play that movie you just spent three days downloading. But all of this is child’s play compared to the new generation of torrent scams.
Introducing the latest torrent threat: Pay-Per-Install (PPI) adware, spyware & malware binded into the torrent files. But don’t just take our word for it; check out these sites that cater to PPI torrent scams:
- — http://www.blackhatworld.com/blackhat-seo/f75-torrents/
- — http://www.pay-per-install.org/buy-sell-trade/
PPI-Binded *.EXE files - The Next Generation of Bad Torrents
The old method of passwording *.rar archives in the torrent is now somewhat antiquated, as these automatically qualify for an instant ban on most of the monster trackers, including mininova & thepiratebay. Not only do these torrents become easy candidates for instant removal, but the uploader also gets banned for upping them in the first place. Scammers have been forced to move onto a different method of making money, through hidden PPI installers.
The latest method of torrent scam involves the procedure known as "binding EXEs". To oversimplify it, this is the process of combining a ‘clean’ EXE file with a "Pay-Per-Install" (PPI) .exe file(s), for the purpose of hiding the PPI payload installer. This is achieved by way of a crypter/binder (there’s too many to mention). Files/torrents that are most susceptible to this are usually small applications or cracks, cracked files/keygens, including games cracks.
Scammers tend to stick with small appz because they need to test the binded EXE file before uploading it to a public tracker. If it is easily detected via antivirus/spyware software, then it is not FUD (fully undetected) and thus it will (usually) be promptly deleted from the torrent website. To verify the FUD %, the finished binded file is uploaded to an online antivirus checker such as virustotal or novirusthanks. Once it clears this, (or is close to 100% FUD), it is then appropriate for submission to public trackers. Users then create accounts at TPB and mininova and upload their modified torrents, or hire a third-party to do the torrent uploading for them.
The Dangers
Having to click a few ads or links to get a password to unlock that RAR file is one thing, but it’s really nothing more than a time-wasting annoyance. On the other hand, PPI installers are pure evil, and are very difficult to remove from an infected computer. When properly ‘binded’, they can be virtually undetectable by many anti-spyware / anti-virus applications, and may include rootkits and self-replicating adware.
PPI installers are not exclusive to torrents, and can be inserted into any (exe) file and shared through any P2P filesharing protocol. It’s become big business, with new PPI companies sprouting up all the time, notably Luxecash and Oxocash.
Simple Solutions:
— Wherever possible, stick with private trackers. Most PPI-ers are not brazen enough to upload a bad torrent - one attempt at this would obviously lead to their last login (instant ban). Manual torrent moderation (removal) is something that public trackers don’t usually engage in (due to the sheer volume of new torrents reaching the site each day).
— If you must use public trackers, avoid *.EXE files (small applications, cracks, keygens). Stick with movies and music files - "PPI installers" have yet to be fused into them (if this is even a possibility).
— When compared to mininova, it’s been noted that ThePirateBay has a better filtration / detection system to catch these scammy torrents.