Sophos has revealed new malware with a curious goal: preventing its victims from pirating software. The company says this digital vigilante, which is similar to a malware family discovered over a decade ago, modifies the infected system’s HOSTS file to block access to The Pirate Bay and other piracy-related sites.
“Modifying the HOSTS file is a crude but effective method to prevent a computer from being able to reach a web address,” SophosLabs Principal Researcher Andrew Brandt says in a blog post. “It’s crude because, while it works, the malware has no persistence mechanism. Anyone can remove the entries after they’ve been added to the HOSTS file, and they stay removed (unless you run the program a second time).”
The malware is said to spread via the Discord communications platform by masquerading as pirated copies of popular games. Brandt says it’s also distributed over BitTorrent in bundles “named after popular games, productivity tools, and even security products” that include other files whose sole purpose is to make the malware “appear to have originated with a well-known file sharing account on ThePirateBay.”
After the malware is downloaded it sends two HTTP GET requests to a now-inactive domain. The first request fetches a second payload called “ProcessHacker.jpg” that includes a kill-switch to prevent the malware from operating on devices containing files named “7686789678967896789678” and “412412512512512.” The files themselves can be empty; they simply have to use those names.
The second request “uses a query string to send the filename of the executable that was run to the website’s operators,” Brandt said, which would have allowed them to learn more about what kinds of files people are trying to pirate. That effort appears to have been dropped—Brandt says the server to which the HTTP GET requests were sent “no longer responds to requests, nor has a DNS record.”
Recommended by Our Editors
Sophos has updated its security products to defend against this malware. Brandt says anyone who’s already been affected by the campaign can manually restore their access to the websites it blocked by running Notepad as an administrator and “modifying the…