Torrent and download sites offer an easy way to get just about anything, including versions of some anti-virus programs like Avira. But there is sometimes a catch: malware.
“It’s one of my favorite methods to get newly adapted malware,” said Stefan Kurtzhals, anti-malware expert in the Avira Protection Labs department. “Monitoring the Usenet for items that have ‘Avira’ in the file name is a good source of brand new malware for me, with over 95% of the files being malicious.”
“The malware writers seed the names of actual newly released warez such as tools, movies, shows with malware and then add this to popular download channels like Torrent streams, web pages, Usenet and so on – very likely using an automated process,” he explained.
Getting the right name is a critical part of the scheme. The malware writers automatically pick up the items that users are downloading most often and create fake releases with exactly the same file name. “For example ‘game.of.thrones.s0601.720p.bLaH.rar’ would be a likely candidate when the new season comes out in 2016,” Stefan added. “Any kind of popular download will be faked — games, tools, movies, shows or music – look out for Star Wars.”
Most samples are also “FUD” (fully undetectable), freshly wrapped in a new build of some obfuscation/encryption wrapper that is itself sold as a service, so that at the moment of release they slip past signature-based detection.
When it comes to downloads, size does matter, he pointed out. “Usually, the size of the archive alone is a good indicator that the file is fake and does not have the content wanted by the user. A 720p TV show rarely fits into 50 KB, or 20 MB.” In these “lite” cases the archive contains nothing but a malware executable.
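The two tells described so far, a release name copied from a popular download and an archive far too small for what that name promises, can be turned into a triage check. The following is an added example written for this page, not code from Avira or from the Protection Labs; the size thresholds, the extension lists and the sample release names are constructed assumptions chosen to illustrate the heuristic, not figures from the article.

```python
import re

# Illustrative thresholds (assumptions, not figures from the article): the smallest
# archive that could plausibly hold a video release at each resolution, and a generic
# floor below which any "release" is suspicious.
MIN_VIDEO_BYTES = {
    "480p": 150 * 1024 * 1024,
    "720p": 400 * 1024 * 1024,
    "1080p": 800 * 1024 * 1024,
    "2160p": 2 * 1024 * 1024 * 1024,
}
TINY_ARCHIVE_BYTES = 1024 * 1024

VIDEO_EXT = {".mkv", ".mp4", ".avi", ".m4v", ".ts", ".wmv"}
# Extensions Windows will execute, or that commonly carry droppers (illustrative list).
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".jse",
            ".wsf", ".hta", ".lnk", ".pif", ".msi", ".ps1"}

RES_RE = re.compile(r"\b(480p|720p|1080p|2160p)\b")
TV_RE = re.compile(r"\bs\d{2}(?:e\d{2}|\d{2})\b")   # matches s06e01 as well as s0601


def ext_of(path):
    """Lower-cased final extension of a path, or '' when there is none."""
    base = path.lower().rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:] if dot > 0 else ""


def assess_release(name, size_bytes, members):
    """Heuristically triage a download before running anything from it.

    name       -- the release/archive file name as advertised
    size_bytes -- total size of the archive
    members    -- file names listed inside the archive (may be empty if unknown)
    Returns a list of reasons the release looks fake; [] means no heuristic fired.
    """
    flags = []
    lower = name.lower()
    res = RES_RE.search(lower)
    claims_video = bool(res or TV_RE.search(lower))

    # 1. Size sanity: a 720p episode does not fit in 50 KB.
    floor = MIN_VIDEO_BYTES[res.group(1)] if res else TINY_ARCHIVE_BYTES
    if size_bytes < floor:
        label = f"{res.group(1)} video" if res else "any real release"
        flags.append(f"archive is {size_bytes} bytes, below the {floor} bytes plausible for {label}")

    # 2. Content sanity: executables, especially ones hiding behind a media double extension.
    for m in members:
        ext = ext_of(m)
        if ext in EXEC_EXT:
            inner = ext_of(m[: -len(ext)])
            disguise = f" (double extension, poses as {inner})" if inner in VIDEO_EXT else ""
            flags.append(f"executable inside archive: {m}{disguise}")

    # 3. A release named like a video should actually contain one.
    if claims_video and members and not any(ext_of(m) in VIDEO_EXT for m in members):
        flags.append("named like a video release but contains no media file")

    return flags


if __name__ == "__main__":
    # Constructed sample: the article's example name, a 50 KB archive, one disguised executable.
    for reason in assess_release("game.of.thrones.s0601.720p.bLaH.rar", 50 * 1024,
                                 ["game.of.thrones.s0601.720p.mkv.exe"]):
        print("suspicious:", reason)
```

This is a filter for the “lite” case only: it catches the tiny archive and the lone executable, and it deliberately reports executables in a tool or keygen release as well, since those are exactly the files the article says are most often malicious. A real program that has been trojanized has the right size and the right file types and passes every one of these checks.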
For more advanced campaigns, though, file size is no longer a reliable signal. The hopeful downloader really does receive the program or game they wanted, but it has been modified: the trojanized file launches the malware alongside the legitimate program. “It is pretty much state-of-the-art to use in-memory droppers now, so the malware executable does not have to be saved on the hard disc but can be injected into some already active process to avoid attention,” he said.
Paradoxically, antivirus warnings often work to the malware writers’ benefit. “Downloaders often see false positives on cracks/keygens and they will tend to ignore the detection alerts and disable the anti-malware protection to be able to run the cracked software,” added Stefan. “Malware writers are very much aware of this user behavior – it is one of the reasons why they choose this malware distribution method.”
Just remember: when downloading, take care that you don’t get more than you really wanted. And yes, consider getting your programs from a clean source such as https://www.avira.com/en/avira-safeapps.