BitTorrent serves malware directly from website – no need for P2P!

Back in 2001, when BitTorrent was first announced, it seemed inevitable – and, at the same time, implausible – that a commercial company based around its social approach to file sharing would emerge and succeed, despite its novelty.

Inevitable, because the sheer popularity of peer-to-peer file sharing means that the potential return for any company successfully commercialising a popular P2P client is enormous.

Implausible, because the indelible association between P2P and piracy means that potential risk of burning out in lawsuits from copyright holders is vast.

But the creator of BitTorrent, Bram Cohen, did create a company out of his codebase, and BitTorrent, Inc. is effectively today’s Torrent mothership.

The company is also the custodian of two popular Torrent clients: the so-called Mainline version, and its extremely popular compact cousin, uTorrent.

(The character u is commonly, if confusingly, used in Latin alphabets to represent the Greek letter μ. Short for micro, it’s pronounced in English as mew, as in cat. So much for internationalisation.)

In its ten-year history, BitTorrent – the protocol, not the company – has become well known for facilitating the unregulated sharing of arbitrary material. Indeed, it’s become quite the way to find all the ripped-off software, films, TV shows and porn you might need. Unsurprisingly, the cybercrooks love that sort of neo-anarchic mix, because it makes it easy for them to expose you to your fair share of malware.

Unfortunately, however, even if you are one of the several many entirely law-abiding users of BitTorrent, the folks at BitTorrent, Inc. may recently have put you in harm’s way.

According to a really-ought-to-be-more-visible warning on the download pages of and, a breach of the two servers resulted in a two-hour window in which downloading BitTorrent’s software would have given you a fake anti-virus program instead.

This morning [13 Sep 2011 on the US West Coast] at approximately 4:20 a.m. PT, the and Web servers were compromised. Our standard software download was replaced with a type of fake antivirus "scareware" program.

Just after 6:00 a.m. PT, we took the affected servers offline to neutralize the threat. Our servers are now back online and functioning normally.

BitTorrent, Inc. identifies the malware as belonging to the Security Shield scareware family. Program files under this “brand” of fake anti-virus should be mopped up by Sophos Anti-Virus as CXmal/FakeAV-A.

Confusingly, the BitTorrent blog has recently been updated to claim that the software available from the URI was not affected, implying that only those who downloaded utorrent during the infection window would be at risk.

Since the two sites share the same network infrastructure – both resolve to the same IP number in Limelight Networks’ cloud – you might want to ignore that blog update, assume that any recent downloads from BitTorrent, Inc. were dodgy, and give yourself a thorough anti-malware checkover.

I’d also ignore the time window, since BitTorrent used the annoyingly ambiguous abbreviation “PT” to denote the timezone. I’m guessing they meant to say UTC-7, but they didn’t.

Update. Allison at BitTorrent got in touch to say she’s updated the official report to make it clear: Pacific Daylight Time, UTC-7. Thanks for listening, Allison!
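
The "PT" ambiguity above, worked through as an added example (not code from the original post or from BitTorrent, Inc.): it converts the published window to UTC under both readings of "PT" and classifies download timestamps against each. The 15-minute slack, the sample names and the sample timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Window as published: 13 Sep 2011, 4:20 a.m. to "just after 6:00 a.m." PT.
WINDOW_START_LOCAL = datetime(2011, 9, 13, 4, 20)
WINDOW_END_LOCAL = datetime(2011, 9, 13, 6, 0)

# The two possible readings of "PT": daylight time and standard time.
PT_READINGS = {
    "PDT (UTC-7)": timezone(timedelta(hours=-7)),
    "PST (UTC-8)": timezone(timedelta(hours=-8)),
}

# Assumption: slack for "approximately" and "just after"; not from the report.
SLACK = timedelta(minutes=15)


def window_utc(tz):
    """Return the published window as (start, end) in UTC for one reading of PT."""
    start = WINDOW_START_LOCAL.replace(tzinfo=tz) - SLACK
    end = WINDOW_END_LOCAL.replace(tzinfo=tz) + SLACK
    return start.astimezone(timezone.utc), end.astimezone(timezone.utc)


def classify(download_time):
    """Classify a timezone-aware download timestamp against both readings."""
    if download_time.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    hits = [name for name, tz in PT_READINGS.items()
            if window_utc(tz)[0] <= download_time <= window_utc(tz)[1]]
    if len(hits) == len(PT_READINGS):
        return "inside window under either reading"
    if hits:
        return "inside window only if PT means " + hits[0]
    return "outside window"


# Constructed samples: download times as logged on a machine in UTC+1.
LOCAL = timezone(timedelta(hours=1))
SAMPLES = {
    "sample-1": datetime(2011, 9, 13, 12, 30, tzinfo=LOCAL),
    "sample-2": datetime(2011, 9, 13, 13, 45, tzinfo=LOCAL),
    "sample-3": datetime(2011, 9, 13, 15, 5, tzinfo=LOCAL),
    "sample-4": datetime(2011, 9, 13, 16, 0, tzinfo=LOCAL),
}

if __name__ == "__main__":
    for name, when in SAMPLES.items():
        print(f"{name}: {classify(when)}")
```

Anything that lands inside the window under at least one reading is worth treating as suspect until the timezone is confirmed.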

PS. If you will forgive some mild commercialism, you can download a fully-functional trial of Sophos Endpoint Security and Control – with detection AND cleanup included, unlike with scareware! – from our website. Registration is required, and you will get contacted by Sales. But for one month, you can use the product as widely as you like at home or in your business. And you’re entitled to our award-winning 24/7 support by email and phone throughout. Give it a go. You know it makes sense. (Did I get that right? Is that how salespeople speak?)