We all know about the dangers of torrents and pirated software, but nonetheless, there are still successful malicious campaigns based on popular torrent websites [and less educated users]. Such a campaign was just spotted by Symantec [who just acquired Blue Coat, but that’s food for other thoughts].
The security firm has spotted and analyzed fake torrents with names of popular games like Assassin’s Creed Syndicate, World of Warcraft: Legion and The Walking Dead: Michonne which actually download potentially unwanted applications (PUAs, or PUPs). Furthermore, it is suspected that the campaign takes advantage of legitimate affiliate pay-per-install programs. Be careful with .torrent files, and analyze them before proceeding with download.
You Know What a PUA Is, Right?
It’s the kind of suspicious software that makes your system vulnerable to a variety of security issues. PUAs or PUPs (potentially unwanted programs) can impact the system and its performance in many ways. Some PUP installations require user interaction. However, some unwanted apps can be more intrusive and can install silently, without the user’s awareness. This is not the case with the .torrent file involved in this particular operation.
Potentially unwanted programs can be bundled with other software (carefully go through the installation process to uncheck added software) or, in this case, can come through a fake .torrent file download.
When .torrent Is Fake: World of Warcraft: Legion and Other Popular Games Abused to Lure Users
Here is a list of popular games that are being abused in this malicious campaign:
- World of Warcraft: Legion (Blizzard Entertainment)
- Assassin’s Creed Syndicate (Ubisoft)
- The Witcher 3: Wild Hunt (CD Projekt)
- Tom Clancy’s The Division (Ubisoft)
- Just Cause 3 (Square Enix)
- The Walking Dead: Michonne (Telltale Games)
Users who are tricked into the scheme think they are downloading a .torrent file for one of the games mentioned above. If the user is caught up in the scheme and proceeds with the download, he will be given specific directions on how to continue with the installation. A User Account Control (UAC) security dialog will be displayed to him, requesting confirmation for the download to be executed. If the user agrees to it, a redirection is started and the user ends up downloading an executable hosted on Google Drive. Fortunately, Google has identified some of the malicious downloaders.
How to Spot the Irregularities with the .torrent File?
The very first thing that will catch the attention of a trained eye is that the promised .torrent file is actually an .exe. According to VirusTotal, the .exe in question is video_chto_takoe_starenie(.)exe. The file’s size is another indicator: at 3.5 MB it is far too big for a torrent file.
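The two irregularities above (an executable where a bencoded .torrent was promised, and a size far beyond what a torrent metadata file needs) can be checked before anything is opened. The following triage script is an added example and not part of the original article; the 1 MB size cutoff and the sample inputs are assumptions constructed for illustration.

```python
"""Triage a downloaded file that claims to be a .torrent (added example)."""
import struct
import sys

# Assumed cutoff: real .torrent files are metadata and are usually far below 1 MB;
# the 3.5 MB payload described in the article is well outside that range.
MAX_TORRENT_BYTES = 1 * 1024 * 1024


def classify_torrent_candidate(data: bytes) -> dict:
    """Classify raw bytes as a bencoded torrent, a PE executable, or neither.

    A genuine .torrent is a bencoded dictionary: it starts with b'd' and carries an
    'announce' or 'info' key. A Windows executable starts with the 'MZ' DOS stub and
    has a 'PE\\0\\0' signature at the 32-bit offset stored at 0x3C.
    """
    findings = []
    is_pe = False
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            is_pe = True
            findings.append("PE executable disguised as .torrent")
    # Bencoded keys are length-prefixed strings: "8:announce" and "4:info".
    is_bencoded = data[:1] == b"d" and (b"8:announce" in data or b"4:info" in data)
    if not is_bencoded and not is_pe:
        findings.append("not a bencoded torrent dictionary")
    if len(data) > MAX_TORRENT_BYTES:
        findings.append(f"oversized for a torrent file ({len(data)} bytes)")
    return {"is_torrent": is_bencoded and not is_pe, "is_pe": is_pe, "findings": findings}


# Constructed sample: a minimal bencoded torrent dictionary (not from the campaign).
SAMPLE_TORRENT = b"d8:announce20:http://tracker.test/4:infod4:name8:game.iso6:lengthi10eee"


def build_fake_pe(total_size: int) -> bytes:
    """Construct a bare MZ/PE header padded with zeros (sample data, not real malware)."""
    header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"
    return header.ljust(total_size, b"\0")


if __name__ == "__main__":
    # Usage: python triage.py <downloaded-file>; falls back to the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(classify_torrent_candidate(fh.read()))
    else:
        print(classify_torrent_candidate(SAMPLE_TORRENT))
        print(classify_torrent_candidate(build_fake_pe(3_500_000)))
```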
Symantec’s detection for the PUA (PUP) downloader is PUA.ICLoader!g3. Other detections include Trojan.ICLoader.CD and the following:
- Bitdefender – Gen:Variant.Symmi.62307
- Dr. Web – Trojan.InstallCube.987
- ESET-NOD32 – Win32/Adware.ICLoader.MB
- EmsiSoft – Gen:Variant.Symmi.62307 (B)
- Kaspersky – not-a-virus:AdWare.Win32.ICLoader.afvc
- McAfee – Artemis!164FBBB04F06
- Microsoft – SoftwareBundler:Win32/ICLoader
- TrendMicro – TROJ_GEN.R00XC0EDE16
Keep in mind that the PUP downloader may initiate POST requests to several remote locations hosting adware:
The downloader can also check for virtual environments and silently download more PUPs onto the victim’s system. The worst part is that the additional installation of PUPs doesn’t require user interaction, and no EULA is displayed that would let the user opt out. If you notice that your browser’s home page has changed, and browser shortcuts are either hidden or replaced with third-party browsers, you should consider scanning your system with anti-malware software: it has been invaded by adware and browser hijackers.
How to Remove PUPs Brought by video_chto_takoe_starenie(.)exe
Since the PUA downloader may have brought many PUPs to your computer, the easiest way to detect and remove all of them is by installing and running an anti-malware program. This is the most secure way to make sure your system is clean. However, if your knowledge of removing unwanted programs is above average, you can also try to fix your system and browsers manually by following the steps below.