this post was submitted on 28 Sep 2024
229 points (98.7% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54609 readers
584 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others



Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):


💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

founded 1 year ago
MODERATORS
 

There are some torrrents showing up with .lnkextension (ex: movie.mp3.lnk, tvshow.mkv.lnk...) and automated software (Sonarr, Radarr, Lidarr, qBittorrent RSS Downloader) could pick those torrents (but not import).

These (fake) torrents include a .lnk file that executes a script on your Windows


HOW TO exclude from download on qBittorrent.

  • Go to Options -> Downloads

  • Enable "Exclude file names"

  • Add patterns:

(one by line)

*.mp4.lnk  
*.mp3.lnk  
*.mkv.lnk
*.torrent.lnk 

Or exclude all together: *.lnk


Example on VirusTotal https://www.virustotal.com/gui/file/e74f64df6ebaf3a1b6e3f42591eb6e87d2ac2828eb5a99fd8d3d82c140137fc9/detection

all 49 comments
sorted by: hot top controversial new old
[–] ReversalHatchery@beehaw.org 157 points 1 month ago (2 children)

thanks Microsoft for hiding extensions by default!

[–] wizardbeard@lemmy.dbzer0.com 43 points 1 month ago* (last edited 1 month ago) (1 children)

Yes, but also whoever set the defaults for the *arr tools. Why would any filename with extra shit past the extensions you're looking for be considered an acceptable result?

Tack $ on the end of your regex, for fucks sake.

[–] American_Jesus@lemm.ee 8 points 1 month ago* (last edited 1 month ago)

Is not regex
https://github.com/qbittorrent/qBittorrent/pull/17106

Examples
*.exe: filter '.exe' file extension.
readme.txt: filter exact file name.
?.txt: filter 'a.txt', 'b.txt' but not 'aa.txt'.
readme[0-9].txt: filter 'readme1.txt', 'readme2.txt' but not 'readme10.txt'

[–] ad_on_is@lemm.ee 21 points 1 month ago* (last edited 1 month ago) (2 children)

Microsoft: De nada, amigo! Oh... here's an ad, btw... and...did you enable Recall already?

[–] ReversalHatchery@beehaw.org 12 points 1 month ago

or rather: oh silly you were so clumsy that you disabled recall by accident again. let us be so kind to re-enable it for you

[–] Boomkop3@reddthat.com 4 points 1 month ago

Have you tried setting your region to Europe? it's not an issue here

[–] Aatube@kbin.melroy.org 94 points 1 month ago (2 children)
[–] CmdrShepard42@lemm.ee 87 points 1 month ago (3 children)

What if it executes and install Windows 11 on your machine!?

[–] black0ut@pawb.social 40 points 1 month ago

Oh lord please have mercy! Blacklisting the file extension right now!

[–] Trent@lemmy.ml 22 points 1 month ago

That would be the very worst malware. I mean both the malware that installed it and win11...

[–] Aatube@kbin.melroy.org 8 points 1 month ago (1 children)

ackshually the proprietary .lnk shortcut format can only be run on windows 🤓

[–] avidamoeba@lemmy.ca 4 points 1 month ago (2 children)

A Linux executable can't be named ending on .lnk? 🤔🤔

[–] Aatube@kbin.melroy.org 4 points 1 month ago

Making such a polyglot that can run on both systems requires much more effort for little gain.

[–] mexicancartel@lemmy.dbzer0.com 3 points 1 month ago

But its not lnk but an executable that needs to be excecuted manually?

[–] American_Jesus@lemm.ee 25 points 1 month ago (2 children)

Me too, but don't want to download GBs of malware and bandwidth

[–] LiveLM@lemmy.zip 17 points 1 month ago* (last edited 1 month ago)

Weak.
Harbor disaster. Seed the malware. Spread the fruits of chaos amongst the unworthy. Be complicit in their downfall. Feed on their agony ^^/s

[–] catloaf@lemm.ee 1 points 1 month ago (2 children)

.lnk files are less than 4kb

[–] Aatube@kbin.melroy.org 5 points 1 month ago (1 children)

That would seem suspicious. I'm sure they have some way to pad out the size.

[–] catloaf@lemm.ee 5 points 1 month ago (1 children)

Anyone paying attention to size would probably also notice they're just .lnk files.

[–] Aatube@kbin.melroy.org 3 points 1 month ago

Not necessarily. Even with "hide extensions" unchecked, Windows hides the .lnk extension by default; it just shows an arrow in the bottom-right corner of the icon, which is plausibly missed when in the list view. I'm surprised antivirus doesn't know about it already tbh.

[–] American_Jesus@lemm.ee 3 points 1 month ago* (last edited 1 month ago)

Not these ones, some could have more than 1GB, look at the virustotal link, the file had 422MB.

Also Sonarr/Radarr filter torrents by size

Here some examples
https://bt4gprx.com/search?q=The.Lord.of.The.Rings.The.Rings.of.Power.S02E08

Those where posted on 1337x (and removed) and probably other sites, Sonarr can pick those based on release name and torrent size

PS: had to rename the fine from .lnk to .com so virustotal could accept

[–] dsilverz@thelemmy.club 54 points 1 month ago (1 children)

When I read the title, I was thinking of something sophisticated such as hidden executable streams inside the MKV container (IIRC, it's possible to append binary data other than audio, video or subtitles specifically inside a MKV). The ".lnk" trick only works in Windows and, even there, it's easy to prevent: Windows Explorer > Options > Advanced > find and check "Always show extensions for files" (i can't really remember the exact label for this option as I'm not a Windows user, but something like this will be there).

[–] cosmic_skillet@lemmy.ml 27 points 1 month ago (1 children)

I believe you uncheck "Hide extensions for known file types"

[–] dsilverz@thelemmy.club 10 points 1 month ago (1 children)

Exactly! Thanks! I couldn't point the exact label, I've been using Linux for years in a daily basis so I forgot most of the Windows shortcuts/options.

[–] boredsquirrel@slrpnk.net 46 points 1 month ago (1 children)

Not using Windows helps a ton :)

[–] American_Jesus@lemm.ee 20 points 1 month ago

Sonarr will still pick the release and download GBs of malware, and if you don't notice your download directly is filled with GBs of fake torrents

[–] turkalino@lemmy.yachts 31 points 1 month ago (1 children)

Yet another reminder that piracy on Linux is the way because new files don’t have execute permissions by default

[–] American_Jesus@lemm.ee 12 points 1 month ago

On many distros will open with WINE by default, not a big deal, you can just delete ~/.wine. If it does anything

[–] Kuvwert@lemm.ee 18 points 1 month ago (2 children)
[–] can@sh.itjust.works 11 points 1 month ago

That's mentioned near the bottom of the post.

[–] woodgen@lemm.ee 18 points 1 month ago (1 children)

that executes a script on your Windows.

I don't have a Windows.

[–] notastatist@feddit.org 4 points 1 month ago

Then just draw on your wall.

[–] N0x0n@lemmy.ml 17 points 1 month ago* (last edited 1 month ago)

For those interested, John Hammond did a video a few months ago about .lnk extension (and other 16 hidden extensions on Windows).

He doesn't go to much or to deep into the subject, but you get a general view how this could be exploitable.

YouTube link

Piped Link

[–] Lojcs@lemm.ee 5 points 1 month ago (2 children)

How is the link file executing malware? Can you put any shell script as the target?

[–] LordeMostarda 12 points 1 month ago (1 children)

I am pretty sure a link file can open cmd/powershell with parameters to execute commands

[–] montar@lemmy.ml 3 points 1 month ago

yep! I've found out browsing hacking/spamming site and i've found something too good to be true, it downloaded archive nested inside other archive and in it was silngle .lnk file leading to "the resource". Peeking inside i've found powershell executing base64 (or base32?) encoded script (it's got commandline option for that. if you want to ask wtf ask microsoft, and tell me), it dl'd some exe from some site and ran it, site was down alredy.

[–] wizardbeard@lemmy.dbzer0.com 8 points 1 month ago

You can put the script itself as the link. Shortcut to: powershell -command "Write-Host 'Gonna pwn your shit'"

[–] LostXOR@fedia.io 4 points 1 month ago

Also make sure you have file extensions enabled in Explorer, it makes it waaay harder for something like this to work.

[–] Xianshi@lemm.ee 1 points 1 month ago

Nice one OP. Just had sonar pick up one of these today named like a proper release of a trusted group. Sonarr didn't move it from qbit but better to not DL it in the first place even though its a linux box

Is that the malware that is undetectable because it runs purely in memory? The name is escaping me

[–] Nexy@lemmy.sdf.org 1 points 1 month ago

Nice to know! Thank you!