this post was submitted on 28 Sep 2024
112 points (99.1% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54015 readers
892 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others

Loot, Pillage, & Plunder

💰 Please help cover server costs.

Ko-FiLiberapay

founded 1 year ago
MODERATORS
db0@lemmy.dbzer0.com
sunbrothersco@lemmy.dbzer0.com
dataprolet@lemmy.dbzer0.com
Flatworm7591@lemmy.dbzer0.com
RandomLegend@lemmy.dbzer0.com
112
PSA/HOWTO: Avoid fake mkv torrents. Avoid getting hacked (lemm.ee)
submitted 9 hours ago by American_Jesus@lemm.ee to c/piracy@lemmy.dbzer0.com
31 comments fedilink hide all child comments
 

There are some torrrents showing up with .lnkextension (ex: movie.mp3.lnk, tvshow.mkv.lnk...) and automated software (Sonarr, Radarr, Lidarr, qBittorrent RSS Downloader) could pick those torrents (but not import).

These (fake) torrents include a .lnk file that executes a script on your Windows

HOW TO exclude from download on qBittorrent.

  • Go to Options -> Downloads

  • Enable "Exclude file names"

  • Add patterns:

(one by line)

*.mp4.lnk  
*.mp3.lnk  
*.mkv.lnk
*.torrent.lnk

Or exclude all together: *.lnk

Example on VirusTotal https://www.virustotal.com/gui/file/e74f64df6ebaf3a1b6e3f42591eb6e87d2ac2828eb5a99fd8d3d82c140137fc9/detection

all 32 comments
sorted by: hot top controversial new old
[–] bad_news@lemmy.billiam.net 23 points 7 hours ago

You gotta love how aggressively they prevent users from seamlessly running executables from the internet, a VERY legitimate common use case, but a desktop shortcut from the internet? Run away!

[–] dsilverz@thelemmy.club 29 points 8 hours ago (1 children)

When I read the title, I was thinking of something sophisticated such as hidden executable streams inside the MKV container (IIRC, it's possible to append binary data other than audio, video or subtitles specifically inside a MKV). The ".lnk" trick only works in Windows and, even there, it's easy to prevent: Windows Explorer > Options > Advanced > find and check "Always show extensions for files" (i can't really remember the exact label for this option as I'm not a Windows user, but something like this will be there).

[–] cosmic_skillet@lemmy.ml 11 points 7 hours ago (1 children)

I believe you uncheck "Hide extensions for known file types"

[–] dsilverz@thelemmy.club 7 points 7 hours ago (1 children)

Exactly! Thanks! I couldn't point the exact label, I've been using Linux for years in a daily basis so I forgot most of the Windows shortcuts/options.

[–] brainw0rms@hexbear.net 7 points 7 hours ago

Even then, that setting doesn't unhide the ".lnk" file extension, that requires a registry edit: https://www.askvg.com/tip-how-to-show-file-extensions-of-shortcuts-lnk-url-pif-in-windows-explorer/

Although shortcuts are pretty easy to spot in the first place unless you just double-click things without paying attention lol

[–] LostXOR@fedia.io 3 points 5 hours ago

Also make sure you have file extensions enabled in Explorer, it makes it waaay harder for something like this to work.

[–] Kuvwert@lemm.ee 15 points 9 hours ago (2 children)

Could you just add *.lnk?

[–] can@sh.itjust.works 7 points 8 hours ago

That's mentioned near the bottom of the post.

[–] Lojcs@lemm.ee 4 points 8 hours ago (2 children)

How is the link file executing malware? Can you put any shell script as the target?

[–] LordeMostarda@lemmy.eco.br 7 points 7 hours ago

I am pretty sure a link file can open cmd/powershell with parameters to execute commands

[–] wizardbeard@lemmy.dbzer0.com 2 points 4 hours ago

You can put the script itself as the link. Shortcut to: powershell -command "Write-Host 'Gonna pwn your shit'"

[–] Nexy@lemmy.sdf.org 0 points 6 hours ago

Nice to know! Thank you!

[–] ReversalHatchery@beehaw.org 64 points 8 hours ago (1 children)

thanks Microsoft for hiding extensions by default!

[–] wizardbeard@lemmy.dbzer0.com 8 points 4 hours ago* (last edited 4 hours ago)

Yes, but also whoever set the defaults for the *arr tools. Why would any filename with extra shit past the extensions you're looking for be considered an acceptable result?

Tack $ on the end of your regex, for fucks sake.

[–] Aatube@kbin.melroy.org 48 points 8 hours ago (2 children)

Linux users:

[–] CmdrShepard42@lemm.ee 38 points 8 hours ago (3 children)

What if it executes and install Windows 11 on your machine!?

[–] Trent@lemmy.ml 5 points 5 hours ago

That would be the very worst malware. I mean both the malware that installed it and win11...

[–] black0ut@pawb.social 8 points 6 hours ago

Oh lord please have mercy! Blacklisting the file extension right now!

[–] Aatube@kbin.melroy.org 3 points 6 hours ago

ackshually the proprietary .lnk shortcut format can only be run on windows 🤓

[–] American_Jesus@lemm.ee 17 points 8 hours ago (2 children)

Me too, but don't want to download GBs of malware and bandwidth

[–] LiveLM@lemmy.zip 6 points 6 hours ago* (last edited 6 hours ago)

Weak.
Harbor disaster. Seed the malware. Spread the fruits of chaos amongst the unworthy. Be complicit in their downfall. Feed on their agony ^^/s

[–] catloaf@lemm.ee 1 points 6 hours ago (2 children)

.lnk files are less than 4kb

[–] American_Jesus@lemm.ee 1 points 5 hours ago* (last edited 5 hours ago)

Not these ones, some could have more than 1GB, look at the virustotal link, the file had 422MB.

Also Sonarr/Radarr filter torrents by size

Here some examples
https://bt4gprx.com/search?q=The.Lord.of.The.Rings.The.Rings.of.Power.S02E08

Those where posted on 1337x (and removed) and probably other sites, Sonarr can pick those based on release name and torrent size

PS: had to rename the fine from .lnk to .com so virustotal could accept

[–] Aatube@kbin.melroy.org 4 points 6 hours ago (1 children)

That would seem suspicious. I'm sure they have some way to pad out the size.

[–] catloaf@lemm.ee 3 points 5 hours ago (1 children)

Anyone paying attention to size would probably also notice they're just .lnk files.

[–] Aatube@kbin.melroy.org 2 points 5 hours ago

Not necessarily. Even with "hide extensions" unchecked, Windows hides the .lnk extension by default; it just shows an arrow in the bottom-right corner of the icon, which is plausibly missed when in the list view. I'm surprised antivirus doesn't know about it already tbh.

[–] turkalino@lemmy.yachts 21 points 8 hours ago (1 children)

Yet another reminder that piracy on Linux is the way because new files don’t have execute permissions by default

[–] American_Jesus@lemm.ee 6 points 6 hours ago

On many distros will open with WINE by default, not a big deal, you can just delete ~/.wine. If it does anything

[–] DoucheBagMcSwag@lemmy.dbzer0.com 1 points 3 hours ago

Is that the malware that is undetectable because it runs purely in memory? The name is escaping me