back to article Racist malware blocks The Pirate Bay by tampering with victims' Windows hosts file

Malware laced with racial epithets tries to block Windows-based victims from visiting file-sharing sites associated with copyright infringement, according to new Sophos research. The malicious software amounts to a "goofy process to block people from going to the Pirate Bay," according to Sophos researcher Andrew Brandt, who …

  1. Zippy´s Sausage Factory
    Meh

    "This racist tirade makes it unlikely (but not impossible) that the malware was made by an aggrieved company angry at cheapskates downloading pirated copies of paid-for software"

    While this may be true, it reminds me of the nonsense that Prenda Law used to pull, and I can't help wondering whether someone has decided to do the same sort of thing. The racism could, of course, be there "to foul the trail", as it were. Equally, it could just be some rogue game dev who got laid off, who decided to blame piracy for their woes.

    1. Anonymous Coward
      Anonymous Coward

      Doubt anyone got laid off. Probably an entitled whiney baby who thinks he/she deserves more sales on Steam. Despite serving a sub-par product in a glutted market.

  2. Rory B Bellows

    "where they had used just the N word, like, more than 1,000 times in the file to just fill space, and it was just gross and weird. And really offensive."

    This is also done in rap music

    1. adam 40 Silver badge

      Misappropriation

      Also, Andrew Brandt is white, so he's appropriating another culture's racial offendedness.

    2. Dave314159ggggdffsdds Silver badge

      Ah, someone said 'racism', the rapid reaction team has turned up to claim there's no such thing...

      1. jake Silver badge

        Where did anyone say there is no such thing?

        Methinks your parser is b0rken.

    3. cornetman Silver badge
      Thumb Up

      > This is also done in rap music

      Indeed.

      It's almost, I dunno, like what's important is intent rather than the words themselves.

  3. jake Silver badge

    Hard as it may be to believe ...

    ... intent to shock and offend is not necessarily racist, regardless of the language used.

    1. Dave314159ggggdffsdds Silver badge

      Re: Hard as it may be to believe ...

      It's quite hard to believe, what with not being obviously true. It's a defensible assertion, certainly, but not a simple statement to unwrap and analyse sufficiently.

      I could assert the opposite, and justify it in various ways. Not sure I'd believe that, either.

      When the best one can find to say in defence of something is that it 'isn't necessarily' whatever we're talking about, then it's an admission that in practice it usually is. In situations like this, it's a rebuttable presumption that there is some racism involved.

      1. jake Silver badge

        Re: Hard as it may be to believe ...

        I'm not defending anything.

        Re-read what I said, not what you want me to have said.

  4. MacroRodent Silver badge
    Headmaster

    Misfiled article

    Why is this under the "Science" topic? "Security" would be more accurate.

    1. jake Silver badge

      Re: Misfiled article

      Of course it's science ... Anthropology, to be specific.

      1. A.P. Veening Silver badge

        Re: Misfiled article

        Anthropology isn't science, at the very best (and really pushing it at that) it is advanced button sorting.

  5. karlkarl Silver badge

    I imagine this wouldn't affect most people because they are using HTTP or SOCKS5h proxies because ISPs are being paid to block these domains.

    1. jake Silver badge

      Eh?

      I have a hand in running several ISPs (including three that still sell shell accounts).

      We are not being paid to block anything.

      1. John Brown (no body) Silver badge

        Re: Eh?

        "We are not being paid to block anything."

        That's what I thought from the press reports. ISPs are not paid to block stuff, ie are not profiting. But, depending on jurisdiction, there are threats of fines for not blocking certain things, ie costs.

        1. jake Silver badge

          Re: Eh?

          Ok, Mr. Pedantic ...

          We are not blocking anything because a third party has asked us to block it, under duress or otherwise. The ONLY things we block are either asked for by our users, or places that allow abuse of the network.

          My own ISP, est. 1982[0], has been asked by a couple of state and local agencies (and a couple of Universities) to block specific things over the years. I told 'em to fuck off each time. They stopped asking about 20 years ago. I have never been approached by an agency of the US Government, nor any foreign agency.

          All ISPs are in the San Francisco Bay Area, since you mentioned jurisdiction.

          [0] A tick over 10,000 active users at the moment, about 7,000 use the system daily, the rest check their email and/or monitor some world and local Usenet groups at least once per week or thereabouts. I provide DNS to those who want it. Around 25,000 inactive users. Users live word-wide. My services are free to them ... the system is a test-bed that is mostly a tax write-off.

          1. bombastic bob Silver badge
            Thumb Up

            Re: Eh?

            "My own ISP, est. 1982[0], has been asked by a couple of state and local agencies (and a couple of Universities) to block specific things over the years. I told 'em to fuck off each time."

            (needs no further comment)

            1. Law

              Re: Eh?

              Except please come to the UK... I want a BS-free ISP.

      2. karlkarl Silver badge

        Re: Eh?

        Might be different (in the US?) but in the UK almost all consumer facing ISPs can't wait to block things like the pirate bay. They are certainly being paid off.

        1. JohnG

          Re: Eh?

          In 2012, a number of UK ISPs were ordered to block TPB by the high court. UK ISPs that were not included in that order probably worked out that they would likely end up defending (and losing) an expensive court case and be given their own court order if they did not fall into line.

    2. Ben Tasker Silver badge

      The default behaviour of Firefox when using a SOCKS proxy is to still use local DNS resolution - you have to specifically go and change network.proxy.socks_remote_dns to true if you want queries to go via your proxy.

      So, this would still affect the majority of people.

      1. karlkarl Silver badge

        Yep, this is commonly called SOCKS 5h (i.e some browsers and git take the proxy string as socks5h://localhost:9999).

        You can actually access this in the settings page on firefox now. You don't need to configure it using the raw settings. Just go to where you set your proxy host and scroll down to the very bottom where it is kinda hidden.

  6. FILE_ID.DIZ Bronze badge
    Trollface

    Rank amature

    Anyone with a decent amount of knowledge knows that 0.0.0.0 (or anything within that /8) is far better for "blocking" a site via a hosts file than 127.0.0.1 (or anything within that /8).

    By using the former, the network stack doesn't even attempt to create a socket.

    1. BOFH in Training

      Re: Rank amature

      It's possible part of the idea is letting the users timeout while waiting for a 127.0.0.1 connection, compared to an instant rejection.

      Assuming most people dont run local httpd anyway.

  7. Adrian 4 Silver badge

    Hostfile ?

    A user process can edit the hostfile ?

    Sounds Darwinish .. an Os that primitive shouldn't be on the internet anyway

    1. FILE_ID.DIZ Bronze badge
      Boffin

      Re: Hostfile ?

      The HOSTS file has a secure DACL.

      But the article states this came through as an executable. If that executable requested elevation (and was granted it) OR if a user turns off UAC/runs as an Admin all the time, then its fair game.

      I find that many clowns don't like UAC.

      1. JohnG

        Re: Hostfile ?

        The malware "installation" requests a privilege escalation, just like many legitimate software installs.

    2. IGotOut Silver badge

      Re: Hostfile ?

      Hosts is a protected file, but just like every other system, if you decide to overide system protections, then it's your own dumb fault.

      1. Rich 2 Silver badge

        Re: Hostfile ?

        But there’s surely something wrong with the system if the user feels they need to switch off these protections by default?

        If I run an application on Unix or BSD or Linux and it won’t run because it needs root privileges I’d want to be pretty certain exactly what it needs before allowing it. Especially an executable is downloaded from goodness-knows-where.

        I certainly wouldn’t just blindly run it as root and if it was a problem I came across often I would question why

        1. blah@blag.com

          Re: Hostfile ? (Internet in a Box)

          Well, most* users don't know what an IP address is let alone a hosts file or UAC. More than that they don't want to know because they think it's a conspiracy to make them look stupid, a computer is just a magic talkie/typey box to them.

          * most is of course unspecified but I've never met a non-IT person who knows what UAC is let alone how to set it up properly.

          This is why this link is funny ... https://www.youtube.com/watch?v=iDbyYGrswtg

      2. David Hicklin

        Re: Hostfile ?

        Sadly in the windows world users have gotten very used to software installations asking for admin level access nearly all the time.

  8. Steve Graham

    "repository of copyright-infringing files"

    I'm far from being an expert on piracy, but I thought that the Pirate Bay's meagre legal fig-leaf is that they do not host files, just pointers to where the files can be retrieved via P2P.

    1. Rich 2 Silver badge

      Re: "repository of copyright-infringing files"

      I don’t see why they would bother with such a defence - YouTube is awash with pirated stuff and they make it openly available, and for some bizarre reason nobody seems to bother taking them to court.

      1. Anonymous Coward Silver badge
        Paris Hilton

        Re: "repository of copyright-infringing files"

        Bizarre?

        Have you seen the size of Alphabet's legal budget??

      2. A.P. Veening Silver badge

        Re: "repository of copyright-infringing files"

        and for some bizarre reason nobody seems to bother taking them to court.

        Everybody with a good enough claim and deep enough pockets gets bought off by Google/Alphabet, the rest can't afford the legal fees necessary.

    2. Anonymous Coward
      Anonymous Coward

      Re: "repository of copyright-infringing files"

      Yes - and this defence has worked for TPB in some court cases but not in others. Interestingly, their opposition has sometimes successfully (but inaccuratey) claimed that TPB's pointers are part of the content being illegally shared.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021