Today, BitTorrent is the most common technology for sharing digital material, regardless of the limitations imposed by copyright regulations. Through BitTorrent, it is possible to download every type of file: movies, TV shows, songs, software and games. Unfortunately, the freedom and ease of downloading the desired content can pose serious risks for unaware users, who often get infected with malicious code hidden behind a torrent.
The two pages are quite similar. Each has a short description of the film and a large, prominent button to download the torrent file. After downloading the films, we are presented with a folder containing the movie and an executable with the Codec pack that enables viewing the movie:
Figure 16 shows the description of the torrent. In the area reserved for the details of the software, there is a minimal guide to installing it. However, it is immediately visible that something is suspicious: the size of the file is quite small. So after downloading the file, we have the following folder on the computer:
While we were analyzing the Torrent network, we decided to dissect an interesting sample of malware related to a huge botnet spreading in the wild, which has been dubbed Sathurbot. This malicious code was one of the numerous types of malware distributed through torrents, pretending to be a Codec Pack necessary to display the video just downloaded by the victims. An older version of it had already been analyzed by ESET researchers in 2017. The new malware variant behaves somewhat differently from the older one.
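The two warning signs described above (an executable "Codec Pack" sitting next to the movie, and a software download that is far too small) can be checked from the `.torrent` metadata before anything is downloaded. The following is an added example, not code from the original analysis: the extension sets, the 5 MiB threshold and the sample metainfo bytes are assumptions constructed for illustration.

```python
import os

# Extension sets and the size threshold are assumptions chosen for this example.
VIDEO = {".mkv", ".avi", ".mp4", ".mov", ".wmv"}
EXEC = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".lnk", ".vbs", ".js"}
SMALL = 5 * 1024 * 1024  # below this, a "full software" installer is implausible

def bdecode(data, i=0):
    """Minimal bencode decoder: returns (value, index after the value)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        # A dict is encoded as alternating keys and values.
        return (items if c == b"l" else dict(zip(items[::2], items[1::2]))), i + 1
    colon = data.index(b":", i)
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def torrent_files(raw):
    """Return [(path, size)] for single-file and multi-file torrents."""
    info = bdecode(raw)[0][b"info"]
    if b"files" in info:
        return [(b"/".join(f[b"path"]).decode("utf-8", "replace"), f[b"length"])
                for f in info[b"files"]]
    return [(info[b"name"].decode("utf-8", "replace"), info[b"length"])]

def flag_lures(raw):
    """Flag executables that sit next to a video or are suspiciously small."""
    files = torrent_files(raw)
    ext = lambda p: os.path.splitext(p.lower())[1]
    has_video = any(ext(p) in VIDEO for p, _ in files)
    findings = []
    for path, size in files:
        if ext(path) in EXEC and (has_video or size < SMALL):
            why = "bundled with video" if has_video else "too small for advertised software"
            findings.append((path, size, why))
    return findings

# Constructed sample metainfo (not taken from the analysed torrents).
MOVIE = (b"d4:infod5:filesld6:lengthi734003200e4:pathl9:movie.mkvee"
         b"d6:lengthi421888e4:pathl14:codec_pack.exeeee4:name5:movieee")
SOFTWARE = b"d4:infod6:lengthi180224e4:name9:setup.exeee"
```

Calling `flag_lures(MOVIE)` reports `codec_pack.exe`, while a torrent that contains only the video file yields an empty list.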