Public Torrent Users Beware: The Next-gen Torrent Scam

August 30, 08 by sharky

Unless you happened to be fortunate enough to start out on BitTorrent through the great world of private trackers, you’ve probably fallen for some pretty intricate public torrent scams in your time. And let’s face it - we’ve all been duped into downloading password-protected torrents, only to have to click on external links to find that elusive password on sites that we just shouldn’t need to be visiting. Some of us may have been forced to acquire a special media player (such as DOM) to play that movie we just spent three days downloading. But all of this is child’s play compared to the new generation of torrent scams.

Introducing the latest torrent threat: Pay-Per-Install (PPI) adware, spyware & malware bound into the torrent files. But don’t just take our word for it; check out these sites that cater to PPI torrent scams:

  • http://www.blackhatworld.com/blackhat-seo/f75-torrents/
  • http://www.pay-per-install.org/buy-sell-trade/

PPI-Bound *.EXE files - The Next Generation of Bad Torrents

The old method of passwording *.rar archives in the torrent is now somewhat antiquated, as these automatically qualify for an instant ban on most of the monster trackers, including mininova & thepiratebay. Not only do these torrents become easy candidates for instant removal, but the uploader also gets banned for upping them in the first place. Scammers have been forced to move on to a different method of making money: hidden PPI installers.

The latest method of torrent scam involves the procedure known as "binding EXEs". To oversimplify it, this is the process of combining a ‘clean’ EXE file with one or more "Pay-Per-Install" (PPI) .exe files, for the purpose of hiding the PPI payload installer. This is achieved by way of a crypter/binder (there are too many to mention). The files/torrents most susceptible to this are usually small applications, cracks and keygens, including game cracks.

Scammers tend to stick with small appz because they need to test the bound EXE file before uploading it to a public tracker. If it is easily detected by antivirus/anti-spyware software, then it is not FUD (fully undetected) and thus it will (usually) be promptly deleted from the torrent website. To verify the FUD %, the finished bound file is uploaded to an online antivirus checker such as virustotal or novirusthanks. Once it clears this (or is close to 100% FUD), it is ready for submission to public trackers. The scammers then create accounts at TPB and mininova and upload their modified torrents, or hire a third party to do the torrent uploading for them.

The Dangers

Having to click a few ads or links to get a password to unlock that RAR file is one thing, but it’s really nothing more than a time-wasting annoyance. On the other hand, PPI installers are pure evil, and are very difficult to remove from an infected computer. When properly ‘binded’, they can be virtually undetectable by many anti-spyware / anti-virus applications, and may include rootkits and self-replicating adware.

PPI installers are not exclusive to torrents, and can be inserted into any (exe) file and shared through any P2P filesharing protocol. It’s become big business, with new PPI companies sprouting up all the time, notably Luxecash and Oxocash.

Simple Solutions:

— Wherever possible, stick with private trackers. Most PPI-ers are not brazen enough to upload a bad torrent - one attempt at this would obviously lead to their last login (instant ban). Manual torrent moderation (removal) is something that public trackers don’t usually engage in (due to the sheer volume of new torrents reaching the site each day).

— If you must use public trackers, avoid *.EXE files (small applications, cracks, keygens). Stick with movies and music files - "PPI installers" have yet to be fused into them (if this is even a possibility).

— When compared to mininova, it’s been noted that ThePirateBay has a better filtration / detection system to catch these scammy torrents.
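
The advice above to avoid executables from public trackers can be checked before anything is downloaded, because a .torrent file names every payload file it carries. The following is an added example, not code from the original article: a minimal bencode decoder that lists those files and flags executable extensions. The extension set beyond .exe and the sample metainfo are assumptions constructed for illustration.

```python
import os

# Assumption: Windows extensions that run code when opened (the article names only .exe).
RISKY_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".msi"}

def bdecode(data, i=0):
    """Decode one bencoded value starting at data[i]; return (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list or dict, both closed by 'e'
        items, i = [], i + 1
        while data[i:i + 1] != b"e":                # truncated input raises ValueError below
            item, i = bdecode(data, i)
            items.append(item)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                 # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        n, start = int(data[i:colon]), colon + 1
        if start + n > len(data):
            raise ValueError("truncated string")
        return data[start:start + n], start + n
    raise ValueError(f"bad bencode at offset {i}")

def torrent_files(raw):
    """Return [(path, size)] for every file the metainfo declares."""
    info = bdecode(raw)[0][b"info"]
    if b"files" in info:                            # multi-file torrent
        return [("/".join(p.decode("utf-8", "replace") for p in f[b"path"]),
                 f[b"length"]) for f in info[b"files"]]
    return [(info[b"name"].decode("utf-8", "replace"), info[b"length"])]

def flag_executables(raw):
    """Entries whose extension is in RISKY_EXTS, the kind the article says to avoid."""
    return [(path, size) for path, size in torrent_files(raw)
            if os.path.splitext(path.lower())[1] in RISKY_EXTS]

# Constructed sample metainfo: a video, a keygen and an .nfo file.
SAMPLE = (b"d4:infod5:filesl"
          b"d6:lengthi734003200e4:pathl9:movie.aviee"
          b"d6:lengthi180224e4:pathl5:crack10:keygen.EXEee"
          b"d6:lengthi512e4:pathl8:info.nfoee"
          b"e4:name7:Exampleee")

if __name__ == "__main__":
    print(flag_executables(SAMPLE))
```

A clean file list says nothing about what is inside an archive or installer in the torrent, so this is a first filter rather than a verdict.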

19 responses for this post

  3. 03   •   Chris Hanlon Says:

    Wow… why people use public trackers in the first place amazes me. You can find decent privates (tbytes, bitsoup) that are open for signup.

  4. 04   •   Shamus McFartfinger Says:

    And I say Chris Hanlon is an idiot. A private tracker can just as easily host infected files like these as a public tracker. In future, I suggest you read and understand the article before commenting on it.

    99% of the internet community has no idea how their computer works. There’s little point in proving that with your aloof and idiotic diatribe.

  5. 05   •   Chris Hanlon Says:

    Yes, but as the article says, most people wouldn’t dare (that’s a most, not an always) as they would be banned instantly

  6. 06   •   Andrew Says:

    @ Shamus McFartfinger

    That’s part of the reason why not everyone can upload torrents to private sites…

  7. 07   •   skidz Says:

    I know I have downloaded password-protected TV/Movies in the past, and did once go through the trying to get password by clicking links but gave up realising it was a scam, that was on Virgin Media, so I was pissed off due to bandwidth limits and throttling, I still get them on O2 on TPB..pisses me off, download, delete. now this…it’s apps you need to watch out for then…luckily I don’t download many apps, but games and movies and TV shows..

  8. 08   •   skidz Says:

    Anyone heard of podmailing here? It’s really good…pity it’s not used too much….can we have an article about it?

  9. 09   •   fgsdfd Says:

    I have uploaded 50 viruses to piratebay, 75% of my botnet is from piratebay :)

  10. 010   •   LulzCrypt team Says:

    We have been alerted of your information on our application and are not pleased. Please note we are a professional company merely defending people from getting their application reverse engineered by anti-virus and dis-assembler programs out there. False rumors and acquisitions like this are punishable by prosecution, I hope you are pleased with yourself.

    Sincerely,

    LulzCrypt Team.

  11. 011   •   D-Packer Dev Team Says:

    Hey.
    This article has messed with our program’s reputation. And will cause moral damage if kept here.
    So on behalf of d-packer coders. You have 3 days until this article is removed. Otherwise this site will be nulled for at least one month causing problems to you and your viewers.
    Countdown has started.
    We’ll start to heat the oven so we can bake this site after 3 days if orders were disobeyed.

    Heil Hitler.

    Regards.

  12. 012   •   Omg-Lolo0rZ Says:

    LouzyKrypt and FugdePacker Dev Team r NUBS! Fear their botnet of D00M consisting of 4 bots in their basement! MUHAHahAHHA Le’ Snort!

  13. 013   •   breal Says:

    D-Packer Dev Team and LulzCrypt team
    You may as well go after me too as I have spend this info all over the net.
    Fuck You..You want me come get me.

    Thanks filesharefreak for the info

  14. 014   •   LulzCrypt team Says:

    Excuse me, you have spend this info?

  15. 015   •   breal Says:

    lol..I must be high……….. spread

  16. 016   •   breal Says:

    I love when LulzCrypt team says he is defending people from getting their application reverse engineered.
    Then he posts his software on a hacker forum like this one below.
    Stop lying

    http://www.hackforums.net/showthread.php?tid=25466&pid=190038#pid190038

  17. 017   •   LulzCrypt team Says:

    Breal, that is merely an affiliate, once again I see weakness in your brain, perhaps around the ‘common sense’ part.

  18. 018   •   sharky Says:

    @ The D-Packer Dev Team : The article stays.

    You’ve been removed from any reference in this article. Thus, there is no further viable reason for you to request that this post be deleted. If anyone has an issue with something published herein at FSF, it is NOT conducive to having it resolved in a threatening manner in a public reader’s comment. Normally, it should be conducted through the “Contact Us” link, and, in a professional (and private) manner something can be resolved. We’ve removed many URLs and links from PVT trackers or anyone else that wishes for removal, non-mention, etc, and will continue in a cooperative manner to accommodate anyone…when this is done professionally.

  19. 019   •   jimbo Says:

    Yes, that’s right - DON’T EXECUTE .EXES FROM UNKNOWN SOURCES.

    Seriously, I would never run a program I downloaded on p2p
