Security Incident (Updated 9/14)

This morning on 9/13/2011 at approximately 4:20 a.m. Pacific Daylight Time (UTC -7), the uTorrent.com and BitTorrent.com Web servers were compromised. Our standard Windows software download was replaced with a type of fake antivirus “scareware” program. (UPDATE: See below for removal instructions.)

Just after 6:00 a.m. Pacific time, we took the affected servers offline to neutralize the threat. Our servers are now back online and functioning normally.

We have completed preliminary testing of the malware. Upon installation, a program called ‘Security Shield’ launches and pops up warnings that a virus has been detected. It then prompts the user for payment to remove the virus. We recommend that anyone who downloaded software between 4:20 a.m. and 6:10 a.m. Pacific time run a security scan of their computer.

We take the security of our systems and the safety of our users very seriously. We sincerely apologize to any users who were affected.

Clarification: This only affects users who downloaded software specifically from utorrent.com or bittorrent.com between the hours above this morning. Users who previously downloaded our software are not affected.

Update #2: After further analysis, we don’t believe BitTorrent.com or the BitTorrent Mainline/Chrysalis clients were part of the incident.

Update #3: File Removal Instructions

This particular piece of malware uses a different, randomly generated .exe file name on every machine it installs on, so the first step is to find out the file name. To do this, open the following directory on your Windows hard drive:

– Windows XP: Click Start, click Run, and then type in “%USERPROFILE%\Local Settings\Application Data\” without the quotes. The file will be called [random].exe.

– Windows Vista and Windows 7: Click Start, and in the search box type in “%localappdata%” without the quotes. The file will be called [random].exe.

To delete the file, first make sure the program is no longer running:
– Open Task Manager (Control-Alt-Delete), select the [random].exe process (the name you found in the directory above), click “End Process” and confirm with “Yes.”

– Next: go back to the directory, select the file (or right-click on its name) and hit Delete.

– Empty your Recycle Bin.
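
The manual steps above can be scripted so that the random file name, the running process and any autostart entry are found together rather than one at a time. The following PowerShell script is an added example, not part of the BitTorrent post; it assumes, as the post states, that the scareware dropped a single randomly named .exe directly in %LOCALAPPDATA% (Vista/7) or “%USERPROFILE%\Local Settings\Application Data” (XP), that it runs as the affected user, and that PowerShell 4.0 or later is available (for Get-FileHash). The per-user Run key check goes slightly beyond the post: it covers the “reinstalls when you restart” concern raised in the comments.

```powershell
# Added example, not from the BitTorrent post: triage/cleanup helper for the removal steps.
# Assumptions: one randomly named .exe sits directly in %LOCALAPPDATA% (Vista/7) or in
# "%USERPROFILE%\Local Settings\Application Data" (XP); PowerShell 4.0+; run as the affected user.
param(
    [datetime]$Since = (Get-Date).AddDays(-1),   # only look at files created recently
    [switch]$Remove                              # report only unless -Remove is given
)

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Directories named in the removal instructions, whichever of them exist on this machine.
$candidateDirs = @(
    $env:LOCALAPPDATA,
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Step 1: find the [random].exe. Legitimate software normally installs into a sub-folder,
# so an .exe sitting in the root of this directory, created recently, is the suspect.
$suspects = foreach ($dir in $candidateDirs) {
    Get-ChildItem -LiteralPath $dir -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $Since }
}

if (-not $suspects) {
    Write-Output "No .exe created since $Since found directly in: $($candidateDirs -join '; ')"
    return
}

# Values under the per-user Run key, to tell whether the file relaunches at logon.
$runValues = @()
if (Test-Path $runKey) {
    $runValues = (Get-ItemProperty -Path $runKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }
}

foreach ($file in $suspects) {
    $sig   = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash  = (Get-FileHash -Algorithm SHA256 -LiteralPath $file.FullName).Hash
    # Step 2: the running process backed by this file (what Task Manager's "End Process" targets).
    $procs = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -eq $file.FullName }
    $persist = @($runValues | Where-Object { "$($_.Value)" -like "*$($file.Name)*" })

    [pscustomobject]@{
        File       = $file.FullName
        Created    = $file.CreationTime
        Hidden     = (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        SHA256     = $hash                     # keep this for your AV vendor / incident record
        Signature  = $sig.Status               # a swapped-in scareware binary is typically NotSigned
        Running    = (@($procs).Count -gt 0)
        RunKeyName = (($persist | ForEach-Object { $_.Name }) -join ',')
    }

    if ($Remove) {
        # Stop the process before deleting, as the instructions say; -Force on Remove-Item also
        # deletes hidden/read-only copies; then drop any Run value that would relaunch it.
        $procs | Stop-Process -Force -ErrorAction SilentlyContinue
        Remove-Item -LiteralPath $file.FullName -Force
        foreach ($p in $persist) { Remove-ItemProperty -Path $runKey -Name $p.Name }
    }
}
```

Save it as, for example, Find-Scareware.ps1 and run it without -Remove first: it prints one row per suspect with the file's hash, signature status, whether it is currently running and whether a Run value points at it, so you can confirm you have the right file before running it again with -Remove.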

44 Comments

  1. geepee
    Posted September 13, 2011 at 4:35 pm | Permalink | Reply

    A good reason to start signing software downloads with gpg

    • the-me
      Posted September 15, 2011 at 5:06 am | Permalink | Reply

      Well, but then users would have to check the signature. And if more than 0.001% of all uTorrent users do that, I’d be really surprised… Of course you’re right, signing would be the first step 🙂

  2. cody
    Posted September 13, 2011 at 5:34 pm | Permalink | Reply

    How many times was ‘Security Shield’ downloaded between the mentioned hours?

  3. Steven
    Posted September 13, 2011 at 11:06 pm | Permalink | Reply

    I’ll assume the malware did not have the digital signature of Bittorrent Inc?

  4. tricky micky
    Posted September 14, 2011 at 6:24 am | Permalink | Reply

    I got owned by this. Spybot search and destroy didn’t find it. Need to reboot in safe mode and delete the *.exe hiding in the users\you\appdata folder.

  5. Matt Fuerst
    Posted September 14, 2011 at 7:37 am | Permalink | Reply

    You realize you posted this story, with times, and no actual date?

    I assume by the URL path that we’re talking about this incident happening on Sept 13, 2011? But come on!

  6. fqa
    Posted September 14, 2011 at 7:47 am | Permalink | Reply

    how many downloads were there during that window.

  7. Stephen
    Posted September 14, 2011 at 10:14 am | Permalink | Reply

    Are you 100% sure this was the only time? I’ve had utorrent for a while and I had this same Security Shield malware hit me more then once.

    • Posted September 14, 2011 at 11:19 am | Permalink | Reply

      Yes, we’ve never had this kind of attack before. It’s unlikely it’s the first time the hackers used this piece of malware, though.

  8. Someone
    Posted September 14, 2011 at 2:29 pm | Permalink | Reply

    They should burn the people that do these things, you know? Stab them violently until they scream!

    • lql
      Posted September 14, 2011 at 11:21 pm | Permalink | Reply

      What a WISE Comment NOT! 😉

  9. Jon
    Posted September 14, 2011 at 3:07 pm | Permalink | Reply

    Many software projects sign their projects with GPG keys for this reason.
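
Comments 1, 3 and 9 all come back to the same control: a user (or an automated download pipeline) should verify who signed an installer before running it. On Windows the built-in equivalent of a GPG check is the Authenticode signature, which PowerShell can inspect with Get-AuthenticodeSignature. The script below is an added example, not BitTorrent's own code; the expected publisher subject is a placeholder that you would read from a known-good installer and pin, and it assumes the downloaded file is at the path passed in. The point it demonstrates is that a signature being merely “Valid” is not enough, since anyone can obtain a code-signing certificate; the signer must also be the publisher you expect.

```powershell
# Added example, not BitTorrent's own code: verify an installer's Authenticode signature and
# pin the signer before running it. ExpectedSubject is a placeholder; read the real value from a
# known-good installer (or the vendor's published certificate details) and pin it.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$ExpectedSubject    = 'CN=EXPECTED-PUBLISHER-PLACEHOLDER',
        [string]$ExpectedThumbprint = ''       # optional: pin the exact certificate too
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $signer = $null
    $thumb  = $null
    if ($cert) {
        $signer = $cert.Subject
        $thumb  = $cert.Thumbprint
    }

    $result = [ordered]@{
        File       = $Path
        Status     = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer     = $signer
        Thumbprint = $thumb
        Trusted    = $false
        Reason     = ''
    }

    if ($sig.Status -ne 'Valid') {
        # NotSigned is what a swapped installer like the one in this incident would show;
        # HashMismatch means a signed file was modified after it was signed.
        $result.Reason = "signature status is $($sig.Status)"
    }
    elseif ($signer -ne $ExpectedSubject) {
        $result.Reason = "valid signature, but signer '$signer' is not the pinned publisher"
    }
    elseif ($ExpectedThumbprint -and ($thumb -ne $ExpectedThumbprint)) {
        $result.Reason = 'valid signature from the pinned publisher name, but a different certificate'
    }
    else {
        $result.Trusted = $true
        $result.Reason  = 'valid signature from the pinned publisher'
    }
    [pscustomobject]$result
}

# Usage: refuse to run anything that does not pass. The path is an assumed example location.
$check = Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\installer.exe"
$check | Format-List
if (-not $check.Trusted) { Write-Warning "Not running installer: $($check.Reason)" }
```

Pinning the thumbprint as well as the subject name is stricter but means the check breaks whenever the vendor renews its certificate, so the subject pin is the usual compromise; whichever you pin, record the value from a copy you trust, not from the download you are about to check.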

  10. Joe Chan
    Posted September 14, 2011 at 4:15 pm | Permalink | Reply

    How about the OS X version of µTorrent? Was it compromised as well?

    • Posted September 14, 2011 at 6:46 pm | Permalink | Reply

      No, Windows only – if downloaded between those two hours. Thanks!

  11. priscilla
    Posted September 14, 2011 at 9:00 pm | Permalink | Reply

    Ya this compromised my computer alright, I can’t even load my control panel to erase shit at all! Thanks for paying for virus protection, everything is a scam nowadays

  12. SIT
    Posted September 15, 2011 at 6:16 am | Permalink | Reply

    Why do we still need email addresses in webforms? It’s so 2005.

    Why isn’t it clear in the article whether OS X is compromised as well?

  13. Bernie
    Posted September 15, 2011 at 10:32 am | Permalink | Reply

    Yeah, this got into my system 4 times yesterday, each time I installed uTorrent! hehehe Was easy to fix, just booted into safe mode and restored my computer to an earlier time and ran a virus scan! No biggy! Them dang hackers! ehhehee

  14. curious
    Posted September 15, 2011 at 12:30 pm | Permalink | Reply

    was researching ledbat and noticed this news.

    so what httpd do you guys use on the download site?

    nginx?

    publicfile? not.

    how experienced are your admins with unix?

    others could learn from the mistakes made.

    seems many, many www admins are making the same old mistakes as we continue to see www servers get compromised.

    anyway sorry to hear about this.

  15. osewaninaru
    Posted September 15, 2011 at 12:32 pm | Permalink | Reply

    Were the automatic updates also affected?

    • Posted September 15, 2011 at 5:11 pm | Permalink | Reply

      No, auto updates weren’t affected. See reply above for more detail 🙂

  16. Fakeer
    Posted September 15, 2011 at 12:46 pm | Permalink | Reply

    uTorrent automatically connects and updates. Might any such auto updates during those hours have anything to do with that? I didn’t install, though it has been running for the last 16 days. Besides, I didn’t find that file.

    • Posted September 15, 2011 at 5:11 pm | Permalink | Reply

      No, auto-updates weren’t affected. As it turns out, that server was offline at that moment. Had it been on, there are measures in place that would have ensured your client would have rejected the new build as an update. Thanks for asking – good question.

  17. Mike
    Posted September 16, 2011 at 1:42 am | Permalink | Reply

    People that bundle these fake virus programs into software downloads just to scare you into typing in your credit card info so they can steal your money are nothing less than cyber terrorists! Why doesn’t the government form a special task force to track and prosecute these people? You know they have the resources to do anything they want. But no, they are too busy worrying about who illegally downloaded a music album or movie without paying for it yet. News flash, these people aren’t hurting anybody, these other jerks are harming innocent peoples computers.

    If it were up to me I’d string them all up in a crowded parking lot somewhere with signs tattooed across their chests and backs saying “I hack computers with fake antivirus software and steal credit card info.” And just let the people throw rocks at them all day, then I’d tie their legs to the back of a bus and drive them down the highway at 80 miles an hour until there is nothing left but a bloody rope! That’s what these criminals deserve!

    • Blxr
      Posted September 20, 2011 at 10:09 am | Permalink | Reply

      Actually, the Stuxnet virus is a sign of cyber-terrorism. It can mess up PLCs and that can lead to physical damage in the real world. But I see what you’re saying 😉

  18. guru
    Posted September 16, 2011 at 10:16 pm | Permalink | Reply

    Not able to download from any of the bandwidth servers, it says HTTP 404 error

  19. Posted September 18, 2011 at 11:46 am | Permalink | Reply

    It is very good software for our PC; it provides more security than other software.

  20. Anonymous
    Posted September 19, 2011 at 8:08 am | Permalink | Reply

    Will you care to explain the details of the hack ?

  21. Keith
    Posted September 20, 2011 at 8:01 am | Permalink | Reply

    I have 2 issues. First, I haven’t gotten my validation email for the forums, although I’ve checked my inbox and spam inbox, and I’ve resent the validation email. And secondly, I just downloaded BitTorrent for Mac, and when I open a torrent that has multiple files, it just automatically starts to download the entire torrent, instead of allowing me to select the files that I want from the torrent.

  22. Posted September 23, 2011 at 7:50 pm | Permalink | Reply

    if you build it, they will come…..

  23. Posted September 23, 2011 at 7:51 pm | Permalink | Reply

    Luke, I am your father

  24. Posted September 27, 2011 at 7:15 am | Permalink | Reply

    It happens, nothing to worry about.. if we had not fallen into trouble, this process of learning might stop.. these problems may help us learn more and more.. 🙂

  25. Posted September 28, 2011 at 2:38 pm | Permalink | Reply

    i just helped a friend in removing this Security Shield fake antivirus.

  26. Posted September 29, 2011 at 8:38 pm | Permalink | Reply

    I know someone who was affected by this.

  27. Posted October 20, 2011 at 9:47 pm | Permalink | Reply

    Interesting, this site came up when I searched for “how to get rid of scareware” not what I’d expect, but your solutions worked, so it’s all good.

  28. Posted November 8, 2011 at 1:24 pm | Permalink | Reply

    When removing viruses you should also search for the virus file name in Windows search with “view hidden files” checked, to see if there are any hidden files that will reinstall when you restart your computer.

  29. Posted November 15, 2011 at 2:29 am | Permalink | Reply

    Do you have any idea who could possibly have done that?

  30. brunno
    Posted November 19, 2011 at 3:56 pm | Permalink | Reply

    Can someone there help me?
    I’m using BitTorrent as a download manager, and I want it to automatically move to the next download when one download is complete, until it finishes the download list I put in BitTorrent.

    I appreciate it now.

  31. Posted November 30, 2011 at 5:56 am | Permalink | Reply

    Thanks guys for letting me know about this.

  32. Posted December 11, 2011 at 1:06 am | Permalink | Reply

    thanks for the warning.

  33. Posted January 13, 2012 at 9:15 am | Permalink | Reply

    I had the same problem, Spybot Search and Destroy didn’t pick it up, considering it’s one of the top malware softwares.
