Unrevealing the dark side of BitTorrent
12 October 2011
With tens of millions of users, download events every day, 60% of Europe’s upstream traffic and 20% of its downstream traffic, BitTorrent is the world’s most popular P2P file-sharing application and represents a significant portion of current Internet traffic. . This level of popularity, however, not only attracts regular file-sharing users but others with malicious intentions.
Research carried out by Institute IMDEA Networks, University Carlos III of Madrid and Institut Telecom Sud Paris, “TorrentGuard: stopping scam and malware distribution in the BitTorrent ecosystem”, focused on the phenomenon of fake and malicious content publication in the BitTorrent ecosystem. It examined thirty thousand torrents published on the PirateBay portal over a period of two weeks. The results revealed that 35% of the torrents analyzed were associated with fake content. This means that every third torrent has different content to that described in its title.
PirateBay, BitTorrent’s most popular portal, deletes any torrent found to be fake, along with the user account that published the content. Fake torrents are recognized by downloaders who report back to PirateBay, which in turn removes the torrent and the user account. Despite this detection/deletion mechanism, every fourth download from BitTorrent contains fake content. This creates a serious threat that is yet to be dealt with.
The study reveals that just 20 publishers are responsible for injecting 90% of the fake content that appears in the BitTorrent ecosystem. Most of these publishers employ dedicated servers from foreign companies in order to have sufficient resources for their activities, as well as to hide their identities. A great deal of effort is spent on distributing this fake content, as the portals delete each account from which the content is published, and new accounts must continually be created. The study also describes different techniques used by publishers to attract downloaders to their content. These include using the title of popular movies or falsifying the performance statistics of a torrent to make it appear more popular. This level of investment in both time and resources can only be explained by the strong motivations that drive the distribution of fake content.
The researchers looked in detail at a large amount of fake content in order to identify these motivations. Their analysis showed that fake publishers fit one of three different profiles. Sixty-five percent exploit the popularity of the BitTorrent system to rapidly propagate malware among thousands of users. The content published may be malware itself, but there are also publishers using more sophisticated techniques. They publish movies with catchy titles, which open in a player showing pop-up windows. These request that the user install new codecs, providing a URL link to where they may be downloaded. Security and anti-virus software reports the file containing the false codecs as malware.
On the other hand, 35% of fake publishers are scammers. They use the torrent ecosystem to attract people to their websites, where different types of scams are carried out. For example, victims may be requested to provide their credit card number or to participate in premium SMS contests. Money, then, motivates these publishers. The result is that a very small fraction of fake torrents originate from anti-piracy agencies. Contrary to the two previous types of publishers, who pursue dishonest ends, anti-piracy agencies publish fake versions of the copyrighted content they want to protect. The measures undertaken by anti-piracy agencies are limited by the amount of content (under request from a company) and the time available (in the weeks before and after the content, e.g. movie, is released).
In order to protect themselves against fake torrents, the researchers implemented and evaluated software known as “TorrentGuard”. This program uses the PirateBay portal to collect IP addresses being used to distribute fake content. These addresses are then blacklisted. The software also monitors each torrent published on PirateBay and marks it as fake if a blacklisted IP address was used to serve its content. Using this method, it is possible to identify fake content shortly after it is first published, speeding up the detection process. The software is publicly available and can be accessed both through a website and a popular BitTorrent client’s plugin. Widespread use of this tool may prevent up to 35 million downloads of fake content every year, helping reduce the number of computer infections and scam episodes faced by BitTorrent users.
The study was carried out by Michal Kryczka from Institute IMDEA Networks, Rubén Cuevas, Roberto González and Arturo Azcorra from Carlos III University in Madrid, and Ángel Cuevas from Institut Telecom Sud Paris (France).
Madrimasd – Notiweb