Security Incident (Updated 9/14)

This morning on 9/13/2011 at approximately 4:20 a.m. Pacific Daylight Time (UTC -7), the uTorrent.com and BitTorrent.com Web servers were compromised. Our standard Windows software download was replaced with a type of fake antivirus “scareware” program. (UPDATE: See below for removal instructions.)

Just after 6:00 a.m. Pacific time, we took the affected servers offline to neutralize the threat. Our servers are now back online and functioning normally.

We have completed preliminary testing of the malware. Upon installation, a program called ‘Security Shield” launches and pops up warnings that a virus has been detected. It then prompts a user for payment to remove the virus. We recommend anyone who downloaded software between 4:20 a.m. and 6:10 a.m. Pacific time run a security scan of their computer.

We take the security of our systems and the safety of our users very seriously. We sincerely apologize to any users who were affected.

Clarification: This only affects users who downloaded software specifically from utorrent.com or bittorrent.com between the hours above this morning. Users who previously downloaded our software are not affected.

Update #2: After further analysis, we don’t believe BitTorrent.com or the BitTorrent Mainline/Chrysalis clients were part of the incident.

Update #3: File Removal Instructions

This particular piece of malware renames itself as a different .exe file every time it installs on a new machine. Therefore, first you need to determine the file name. To do this, visit the following File Directory on your Windows hard drive:

Windows XP: Click Start, click Run, and then type in “%USERPROFILE%Local SettingsApplication Data” without the quotes. The file will be called [random].exe
Windows Vista and Windows 7: Click Start, in the search box type in “%localappdata%” without the quotes. The file will be called [random].exe.

To delete the file, first you need to make sure to kill the application first:
– Open your Task Manager (Control-Alt-Delete), select the [random].exe (the name you found in the file directory). Click “End Process” and select “Yes.”

– Next: select the file name (or right-click on the name) and hit Delete.

– Empty your trash.

Written by: BitTorrent

BitTorrent is a company of over 100 people, based in downtown San Francisco. We’re passionate about building a better, smarter Internet through distributed computing.

62 Responses to “Security Incident (Updated 9/14)”

    • the-me

      well, but then users would have to check the signature. and if more than 0.001% of all utorrent users do that, I’d be really surprised … . of course you’re right, signing would be the first step 🙂

      Reply
  1. tricky micky

    I got owned by this. Spybot search and destroy didn’t find it. Need to reboot in safe mode and delete the *.exe hiding in the usersyouappdata folder.

    Reply
  2. Matt Fuerst

    You realize you posted this story, with times, and no actual date?

    I assume by the URL path that we’re talking about this incident happening on Sept 13, 2011? But come on!

    Reply
  3. Stephen

    Are you 100% sure this was the only time? I’ve had utorrent for a while and I had this same Security Shield malware hit me more then once.

    Reply
  4. Someone

    They should burn the people that do these things, you know? Stab them violently until they scream!

    Reply
  5. priscilla

    Ya this compromised my computer alright I can’t even load my control panel to erase shit all! Thanks for paying for virus protection, everything is a scam now days

    Reply
  6. SIT

    Why do we still need email adresses in webforms. It’s so 2005.

    Why isn’t it clear in the article whether OSX is compromised as well.

    Reply
  7. Bernie

    Yeah this got into my system 4 times yesterday , each time i installed utorrent ! hehehe Was easy to fix, just booted into safe mode and restored my computer to a earlier time and ran a virus scan ! No Biggy ! Them dang hackers ! ehhehee

    Reply
  8. curious

    was researching ledbat and noticed this news.

    so what httpd do you guys use on the download site?

    nginx?

    publicfile? not.

    how experienced are your admins with unix?

    others could learn from the mistakes made.

    seems many, many www admins are making the same old mistakes as we continue to see www servers get compromised.

    anyway sorry to hear about this.

    Reply
  9. Fakeer

    uTorrent automatically connects and updates. Any such suto updates during those hours might have anything to do with that? I didn’t install though it has been running for last 16 days. Besides I didn’t fins that file.

    Reply
    • BitTorrent

      No, auto-updates weren’t affected. As it turns out, that server was offline at that moment. Had it been on, there are measures in place that would have ensured your client would have rejected the new build as an update. Thanks for asking – good question.

      Reply
  10. Mike

    People that bundle these fake virus programs into software downloads just to scare you into typing in your credit card info so they can steal your money are nothing less than cyber terrorists! Why doesn’t the government form a special task force to track and prosecute these people? You know they have the resources to do anything they want. But no, they are too busy worrying about who illegally downloaded a music album or movie without paying for it yet. News flash, these people aren’t hurting anybody, these other jerks are harming innocent peoples computers.

    If it were up to me I’d string them all up in a crowded parking lot somewhere with signs tattooed across their chests and backs saying “I hack computers with fake antivirus software and steal credit card into. And just let the people throw rocks at them all day, then I’d tie their legs to the back of bus and drive them down the highway at 80 miles and hour until there is nothing left but a bloody rope! That’s what these criminals deserve!

    Reply
    • Blxr

      Actually, the Stuxnet virus is a sign of cyber-terrorism. It can mess up PLCs and that can lead to physical damage in the real world. But I see what you’re saying 😉

      Reply
  11. Keith

    I have 2 issues. First, I haven’t gotten my validation email for the forums, although I’ve checked my inbox and spam inbox, and I’ve resent the validation email. And secondly, I just downloaded BitTorrent for Mac, and when I open a torrent that has multiple files, it just automatically starts to download the entire torrent, instead of allowing me to select the files that I want from the torrent.

    Reply
  12. fuad

    It happens, Nothing to worry.. if we would have not fall in trouble then this process of learning may stop.. these problems may help us in learning more and more.. 🙂

    Reply
  13. John

    Interesting, this site came up when I searched for “how to get rid of scareware” not what I’d expect, but your solutions worked, so it’s all good.

    Reply
  14. top free programs

    When removing viruses you should also search for the virus file name in windows search with “view hidden files” check to see if there are any hidden files that will reinstall when you restart your computer.

    Reply
  15. brunno

    someone there can help me?
    I’m using bittorrent as a download manager, and I want that when a
    download is complete, automatically move to the next download, until you finish the download list I put in bittorrent.

    I appreciate it now.

    Reply
  16. smile kenya

    People that bundle these fake virus programs into software downloads just to scare you into typing in your credit card info so they can steal your money are nothing less than cyber terrorists! Why doesn’t the government form a special task force to track and prosecute these people? You know they have the resources to do anything they want. But no, they are too busy worrying about who illegally downloaded a music album or movie without paying for it yet. News flash, these people aren’t hurting anybody, these other jerks are harming innocent peoples computers.

    Reply

Leave a Reply

  • (will not be published)

Trackbacks and Pingbacks:

  1. Bittorrent.com’s software download hacked to serve malware | Torrents & File Sharing News

    […] standard software downloads with a piece of fake antivirus software known as Security Shield, an advisory warned. Anyone who downloaded and installed software from those sites between 4:20 a.m. California […]

  2. uTorrent, possibly BitTorrent Web sites hacked - TechJohnson - TechJohnson

    […] The owner of the Web sites and the torrent clients hosted there, BitTorrent, Inc., reported in a blog post that the breach occurred around 4:20 a.m Pacific Standard […]

  3. TECHNOLOGY GADGETS - uTorrent, possibly BitTorrent Web sites hacked

    […] affected. The owners of a Web sites and a swell clients hosted there, BitTorrent, Inc., reported in a blog post that a crack occurred around 4:20 a.m Pacific Standard […]

  4. ste williams » Bittorrent.com’s software download hacked to serve malware

    […] standard software downloads with a piece of fake antivirus software known as Security Shield, an advisory warned. Anyone who downloaded and installed software from those sites between 4:20 a.m. California […]

  5. uTorrent, possibly BitTorrent Web sites hacked » 99dzh

    […] The owner of the Web sites and the torrent clients hosted there, BitTorrent, Inc., reported in a blog post that the breach occurred around 4:20 a.m Pacific Standard […]

  6. uTorrent, possibly BitTorrent Web sites hacked

    […] affected. The owners of a Web sites and a swell clients hosted there, BitTorrent, Inc., reported in a blog post that a crack occurred around 4:20 a.m Pacific Standard […]

  7. uTorrent, possibly BitTorrent Web sites hacked | Torrents & File Sharing News

    […] was affected. BitTorrent, the owner of the Web sites and the torrent clients hosted there, reported in a blog post that the breach occurred around 4:20 a.m […]

  8. Reemplazan uTorrent por malware en utorrent.com | MundoPC.NET

    […] sobre esta noticia: http://www.hispas…aaldia/4708/comentarMás información:Security Incident http://blog.bitto…3/security-incident/Juan José Ruiz jruiz[jruiz arroba hispasec.com]Sergio de los Santos ssantos[ssantos arroba […]

  9. Hackeo de BitTorrent y uTorrent afecta a 28.000 usuarios. | @DosDigitos

    […] Blog de BitTorrent […]

  10. µTorrent Confirms: We Were Hacked | Skuggen.com

    […] who tried to download the program were tricked into downloading fake antivirus software. Via a message on their website µTorrent confirms, that during Tuesday afternoon, they were exposed to a hacker attack. This […]

  11. uTorrent.com violato: a rischio gli installer per Windows - The Silicon Jey

    […] maggiori informazioni riguardo l’attacco sul blog di BitTorrent. Tags: fake antivirus, scareware, torrent, utorrent hacked, utorrent installer […]

  12. P2PTalk » uTorrent Website Attacked by Malware

    […] the site: We have completed preliminary testing of the malware. Upon installation, a program called […]

  13. uTorrent.com hacked, serving scareware

    […] to a blog post explaining a incident: This morning on 9/13/2011 during approximately 4:20 a.m. Pacific Daylight Time (UTC -7), a […]

  14. Официалният сайт на uTorrent е предлагал за изтегляне фалшив антивирус | ПЕТРИЧКИ НОВИНИ | ПЕТРИЧ NEWS

    […] линковете за изтегляне на торент-клиента, съобщава Bittorrent Blog. В резултат на това, при опит за изтегляне вместо uTorrent, […]

  15. lubuklinggau.org » Blog Archive » Bittorrent.com’s software download hacked to serve malware

    […] customary program downloads with a square of feign antivirus program famous as Security Shield, an advisory warned. Anyone who downloaded and commissioned program from those sites between 4:20 a.m. […]

  16. Bittorrent.com’s software download hacked to serve malware

    […] standard software downloads with a piece of fake antivirus software known as Security Shield, an advisory warned. Anyone who downloaded and installed software from those sites between 4:20 a.m. California […]

  17. Los hackers andan sueltos, ahora hackean los servidores de uTorrent y BitTorrent | Web Site de Prueba

    […] The Register, BitTorrent blog Esta entrada fue publicada en Noticias. Guarda el enlace permanente. ← Se encuentra […]