https://arstechnica.com/gadgets/2021/06/newly-discovered-vigilante-malware-outs-software-pirates-and-blocks-them/

VIGILANTE -- Newly discovered Vigilante malware outs software pirates and blocks them

Most malware tries to steal stuff. Vigilante, by contrast, takes aim at piracy.

Dan Goodin - Jun 17, 2021 9:01 pm UTC

[Image: a warning sign on a grid-style metal fence. Getty Images]

A researcher has uncovered one of the more unusual finds in the annals of malware: booby-trapped files that rat out downloaders and try to prevent unauthorized downloading in the future. The files are available on sites frequented by software pirates.

Vigilante, as SophosLabs Principal Researcher Andrew Brandt is calling the malware, gets installed when victims download and execute what they think is pirated software or games. Behind the scenes, the malware reports the file name that was executed to an attacker-controlled server, along with the IP address of the victims' computers. As a finishing touch, Vigilante tries to modify the victims' computers so they can no longer access thepiratebay.com and as many as 1,000 other pirate sites.
Not your typical malware

"It's really unusual to see something like this because there's normally just one motive behind most malware: stealing stuff," Brandt wrote on Twitter. "Whether that's passwords, or keystrokes, or cookies, or intellectual property, or access, or even CPU cycles to mine cryptocurrency, theft is the motive. But not in this case. These samples really only did a few things, none of which fit the typical motive for malware criminals."

Embedded tweet: "But not in this case. These samples really only did a few things, none of which fit the typical motive for malware criminals. For one thing, they modify the HOSTS file on the PC to add entries. A lot of entries. They had a common theme. pic.twitter.com/O1Z2fSXZ1n" -- Accountability Brandt (@threatresearch) June 17, 2021

Once victims have executed the trojanized file, the file name and IP address are sent in the form of an HTTP GET request to the attacker-controlled 1flchier[.]com, which can easily be confused with the cloud-storage provider 1fichier (the former is spelled with an L as the third character in the name instead of an I). The malware in the files is largely identical except for the file names it generates in the web requests.

[Image: file names generated by the malware samples] [Image: the user-agent string in the request to 1flchier[.]com]

Vigilante goes on to update a file on the infected computer that prevents it from connecting to The Pirate Bay and other Internet destinations known to be used by people trading pirated software. Specifically, the malware updates Hosts, a file that pairs one or more domain addresses to distinct IP addresses. As the image below shows, the malware pairs thepiratebay.com to 127.0.0.1, a special-purpose IP address, often called the localhost or loopback address, that computers use to identify their real IP address to other systems.

[Image: the modified Hosts file, with pirate-site domains mapped to 127.0.0.1. Sophos]

By mapping the domains to the local host, the malware ensures that the computer can no longer access the sites.
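The beacon described above goes to a domain one character away from a legitimate cloud-storage provider. As an added example (not Sophos code and not from the article), the script below scans constructed web-proxy log lines and flags destinations whose host is a near-miss of a known-good domain, which is the kind of check a defender can run over egress logs to surface typosquatted command-and-control names. The KNOWN_GOOD list, the log format, the sample lines and the distance threshold are all assumptions made for the example.

```python
"""Spot outbound requests to lookalike domains in web-proxy logs.

Added example (not Sophos code): the article notes that Vigilante beacons to
1flchier[.]com, a name one character away from the cloud-storage provider
1fichier. This compares every destination host against a short list of
legitimate domains and flags near-misses. KNOWN_GOOD, the log format and the
sample lines are all constructed for the example.
"""
import re

# Constructed allow-list of legitimate domains to compare against.
KNOWN_GOOD = ["1fichier.com", "mega.nz", "mediafire.com"]

# Constructed proxy log: client_ip method url user_agent.
# The second line uses the defanged form from the article; a real proxy log
# would carry the plain domain, which domain_of() handles identically.
SAMPLE_LOG = """\
10.0.0.5 GET http://1fichier.com/?abcd123 Mozilla/5.0
10.0.0.7 GET http://1flchier[.]com/?name=Example_Game_Crack.exe CustomUA/1.0
10.0.0.9 GET http://example.org/index.html Mozilla/5.0
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def domain_of(url: str) -> str:
    """Extract the host from a URL, undoing [.] defanging if present."""
    m = re.match(r"https?://([^/?#:]+)", url)
    if not m:
        return ""
    return m.group(1).replace("[.]", ".").lower()


def closest_known(domain: str, max_dist: int = 2):
    """Return (legit_domain, distance) if domain is a near-miss of one, else None.

    Exact matches (distance 0) are legitimate traffic and are not returned.
    """
    best = None
    for good in KNOWN_GOOD:
        d = edit_distance(domain, good)
        if 0 < d <= max_dist and (best is None or d < best[1]):
            best = (good, d)
    return best


def find_lookalikes(log_text: str) -> list:
    """Parse log lines and return one dict per request to a lookalike domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, _method, url = parts[0], parts[1], parts[2]
        domain = domain_of(url)
        match = closest_known(domain)
        if match:
            hits.append({"client": client, "domain": domain,
                         "mimics": match[0], "distance": match[1], "url": url})
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['domain']} looks like {hit['mimics']} "
              f"(distance {hit['distance']}): {hit['url']}")
```

A threshold of 2 keeps false positives manageable for short names; for longer brand names a ratio of distance to length works better, and the allow-list should be your organisation's actual sanctioned services rather than the three constructed here.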
The only way to reverse the blocking is to edit the Hosts file to remove the entries.

Brandt found some of the trojans lurking in software packages available on a Discord-hosted chat service. He found others masquerading as popular games, productivity tools, and security products available through BitTorrent.

There are other oddities. Many of the trojanized executables are digitally signed using a fake code signing tool. The signatures contain a string of randomly generated 18-character uppercase and lowercase letters. The certificate validity began on the day the files became available and is set to expire in 2039. Additionally, the properties sheets of the executables don't align with the file name. When viewed through a hex editor, the executables also contain a racial epithet that's repeated more than 1,000 times followed by a large, randomly sized block of alphabetical characters.

"Padding out the archive with purposeless files of random length may simply be done to modify the archive's hash value," Brandt wrote. "Padding it out with racist slurs told me all I needed to know about its creator."

Vigilante has no persistence method, meaning it has no way to remain installed. That means people who have been infected need only to edit their Hosts file to be disinfected. SophosLabs provides indicators of compromise here.

Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. Email dan.goodin@arstechnica.com // Twitter @dangoodin001
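The article's description of the Hosts modification and of the remediation (remove the added lines) can be turned into a small audit tool. The following is an added example, not Sophos tooling and not from the article: it parses hosts-file text, flags loopback entries for names that do not normally resolve to loopback, and rebuilds the file without them. SAMPLE_HOSTS, the LEGIT_LOOPBACK_NAMES baseline and the internal record in it are constructed for the example; thepiratebay.com is the one domain the article names.

```python
"""Audit a hosts file for bulk loopback entries and produce a cleaned copy.

Added example, not Sophos tooling. The article describes Vigilante mapping
thepiratebay.com and up to about 1,000 other names to 127.0.0.1 in the Hosts
file, and says removing those lines is the remediation. This parses hosts-file
text, flags loopback entries for names that do not normally resolve to
loopback, and rebuilds the file without them. SAMPLE_HOSTS is constructed.
"""

# Addresses commonly used to sinkhole names locally.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Names that legitimately map to loopback on common systems (assumption:
# adjust to your own baseline).
LEGIT_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

# Constructed hosts content: two normal lines, one internal record, then the
# kind of block the article describes.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
::1             localhost
192.168.1.20    fileserver.corp.example   # internal entry
127.0.0.1 thepiratebay.com
127.0.0.1 www.thepiratebay.com
127.0.0.1 torrent-site.example
"""


def parse_hosts(text: str) -> list:
    """Return (line_no, ip, [names], raw_line) for each non-comment entry."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        entries.append((n, parts[0], parts[1:], raw))
    return entries


def suspicious_entries(text: str) -> list:
    """Loopback entries whose names are not in the legitimate baseline."""
    out = []
    for entry in parse_hosts(text):
        _n, ip, names, _raw = entry
        if ip in LOOPBACK and any(nm.lower() not in LEGIT_LOOPBACK_NAMES
                                  for nm in names):
            out.append(entry)
    return out


def cleaned_hosts(text: str) -> str:
    """Rebuild the hosts text with the suspicious lines removed."""
    drop = {e[0] for e in suspicious_entries(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in drop]
    return "\n".join(kept) + "\n"


def summary(text: str) -> dict:
    """Counts useful for a detection rule: how many names were sinkholed."""
    bad = suspicious_entries(text)
    return {"suspicious_lines": len(bad),
            "sinkholed_names": sorted(nm for e in bad for nm in e[2])}


if __name__ == "__main__":
    print(summary(SAMPLE_HOSTS))
    print(cleaned_hosts(SAMPLE_HOSTS))
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts and needs an elevated editor to change; a sudden jump in the number of loopback entries, or a file-modification event on that path from an unexpected process, is the signal to alert on. Note that ad-blocking hosts lists also map many names to 0.0.0.0 or 127.0.0.1, so compare against a known baseline rather than treating every flagged line as malicious.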