There are some torrrents showing up with .lnk
extension (ex: movie.mp3.lnk, tvshow.mkv.lnk…) and automated software (Sonarr, Radarr, Lidarr, qBittorrent RSS Downloader) could pick those torrents (but not import).
These (fake) torrents include a .lnk
file that executes a script on your Windows
HOW TO exclude from download on qBittorrent.
-
Go to Options -> Downloads
-
Enable “Exclude file names”
-
Add patterns:
(one by line)
*.mp4.lnk
*.mp3.lnk
*.mkv.lnk
*.torrent.lnk
Or exclude all together: *.lnk
Example on VirusTotal https://www.virustotal.com/gui/file/e74f64df6ebaf3a1b6e3f42591eb6e87d2ac2828eb5a99fd8d3d82c140137fc9/detection
- ReversalHatchery ( @ReversalHatchery@beehaw.org ) English159•4 months ago
thanks Microsoft for hiding extensions by default!
- wizardbeard ( @wizardbeard@lemmy.dbzer0.com ) English43•4 months ago
Yes, but also whoever set the defaults for the *arr tools. Why would any filename with extra shit past the extensions you’re looking for be considered an acceptable result?
Tack $ on the end of your regex, for fucks sake.
Is not regex
https://github.com/qbittorrent/qBittorrent/pull/17106Examples
*.exe: filter ‘.exe’ file extension.
readme.txt: filter exact file name.
?.txt: filter ‘a.txt’, ‘b.txt’ but not ‘aa.txt’.
readme[0-9].txt: filter ‘readme1.txt’, ‘readme2.txt’ but not ‘readme10.txt’
- ad_on_is ( @ad_on_is@lemm.ee ) English22•3 months ago
Microsoft: De nada, amigo! Oh… here’s an ad, btw… and…did you enable Recall already?
- ReversalHatchery ( @ReversalHatchery@beehaw.org ) English12•3 months ago
or rather: oh silly you were so clumsy that you disabled recall by accident again. let us be so kind to re-enable it for you
- Boomkop3 ( @Boomkop3@reddthat.com ) English4•3 months ago
Have you tried setting your region to Europe? it’s not an issue here
- Aatube ( @Aatube@kbin.melroy.org ) 93•4 months ago
I use Arch btw
- CmdrShepard42 ( @CmdrShepard42@lemm.ee ) English74•4 months ago
What if it executes and install Windows 11 on your machine!?
- black0ut ( @black0ut@pawb.social ) English38•4 months ago
Oh lord please have mercy! Blacklisting the file extension right now!
- Trent ( @Trent@lemmy.ml ) English20•4 months ago
That would be the very worst malware. I mean both the malware that installed it and win11…
- Aatube ( @Aatube@kbin.melroy.org ) 10•4 months ago
ackshually the proprietary .lnk shortcut format can only be run on windows 🤓
- Avid Amoeba ( @avidamoeba@lemmy.ca ) English3•3 months ago
A Linux executable can’t be named ending on .lnk? 🤔🤔
- Aatube ( @Aatube@kbin.melroy.org ) 5•3 months ago
Making such a polyglot that can run on both systems requires much more effort for little gain.
- mexicancartel ( @mexicancartel@lemmy.dbzer0.com ) English3•3 months ago
But its not lnk but an executable that needs to be excecuted manually?
Me too, but don’t want to download GBs of malware and bandwidth
- LiveLM ( @LiveLM@lemmy.zip ) English16•4 months ago
Weak.
Harbor disaster. Seed the malware. Spread the fruits of chaos amongst the unworthy. Be complicit in their downfall. Feed on their agony ^^/s - catloaf ( @catloaf@lemm.ee ) English2•4 months ago
.lnk files are less than 4kb
- Aatube ( @Aatube@kbin.melroy.org ) 5•4 months ago
That would seem suspicious. I’m sure they have some way to pad out the size.
- catloaf ( @catloaf@lemm.ee ) English5•4 months ago
Anyone paying attention to size would probably also notice they’re just .lnk files.
- Aatube ( @Aatube@kbin.melroy.org ) 3•4 months ago
Not necessarily. Even with “hide extensions” unchecked, Windows hides the .lnk extension by default; it just shows an arrow in the bottom-right corner of the icon, which is plausibly missed when in the list view. I’m surprised antivirus doesn’t know about it already tbh.
Not these ones, some could have more than 1GB, look at the virustotal link, the file had 422MB.
Also Sonarr/Radarr filter torrents by size
Here some examples
https://bt4gprx.com/search?q=The.Lord.of.The.Rings.The.Rings.of.Power.S02E08Those where posted on 1337x (and removed) and probably other sites, Sonarr can pick those based on release name and torrent size
PS: had to rename the fine from
.lnk
to.com
so virustotal could accept
- boredsquirrel ( @boredsquirrel@slrpnk.net ) English42•3 months ago
Not using Windows helps a ton :)
Sonarr will still pick the release and download GBs of malware, and if you don’t notice your download directly is filled with GBs of fake torrents
- Bobby Turkalino ( @turkalino@lemmy.yachts ) English29•4 months ago
Yet another reminder that piracy on Linux is the way because new files don’t have execute permissions by default
On many distros will open with WINE by default, not a big deal, you can just delete
~/.wine
. If it does anything
- woodgen ( @woodgen@lemm.ee ) English19•3 months ago
that executes a script on your Windows.
I don’t have a Windows.
- notastatist ( @notastatist@feddit.org ) English5•3 months ago
Then just draw on your wall.
- Kuvwert ( @Kuvwert@lemm.ee ) English19•4 months ago
Could you just add *.lnk?
- N0x0n ( @N0x0n@lemmy.ml ) English15•3 months ago
For those interested, John Hammond did a video a few months ago about
.lnk
extension (and other 16 hidden extensions on Windows).He doesn’t go to much or to deep into the subject, but you get a general view how this could be exploitable.
- LostXOR ( @LostXOR@fedia.io ) 4•4 months ago
Also make sure you have file extensions enabled in Explorer, it makes it waaay harder for something like this to work.
- Lojcs ( @Lojcs@lemm.ee ) English3•4 months ago
How is the link file executing malware? Can you put any shell script as the target?
- LordeMostarda ( @LordeMostarda@lemmy.eco.br ) English9•4 months ago
I am pretty sure a link file can open cmd/powershell with parameters to execute commands
- montar ( @montar@lemmy.ml ) English3•3 months ago
yep! I’ve found out browsing hacking/spamming site and i’ve found something too good to be true, it downloaded archive nested inside other archive and in it was silngle .lnk file leading to “the resource”. Peeking inside i’ve found powershell executing base64 (or base32?) encoded script (it’s got commandline option for that. if you want to ask wtf ask microsoft, and tell me), it dl’d some exe from some site and ran it, site was down alredy.
- wizardbeard ( @wizardbeard@lemmy.dbzer0.com ) English7•4 months ago
You can put the script itself as the link. Shortcut to: powershell -command “Write-Host ‘Gonna pwn your shit’”
- DoucheBagMcSwag ( @DoucheBagMcSwag@lemmy.dbzer0.com ) English1•4 months ago
Is that the malware that is undetectable because it runs purely in memory? The name is escaping me
- Nexy ( @Nexy@lemmy.sdf.org ) English1•4 months ago
Nice to know! Thank you!
- Xianshi ( @Xianshi@lemm.ee ) English1•3 months ago
Nice one OP. Just had sonar pick up one of these today named like a proper release of a trusted group. Sonarr didn’t move it from qbit but better to not DL it in the first place even though its a linux box