Malware programs are often known as viruses, for good reason. In most cases, once the virus gets onto your computer or any other device, it proceeds to wreak havoc. Some payloads are created purely to cause chaos, trashing or deleting files; others are crafty and built for self-gain, as we see in ransomware, which encrypts your files and demands payment for a key you can use to decrypt them.
There is, however, another type, loosely termed vigilante anti-copyright malware. I remember some years ago there was a virus that attempted to impede pirating activities. It was poorly made and barely made waves on the internet. According to security company Sophos, it seems a reincarnation of the virus has now resurfaced, and you need to be careful what you download from pirate sites, otherwise you will end up infected.
How the vigilante virus works
A lot of people don’t want to pay for software, and that includes a lot of Zimbabweans I know. They instead visit sites like PirateBay and many others to download a “cracked” or “nulled” version of the software. Cracked software is released by various groups, most of whom are benevolent, but the unknown actor distributing this anti-copyright virus is also uploading “cracked” versions of various popular software to PirateBay and other sites. Each version of the software comes with an unexpected gift: the anti-copyright virus. An example is a software package called AnyTrans.
When you download the vigilante’s infected crack, your computer is infected during the installation process, which normally requires administrative permissions. The virus then looks for the computer’s hosts file under the System32 directory and adds a couple of hundred torrent site domain names, pointing each of them to 127.0.0.1, aka “localhost”.
Advanced computer users will know that, just like Linux, Windows also has a hosts file. When you open your browser and try to visit a website by its domain name, for example thepiratebay.org, Windows does not simply send a query to the system’s configured DNS server. First, it checks the hosts file in the System32 directory. The anatomy of a hosts file is pretty simple: each line has an IP address, white space and a domain name. If you put a domain name in there with a matching IP, Windows will assume that IP is the correct one and use it. It will never bother to query DNS for that name.
As shown in the image above, the vigilante virus makes entries that force Windows to think the IP address of each listed torrent site is 127.0.0.1. In other words, Windows will try to connect to itself, and obviously, since you are not PirateBay, you will either see an error or, if you have a web server running locally, that local website instead. The same can also be accomplished by using the IP 0.0.0.0 instead of 127.0.0.1.
How to protect yourself?
First of all, stop using cracked software; a lot of it contains malware of some sort. If you must, please stick to well-known groups and verify that the file you are downloading was at least uploaded and made by the trusted collectives. Also, make sure your antivirus is up to date, although this is not going to help you much in the grand scheme of things.
Almost all antivirus vendors detect cracks as malware, even when they don’t contain malware. These false positives are probably encouraged by software companies in a bid to scare people from installing malware. Most cracks require you to temporarily disable your antivirus software. Malware distributors know this and use that brief window to infect you.
That’s why the best way to protect yourself is to stop using cracked versions. I know Zimbabweans are going through an economic crisis, but there are other cheap ways to get genuine keys and accounts. This includes going on eBay, where you can buy genuine keys for popular software like Windows, Office, Internet Download Manager (IDM) and others at a reduced price. While there, beware of scammers.
You can also look into using Free and Open Source Software like I do. I have been a happy Ubuntu user for over a decade, and these days I hardly even have to think about my operating system, as a lot of things are available via the browser. Chrome works the same way on Linux as it does on Windows, and I use Gmail the same way. I also use VLC for media playback and WPS for spreadsheets, word processing and presentations.
What if you are already infected?
Fortunately, the damage is easy to repair even if you are not well versed in computers. If you have been having trouble visiting torrent sites, it might be because you are infected, or maybe the site you want to access is just down. Try a few popular torrent sites and, if none of them appear to be working, check your hosts file:
- Open Command Prompt as admin
- Navigate to C:\Windows\System32\Drivers\etc\ (replace C: with your actual drive letter)
- Type Notepad hosts. You can replace Notepad with your favourite text editor, e.g. Sublime, Atom or VS Code
- Remove the entries the virus added (the lines pointing torrent sites to 127.0.0.1 or 0.0.0.0) from that file
- Save the file
- Scan your computer with an up-to-date antivirus
That should do it.
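The hosts-file mechanics explained earlier and the manual clean-up steps above, put into one script as an added example (this is not code from the original post or from Sophos): it parses hosts-file text, shows the hosts-before-DNS lookup order, flags non-local names pointed at 127.0.0.1, 0.0.0.0 or their IPv6 equivalents, and rewrites the file with those names removed after taking a backup. The sample hosts content, the `.example` domain names, the local LAN entry and all function names are constructed for this example; the file path is the one given in the steps above, and modifying it needs an elevated prompt.

```python
"""Audit and clean a Windows hosts file for mass loopback / null-route redirects.

Added example: not code from the original post or from Sophos. All sample data
below is constructed; domain names other than thepiratebay.org use .example.
"""
import ipaddress
import shutil
from datetime import datetime
from pathlib import Path

# Path from the clean-up steps above; editing it requires an elevated prompt.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\Drivers\etc\hosts")

# Addresses that send a name "nowhere" (the post mentions 127.0.0.1 and 0.0.0.0;
# the IPv6 equivalents are included as an assumption, for completeness).
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Names that legitimately map to loopback on almost every machine.
LEGITIMATE_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample hosts file: three legitimate lines plus vigilante-style entries.
SAMPLE_HOSTS = """\
# Constructed sample hosts file for this example (not a real capture)
127.0.0.1       localhost
::1             localhost
192.168.1.10    nas.home.lan          # legitimate LAN entry
127.0.0.1       thepiratebay.org www.thepiratebay.org
0.0.0.0         torrentsite.example
127.0.0.1       tracker.example       # vigilante-style entry
"""


def parse_hosts(text):
    """Return [(ip, [names], lineno)] for each active entry; comments and blanks skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        ip, *names = line.split()              # "IP whitespace name [name ...]"
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed line, not an entry
        if names:
            entries.append((ip, names, lineno))
    return entries


def resolve(name, hosts_text):
    """Lookup order the post describes: hosts file first; None means 'fall back to DNS'."""
    wanted = name.lower()
    for ip, names, _ in parse_hosts(hosts_text):
        if wanted in (n.lower() for n in names):
            return ip
    return None


def find_sinkholed(hosts_text):
    """Return [(lineno, ip, name)] for non-local names pointed at a sink address."""
    hits = []
    for ip, names, lineno in parse_hosts(hosts_text):
        if ip in SINK_ADDRESSES:
            hits.extend((lineno, ip, n) for n in names if n.lower() not in LEGITIMATE_LOCAL)
    return hits


def clean_hosts(hosts_text):
    """Rewrite hosts text without the sinkholed names; comments, blanks and local names survive."""
    bad = {}
    for lineno, _, name in find_sinkholed(hosts_text):
        bad.setdefault(lineno, set()).add(name)
    out = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        if lineno not in bad:
            out.append(raw)
            continue
        code, _, comment = raw.partition("#")
        ip, *names = code.split()
        keep = [n for n in names if n not in bad[lineno]]
        if keep:                               # line still maps something legitimate
            out.append(" ".join([ip, *keep]) + (" #" + comment if comment else ""))
    return "\n".join(out) + "\n"


def audit_file(path, fix=False):
    """Report sinkholed entries in a hosts file; with fix=True back it up, then rewrite it."""
    path = Path(path)
    text = path.read_text(encoding="utf-8", errors="replace")
    hits = find_sinkholed(text)
    if hits and fix:
        stamp = datetime.now().strftime("%Y%m%d%H%M%S")
        shutil.copy2(path, path.with_name(path.name + ".bak-" + stamp))  # keep original as evidence
        path.write_text(clean_hosts(text), encoding="utf-8")
    return hits


if __name__ == "__main__":
    import tempfile
    # Demonstrate on a temporary copy of the sample, not on the real hosts file.
    with tempfile.TemporaryDirectory() as tmp:
        demo = Path(tmp) / "hosts"
        demo.write_text(SAMPLE_HOSTS, encoding="utf-8")
        for lineno, ip, name in audit_file(demo, fix=True):
            print(f"line {lineno}: {name} -> {ip}")
        print("cleaned file:\n" + demo.read_text(encoding="utf-8"))
    # On an infected machine, from an elevated prompt: audit_file(WINDOWS_HOSTS, fix=True)
```

The script only removes names that point at a sink address, so a line such as `127.0.0.1 localhost` is left alone and a mixed line keeps its legitimate names; the backup copy is worth keeping, since the list of redirected domains is the clearest evidence of what the crack did.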