A torrent file is being used to infect unsuspecting users with malware that conducts a distributed password attack against WordPress-powered websites.
The dangers of torrenting are by no means new. In this particular campaign, a user searches to download a movie or software without paying for it. Their favorite search engine yields some relevant files. But the sites hosting them don’t have anything to do with seeding torrent files.
Provided below is one example of these search results, if you happened to be hunting for a torrent of “Baywatch 2017”:
Definitely strange!
But what if a user really wanted to watch “Baywatch (2017)” now? They might go ahead and click on one of the links. ESET’s research team explains in a blog post what happens next:
“When you begin torrenting in your favorite torrent client, you will find the file is well-seeded and thus appears legitimate. If you download the movie torrent, its content will be a file with a video extension accompanied by an apparent codec pack installer, and an explanatory text file. The software torrent contains an apparent installer executable and a small text file. The objective of both is to entice get the victim to run the executable which loads the Sathurbot DLL.”
Upon successful installation, Sathurbot retrieves its command and control (C&C). It can use this server to update itself. It can also run other malicious executables like Kovter and Fleercivet on the victim’s computer.
But that’s not all this malware can do.
The backdoor trojan comes with more than 5,000 generic words that it combines into two-four word query string. It then searches for this query using a search engine like Google and harvests all domain names it finds on the first three pages of search results. At that time, it checks to see if the site is powered by WordPress by testing the URL http://[domain_name]/wp-login.php for each domain. Every domain that fits the bell moves onto the next round: a password attack involving WordPress’s XML-RPC API.
ESET elaborates on this second-stage technique:
“The client is now ready to get a list of domain access credentials (formatted as
login:password@domain) to probe for passwords. Different bots in Sathurbot’s botnet try different login credentials for the same site. Every bot only attempts a single login per site and moves on. This design helps ensure that the bot doesn’t get its IP address blacklisted from any targeted site and can revisit it in the future.”
Assuming the malware successfully compromises the site, Sathurbot uses the libtorrent library to force the WordPress website to download a binary file, create a torrent, and seed it. This completes the infection cycle and helps the trojan reach even more potential victims.
To protect against this campaign, users should probably think twice before downloading a file from anyone other than a respected developer – especially sites that don’t appear to have anything to do with torrenting. At the same time, web admins should consider disabling XML-RPC on their WordPress website and use strong passwords.
Again, you have to be an idiot to believe you HAVE to install something new on your PC if you want to watch a video. Anyone with sense would know that your currently installed video playback software and codecs should be adequate to render the file on your screen, without the need for new software on your PC. If not, then download "K-Lite Codec Pack Full", and if it still won't play, then forget it and dump the video file. I always advise all of my PC users that, if they find themselves about to install ANY new software , stop and ask "Why do I need to do this? Is it really necessary or is it a scam?"