Security Incident (Updated 9/14)

This morning on 9/13/2011 at approximately 4:20 a.m. Pacific Daylight Time (UTC -7), the uTorrent.com and BitTorrent.com Web servers were compromised. Our standard Windows software download was replaced with a type of fake antivirus “scareware” program. (UPDATE: See below for removal instructions.)

Just after 6:00 a.m. Pacific time, we took the affected servers offline to neutralize the threat. Our servers are now back online and functioning normally.

We have completed preliminary testing of the malware. Upon installation, a program called ‘Security Shield” launches and pops up warnings that a virus has been detected. It then prompts a user for payment to remove the virus. We recommend anyone who downloaded software between 4:20 a.m. and 6:10 a.m. Pacific time run a security scan of their computer.

We take the security of our systems and the safety of our users very seriously. We sincerely apologize to any users who were affected.

Clarification: This only affects users who downloaded software specifically from utorrent.com or bittorrent.com between the hours above this morning. Users who previously downloaded our software are not affected.

Update #2: After further analysis, we don’t believe BitTorrent.com or the BitTorrent Mainline/Chrysalis clients were part of the incident.

Update #3: File Removal Instructions

This particular piece of malware renames itself as a different .exe file every time it installs on a new machine. Therefore, first you need to determine the file name. To do this, visit the following File Directory on your Windows hard drive:

Windows XP: Click Start, click Run, and then type in “%USERPROFILE%Local SettingsApplication Data” without the quotes. The file will be called [random].exe
Windows Vista and Windows 7: Click Start, in the search box type in “%localappdata%” without the quotes. The file will be called [random].exe.

To delete the file, first you need to make sure to kill the application first:
- Open your Task Manager (Control-Alt-Delete), select the [random].exe (the name you found in the file directory). Click “End Process” and select “Yes.”

- Next: select the file name (or right-click on the name) and hit Delete.

- Empty your trash.

Written by: BitTorrent

BitTorrent is a company of over 100 people, based in downtown San Francisco. We’re passionate about building a better, smarter Internet through distributed computing.

  • geepee

    A good reason to start signing software downloads with gpg

    • the-me

      well, but then users would have to check the signature. and if more than 0.001% of all utorrent users do that, I’d be really surprised … . of course you’re right, signing would be the first step :)

  • Pingback: Bittorrent.com’s software download hacked to serve malware | Torrents & File Sharing News

  • cody

    How many times was ‘Security Shield’ downloaded between the mentioned hours?

    • http://port6969.wordpress.com BitTorrent

      About 28,000 users were affected.

  • Pingback: uTorrent, possibly BitTorrent Web sites hacked - TechJohnson - TechJohnson

  • Pingback: TECHNOLOGY GADGETS - uTorrent, possibly BitTorrent Web sites hacked

  • Pingback: ste williams » Bittorrent.com’s software download hacked to serve malware

  • Pingback: uTorrent, possibly BitTorrent Web sites hacked » 99dzh

  • Pingback: uTorrent, possibly BitTorrent Web sites hacked

  • Pingback: uTorrent, possibly BitTorrent Web sites hacked | Torrents & File Sharing News

  • Steven

    I’ll assume the malware did not have the digital signature of Bittorrent Inc?

  • tricky micky

    I got owned by this. Spybot search and destroy didn’t find it. Need to reboot in safe mode and delete the *.exe hiding in the usersyouappdata folder.

  • Matt Fuerst

    You realize you posted this story, with times, and no actual date?

    I assume by the URL path that we’re talking about this incident happening on Sept 13, 2011? But come on!

  • fqa

    how many downloads were there during that window.

  • Stephen

    Are you 100% sure this was the only time? I’ve had utorrent for a while and I had this same Security Shield malware hit me more then once.

    • http://port6969.wordpress.com BitTorrent

      Yes, we’ve never had this kind of attack before. It’s unlikely its the first time the hackers used this piece of malware though.

  • Someone

    They should burn the people that do these things, you know? Stab them violently until they scream!

    • lql

      What a WISE Comment NOT! ;)

  • Jon

    Many software projects sign their projects with GPG keys for this reason.

  • Joe Chan

    How about the OS X version of µTorrent? Was it compromised as well?

    • http://port6969.wordpress.com BitTorrent

      No, Windows only – if downloaded between those two hours. Thanks!

  • priscilla

    Ya this compromised my computer alright I can’t even load my control panel to erase shit all! Thanks for paying for virus protection, everything is a scam now days

  • Pingback: Reemplazan uTorrent por malware en utorrent.com | MundoPC.NET

  • SIT

    Why do we still need email adresses in webforms. It’s so 2005.

    Why isn’t it clear in the article whether OSX is compromised as well.

    • http://port6969.wordpress.com BitTorrent

      OSX was not affected, only Windows. Thank you.

  • Pingback: Hackeo de BitTorrent y uTorrent afecta a 28.000 usuarios. | @DosDigitos

  • Pingback: µTorrent Confirms: We Were Hacked | Skuggen.com

  • Bernie

    Yeah this got into my system 4 times yesterday , each time i installed utorrent ! hehehe Was easy to fix, just booted into safe mode and restored my computer to a earlier time and ran a virus scan ! No Biggy ! Them dang hackers ! ehhehee

  • curious

    was researching ledbat and noticed this news.

    so what httpd do you guys use on the download site?

    nginx?

    publicfile? not.

    how experienced are your admins with unix?

    others could learn from the mistakes made.

    seems many, many www admins are making the same old mistakes as we continue to see www servers get compromised.

    anyway sorry to hear about this.

  • osewaninaru

    Were the automatic updates also affected?

    • http://port6969.wordpress.com BitTorrent

      No, auto updates weren’t affected. See reply above for more detail :)

  • Fakeer

    uTorrent automatically connects and updates. Any such suto updates during those hours might have anything to do with that? I didn’t install though it has been running for last 16 days. Besides I didn’t fins that file.

    • http://port6969.wordpress.com BitTorrent

      No, auto-updates weren’t affected. As it turns out, that server was offline at that moment. Had it been on, there are measures in place that would have ensured your client would have rejected the new build as an update. Thanks for asking – good question.

  • Pingback: uTorrent.com violato: a rischio gli installer per Windows - The Silicon Jey

  • Mike

    People that bundle these fake virus programs into software downloads just to scare you into typing in your credit card info so they can steal your money are nothing less than cyber terrorists! Why doesn’t the government form a special task force to track and prosecute these people? You know they have the resources to do anything they want. But no, they are too busy worrying about who illegally downloaded a music album or movie without paying for it yet. News flash, these people aren’t hurting anybody, these other jerks are harming innocent peoples computers.

    If it were up to me I’d string them all up in a crowded parking lot somewhere with signs tattooed across their chests and backs saying “I hack computers with fake antivirus software and steal credit card into. And just let the people throw rocks at them all day, then I’d tie their legs to the back of bus and drive them down the highway at 80 miles and hour until there is nothing left but a bloody rope! That’s what these criminals deserve!

    • Blxr

      Actually, the Stuxnet virus is a sign of cyber-terrorism. It can mess up PLCs and that can lead to physical damage in the real world. But I see what you’re saying ;)

  • Pingback: P2PTalk » uTorrent Website Attacked by Malware

  • guru

    Not able to download from any of the bandwidth servers, it says HTTP 404 error

  • http://bittorrent.com virender singh

    it is a very good software our pc it provides more security more than other softwares.

  • Anonymous

    Will you care to explain the details of the hack ?

  • Pingback: uTorrent.com hacked, serving scareware

  • Keith

    I have 2 issues. First, I haven’t gotten my validation email for the forums, although I’ve checked my inbox and spam inbox, and I’ve resent the validation email. And secondly, I just downloaded BitTorrent for Mac, and when I open a torrent that has multiple files, it just automatically starts to download the entire torrent, instead of allowing me to select the files that I want from the torrent.

  • Pingback: Официалният сайт на uTorrent е предлагал за изтегляне фалшив антивирус | ПЕТРИЧКИ НОВИНИ | ПЕТРИЧ NEWS

  • http://theronatwork.blogspot.com Theron G

    if you build it, they will come…..

  • http://theronatwork.blogspot.com Theron G

    Luke, I am your father

  • http://www.vuzs.net fuad

    It happens, Nothing to worry.. if we would have not fall in trouble then this process of learning may stop.. these problems may help us in learning more and more.. :)

  • http://www.protips.info sonu

    i just helped a friend in removing this Security Shield fake antivirus.

  • http://www.4helpforum.com James Schudel

    I know someone who was affected by this.

  • Pingback: lubuklinggau.org » Blog Archive » Bittorrent.com’s software download hacked to serve malware

  • Pingback: Bittorrent.com’s software download hacked to serve malware

  • http://getridofsmell.net/ John

    Interesting, this site came up when I searched for “how to get rid of scareware” not what I’d expect, but your solutions worked, so it’s all good.

  • http://www.topfreeprograms.com top free programs

    When removing viruses you should also search for the virus file name in windows search with “view hidden files” check to see if there are any hidden files that will reinstall when you restart your computer.

  • http://www.necesitodinerourgente.net/ luis| dinero urgente

    Do you have any idea of whom could posibly did that?

  • brunno

    someone there can help me?
    I’m using bittorrent as a download manager, and I want that when a
    download is complete, automatically move to the next download, until you finish the download list I put in bittorrent.

    I appreciate it now.

  • http://mehrdadhakimian.com mehrdad hakimian

    Thanks guys for letting me know about this.

  • http://www.workwithjackbarnum.com jack the inspirational story guy

    thanks for the warning.

  • http://www.omsecurity.co.uk/ security guards london

    I had the same problem, Spybot Search and Destroy didnt pick it up considering its one of the top malware softwares.

  • http://smilekenya.com smile kenya

    People that bundle these fake virus programs into software downloads just to scare you into typing in your credit card info so they can steal your money are nothing less than cyber terrorists! Why doesn’t the government form a special task force to track and prosecute these people? You know they have the resources to do anything they want. But no, they are too busy worrying about who illegally downloaded a music album or movie without paying for it yet. News flash, these people aren’t hurting anybody, these other jerks are harming innocent peoples computers.

  • http://torrentfiles.us torrent search

    How about the OS X version of µTorrent? Was it compromised as well?

  • Pingback: Los hackers andan sueltos, ahora hackean los servidores de uTorrent y BitTorrent | Web Site de Prueba

  • Brian

    Thank you for the help, I followed your File Removal Instructions with Windows 7, and it worked fine.
    Security Guards London