It is also worth noting that during its research, Sophos found a. Specifically (because the malware appears mainly in fake downloads for pirated computer games) the hacker could be working within the computer games industry, perhaps for a game studio that has suffered at the hands of pirates.
This implies that the hacker may be working on behalf of copyright holders who feel they have been wronged by torrent and piracy sites. This stands in direct contradiction with the will of the majority of cybercriminals – who are generally in favor of piracy.
On the surface, the vigilante malware seems most likely to have been disseminated by a hacker whose primary motivation is to support copyright holders and content publishers whose work is being pirated and shared for free on Torrent websites. However, the exploit (which is described as being "oddball" by its discoverer) certainly raises an eyebrow. Who's behind the malware?įor the time being it is unclear who is behind this malware. Non-persistence aside, we do highly recommend that you use an top antivirus program to ensure that you do not become infected with this kind of malware in the future and to ensure that you can properly detect and remove it from your system if you have been victimized.
For more information on cleaning up your HOSTS file or returning it to its default state visit this Windows blog on the subject for more information. What's more, the virus has no persistence mechanisms, so once you have updated the HOSTS file (as long as you do not run the executable again) you will no longer have any issues. Users who have inadvertently run one of these files can clean up their HOSTS file manually, by running a copy of Notepad elevated (as administrator), and modifying the file at c:\Windows\System32\Drivers\etc\hosts to remove all the lines that begin with '127.0.0.1' and reference the various ThePirateBay (and other) sites. Anybody who has become infected can manually access their HOSTS file to either return it to its default state or to manually clean up any entries that have been set up to point to 127.0.0.1.
As a result, the computer is blocked from accessing the genuine IP addresses for piracy and torrenting services.įortunately, undoing the negative effect of this malware is relatively straightforward. When infected by the anti-piracy malware, popular hostnames for piracy websites like the Pirate Bay are altered within the HOSTS file to purposefully point to the IP address 127.0.0.1. The HOSTS file is an operating system resource that maps human-friendly hostnames contained within URLs (for example) to the numerical value used in routing to identify and locate a host in an IP network.
That said, anybody who has been infected will also need to manually update the HOSTS file on their operating system to regain access to the blocked torrent and piracy sites.
Other popular antivirus programs should also be able to successfully detect, block, and remove the exploit because it can be discovered using its "unique runtime packer, which is the same as used by an unrelated malware family, Qbot," Sophos said.
It is designed to prevent "people from visiting software piracy websites (if only temporarily)".Īnybody infected with "vigilante" malware can remove it using Sophos antivirus according to the company. Lead researcher at Sophos, Andrew Brandt, stated that the primary purpose of the malware is "pretty clear". Instead of seeking to steal passwords or to extort a computer's owner for ransom, this malware blocks infected users' computers from being able to visit a large number of websites dedicated to software piracy by modifying the HOSTS file on the infected system.Īccording to Sophos, the irritating payload has been making its way onto people's machines via fake downloads for pirated versions of "popular games, productivity tools, and even security products". In their blog post on the subject, researchers at Sophos note that the unconventional malware departs from accepted norms for exploit behavior: Once infected, the exploit prevents the user from visiting over a thousand websites relating to torrenting and piracy.Īccording to the security firm, the vigilante-style malware is relatively non-complex and can be fixed pretty easily to recover access to the torrent and privacy-related websites it blocks. The anti-piracy malware was uncovered during research performed by the cybersecurity company Sophos.