Mandiant is reporting on a trojaned Windows installer that targets Ukrainian users. The installer was left on various torrent sites, presumably ensnaring people downloading pirated copies of the operating system:
Mandiant uncovered a socially engineered supply chain operation focused on Ukrainian government entities that leveraged trojanized ISO files masquerading as legitimate Windows 10 Operating System installers. The trojanized ISOs were hosted on Ukrainian- and Russian-language torrent file sharing sites. Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it. At a subset of victims, additional tools are deployed to enable further intelligence gathering. In some instances, we discovered additional payloads that were likely deployed following initial reconnaissance including the STOWAWAY, BEACON, and SPAREPART backdoors.
One obvious solution would be for Microsoft to give the Ukrainians Windows licenses, so they don’t have to get their software from sketchy torrent sites.
Posted on December 20, 2022 at 7:30 AM •
Here’s the story of how it was done. First, a fake ad on torrent listings linked the site to a Latvian bank account, an e-mail address, and a Facebook page.
Using basic website-tracking services, Der-Yeghiayan was able to uncover (via a reverse DNS search) the hosts of seven apparent KAT website domains: kickasstorrents.com, kat.cr, kickass.to, kat.ph, kastatic.com, thekat.tv and kickass.cr. This dug up two Chicago IP addresses, which were used as KAT name servers for more than four years. Agents were then able to legally gain a copy of the server’s access logs (explaining why it was federal authorities in Chicago that eventually charged Vaulin with his alleged crimes).
Using similar tools, Homeland Security investigators also performed something called a WHOIS lookup on a domain that redirected people to the main KAT site. A WHOIS search can provide the name, address, email and phone number of a website registrant. In the case of kickasstorrents.biz, that was Artem Vaulin from Kharkiv, Ukraine.
Der-Yeghiayan was able to link the email address found in the WHOIS lookup to an Apple email address that Vaulin purportedly used to operate KAT. It’s this Apple account that appears to tie all of pieces of Vaulin’s alleged involvement together.
On July 31st 2015, records provided by Apple show that the me.com account was used to purchase something on iTunes. The logs show that the same IP address was used on the same day to access the KAT Facebook page. After KAT began accepting Bitcoin donations in 2012, $72,767 was moved into a Coinbase account in Vaulin’s name. That Bitcoin wallet was registered with the same me.com email address.
Posted on July 26, 2016 at 6:42 AM •
Interesting research: “One Bad Apple Spoils the Bunch: Exploiting P2P Applications to Trace and Profile Tor Users“:
Abstract: Tor is a popular low-latency anonymity network. However, Tor does not protect against the exploitation of an insecure application to reveal the IP address of, or trace, a TCP stream. In addition, because of the linkability of Tor streams sent together over a single circuit, tracing one stream sent over a circuit traces them all. Surprisingly, it is unknown whether this linkability allows in practice to trace a significant number of streams originating from secure (i.e., proxied) applications. In this paper, we show that linkability allows us to trace 193% of additional streams, including 27% of HTTP streams possibly originating from “secure” browsers. In particular, we traced 9% of Tor streams carried by our instrumented exit nodes. Using BitTorrent as the insecure application, we design two attacks tracing BitTorrent users on Tor. We run these attacks in the wild for 23 days and reveal 10,000 IP addresses of Tor users. Using these IP addresses, we then profile not only the BitTorrent downloads but also the websites visited per country of origin of Tor users. We show that BitTorrent users on Tor are over-represented in some countries as compared to BitTorrent users outside of Tor. By analyzing the type of content downloaded, we then explain the observed behaviors by the higher concentration of pornographic content downloaded at the scale of a country. Finally, we present results suggesting the existence of an underground BitTorrent ecosystem on Tor.
Posted on March 25, 2011 at 6:38 AM •
Nasty scam, where the user is pressured into accepting a “pre-trial settlement” for copyright violations. The level of detail is impressive.
Posted on April 26, 2010 at 12:55 PM •
The team of researchers, which includes graduate students David Choffnes (electrical engineering and computer science) and Dean Malmgren (chemical and biological engineering), and postdoctoral fellow Jordi Duch (chemical and biological engineering), studied connection patterns in the BitTorrent file-sharing network—one of the largest and most popular P2P systems today. They found that over the course of weeks, groups of users formed communities where each member consistently connected with other community members more than with users outside the community.
“This was particularly surprising because BitTorrent is designed to establish connections at random, so there is no a priori reason for such strong communities to exist,” Bustamante says. After identifying this community behavior, the researchers showed that an eavesdropper could classify users into specific communities using a relatively small number of observation points. Indeed, a savvy attacker can correctly extract communities more than 85 percent of the time by observing only 0.01 percent of the total users. Worse yet, this information could be used to launch a “guilt-by-association” attack, where an attacker need only determine the downloading behavior of one user in the community to convincingly argue that all users in the communities are doing the same.
Given the impact of this threat, the researchers developed a technique that prevents accurate classification by intelligently hiding user-intended downloading behavior in a cloud of random downloading. They showed that this approach causes an eavesdropper’s classification to be wrong the majority of the time, providing users with grounds to claim “plausible deniability” if accused.
Posted on April 9, 2009 at 7:07 AM •
Interesting speculation from Nicholas Weaver:
All that is necessary is that the MPAA or their contractor automatically spiders for torrents. When it finds torrents, it connects to each torrent with manipulated clients. The client would first transfer enough content to verify copyright, and then attempt to map the participants in the Torrent.
Now the MPAA has a “map” of the participants, a graph of all clients of a particular stream. Simply send this as an automated message to the ISP saying “This current graph is bad, block it”. All the ISP has to do is put in a set of short lived (10 minute) router ACLs which block all pairs that cross its network, killing all traffic for that torrent on the ISP’s network. By continuing to spider the Torrent, the MPAA can find new users as they are added and dropped, updating the map to the ISP in near-real-time.
Note that this requires no wiretapping, and nicely minimizes false positives.
Debate on idea here.
Posted on February 11, 2008 at 1:24 PM •
Excellent article by John Tehranian: “Infringement Nation: Copyright Reform and the Law/Norm Gap“:
By the end of the day, John has infringed the copyrights of twenty emails, three legal articles, an architectural rendering, a poem, five photographs, an animated character, a musical composition, a painting, and fifty notes and drawings. All told, he has committed at least eighty-three acts of infringement and faces liability in the amount of $12.45 million (to say nothing of potential criminal charges). There is nothing particularly extraordinary about John’s activities. Yet if copyright holders were inclined to enforce their rights to the maximum extent allowed by law, he would be indisputably liable for a mind-boggling $4.544 billion in potential damages each year. And, surprisingly, he has not even committed a single act of infringement through P2P file sharing. Such an outcome flies in the face of our basic sense of justice. Indeed, one must either irrationally conclude that John is a criminal infringer—a veritable grand larcenist—or blithely surmise that copyright law must not mean what it appears to say. Something is clearly amiss. Moreover, the troublesome gap between copyright law and norms has grown only wider in recent years.
The point of the article is how, simply by acting normally, all of us are technically lawbreakers many times over every day. When laws are this far outside the social norms, it’s time to change them.
Posted on November 26, 2007 at 6:54 AM •
This story is poised to become a bigger deal:
Peer-to-peer (P2P) poisoning company MediaDefender suffered an embarrassing leak this weekend, when almost 700MB of internal company e-mail was distributed on the Internet via BitTorrent. The e-mails reveal many aspects of MediaDefender’s elaborate P2P disruption strategies, illuminate previously undisclosed details about the MiiVi scandal, and bring to light details regarding MediaDefender’s collaboration with the New York Attorney General’s office on a secret law enforcement project. We have been reviewing the data for days and will have multiple reports on the topic.
More info here.
And now, phone calls were leaked. Here’s a teaser—Ben Grodsky of Media Defender talking to the New York State General Attorney’s office:
Ben Grodsky: “Yeah it seems…I mean, from our telephone call yesterday it seems that uhm… we all pretty much came to the conclusion that probably was ehm… caught in the email transmission because the attacker, I guess what you call, the Swedish IP, the attacker uhm… knew the login and the IP address and port uhm… but they weren’t able to get in because we had changed the password on our end, you know, following our normal security protocols uhm… when we are making secure transactions like these on the first login we’ll change the password so, obviously, well not obviously but, it seems that, most likely scenario is that, at some point that email was ehm… intercepted.
You know just because it is,.. probably it was going through the public Internet and there wasn’t any sort of encryption key used to ehm… protect the data in that email.”
Ben Grodsky: “…if you guys are comfortable just communicating with us by phone, anything that is really really sensitive we can just communicate in this fashion…”
Ben Grodsky: “OK [confused, taking notes]. So, you are gonna disable password authentication and enable public key?”
Ben Grodsky: “…that part has… has not been compromised in any way. I mean, the communications between our offices in Santa Monica and our data centers have not been compromised in any way and all those communications to NY, to your offices, are secured. The only part that was compromised was…was the email communications about these things.”
Ben Grodsky: “…All we can say for sure Media Defender’s mail server has not been hacked or compromised…”
[Answering to the question “What kind of IDS you guys are running?”]
Ben Grodsky: “Ehm…I don’t know. Let me look into that.”
EDITED TO ADD (9/20): Media Defender’s source code is now available on P2P networks. Actually, I’m feeling sorry for them.
Posted on September 18, 2007 at 12:03 PM •
It’s online: digital photographs of every page are available on BitTorrent.
I’ve been fielding press calls on this, mostly from reporters asking me what the publisher could have done differently. Honestly, I don’t think it was possible to keep the book under wraps. There are millions of copies of the book headed to all four corners of the globe. There are simply too many people who must be trusted in order for the security to hold. And all it takes is one untrustworthy person—one truck driver, one bookstore owner, one warehouse worker—to leak the book.
But conversely, I don’t think the publishers should care. Anyone fan-crazed enough to read digital photographs of the pages a few days before the real copy comes out is also someone who is going to buy a real copy. And anyone who will read the digital photographs instead of the real book would have borrowed a copy from a friend. My guess is that the publishers will lose zero sales, and that the pre-release will simply increase the press frenzy.
I’m kind of amazed the book hadn’t leaked sooner.
And, of course, it is inevitable that we’ll get ASCII copies of the book post-publication, for all of you who want to read it on your PDA.
EDITED TO ADD (7/18): I was interviewed for “Future Tense” on this story.
EDITED TO ADD (7/20): This article outlines some of the security measures the publisher took with the manuscript.
EDITED TO ADD (7/25): The camera has a unique serial number embedded in each of the digital photos which might be used to track the author. Just another example of how we leave electronic footprints everywhere we go.
EDITED TO ADD (8/15): Here is a much more comprehensive analysis of who the leaker is:
- The photographer is Caucasian.
- The photographer is probably not married (no wedding ring on left hand).
- The photographer is likely male. In the first few photos, the ring finger appears to be longer than the index finger. This is called the 2D:4D ratio and a lower ratio is symptomatic a high level of testosterone, suggesting a male. However, there is no clear shot of the fingers layed out, so this is not conclusive.
- Although cameras are usually designed for right-handed use, the photographer uses his left hand to pin down the book. This suggests that the photographer is right handed. (I’ve seen southpaws try to do this sort of thing, and they usually hold the camera in an odd way with their left hand.) However, this too is not conclusive.
- The photographer’s hand looks young—possibly a teenager or young adult.
Much, much more in the link.
Posted on July 17, 2007 at 4:38 PM •
Why is the Department of Homeland Security involved in copyright issues?
Agents shut down a popular Web site that allegedly had been distributing copyrighted music and movies, including versions of Star Wars Episode III: Revenge of the Sith. Homeland Security agents from several divisions served search warrants on 10 people around the country suspected of being involved with the Elite Torrents site, and took over the group’s main server.
Shouldn’t they be spending their resources on matters of national security instead of worrying about who is downloading the new Star Wars movie? Here’s the DHS’s mission statement, in case anyone is unsure what they’re supposed to be doing.
We will lead the unified national effort to secure America. We will prevent and deter terrorist attacks and protect against and respond to threats and hazards to the nation. We will ensure safe and secure borders, welcome lawful immigrants and visitors, and promote the free-flow of commerce.
I simply don’t believe that running down file sharers counts under “promote the free-flow of commerce.” That’s more along the lines of checking incoming shipping for smuggled nuclear bombs without shutting down our seaports.
Edited to add: Steve Wildstrom of Business Week left this comment, which seems to explain matters:
The DHS involvement turns out to be not the least bit mysterious. DHS is a sprawling agglomeration of agencies and the actual unit involved was Immigration and Customs Enforcement, a/k/a the Customs Service. Its involvement arose because the pirated copy of Star Wars apparently originated outside the U.S. and Customs is routinely involved in the interception and seizure of material entering the U.S. in violation of copyright or trademark laws. In Washington, for example, Customs agents regularly bust street vendors selling T-shirts with unlicensed Disney characters and other trademarked and copyright stuff.
The Secret Service’s role in computer crime enforcement arose from its anti-counterfeiting activities which extended to electronic crimes against financial institutions and cyber-crime in general. But they aren’t very good at it (anyone remember the Steve Jackson Games fiasco?) and the functions would probably best be turned over to another agency.
Posted on June 1, 2005 at 2:31 PM •
Sidebar photo of Bruce Schneier by Joe MacInnis.