Virus within a film?

And to think that some people still say that AVs are *useless*... *sigh*

36 minutes ago, tlustymen said:

Definitely. Like I said, I did a deep scan, but is it still somehow possible that some part of it stayed?

Some malware refuses to execute when being manually scanned and only reveals its contents when executed by double-clicking. That's why it's good to do a little research on different antivirus programs.

I'd like to know if you're using Windows Defender or a third-party one.

1 minute ago, captain_to_fire said:

Some malware refuses to execute when being manually scanned and only reveals its contents when executed by double-clicking. That's why it's good to do a little research on different antivirus programs.

I'd like to know if you're using Windows Defender or a third-party one.

Well, I already deleted the "movie" (and emptied the bin), so I don't think it could be activated again; then again, I'm not the smartest.

I'm using the business version of AVG :)

30 minutes ago, Cora_Lie said:

And to think that some people still say that AVs are *useless*... *sigh*

I think this stems from the fact that antivirus programs run on high privileges and that can actually be used to compromise someone's computer.

Google Project Zero actually found critical vulnerabilities in AV programs from Kaspersky, Symantec, ESET, Sophos, FireEye, and even Windows Defender [1] [2] [3]; typically they find problems with the AV's file parser. With that said, they recommend that AV programs run in a sandbox, but I think at the time of writing only Microsoft complied (not on by default). But again, all code written by man will contain vulnerabilities; the thing is, when an antivirus bug is reported either in the wild or privately, they're quite quick in patching them, and many of them have bug bounties.

So none of the scanners found anything, so I'm going to take this as a lesson for the future.

20 minutes ago, tlustymen said:

So none of the scanners found anything, so I'm going to take this as a lesson for the future.

Just some recommendations here; this is how my personal gaming PC is set up, same for my work laptop and the family members' PCs I imaged or fixed:

  • Show file extensions (in File Explorer, open 'Folder and search options' and in the View tab, uncheck 'Hide extensions for known file types'),
  • Create an admin user, change your current user to 'standard user', and if you need to install or modify something, use the admin account credentials when prompted,
  • If your AV has the option, turn on 'real-time scan' (actively scans your files and folders),
  • Scan whatever you download (lots of AVs will have a right-click option to scan whatever you selected).

There are other things too, but I would say that's the minimum. Since I started applying this (minus the last point since I can't do that on family members' PCs), I haven't had to disinfect a family member's PC in a while and I only have to troubleshoot bugs and hardware issues. ;)
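
The first two recommendations above, as an added PowerShell example (editor's addition, not from the thread or from wkdpaul): it reads and sets the Explorer 'Hide extensions for known file types' value, checks whether the signed-in account is a direct member of the local Administrators group, and spells out the create-a-separate-admin-then-demote-yourself order. The account name LocalAdmin is an assumption; the two account functions need an elevated prompt.

```powershell
# Added example, not from the original thread: audit and apply the "show
# extensions" and "standard user" recommendations from the post above.
# Written for Windows PowerShell 5.1 on Windows 10/11.

$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-ExtensionVisibility {
    # HideFileExt = 1 (the Windows default) hides known extensions, so a file
    # named holiday.avi.exe is displayed as holiday.avi.
    $value = (Get-ItemProperty -Path $explorerKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    if ($null -eq $value) { $value = 1 }
    [pscustomobject]@{ Setting = 'HideFileExt'; Value = $value; ExtensionsVisible = ($value -eq 0) }
}

function Set-ExtensionsVisible {
    # Same effect as unticking "Hide extensions for known file types" in the View tab.
    Set-ItemProperty -Path $explorerKey -Name HideFileExt -Value 0 -Type DWord
    # Explorer caches the value; restart it (or sign out) to apply the change.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
}

function Test-CurrentUserIsLocalAdmin {
    # Compare the signed-in user's SID with the direct members of
    # BUILTIN\Administrators (S-1-5-32-544). Nested domain groups are not expanded.
    $mySid   = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'
    [bool]($members | Where-Object { $_.SID.Value -eq $mySid })
}

function New-SeparateAdminAccount {
    # Step 1, from an ELEVATED prompt: create the dedicated admin account.
    # 'LocalAdmin' is an assumed name; choose your own.
    param([string]$AdminName = 'LocalAdmin')
    $password = Read-Host -AsSecureString "Password for $AdminName"
    New-LocalUser -Name $AdminName -Password $password -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $AdminName
}

function Remove-CurrentUserFromAdministrators {
    # Step 2, only after signing in once as the new admin to prove it works;
    # demoting yourself first can lock you out. Takes effect at next sign-in,
    # after which UAC prompts for the admin account's credentials instead.
    $mySid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member $mySid
}

# Audit the current state (read-only)
Get-ExtensionVisibility
"Signed-in user is a local administrator: $(Test-CurrentUserIsLocalAdmin)"
```

Run the script as-is to audit; call Set-ExtensionsVisible, then New-SeparateAdminAccount and, after a successful test sign-in, Remove-CurrentUserFromAdministrators to apply the two recommendations. Note that Explorer hides the .lnk extension regardless of this setting (the lnkfile ProgID carries NeverShowExt), so showing extensions helps against .avi.exe but not against a shortcut named like a video.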

4 minutes ago, wkdpaul said:

Just some recommendations here; this is how my personal gaming PC is set up, same for my work laptop and the family members' PCs I imaged or fixed:

  • Show file extensions (in File Explorer, open 'Folder and search options' and in the View tab, uncheck 'Hide extensions for known file types'),
  • Create an admin user, change your current user to 'standard user', and if you need to install or modify something, use the admin account credentials when prompted,
  • If your AV has the option, turn on 'real-time scan' (actively scans your files and folders),
  • Scan whatever you download (lots of AVs will have a right-click option to scan whatever you selected).

There are other things too, but I would say that's the minimum. Since I started applying this (minus the last point since I can't do that on family members' PCs), I haven't had to disinfect a family member's PC in a while and I only have to troubleshoot bugs and hardware issues. ;)

Yes, I have the extensions active and I scan almost everything. I even think I scanned this "film", but honestly I'm not sure anymore. I don't have an admin user at the moment, but thanks for the tip, I'll look into that. And I don't know if AVG has real-time scan, but if it has, I should have it active. :)

42 minutes ago, wkdpaul said:

if you need to install or modify something, use the admin account credentials when prompted

That just brought up memories of how UAC used to jump out at anything back in Vista. Seems like they had the right idea all along.

2 hours ago, captain_to_fire said:

I think that’s possible with steganography 

That is both wickedly cool and deeply unsettling.


53 minutes ago, tlustymen said:

Yes, I have the extensions active and I scan almost everything. I even think I scanned this "film", but honestly I'm not sure anymore. I don't have a admin user at the moment, but thanks for the tip, I'll look into that. And I don't know if Avg has real-time scan, but if it has, I should have it active. :)

Just check the file contents in the future. You can check the contents either during the download or whenever you're selecting where to put the file. Most movies have a .txt saying where it's from and who uploaded it. Maybe the subtitle file will be there too.

Also, low IQ move to use uTorrent and .torrent files. qBittorrent is a superior client and magnet links are the way to go.

8 minutes ago, DildorTheDecent said:

Also, low IQ move to use uTorrent and .torrent files. qBittorrent is a superior client and magnet links are the way to go.

I've heard, and I'd like to know more about that. I guess it's not appropriate here, but could you maybe give me some more info? Sick parrot, btw.

19 minutes ago, tlustymen said:

I've heard, and I'd like to know more about that. I guess it's not appropriate here, but could you maybe give me some more info?

Simple explanation from Lifehacker:

First, what are .torrent files:

Quote

The torrent file tells your torrent client the names of the files being shared, a URL for the tracker, and more. Your torrent client then calculates a hash code, which is a unique code that only that torrent has—kind of like an ISBN or catalog number. From there, it can use that code to find others uploading those files, so you can download from them.

Then what are magnet files:

Quote

A magnet link is essentially a hyperlink containing the hash code for that torrent, which your torrent client can immediately use to start finding people sharing those files.

Source

I never bother with .torrent files mostly because one click fewer is always nice.

19 minutes ago, tlustymen said:

Sick parrot btw.

He's a good boy. The IRL bird is endangered, though.

So by using other clients, like qBittorrent, I don't download .torrent files, and to download something I just copy the magnet link?

Just now, tlustymen said:

So by using other clients, like qBittorrent, I don't download .torrent files, and to download something I just copy the magnet link?

uTorrent supports magnet links, but uTorrent was at one point bundled with adware and crypto malware, and it's highly recommended to steer clear of that torrent client.

With that said, we're getting closer to having this thread closed, let's not go further than that as it could violate the Community Standards.

1 minute ago, wkdpaul said:

uTorrent supports magnet links, but uTorrent was at one point bundled with adware and crypto malware, and it's highly recommended to steer clear of that torrent client.

With that said, we're getting closer to having this thread closed, let's not go further than that as it could violate the Community Standards.

Okay, agreed. May I just ask if you could point me to a better torrent client? Like the mentioned qBittorrent, or something else?

29 minutes ago, tlustymen said:

So by using other clients, like qBittorent, I don't download .torrent files and to download something I just copy magnet link?

Both uTorrent and qBittorrent support magnet links, which give you the ability to download something without having the torrent file.

The magnet link contains all the needed information for your torrent client to access the p2p network and retrieve the information that's usually in the torrent file, from the computers that actually seed that torrent. The only requirement is for the torrent clients seeding the torrent to have this "make the torrent data available if requested" option enabled, which is enabled by default as far as I know, and there's no harm in leaving it enabled.

A physical torrent file is still useful because it can speed things up... for example, if you have a big torrent and the torrent file is, let's say, 200 KB, that torrent may have only one seeder with a poor connection and your torrent client may need a couple of minutes to retrieve the minimum information needed to start downloading everything.

Give qBittorrent a try, these days it's better than uTorrent.
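
The "hash code" that the Lifehacker quote and the post above both refer to, as an added example (editor's addition, not from the thread or from either poster): a torrent's info hash is SHA-1 over the raw bencoded "info" dictionary of the .torrent file, and the xt=urn:btih: field of a magnet link is exactly that hash. The script below computes it for a constructed minimal torrent and checks it against a magnet link; the tracker URL and file names are made up, and only the 40-hex-character btih form is handled, not the base32 one.

```powershell
# Added example, not from the original thread: compute a .torrent file's info hash
# (SHA-1 over the raw bencoded "info" dictionary) and check it against the
# xt=urn:btih: value of a magnet link. The sample torrent and URLs are constructed.

function Skip-BencodeValue {
    # Advance $Pos past one bencoded value without materialising it:
    # i<int>e, l...e, d...e, or <len>:<bytes>.
    param([byte[]]$B, [ref]$Pos)
    switch ([char]$B[$Pos.Value]) {
        'i' { while ($B[$Pos.Value] -ne 0x65) { $Pos.Value += 1 }; $Pos.Value += 1 }   # up to and past 'e'
        'l' { $Pos.Value += 1; while ($B[$Pos.Value] -ne 0x65) { Skip-BencodeValue $B $Pos }; $Pos.Value += 1 }
        'd' { $Pos.Value += 1; while ($B[$Pos.Value] -ne 0x65) { Skip-BencodeValue $B $Pos; Skip-BencodeValue $B $Pos }; $Pos.Value += 1 }
        default {
            $len = 0
            while ($B[$Pos.Value] -ne 0x3A) { $len = $len * 10 + ($B[$Pos.Value] - 0x30); $Pos.Value += 1 }   # ':'
            $Pos.Value += 1 + $len
        }
    }
}

function Get-TorrentInfoHash {
    # Walk the top-level dictionary; hash the exact bytes of the "info" value.
    param([byte[]]$Torrent)
    if ([char]$Torrent[0] -ne 'd') { throw 'not a bencoded dictionary' }
    $p = 1; $pos = [ref]$p
    while ([char]$Torrent[$pos.Value] -ne 'e') {
        $keyStart = $pos.Value
        Skip-BencodeValue $Torrent $pos                       # key is always a byte string
        $colon = [Array]::IndexOf($Torrent, [byte]0x3A, $keyStart)
        $key   = [Text.Encoding]::ASCII.GetString($Torrent, $colon + 1, $pos.Value - $colon - 1)
        $valStart = $pos.Value
        Skip-BencodeValue $Torrent $pos
        if ($key -eq 'info') {
            $infoBytes = [byte[]]$Torrent[$valStart..($pos.Value - 1)]
            $digest = [System.Security.Cryptography.SHA1]::Create().ComputeHash($infoBytes)
            return (($digest | ForEach-Object { $_.ToString('x2') }) -join '')
        }
    }
    throw 'torrent has no info dictionary'
}

function Test-MagnetMatchesTorrent {
    # Only the 40-hex-char btih form is handled; the base32 form is not.
    param([string]$Magnet, [byte[]]$Torrent)
    if ($Magnet -match 'xt=urn:btih:([0-9A-Fa-f]{40})') { $expected = $Matches[1].ToLower() }
    else { throw 'magnet link has no hex btih' }
    return ($expected -eq (Get-TorrentInfoHash $Torrent))
}

# Constructed single-file torrent: 4-byte payload, one 20-byte piece hash (all 'A').
$sample  = 'd8:announce22:http://tracker.example4:infod6:lengthi4e4:name8:test.txt12:piece lengthi16384e6:pieces20:AAAAAAAAAAAAAAAAAAAAee'
$torrent = [Text.Encoding]::ASCII.GetBytes($sample)
$hash    = Get-TorrentInfoHash $torrent
$magnet  = "magnet:?xt=urn:btih:$hash&dn=test.txt&tr=http://tracker.example"
Test-MagnetMatchesTorrent -Magnet $magnet -Torrent $torrent

# Swap the file inside the metadata (a .lnk where a video should be): same magnet, different hash.
$tampered = [Text.Encoding]::ASCII.GetBytes($sample.Replace('8:test.txt', '8:movi.lnk'))
Test-MagnetMatchesTorrent -Magnet $magnet -Torrent $tampered
```

The point of the second check is the security property behind "magnet links are the way to go": the hash pins the metadata, so a .torrent whose file list has been swapped (for instance a .lnk in place of the video) cannot match the hash the uploader published. The hash says nothing about whether the content is safe; it only tells you the metadata is the one you were pointed at.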

16 minutes ago, mariushm said:

Both uTorrent and qBittorrent support magnet links, which give you the ability to download something without having the torrent file.

The magnet link contains all the needed information for your torrent client to access the p2p network and retrieve the information that's usually in the torrent file, from the computers that actually seed that torrent. The only requirement is for the torrent clients seeding the torrent to have this "make the torrent data available if requested" option enabled, which is enabled by default as far as I know, and there's no harm in leaving it enabled.

A physical torrent file is still useful because it can speed things up... for example, if you have a big torrent and the torrent file is, let's say, 200 KB, that torrent may have only one seeder with a poor connection and your torrent client may need a couple of minutes to retrieve the minimum information needed to start downloading everything.

Give qBittorrent a try, these days it's better than uTorrent.

Okay, thank you.

4 hours ago, captain_to_fire said:

I think this stems from the fact that antivirus programs run on high privileges and that can actually be used to compromise someone's computer.

Google Project Zero actually found critical vulnerabilities in AV programs from Kaspersky, Symantec, ESET, Sophos, FireEye, and even Windows Defender [1] [2] [3]; typically they find problems with the AV's file parser. With that said, they recommend that AV programs run in a sandbox, but I think at the time of writing only Microsoft complied (not on by default). But again, all code written by man will contain vulnerabilities; the thing is, when an antivirus bug is reported either in the wild or privately, they're quite quick in patching them, and many of them have bug bounties.

It is a thing for sure, but I'm not sure how much this is behind the shift in mentality. I am just guessing, but I would attribute it instead to improvements in software, particularly in Windows. What I'm getting at is there are two main ways malware can attack you: either you willingly install and run it, like what happened in this thread, or it makes its own way in by exploiting vulnerabilities in the system, network, web browser, etc., like WannaCry and other worms or "drive-by" infections. The former can be protected against simply by avoiding dangerous areas and having common sense; the latter cannot (though it may still help). I think the reason some people may not value AV software as much any more is, while of course it would protect you against either type, people are more confident now that they can avoid the first kind on their own, and as for the latter, I think they are much less common these days. Windows in particular used to be basically a meme for how weak it was in this regard, and while I feel like it may still be partially true on some level, it certainly has come a long way compared to Unix-based systems, to the point where iirc this factor wasn't even mentioned in the TQ on why Windows gets infected more. Certainly install base has always been a part of it and still is, but yeah.

6 hours ago, Gunshark said:

Virus is good to have in torrents: if you go rob a bank expect to get killed.

You wouldn't download a car would you? /s

 

This is the dumbest thing I've read today, congrats.

I advise learning about the uses of torrents before spewing bs like that.


Btw, I found the URL in my browser's history and, like I said, it's deleted, but can't it still be somehow traced to the source? By that I mean the original uploader or something, like how you can see deleted comments on Reddit with 3rd-party sites.

8 hours ago, tlustymen said:

Sadly true.

No need to feel bad. Live and learn from your mistakes.

If you have a beater PC that is isolated, you could run whatever file you downloaded on that and virus-scan it there too before moving it to archival. My Atom desktop serves this purpose. It's on an old Windows 7 version (not intentionally, but because I rely on cellular internet at home), so if anything is going to be pulling shenanigans, it's probably going to be there.

4 minutes ago, Zodiark1593 said:

No need to feel bad. Live and learn from your mistakes.

I think I really needed to hear that. I mean, I'm a sophomore in IT school this year, so I feel really fricking stupid and can't quite get it out of my head. That being said, I've learned from my mistakes and now I at least know this community is really helpful. I posted this on Reddit with 500k+ people and got like 2 a bit very constructive responses.

10 hours ago, tlustymen said:
Yesterday I torrented a film. When I wanted to play it, it opened some system folder where it opened a command line (can't remember what program it was exactly, it was blue and wasn't cmd). Thankfully it was stopped by antivirus, but I just can't stop wondering what it wanted to do. The torrent was deleted since then, so I can't try it again for more info. And how did it go through uTorrent Pro's antivirus protection? Any ideas? Thanks

edit: It opened PowerShell and yes, it wasn't a movie
I also deep scanned the PC yesterday, everything should be alright, but I'm gonna scan it with a few more scanners recommended to me, just to be sure.

Sounds like it was piggybacked. PowerShell has the blue background, but also by default you shouldn't be able to "run" it.

But I'd probably suggest immediately using system restore and rolling back to before this happened.

https://blog.trendmicro.com/trendlabs-security-intelligence/rising-trend-attackers-using-lnk-files-download-malware/

Also update PowerShell if you actually use it, and change the PowerShell script launch parameters to load Notepad, not execute, so you have to actually "right click, execute" to run scripts.
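
How to check the two PowerShell settings the post above talks about, as an added example (editor's addition, not from the thread or from Kisai): what double-clicking a .ps1 file actually launches on this machine, and what the execution policy is at each scope. Nothing is changed unless you call the Set-* function or Set-ExecutionPolicy yourself; the registry paths are the standard Explorer and HKCR locations.

```powershell
# Added example, not from the original thread: show what double-clicking a .ps1
# does on this machine and what the execution policy is. Nothing is changed
# unless you call the Set-* function or Set-ExecutionPolicy yourself.

function Get-Ps1Handler {
    # Explorer dispatches .ps1 via a ProgID: a per-user UserChoice wins, else the
    # HKCR\.ps1 default. The ProgID's Shell\Open\Command is what actually runs.
    # Windows ships with notepad.exe "%1" here, i.e. open, not execute.
    $userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ps1\UserChoice'
    $progId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) { $progId = (Get-Item 'Registry::HKEY_CLASSES_ROOT\.ps1').GetValue('') }
    $command = (Get-Item "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command").GetValue('')
    [pscustomobject]@{
        ProgId          = $progId
        OpenCommand     = $command
        OpensInEditor   = ($command -match 'notepad\.exe')
        # A handler that invokes the interpreter on double-click is the risky setup.
        ExecutesOnClick = ($command -match 'powershell(\.exe)?|pwsh')
    }
}

function Set-Ps1DoubleClickToNotepad {
    # Restore the shipped default (open in Notepad). Needs an elevated prompt.
    $progId  = (Get-Item 'Registry::HKEY_CLASSES_ROOT\.ps1').GetValue('')
    $notepad = Join-Path $env:SystemRoot 'System32\notepad.exe'
    Set-Item -Path "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command" -Value ('"{0}" "%1"' -f $notepad)
}

function Get-ExecutionPolicyReport {
    # Execution policy is a safety catch against running scripts by accident, not a
    # security boundary: powershell.exe -ExecutionPolicy Bypass, -EncodedCommand or
    # -Command all sidestep it, which is exactly what a malicious .lnk relies on.
    Get-ExecutionPolicy -List | ForEach-Object {
        [pscustomobject]@{
            Scope  = $_.Scope
            Policy = "$($_.ExecutionPolicy)"
            Weak   = ("$($_.ExecutionPolicy)" -in 'Unrestricted', 'Bypass')
        }
    }
}

Get-Ps1Handler
Get-ExecutionPolicyReport | Format-Table -AutoSize
# Sane default if you do write scripts yourself:
# Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned
```

The caveat worth keeping in mind: both settings only govern what happens when a .ps1 file itself is opened. A shortcut that launches powershell.exe with its own command line, which is what the linked Trend Micro article describes, is unaffected by either, so they are hygiene, not protection against that specific trick.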

7 minutes ago, Kisai said:

Sounds like it was piggybacked.

What does that mean?

7 minutes ago, Kisai said:

But I'd probably suggest immediately using system restore and rolling back to before this happened.

Interesting, haven't thought of that. Do you really think it has a purpose? I already did a ton of scans, even from paid AVs.

8 minutes ago, Kisai said:

Also update PowerShell if you actually use it, and change the PowerShell script launch parameters to load Notepad, not execute, so you have to actually "right click, execute" to run scripts.

How?

Thanks

10 hours ago, Gunshark said:

Isn't torrenting a film illegal? Should not be advertised here.

 

Torrenting a copyrighted movie is illegal (in most countries anyway), but there are plenty of movies that are released as Public Domain (or the copyright expired and it entered public domain).

 

Torrenting itself isn't illegal. It simply depends on what you torrent.


4 minutes ago, tlustymen said:

What does that mean?

Interesting, haven't thought of that. Do you really think it has a purpose? I already did a ton of scans, even from paid AVs.

How?

Thanks

It's possible to piggyback a payload, e.g.:

Create a video, then copy /b payload.exe+video.avi output.avi.exe. This is literally how viruses were transmitted in the '90s, except it was normally done with the exe file. The person then double-clicks the avi file, because the icon has the expected thumbnail of the video, but the operating system runs it because the user has 'hide file name extensions' on.

That's one way; what it appears you did was download a .torrent file that was actually a .lnk, and didn't notice.

https://devblogs.microsoft.com/powershell/windows-powershell-and-the-powershell-worm/

Basically the "lnk" file is accomplishing what would normally be accomplished had .ps1 files been executable. Remember, on Linux and such, you need to explicitly mark scripts as +x in order to run them, whereas on Windows, anything with a file association has something to run it.

As for system restore, if it succeeded in launching PowerShell, then it likely succeeded in downloading something. You may want to check the event log to see what it did first, but I'd probably just run system restore so that any files changed are changed back.

AV products do not protect you from PEBKAC. For all you know, the script reported you to the FBI. Figure out exactly what you did, even if you have to get the link to the file again and paste it into VirusTotal.
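
The check a practitioner would run on a download before double-clicking it, as an added PowerShell example covering both of Kisai's posts above (editor's addition, not from the thread or from Kisai): classify the file by its leading bytes instead of its name, flag double extensions and names that Explorer would truncate, resolve a .lnk to the target and arguments that would really run, and produce the SHA-256 you can look up on VirusTotal without uploading anything. The two fixtures it builds in %TEMP% are constructed and harmless: an MZ-headed text blob named like a video, and a shortcut that starts PowerShell with a benign Write-Host.

```powershell
# Added example, not from the original thread: inspect a downloaded file the way
# the post above describes, trusting the bytes and the .lnk target rather than the
# icon or the visible name. Two harmless fixtures are constructed in %TEMP%.

$ExecutableExtensions = 'exe','scr','com','pif','bat','cmd','vbs','vbe','js','jse',
                        'wsf','wsh','ps1','psm1','hta','msi','lnk'

function Read-FileHeader {
    # First $Count bytes only, so multi-gigabyte videos are not read in full.
    param([string]$Path, [int]$Count = 32)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $Count
        $n = $fs.Read($buf, 0, $Count)
        return [byte[]]$buf[0..([Math]::Max($n - 1, 0))]
    } finally { $fs.Dispose() }
}

function Get-FileKindFromMagic {
    # Classify by signature bytes, independent of the file name.
    param([byte[]]$Header)
    $hex = ($Header | ForEach-Object { $_.ToString('X2') }) -join ''
    switch -Regex ($hex) {
        '^4D5A'                                     { return 'PE executable (MZ)' }
        '^4C0000000114020000000000C000000000000046' { return 'Windows shortcut (LNK)' }   # header size + LNK CLSID
        '^52494646.{8}41564920'                     { return 'AVI (RIFF/AVI )' }
        '^.{8}66747970'                             { return 'MP4/MOV (ftyp)' }
        '^1A45DFA3'                                 { return 'Matroska/WebM (EBML)' }
        '^504B0304'                                 { return 'ZIP archive' }
        default                                     { return 'unknown' }
    }
}

function Get-DownloadReport {
    param([Parameter(Mandatory)][string]$Path)
    $name  = [IO.Path]::GetFileName($Path)
    $parts = $name.Split('.')
    $exts  = if ($parts.Count -gt 1) { @($parts[1..($parts.Count - 1)]) } else { @() }
    $real  = if ($exts.Count) { $exts[-1] } else { '' }   # what Windows dispatches on
    $kind  = Get-FileKindFromMagic (Read-FileHeader $Path)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($exts.Count -gt 1) { $findings.Add("double extension: shown as .$($exts[-2]), really .$real") }
    if ($real -in $ExecutableExtensions) { $findings.Add("dispatches to an executable handler (.$real)") }
    if ($kind -like 'PE executable*' -and $real -ne 'exe') { $findings.Add('MZ header under a non-.exe name') }
    if ($kind -like '*LNK*' -or $real -eq 'lnk') {
        # Explorer never shows .lnk (NeverShowExt), even with HideFileExt = 0, so
        # resolve the shortcut: target plus arguments is what would actually run.
        $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($Path)
        $findings.Add("LNK runs: $($lnk.TargetPath) $($lnk.Arguments)")
        if ($lnk.TargetPath -match 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32') {
            $findings.Add('LNK target is a script host or command interpreter')
        }
    }
    [pscustomobject]@{
        Name        = $name
        DispatchExt = $real
        Magic       = $kind
        # Look this up on VirusTotal instead of uploading the file itself.
        Sha256      = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
        Findings    = $findings -join '; '
    }
}

# Constructed fixtures (harmless): an MZ-headed file wearing a video name, and a
# shortcut that starts PowerShell with a benign Write-Host.
$dir = Join-Path $env:TEMP 'download-check-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$fakeVideo = Join-Path $dir 'holiday.avi.exe'
$mz = [byte[]](0x4D, 0x5A) + [Text.Encoding]::ASCII.GetBytes(' constructed fixture, not a real program')
[IO.File]::WriteAllBytes($fakeVideo, [byte[]]$mz)

$fakeLnk = Join-Path $dir 'holiday.mp4.lnk'
$sc = (New-Object -ComObject WScript.Shell).CreateShortcut($fakeLnk)
$sc.TargetPath = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
$sc.Arguments  = '-NoProfile -Command "Write-Host constructed fixture"'
$sc.Save()

Get-DownloadReport $fakeVideo
Get-DownloadReport $fakeLnk
```

Run it against a real download with Get-DownloadReport 'C:\path\to\file' (the path is yours to fill in). The report's Findings column is where the two tricks from the post show up: the copy /b polyglot is caught by the MZ header and the double extension, the .lnk by its CLSID and by the resolved target being a command interpreter, neither of which depends on the icon or on what Explorer chooses to display.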
