There are some torrents showing up with .lnk extension (ex: movie.mp3.lnk, tvshow.mkv.lnk…) and automated software (Sonarr, Radarr, Lidarr, qBittorrent RSS Downloader) could pick those torrents (but not import).
These (fake) torrents include a .lnk file that executes a script on your Windows
HOW TO exclude from download on qBittorrent.
- Go to Options -> Downloads
- Enable “Exclude file names”
- Add patterns: (one per line)
*.mp4.lnk
*.mp3.lnk
*.mkv.lnk
*.torrent.lnk
Or exclude altogether: *.lnk
Example on VirusTotal https://www.virustotal.com/gui/file/e74f64df6ebaf3a1b6e3f42591eb6e87d2ac2828eb5a99fd8d3d82c140137fc9/detection
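As an added example (not part of the original post, and not qBittorrent's own code), the sketch below decodes a .torrent's metadata and lists the entries that the patterns above would exclude, so a torrent can be checked before any data is fetched. The sample metadata is constructed, and matching case-insensitively is an assumption of this sketch.

```python
from fnmatch import fnmatch

# Exclusion patterns from the post above (lower-case, matched case-insensitively)
PATTERNS = ["*.mp4.lnk", "*.mp3.lnk", "*.mkv.lnk", "*.torrent.lnk", "*.lnk"]

# Constructed sample: minimal multi-file torrent metadata (no piece hashes)
SAMPLE = (b"d4:infod5:filesl"
          b"d6:lengthi422000000e4:pathl19:Show.S01E01.mkv.lnkee"
          b"d6:lengthi120e4:pathl8:info.nfoee"
          b"e4:name11:Show.S01E01ee")


def bdecode(data, pos=0):
    """Decode one bencoded value starting at pos; return (value, next_pos)."""
    c = data[pos:pos + 1]
    if c == b"i":                               # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c in (b"l", b"d"):                       # list or dictionary
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        if c == b"l":
            return items, pos + 1
        return dict(zip(items[0::2], items[1::2])), pos + 1
    colon = data.index(b":", pos)               # byte string: <len>:<bytes>
    start = colon + 1
    length = int(data[pos:colon])
    return data[start:start + length], start + length


def torrent_files(meta):
    """Return (path, size) pairs for single-file and multi-file torrents."""
    info = meta[b"info"]
    if b"files" in info:
        return [(b"/".join(f[b"path"]).decode("utf-8", "replace"), f[b"length"])
                for f in info[b"files"]]
    return [(info[b"name"].decode("utf-8", "replace"), info[b"length"])]


def excluded_entries(meta):
    """Entries whose name matches any exclusion pattern."""
    return [(path, size) for path, size in torrent_files(meta)
            if any(fnmatch(path.lower(), pat) for pat in PATTERNS)]


if __name__ == "__main__":
    print(excluded_entries(bdecode(SAMPLE)[0]))
```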
- DoucheBagMcSwag ( @DoucheBagMcSwag@lemmy.dbzer0.com ) English1•52 minutes ago
Is that the malware that is undetectable because it runs purely in memory? The name is escaping me
- Aatube ( @Aatube@kbin.melroy.org ) 47•4 hours ago
I use Arch btw
- CmdrShepard42 ( @CmdrShepard42@lemm.ee ) English31•6 hours ago
What if it executes and installs Windows 11 on your machine!?
- Aatube ( @Aatube@kbin.melroy.org ) 3•2 hours ago
ackshually the proprietary .lnk shortcut format can only be run on windows 🤓
- Trent ( @Trent@lemmy.ml ) English4•3 hours ago
That would be the very worst malware. I mean both the malware that installed it and win11…
- black0ut ( @black0ut@pawb.social ) English6•4 hours ago
Oh lord please have mercy! Blacklisting the file extension right now!
Me too, but don’t want to download GBs of malware and bandwidth
- LiveLM ( @LiveLM@lemmy.zip ) English6•4 hours ago
Weak.
Harbor disaster. Seed the malware. Spread the fruits of chaos amongst the unworthy. Be complicit in their downfall. Feed on their agony ^^/s
- catloaf ( @catloaf@lemm.ee ) English1•4 hours ago
.lnk files are less than 4kb
- Aatube ( @Aatube@kbin.melroy.org ) 4•1 hour ago
That would seem suspicious. I’m sure they have some way to pad out the size.
- catloaf ( @catloaf@lemm.ee ) English3•3 hours ago
Anyone paying attention to size would probably also notice they’re just .lnk files.
- Aatube ( @Aatube@kbin.melroy.org ) 2•1 hour ago
Not necessarily. Even with “hide extensions” unchecked, Windows hides the .lnk extension by default; it just shows an arrow in the bottom-right corner of the icon, which is plausibly missed when in the list view. I’m surprised antivirus doesn’t know about it already tbh.
Not these ones, some could have more than 1GB, look at the virustotal link, the file had 422MB.
Also Sonarr/Radarr filter torrents by size
Here are some examples
https://bt4gprx.com/search?q=The.Lord.of.The.Rings.The.Rings.of.Power.S02E08
Those were posted on 1337x (and removed) and probably other sites, Sonarr can pick those based on release name and torrent size
PS: had to rename the file from .lnk to .com so virustotal could accept
- ReversalHatchery ( @ReversalHatchery@beehaw.org ) English54•6 hours ago
thanks Microsoft for hiding extensions by default!
- wizardbeard ( @wizardbeard@lemmy.dbzer0.com ) English2•1 hour ago
Yes, but also whoever set the defaults for the *arr tools. Why would any filename with extra shit past the extensions you’re looking for be considered an acceptable result?
Tack $ on the end of your regex, for fucks sake.
- bad_news ( @bad_news@lemmy.billiam.net ) English16•5 hours ago
You gotta love how aggressively they prevent users from seamlessly running executables from the internet, a VERY legitimate common use case, but a desktop shortcut from the internet? Run away!
- Bobby Turkalino ( @turkalino@lemmy.yachts ) English16•6 hours ago
Yet another reminder that piracy on Linux is the way because new files don’t have execute permissions by default
On many distros will open with WINE by default, not a big deal, you can just delete ~/.wine. If it does anything
- Daemon Silverstein ( @dsilverz@thelemmy.club ) English20•6 hours ago
When I read the title, I was thinking of something sophisticated such as hidden executable streams inside the MKV container (IIRC, it’s possible to append binary data other than audio, video or subtitles specifically inside an MKV). The “.lnk” trick only works in Windows and, even there, it’s easy to prevent: Windows Explorer > Options > Advanced > find and check “Always show extensions for files” (I can’t really remember the exact label for this option as I’m not a Windows user, but something like this will be there).
- cosmic_skillet ( @cosmic_skillet@lemmy.ml ) 7•5 hours ago
I believe you uncheck “Hide extensions for known file types”
- Daemon Silverstein ( @dsilverz@thelemmy.club ) English3•5 hours ago
Exactly! Thanks! I couldn’t point the exact label, I’ve been using Linux for years on a daily basis so I forgot most of the Windows shortcuts/options.
- Nexy ( @Nexy@lemmy.sdf.org ) English1•4 hours ago
Nice to know! Thank you!
- Kuvwert ( @Kuvwert@lemm.ee ) English13•6 hours ago
Could you just add *.lnk?
- Lojcs ( @Lojcs@lemm.ee ) English3•6 hours ago
How is the link file executing malware? Can you put any shell script as the target?
- wizardbeard ( @wizardbeard@lemmy.dbzer0.com ) English2•1 hour ago
You can put the script itself as the link. Shortcut to: powershell -command “Write-Host ‘Gonna pwn your shit’”
- LordeMostarda ( @LordeMostarda@lemmy.eco.br ) English5•5 hours ago
I am pretty sure a link file can open cmd/powershell with parameters to execute commands
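Added example, not from any commenter: a read-only parser for the StringData section of the Shell Link (.lnk) format that shows the command-line arguments a shortcut carries without running it, and counts the bytes left after the parsed structures. The two triage heuristics and the 4096-byte limit are assumptions based on the thread, and the sample bytes are constructed with placeholder strings.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
IS_UNICODE = 0x80
# StringData fields in file order; each is present only if its LinkFlags bit is set
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]

# Constructed sample: bare header plus two placeholder strings (not a real shortcut)
SAMPLE = (struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE).ljust(76, b"\0")
          + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                     for s in ("example-target.exe", "-example-arg value")))


def parse_lnk(data):
    """Read a shortcut's StringData (nothing is executed) and count trailing bytes."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                    # fixed-size ShellLinkHeader
    if flags & 0x01:                            # LinkTargetIDList: u16 size + list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                            # LinkInfo: u32 size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    wide = bool(flags & IS_UNICODE)
    out = {}
    for bit, field in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]   # length in characters
            raw = data[pos + 2:pos + 2 + count * (2 if wide else 1)]
            out[field] = raw.decode("utf-16-le" if wide else "cp1252", "replace")
            pos += 2 + len(raw)
    out["trailing_bytes"] = len(data) - pos     # ExtraData plus any padding
    return out


def triage(data, pad_limit=4096):
    """Assumed heuristics for a shortcut found in a media download."""
    info, notes = parse_lnk(data), []
    if info.get("arguments"):
        notes.append("carries command-line arguments: " + info["arguments"])
    if info["trailing_bytes"] > pad_limit:
        notes.append("%d bytes after the link data (padding?)" % info["trailing_bytes"])
    return notes


if __name__ == "__main__":
    print(triage(SAMPLE + bytes(5000)))
```

The target path of a real shortcut usually sits in the LinkTargetIDList or LinkInfo structures, which this sketch skips over rather than decodes.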