PSA/HOWTO: Avoid fake mkv torrents. Avoid getting hacked
There are some torrents showing up with a .lnk extension (ex: movie.mp3.lnk, tvshow.mkv.lnk...) and automated software (Sonarr, Radarr, Lidarr, qBittorrent RSS Downloader) could pick those torrents (but not import).
These (fake) torrents include a .lnk file that executes a script on your Windows.
HOW TO exclude from download on qBittorrent:
- Go to Options -> Downloads
- Enable "Exclude file names"
- Add patterns (one per line):
*.mp4.lnk
*.mp3.lnk
*.mkv.lnk
*.torrent.lnk
*.zipx
*.scr
Or exclude all together: *.lnk
Example on VirusTotal https://www.virustotal.com/gui/file/e74f64df6ebaf3a1b6e3f42591eb6e87d2ac2828eb5a99fd8d3d82c140137fc9/detection
ReversalHatchery @beehaw.org
thanks Microsoft for hiding extensions by default!
166 2 Reply
wizardbeard @lemmy.dbzer0.com
Yes, but also whoever set the defaults for the *arr tools. Why would any filename with extra shit past the extensions you're looking for be considered an acceptable result?
Tack $ on the end of your regex, for fuck's sake.
47 0 Reply
American_Jesus @lemm.ee OP
It's not regex
https://github.com/qbittorrent/qBittorrent/pull/17106
Examples
*.exe: filter '.exe' file extension.
readme.txt: filter exact file name.
?.txt: filter 'a.txt', 'b.txt' but not 'aa.txt'.
readme[0-9].txt: filter 'readme1.txt', 'readme2.txt' but not 'readme10.txt'
10 1 Reply
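An added example (mine, not from the thread, qBittorrent or the *arr projects) that puts the two filtering approaches discussed above side by side: the qBittorrent "Exclude file names" list from the post, matched with shell-style globs that reproduce the PR's `*`, `?` and `[0-9]` examples, and a release-name regex with and without the trailing `$` from wizardbeard's comment. Case-insensitive glob matching and the sample file list are my assumptions; the file names are constructed to look like one of the fake torrents.

```python
import fnmatch
import re

# qBittorrent "Exclude file names" list from the post, plus the catch-all *.lnk
EXCLUDE_PATTERNS = [
    "*.mp4.lnk", "*.mp3.lnk", "*.mkv.lnk", "*.torrent.lnk",
    "*.zipx", "*.scr", "*.lnk",
]


def glob_match(filename, pattern):
    """Shell-style match as in the qBittorrent PR examples:
    '*' = any run of characters, '?' = exactly one, '[0-9]' = one from the set.
    Comparing case-insensitively is an assumption (Windows-style file names)."""
    return fnmatch.fnmatchcase(filename.lower(), pattern.lower())


def is_excluded(path, patterns=EXCLUDE_PATTERNS):
    """Return the first pattern matching the file's base name, or None."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    for pattern in patterns:
        if glob_match(base, pattern):
            return pattern
    return None


def triage_torrent(files, patterns=EXCLUDE_PATTERNS):
    """Split a torrent's file list into (kept, excluded); excluded maps path -> pattern."""
    kept, excluded = [], {}
    for path in files:
        hit = is_excluded(path, patterns)
        if hit:
            excluded[path] = hit
        else:
            kept.append(path)
    return kept, excluded


# Release-name check in the spirit of the *arr complaint: without the '$' anchor
# the regex also accepts trailing junk after the real extension.
RELEASE_RE_LOOSE = re.compile(r"\.(mkv|mp4|avi)", re.IGNORECASE)
RELEASE_RE_ANCHORED = re.compile(r"\.(mkv|mp4|avi)$", re.IGNORECASE)


def accepted(filename, regex):
    """True if the release-name regex accepts this file name."""
    return regex.search(filename) is not None


if __name__ == "__main__":
    # Constructed file list resembling one of the fake torrents
    sample = [
        "Some.Show.S01E01.1080p.WEB.H264-GROUP/Some.Show.S01E01.1080p.WEB.H264-GROUP.mkv.lnk",
        "Some.Show.S01E01.1080p.WEB.H264-GROUP/RARBG.txt",
        "Some.Show.S01E01.1080p.WEB.H264-GROUP/Subs/eng.srt",
    ]
    kept, excluded = triage_torrent(sample)
    for path, pat in excluded.items():
        print(f"EXCLUDE {path}  (matched {pat})")
    for path in kept:
        print(f"keep    {path}")
    name = sample[0].rsplit("/", 1)[-1]
    print("loose regex accepts:   ", accepted(name, RELEASE_RE_LOOSE))
    print("anchored regex accepts:", accepted(name, RELEASE_RE_ANCHORED))
```

Note that the glob list only stops the download; the anchored regex is what keeps the release from being accepted by an automated grabber in the first place.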
ad_on_is @lemm.ee
Microsoft: De nada, amigo! Oh... here's an ad, btw... and... did you enable Recall already?
23 1 Reply
ReversalHatchery @beehaw.org
or rather: oh silly you were so clumsy that you disabled recall by accident again. let us be so kind to re-enable it for you
11 0 Reply
Boomkop3 @reddthat.com
Have you tried setting your region to Europe? It's not an issue here
4 0 Reply
Aatube @kbin.melroy.org
I use Arch btw
101 6 Reply
CmdrShepard42 @lemm.ee
What if it executes and installs Windows 11 on your machine!?
89 0 Reply
black0ut @pawb.social
Oh lord please have mercy! Blacklisting the file extension right now!
42 0 Reply
Trent @lemmy.ml
That would be the very worst malware. I mean both the malware that installed it and win11...
24 0 Reply
Aatube @kbin.melroy.org
ackshually the proprietary .lnk shortcut format can only be run on windows 🤓
11 3 Reply
American_Jesus @lemm.ee OP
Me too, but don't want to download GBs of malware and bandwidth
27 0 Reply
LiveLM @lemmy.zip
Weak.
Harbor disaster. Seed the malware. Spread the fruits of chaos amongst the unworthy. Be complicit in their downfall. Feed on their agony ^^ /s
19 1 Reply
catloaf @lemm.ee
.lnk files are less than 4kb
2 1 Reply
boredsquirrel @slrpnk.net
Not using Windows helps a ton :)
49 2 Reply
American_Jesus @lemm.ee OP
Sonarr will still pick the release and download GBs of malware, and if you don't notice, your download directory is filled with GBs of fake torrents
22 0 Reply
Bobby Turkalino @lemmy.yachts
Yet another reminder that piracy on Linux is the way because new files don’t have execute permissions by default
32 1 Reply
American_Jesus @lemm.ee OP
On many distros it will open with WINE by default, not a big deal, you can just delete ~/.wine if it does anything
12 0 Reply
kevincox @lemmy.ml
Wine will mount your root folder as a Windows drive by default. So if the malware is scanning all connected drives and encrypting/uploading them you still have a problem.
1 0 Reply
N0x0n @lemmy.ml
For those interested, John Hammond did a video a few months ago about the .lnk extension (and 16 other hidden extensions on Windows). He doesn't go too much or too deep into the subject, but you get a general view of how this could be exploitable.
21 0 Reply
woodgen @lemm.ee
"that executes a script on your Windows."
I don't have a Windows.
22 2 Reply
notastatist @feddit.org
Then just draw on your wall.
7 1 Reply
Kuvwert @lemm.ee
Could you just add *.lnk?
21 3 Reply
can @sh.itjust.works
That's mentioned near the bottom of the post.
11 0 Reply
Lojcs @lemm.ee
How is the link file executing malware? Can you put any shell script as the target?
5 0 Reply
LordeMostarda @lemmy.eco.br
I am pretty sure a link file can open cmd/powershell with parameters to execute commands
12 0 Reply
montar @lemmy.ml
yep! I found out browsing a hacking/spamming site and I found something too good to be true, it downloaded an archive nested inside another archive and in it was a single .lnk file leading to "the resource". Peeking inside I found powershell executing a base64 (or base32?) encoded script (it's got a commandline option for that. If you want to ask wtf, ask Microsoft, and tell me), it dl'd some exe from some site and ran it, the site was down already.
4 0 Reply
wizardbeard @lemmy.dbzer0.com
You can put the script itself as the link. Shortcut to: powershell -command "Write-Host 'Gonna pwn your shit'"
9 0 Reply
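An added triage example (mine, not from the thread) for the point made in the last few comments: the shortcut's "target" can be a script host with arguments, and those arguments are stored as plain strings inside the .lnk. The parser below reads the Shell Link header, skips the optional target ID list and link info blocks, and pulls out the StringData fields (name, relative path, working dir, arguments, icon), then runs a small set of heuristics over them. The field layout follows the published MS-SHLLINK structure as I understand it; the builder only exists to produce a constructed sample offline, and the indicator list is my own assumption, not an exhaustive rule set.

```python
import re
import struct

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} serialised little-endian
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK ShellLinkHeader)
HAS_LINK_TARGET_IDLIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Heuristics (assumed, not exhaustive): script hosts/LOLBins as target, PowerShell
# switches that hide the window or take an encoded script, download/eval primitives.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b"),
    re.compile(r"(?<!\S)-(e|ec|enc|encodedcommand|nop|noprofile|nol|nologo|w\s+hidden|windowstyle\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b"),
    re.compile(r"(frombase64string|downloadstring|downloadfile|invoke-expression|\biex\b|invoke-webrequest|\biwr\b|start-bitstransfer)"),
]


def parse_lnk(data):
    """Return the StringData fields of a Shell Link file as a dict (ExtraData is ignored)."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in STRING_FIELDS:             # each: CountCharacters + string
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                fields[key] = data[pos:pos + count].decode("cp1252", errors="replace")
                pos += count
    return fields


def suspicious_indicators(fields):
    """List the heuristic hits found in the shortcut's target/argument strings."""
    text = " ".join(fields.get(k, "") for _, k in STRING_FIELDS).lower()
    return [m.group(0) for rx in SUSPICIOUS_PATTERNS for m in rx.finditer(text)]


def build_lnk(relative_path, arguments):
    """Build a minimal .lnk (header + two StringData fields) for offline testing; constructed."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # attributes, times, size, icon, showcmd, hotkey, reserved
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body


if __name__ == "__main__":
    # Constructed sample mimicking the shortcut described in the thread (benign command)
    sample = build_lnk(
        r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "-NoProfile -w hidden -command \"Write-Host 'hello from a shortcut'\"",
    )
    info = parse_lnk(sample)
    for key, value in info.items():
        print(f"{key:14} {value}")
    print("indicators:", suspicious_indicators(info))
```

Run it on a real download with `parse_lnk(open(path, "rb").read())`; a video "file" whose shortcut target is a script host, or whose arguments carry any of the switches above, is not media and the torrent should be dropped and reported.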
LostXOR @fedia.io
Also make sure you have file extensions enabled in Explorer, it makes it waaay harder for something like this to work.
4 0 Reply
Xianshi @lemm.ee
Nice one OP. Just had Sonarr pick up one of these today named like a proper release of a trusted group. Sonarr didn't move it from qbit but better to not DL it in the first place even though it's a linux box
2 0 Reply
Nexy @lemmy.sdf.org
Nice to know! Thank you!
3 1 Reply
DoucheBagMcSwag @lemmy.dbzer0.com
Is that the malware that is undetectable because it runs purely in memory? The name is escaping me
1 0 Reply
massive_bereavement @fedia.io
Probably this will help as well at the arr end: https://forums.sonarr.tv/t/automatic-blacklist-malware/37822
1 0 Reply